analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

newupdate_password_2227.zip

Full analysis: https://app.any.run/tasks/74cfd549-dc9c-40de-bd44-9a56cb191a85
Verdict: Malicious activity
Analysis date: April 01, 2023, 17:34:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

902E6FEBB705BE9D5A81E80191C5256A

SHA1:

70097464419F45EDB280199E068B52158D724DCE

SHA256:

C299E07C1A2FD29A21C075A5467F1AF42ECE26452B1607F76EA6E500D69B77E7

SSDEEP:

98304:3fioND+IQgyWaU0bn3Phved6/MJdCLglwZ5l2wAjhK8O:qSfQbWaU43JevJdd42wA9c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • version_v317.exe (PID: 3492)
    • Actions looks like stealing of personal data

      • AppLaunch.exe (PID: 3592)
  • SUSPICIOUS

    • Searches for installed software

      • AppLaunch.exe (PID: 3592)
    • Reads the Internet Settings

      • AppLaunch.exe (PID: 3592)
    • Loads DLL from Mozilla Firefox

      • AppLaunch.exe (PID: 3592)
    • Reads browser cookies

      • AppLaunch.exe (PID: 3592)
    • Checks for external IP

      • AppLaunch.exe (PID: 3592)
    • Connects to unusual port

      • AppLaunch.exe (PID: 3592)
  • INFO

    • Checks supported languages

      • version_v317.exe (PID: 3492)
      • AppLaunch.exe (PID: 3592)
      • wmpnscfg.exe (PID: 3112)
    • Reads the machine GUID from the registry

      • AppLaunch.exe (PID: 3592)
      • wmpnscfg.exe (PID: 3112)
    • Reads the computer name

      • AppLaunch.exe (PID: 3592)
      • wmpnscfg.exe (PID: 3112)
    • Reads Environment values

      • AppLaunch.exe (PID: 3592)
    • The process checks LSA protection

      • AppLaunch.exe (PID: 3592)
      • wmpnscfg.exe (PID: 3112)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2824)
    • Create files in a temporary directory

      • AppLaunch.exe (PID: 3592)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3112)
    • Reads CPU info

      • AppLaunch.exe (PID: 3592)
    • Creates files or folders in the user directory

      • AppLaunch.exe (PID: 3592)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: icuin56.dll
ZipUncompressedSize: 1786368
ZipCompressedSize: 625601
ZipCRC: 0x504a8449
ZipModifyDate: 2022:01:24 02:15:04
ZipCompression: Unknown (99)
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe version_v317.exe no specs applaunch.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2824"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\newupdate_password_2227.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
3492"C:\Users\admin\AppData\Local\Temp\Rar$EXb2824.48787\version_v317.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb2824.48787\version_v317.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb2824.48787\version_v317.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
3592"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
version_v317.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET ClickOnce Launch Utility
Exit code:
2148734499
Version:
4.0.30319.34209 built by: FX452RTMGDR
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mscoree.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
3112"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events
10 314
Read events
10 276
Write events
32
Delete events
6

Modification events

(PID) Process:(2824) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(2824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(2824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(2824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
12
Suspicious files
2
Text files
432
Unknown types
364

Dropped files

PID
Process
Filename
Type
2824WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2824.48787\components\accessibility.xptxpt
MD5:1E178B64020F1CE4D8518C5B18B208A0
SHA256:A560EC424A3CAED79CB93049DE888A3843BC34F352B6BB27F10724E10AB690DB
2824WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2824.48787\components\addoncompat.manifesttext
MD5:5693979E6BD243F503621BD8A3E1076A
SHA256:414E9DB8B02035B3CDCE8C26D7360C5E92AFBE1D9588900B6E8DD1D141CCA258
2824WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2824.48787\components\ActivityRequestHandler.jstext
MD5:7E6626AEF21B0DB6878A1AAFD28D3D7E
SHA256:95C59A66FBC28D9B13645B9B2CE656D4721272FF8D67E1177201504E059B41E4
2824WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2824.48787\components\ActivityProxy.jstext
MD5:18B159534F17E4ECFE583D0D9BB5DC40
SHA256:72D64C65530EA288072661271A0ABB3CFB56349CCC50B06C711641709D5581B7
2824WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2824.48787\components\ActivityMessageConfigurator.jstext
MD5:AA156D59F227CCDB14D7E57610EA4E09
SHA256:5EB82F1263629746E167ED91B3C12D51AAE1408F62F405170A8943759D15F525
2824WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2824.48787\components\amContentHandler.jstext
MD5:24B4A2E9F7AEEC416ADCC5417B9E1D23
SHA256:BCC9CFE21D5AFFB8F38AFF6DA5A8809AF1E5F0A0C4689224DF50E1FD849548ED
2824WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2824.48787\components\ActivityWrapper.jstext
MD5:5B7E48E5EBB0312591F7AC2843BA4E8E
SHA256:FE510D8FC2EA30C085010E158067A26ABB31A0616E2BC7D48FDF374AF8E66D3D
2824WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2824.48787\components\AlarmsManager.jstext
MD5:424A1C9971BE1F1C4DCE01076281E07D
SHA256:CE3A0C14B6148E58EC396922D6FEAC1E1D3112C241B82315791A5424C489AEA2
2824WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2824.48787\components\alerts.xptxpt
MD5:B59FE9DE24E191FDAC192964A54C46D5
SHA256:883F55272F1342193F295826EAFB3D67B047BA1372494F2D63B0C811BC01808B
2824WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2824.48787\components\addonManager.jstext
MD5:FEE4AAB83B139A9F171DDFA27ADDDC90
SHA256:F4E3BD9E64163E9F45C9219C728C47BF11EA6F7DE50D92EA6B66F8D8648F9804
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3592
AppLaunch.exe
POST
200
185.220.35.84:5002
http://185.220.35.84:5002/uploadfile
RU
text
7 b
malicious
3592
AppLaunch.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
binary
301 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3592
AppLaunch.exe
185.220.35.84:5002
LLC Vpsville
RU
malicious
3592
AppLaunch.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
malicious

DNS requests

Domain
IP
Reputation
ip-api.com
  • 208.95.112.1
shared

Threats

PID
Process
Class
Message
3592
AppLaunch.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3592
AppLaunch.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
3592
AppLaunch.exe
A Network Trojan was detected
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
3592
AppLaunch.exe
A Network Trojan was detected
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
3592
AppLaunch.exe
A Network Trojan was detected
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
3592
AppLaunch.exe
A Network Trojan was detected
ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)
4 ETPRO signatures available at the full report
Process
Message
AppLaunch.exe
CLR: Managed code called FailFast without specifying a reason.
AppLaunch.exe
CLR: Managed code called FailFast without specifying a reason.