analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

newupdate_password_2227.zip

Full analysis: https://app.any.run/tasks/793f2c08-9a08-414d-a03c-56f024cae8d8
Verdict: Malicious activity
Analysis date: April 01, 2023, 15:23:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

902E6FEBB705BE9D5A81E80191C5256A

SHA1:

70097464419F45EDB280199E068B52158D724DCE

SHA256:

C299E07C1A2FD29A21C075A5467F1AF42ECE26452B1607F76EA6E500D69B77E7

SSDEEP:

98304:3fioND+IQgyWaU0bn3Phved6/MJdCLglwZ5l2wAjhK8O:qSfQbWaU43JevJdd42wA9c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • version_v317.exe (PID: 3764)

    • Actions looks like stealing of personal data

      • AppLaunch.exe (PID: 3864)

  • SUSPICIOUS

    • Reads browser cookies

      • AppLaunch.exe (PID: 3864)

    • Reads the Internet Settings

      • AppLaunch.exe (PID: 3864)

    • Loads DLL from Mozilla Firefox

      • AppLaunch.exe (PID: 3864)

    • Searches for installed software

      • AppLaunch.exe (PID: 3864)

    • Checks for external IP

      • AppLaunch.exe (PID: 3864)

    • Connects to unusual port

      • AppLaunch.exe (PID: 3864)

  • INFO

    • Reads the computer name

      • AppLaunch.exe (PID: 3864)
      • wmpnscfg.exe (PID: 3004)

    • Checks supported languages

      • AppLaunch.exe (PID: 3864)
      • version_v317.exe (PID: 3764)
      • wmpnscfg.exe (PID: 3004)

    • The process checks LSA protection

      • AppLaunch.exe (PID: 3864)
      • wmpnscfg.exe (PID: 3004)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2680)

    • Reads the machine GUID from the registry

      • AppLaunch.exe (PID: 3864)
      • wmpnscfg.exe (PID: 3004)

    • Reads Environment values

      • AppLaunch.exe (PID: 3864)

    • Create files in a temporary directory

      • AppLaunch.exe (PID: 3864)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3004)

    • Reads CPU info

      • AppLaunch.exe (PID: 3864)

    • Creates files or folders in the user directory

      • AppLaunch.exe (PID: 3864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: icuin56.dll
ZipUncompressedSize: 1786368
ZipCompressedSize: 625601
ZipCRC: 0x504a8449
ZipModifyDate: 2022:01:24 02:15:04
ZipCompression: Unknown (99)
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe version_v317.exe no specs applaunch.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2680"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\newupdate_password_2227.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
3764"C:\Users\admin\AppData\Local\Temp\Rar$EXb2680.8970\version_v317.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb2680.8970\version_v317.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb2680.8970\version_v317.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
3864"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
version_v317.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET ClickOnce Launch Utility
Exit code:
2148734499
Version:
4.0.30319.34209 built by: FX452RTMGDR
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mscoree.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
3004"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events
10 314
Read events
10 276
Write events
32
Delete events
6

Modification events

(PID) Process:(2680) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2680) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(2680) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(2680) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(2680) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2680) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2680) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2680) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2680) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2680) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
12
Suspicious files
2
Text files
428
Unknown types
364

Dropped files

PID
Process
Filename
Type
2680WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2680.8970\components\accessibility.xptxpt
MD5:1E178B64020F1CE4D8518C5B18B208A0
SHA256:A560EC424A3CAED79CB93049DE888A3843BC34F352B6BB27F10724E10AB690DB
2680WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2680.8970\components\addonManager.jstext
MD5:FEE4AAB83B139A9F171DDFA27ADDDC90
SHA256:F4E3BD9E64163E9F45C9219C728C47BF11EA6F7DE50D92EA6B66F8D8648F9804
2680WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2680.8970\components\ActivityRequestHandler.jstext
MD5:7E6626AEF21B0DB6878A1AAFD28D3D7E
SHA256:95C59A66FBC28D9B13645B9B2CE656D4721272FF8D67E1177201504E059B41E4
2680WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2680.8970\components\ActivityProxy.jstext
MD5:18B159534F17E4ECFE583D0D9BB5DC40
SHA256:72D64C65530EA288072661271A0ABB3CFB56349CCC50B06C711641709D5581B7
2680WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2680.8970\components\amWebInstallListener.jstext
MD5:A8281CCC8C3C6850709546D2E6AE733C
SHA256:C0D1A9D9DF3640080AC06D2F908A07FF29362A6B91C6989034EA6CCCDA708F2C
2680WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2680.8970\components\AlarmsManager.jstext
MD5:424A1C9971BE1F1C4DCE01076281E07D
SHA256:CE3A0C14B6148E58EC396922D6FEAC1E1D3112C241B82315791A5424C489AEA2
2680WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2680.8970\components\addoncompat.manifesttext
MD5:5693979E6BD243F503621BD8A3E1076A
SHA256:414E9DB8B02035B3CDCE8C26D7360C5E92AFBE1D9588900B6E8DD1D141CCA258
2680WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2680.8970\components\Activities.manifesttext
MD5:77983A71105B96C1D9C75E9DBB31AF26
SHA256:BBD1545C49F1A456BCA62B0C0A684C8FB2F802B60EE448BC45EC22B24941BD7C
2680WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2680.8970\components\ActivityMessageConfigurator.jstext
MD5:AA156D59F227CCDB14D7E57610EA4E09
SHA256:5EB82F1263629746E167ED91B3C12D51AAE1408F62F405170A8943759D15F525
2680WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2680.8970\icuuc56.dllexecutable
MD5:64B5B250BC5B84BCDEA9B48443D9B1B0
SHA256:DE30C27E7BBF31B4BEE34F1FEBF5A71DC2318420C4E0FA52135FE85A27FCAE65
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3864
AppLaunch.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
binary
346 b
shared
3864
AppLaunch.exe
POST
200
185.220.35.84:5002
http://185.220.35.84:5002/uploadfile
RU
text
7 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3864
AppLaunch.exe
185.220.35.84:5002
LLC Vpsville
RU
malicious
3864
AppLaunch.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
malicious

DNS requests

Domain
IP
Reputation
ip-api.com
  • 208.95.112.1
shared

Threats

PID
Process
Class
Message
3864
AppLaunch.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3864
AppLaunch.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
3864
AppLaunch.exe
A Network Trojan was detected
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
3864
AppLaunch.exe
A Network Trojan was detected
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
3864
AppLaunch.exe
A Network Trojan was detected
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
3864
AppLaunch.exe
A Network Trojan was detected
ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)
4 ETPRO signatures available at the full report
Process
Message
AppLaunch.exe
CLR: Managed code called FailFast without specifying a reason.
AppLaunch.exe
CLR: Managed code called FailFast without specifying a reason.
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
newupdate_password_2227.zip