File name: sellix.91e917-21ffd3c0b9-154a05.1719480525.zip
Full analysis: https://app.any.run/tasks/f954b8fc-14e1-4237-abb7-6467e622a936
Verdict: Malicious activity
Analysis date: June 27, 2024, 09:29:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: D152EE717C306C1075863E04A8F3BD18
SHA1: 3CE6D8F47F7A8DF7337AB44FBE8B2D537AC71F00
SHA256: C2ADD7BA8B784F6190670A82DF2AF5C2479EA4F7642C6B1C2E3ED9343FB6CAD9
SSDEEP: 24576:hmbrUg3N6fQjwfsuUL1/unIkhfev58cVWlvkn8xaS4aq1k7+vSjJVNJjEQCo10OW:hmbrUg3N6fQjw0uUL1/uIkhfev58cVWY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 3332)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3208)
    • Application launched itself
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3208)
    • Reads the Internet Settings
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3208)
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3176)
    • Reads settings of System Certificates
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3176)
  • INFO
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3332)
    • Checks supported languages
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3176)
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3208)
    • Reads the machine GUID from the registry
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3208)
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3176)
    • Manual execution by a user
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3208)
    • Reads the computer name
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3208)
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3176)
    • Creates files in the program directory
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3176)
    • Disables trace logs
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3176)
    • Reads Environment values
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3176)
    • Reads product name
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3176)
    • Reads the software policy settings
      • 656cac5f0d5f7-Optimizer-14.6.exe.exe (PID: 3176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report.
No Malware configuration.

Note that the only MALICIOUS-tier signature above fires on WinRAR.exe (PID 3332) writing the archive's .exe member to disk, which is what extracting this ZIP does. The sample's own processes trigger only SUSPICIOUS and INFO signatures, no malware configuration was extracted, and the Threats section further down records no detections. The verdict is therefore a prompt to look at the dropped files and at the single outbound connection made by PID 3176, not a classification that stands on its own.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2024:06:27 09:28:44
ZipCRC: 0x5e3620a7
ZipCompressedSize: 735845
ZipUncompressedSize: 2162176
ZipFileName: 656cac5f0d5f7-Optimizer-14.6.exe.exe

Bit 0 of ZipBitFlag is clear, so the member is not password-protected; 0x0002 is only the Deflate "maximum compression" hint. The archive holds one member, whose name carries a double extension (.exe.exe), and the ZipModifyDate is about one minute before the analysis date.
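The EXIF block above is what a tool that reads the first local file header reports. The following added example (not part of the ANY.RUN report, standard library only) parses both the local file headers and the central directory of a ZIP, returns the same fields in the same form (required version, bit flags, method, modify date, CRC, sizes, member name), hashes the archive the way the MD5/SHA1/SHA256 lines at the top were produced, and adds the two checks worth running on an archive like this one: whether the local header and the central directory disagree (an extractor follows the central directory, a metadata reader may not), and whether a member carries an executable or double extension. The archive it runs on is constructed in memory with the report's member name and ZipModifyDate; it is not the real sample, so its hashes, CRC and sizes will not match the values on this page.

```python
import hashlib
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"          # local file header, 30 bytes
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"  # central directory entry, 46 bytes
EOCD_FMT = "<4sHHHHIIH"              # end of central directory record, 22 bytes
METHODS = {0: "Stored", 8: "Deflated", 12: "BZip2", 14: "LZMA", 99: "AES"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".dll", ".msi", ".bat", ".cmd",
            ".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk"}
DECOY_EXT = EXEC_EXT | {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".zip"}


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def _dos_datetime(dos_time, dos_date):
    """MS-DOS packed time/date -> 'YYYY:MM:DD HH:MM:SS' (the form exiftool prints as ZipModifyDate)."""
    return "%04d:%02d:%02d %02d:%02d:%02d" % (
        ((dos_date >> 9) & 0x7F) + 1980, (dos_date >> 5) & 0x0F, dos_date & 0x1F,
        (dos_time >> 11) & 0x1F, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def _local_header(data, off):
    f = struct.unpack_from(LOCAL_FMT, data, off)
    if f[0] != LOCAL_SIG:
        raise ValueError("no local file header at offset %d" % off)
    return {"name": data[off + 30:off + 30 + f[9]].decode("cp437"),
            "version_needed": f[1], "flags": f[2], "method": f[3],
            "mtime": _dos_datetime(f[4], f[5]), "crc": f[6],
            "compressed_size": f[7], "uncompressed_size": f[8]}


def _central_entries(data):
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("end of central directory record not found")
    e = struct.unpack_from(EOCD_FMT, data, eocd)
    off, entries = e[6], []          # e[6] = central directory offset, e[4] = total entries
    for _ in range(e[4]):
        f = struct.unpack_from(CENTRAL_FMT, data, off)
        if f[0] != CENTRAL_SIG:
            raise ValueError("bad central directory entry at offset %d" % off)
        entries.append({"name": data[off + 46:off + 46 + f[10]].decode("cp437"),
                        "version_needed": f[2], "flags": f[3], "method": f[4],
                        "mtime": _dos_datetime(f[5], f[6]), "crc": f[7],
                        "compressed_size": f[8], "uncompressed_size": f[9],
                        "local_offset": f[16]})
        off += 46 + f[10] + f[11] + f[12]   # name, extra and comment lengths
    return entries


def parse_zip(data):
    """Archive hashes, per-member metadata and triage findings for raw ZIP bytes.
    The central directory is what extractors trust; the local header is what a
    first-header metadata reader sees, so the two are cross-checked per member."""
    members, findings = [], []
    for c in _central_entries(data):
        l = _local_header(data, c["local_offset"])
        # With bit 3 set the local CRC/sizes are legitimately zero (a data descriptor follows the data).
        keys = ("name", "method") if l["flags"] & 0x08 else \
            ("name", "method", "crc", "compressed_size", "uncompressed_size")
        for k in keys:
            if l[k] != c[k]:
                findings.append("%s: %s differs, local header %r vs central directory %r"
                                % (c["name"], k, l[k], c[k]))
        m = dict(c, method_name=METHODS.get(c["method"], "unknown(%d)" % c["method"]),
                 encrypted=bool(c["flags"] & 0x01))
        if m["encrypted"]:
            findings.append("%s: encrypted member" % c["name"])
        low = c["name"].lower()
        ext = low[low.rfind("."):] if "." in low else ""
        if ext in EXEC_EXT:
            findings.append("%s: executable member (%s)" % (c["name"], ext))
            stem = low[:low.rfind(".")]
            if "." in stem and stem[stem.rfind("."):] in DECOY_EXT:
                findings.append("%s: double extension" % c["name"])
        members.append(m)
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(), "members": members, "findings": findings}


def build_sample_zip(tamper_local_crc=False):
    """Constructed stand-in for the report's archive (not the real file): one Deflated member
    with the report's member name and ZipModifyDate. With tamper_local_crc the CRC field at
    bytes 14..17 of the first local header is zeroed so the cross-check has something to find."""
    payload = b"MZ" + b"\x00" * 4096 + b"constructed sample, not the Optimizer binary\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo("656cac5f0d5f7-Optimizer-14.6.exe.exe", date_time=(2024, 6, 27, 9, 28, 44))
        zi.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(zi, payload)
    blob = buf.getvalue()
    if tamper_local_crc:
        blob = blob[:14] + b"\x00" * 4 + blob[18:]
    return blob, payload


if __name__ == "__main__":
    blob, payload = build_sample_zip()
    report = parse_zip(blob)
    print("sha256", report["sha256"])
    for m in report["members"]:
        print(m["name"], m["method_name"], m["mtime"], m["uncompressed_size"], hex(m["crc"]))
    for f in report["findings"]:
        print("finding:", f)
```

Against the real archive, call `parse_zip(open(path, "rb").read())` and compare the `md5`, `sha1` and `sha256` keys with the values at the top of this page before relying on any other field.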
All screenshots are available in the full report
Total processes: 44
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes shown (details in the full report): start, winrar.exe, 656cac5f0d5f7-optimizer-14.6.exe.exe (no specs), 656cac5f0d5f7-optimizer-14.6.exe.exe

Process information

PID 3176
CMD: "C:\Users\admin\Desktop\656cac5f0d5f7-Optimizer-14.6.exe.exe"
Path: C:\Users\admin\Desktop\656cac5f0d5f7-Optimizer-14.6.exe.exe
Parent process: 656cac5f0d5f7-Optimizer-14.6.exe.exe
User: admin
Company: deadmoon © 2022
Integrity Level: HIGH
Description: Optimizer
Exit code: 0
Version: 0.0.0.0
Modules (Images):
c:\users\admin\desktop\656cac5f0d5f7-optimizer-14.6.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 3208
CMD: "C:\Users\admin\Desktop\656cac5f0d5f7-Optimizer-14.6.exe.exe"
Path: C:\Users\admin\Desktop\656cac5f0d5f7-Optimizer-14.6.exe.exe
Parent process: explorer.exe
User: admin
Company: deadmoon © 2022
Integrity Level: MEDIUM
Description: Optimizer
Exit code: 0
Version: 0.0.0.0
Modules (Images):
c:\users\admin\desktop\656cac5f0d5f7-optimizer-14.6.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 3332
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\sellix.91e917-21ffd3c0b9-154a05.1719480525.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

Read together with the signature list: PID 3208 is the instance the user started from explorer.exe at MEDIUM integrity and the one tagged "Application launched itself"; its child, PID 3176, is the same binary running at HIGH integrity with the Optimizer executable as its parent. A MEDIUM-to-HIGH jump for the same image on Windows 7 is the shape of a self-relaunch through UAC elevation, and it is the elevated instance (3176) that goes on to write under C:\ProgramData\Optimizer (Dropped files) and to open the only sample-originated connection (Connections, raw.githubusercontent.com:443). Both Optimizer instances load mscoree.dll and mscoreei.dll from .NET Framework v4.0.30319, so the sample is a managed (.NET) executable; WinRAR.exe loads only native libraries. All three processes exited with code 0.
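The three process records above, together with the Dropped files and Connections rows further down, transcribed into a small correlation script (an added example, not ANY.RUN output). It flags a process whose parent is another instance of the same image running at a lower integrity level, then joins the file and network tables per PID to show which process both wrote files and reached a remote host. Only monitored PIDs carry an integrity level; PIDs that appear only in the network table (svchost.exe, System) were not monitored by the sandbox and get none. The broadcast/multicast filter is a heuristic written for this lab's 192.168.100.0/24 and for LLMNR, WS-Discovery and NetBIOS ports, not a general rule.

```python
from collections import defaultdict

LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "SYSTEM": 4}
OPT = "656cac5f0d5f7-Optimizer-14.6.exe.exe"

# Transcribed from the Process information section (monitored processes only).
PROCESSES = [
    {"pid": 3332, "image": "WinRAR.exe", "parent_image": "explorer.exe", "integrity": "MEDIUM"},
    {"pid": 3208, "image": OPT, "parent_image": "explorer.exe", "integrity": "MEDIUM"},
    {"pid": 3176, "image": OPT, "parent_image": OPT, "integrity": "HIGH"},
]
# The ten Dropped files rows the report reproduces (all written by PID 3176).
DROPPED = [(3176, r"C:\ProgramData\Optimizer" + "\\" + p) for p in (
    r"ReadyMadeMenus\DesktopShortcuts.reg", r"ReadyMadeMenus\SystemTools.reg",
    r"Required\OneDrive_Uninstaller.cmd", r"ReadyMadeMenus\WindowsApps.reg",
    r"ReadyMadeMenus\RemoveTakeOwnership.reg", r"Required\DisableOfficeTelemetryTasks.bat",
    r"Required\EnableOfficeTelemetryTasks.bat", r"Required\DisableXboxTasks.bat",
    r"Required\EnableOfficeTelemetryTasks.reg", r"Required\DisableOfficeTelemetryTasks.reg")]
# Connections rows: (pid, process, ip, port, domain or None).
CONNECTIONS = [
    (1060, "svchost.exe", "224.0.0.252", 5355, None),
    (4, "System", "192.168.100.255", 137, None),
    (2564, "svchost.exe", "239.255.255.250", 3702, None),
    (1372, "svchost.exe", "20.73.194.208", 443, "settings-win.data.microsoft.com"),
    (4, "System", "192.168.100.255", 138, None),
    (3176, OPT, "185.199.110.133", 443, "raw.githubusercontent.com"),
    (1372, "svchost.exe", "93.184.221.240", 80, "ctldl.windowsupdate.com"),
    (1372, "svchost.exe", "2.16.164.120", 80, "crl.microsoft.com"),
    (1372, "svchost.exe", "88.221.169.152", 80, "www.microsoft.com"),
    (1060, "svchost.exe", "93.184.221.240", 80, "ctldl.windowsupdate.com"),
]


def is_local_noise(ip, port):
    """Heuristic for this lab: multicast, the /24 broadcast address, and LLMNR/WS-Discovery/NetBIOS ports."""
    return ip.startswith(("224.", "239.")) or ip == "192.168.100.255" or port in (137, 138, 5355, 3702)


def find_elevation_relaunches(procs):
    """Children whose parent image is their own image and where another instance of that
    image runs at a lower integrity level: the shape of a self-relaunch through elevation."""
    by_image = defaultdict(list)
    for p in procs:
        by_image[p["image"]].append(p)
    hits = []
    for child in procs:
        if child["parent_image"] != child["image"]:
            continue
        for parent in by_image[child["image"]]:
            if parent["pid"] != child["pid"] and LEVELS[parent["integrity"]] < LEVELS[child["integrity"]]:
                hits.append({"parent_pid": parent["pid"], "child_pid": child["pid"],
                             "from": parent["integrity"], "to": child["integrity"], "image": child["image"]})
    return hits


def _blank(pid, image):
    return {"pid": pid, "image": image, "parent_image": None, "integrity": None, "dropped": [], "remote": []}


def summarize(procs, dropped, connections):
    """Per-PID join of the three tables. Unmonitored PIDs (seen only in the file or
    network tables) keep integrity None."""
    s = {p["pid"]: dict(p, dropped=[], remote=[]) for p in procs}
    for pid, path in dropped:
        s.setdefault(pid, _blank(pid, "(unknown)"))["dropped"].append(path)
    for pid, image, ip, port, host in connections:
        entry = s.setdefault(pid, _blank(pid, image))
        if not is_local_noise(ip, port):
            entry["remote"].append((host or ip, port))
    return s


def elevated_writers_with_network(summary):
    """PIDs at HIGH or above that both wrote files and reached a remote host."""
    return sorted(pid for pid, x in summary.items()
                  if LEVELS.get(x["integrity"], 0) >= LEVELS["HIGH"] and x["dropped"] and x["remote"])


def sample_originated_remotes(summary, sample_image):
    """Remote (host, port) pairs reached by any instance of the sample's image."""
    return sorted({r for x in summary.values() if x["image"] == sample_image for r in x["remote"]})


if __name__ == "__main__":
    for h in find_elevation_relaunches(PROCESSES):
        print("relaunch: %(image)s pid %(parent_pid)d (%(from)s) -> pid %(child_pid)d (%(to)s)" % h)
    s = summarize(PROCESSES, DROPPED, CONNECTIONS)
    print("elevated, wrote files, talked out:", elevated_writers_with_network(s))
    print("sample remotes:", sample_originated_remotes(s, OPT))
```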
Total events: 10 689
Read events: 10 633
Write events: 56
Delete events: 0

Modification events (10 of the 56 write events, all by PID 3332, WinRAR.exe)

HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes: write ShellExtBMP = (empty)
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes: write ShellExtIcon = (empty)
HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E: write LanguageList = en-US
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory: write 3 = C:\Users\admin\Desktop\phacker.zip
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory: write 2 = C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory: write 1 = C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory: write 0 = C:\Users\admin\AppData\Local\Temp\sellix.91e917-21ffd3c0b9-154a05.1719480525.zip
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths: write name = 120
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths: write size = 80
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths: write type = 120

Every write shown here is WinRAR housekeeping (theme, MUI cache, column widths, recent-archive list); none comes from the Optimizer processes. ArcHistory entry 0 is this sample; entries 1 to 3 (curl-8.5.0_1-win32-mingw.zip, Win7-KB3191566-x86.zip, phacker.zip) are older archives in WinRAR's history on the sandbox image and appear nowhere else in this report, so they are not artifacts of the sample.
Executable files: 1
Suspicious files: 2
Text files: 19
Unknown types: 0

Dropped files (all rows shown were written by PID 3176, 656cac5f0d5f7-Optimizer-14.6.exe.exe; type: text)

C:\ProgramData\Optimizer\ReadyMadeMenus\DesktopShortcuts.reg
  MD5: 1213A1260BE0789ADE56ED9BA6656FCA
  SHA256: 52B190CD52671BA5652AFE574245D72DD91AD0EC4168EA405EECC90BF6365BEA
C:\ProgramData\Optimizer\ReadyMadeMenus\SystemTools.reg
  MD5: 13B285768D5140BC337089840E1A9A3B
  SHA256: 0DC2F4E580BF09632E0961F857556D5F9378A9EBDE76F4D89F302E02DD829C21
C:\ProgramData\Optimizer\Required\OneDrive_Uninstaller.cmd
  MD5: 522F706E19F359A973C17722C61478ED
  SHA256: 43F50E6AD08310C365F143301685950330B15AD58AD4B45EFCBA37D876CB1021
C:\ProgramData\Optimizer\ReadyMadeMenus\WindowsApps.reg
  MD5: A1714039AB00D6275EF7EF2559346D71
  SHA256: 21223E33A52A85EC5EA797457DDF8458A5040760BABC5E5367646C312D74D5D4
C:\ProgramData\Optimizer\ReadyMadeMenus\RemoveTakeOwnership.reg
  MD5: 01AE3E08513E213ECF621F92B9F0B47C
  SHA256: 177FB8F30D10E50115500D1B2AF488A9D885FBA42C2FB22E6FBBEE337806AF19
C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.bat
  MD5: FED75B5CB9D9F4EC5EE22B8FD304CCF7
  SHA256: D884C0D04BA09B113D9439D2F8C0B7ED322111AE2E3ED802F6A95278FF8E0AC2
C:\ProgramData\Optimizer\Required\EnableOfficeTelemetryTasks.bat
  MD5: 8E83AAC7A144BB7460A3D7235442B802
  SHA256: 275F9E1A0701F097C4CB9505D42E1EF3D5DD0AE9ABA2CBB399F7EBB23E3E8773
C:\ProgramData\Optimizer\Required\DisableXboxTasks.bat
  MD5: 39618D49DE20114A6E4412507C4AD156
  SHA256: AFF075485C4139EC19FA8C3EA1F9AFDCD4C3B6894BB93A56474273E027A7162F
C:\ProgramData\Optimizer\Required\EnableOfficeTelemetryTasks.reg
  MD5: 97A7511DF9DFCE26F0D26F5B6FEB04B9
  SHA256: D542F1DFA289BC49DBDBD3A2ED9D9C0A3134367396B5C9AEC8D554DDFB993067
C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.reg
  MD5: 2446DEB7E8DFD6336A44E1D53DF9CF33
  SHA256: 61B217EF0FF73B6F35D8FF86096F2DB483785CB7532687EBDF0D4CD029EBAB2A

Ten rows are reproduced against counts of 1 executable, 2 suspicious and 19 text files, so this list is partial, and the executable counted above is not among the rows shown. What is shown is a consistent set: .reg files under ReadyMadeMenus and .bat/.cmd/.reg pairs under Required whose names describe enabling or disabling Office telemetry and Xbox scheduled tasks and uninstalling OneDrive, i.e. the tweaks a system "optimizer" would apply. The hashes are the indicators to pivot on; the file names alone do not establish whether the contents are benign, and the full report is where the remaining rows and the file contents can be inspected.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 13
DNS requests: 6
Threats: 0

HTTP requests

PID 1372 svchost.exe: GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 via 93.184.221.240:80, HTTP 304 (CN/type/size/reputation columns: unknown, unknown)
PID 1372 svchost.exe: GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl via 2.16.164.120:80, HTTP 200 (unknown, unknown)
PID 1060 svchost.exe: GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b via 93.184.221.240:80, HTTP 304 (unknown, unknown)
PID 1372 svchost.exe: GET http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl via 88.221.169.152:80, HTTP 200 (unknown, unknown)

All four requests come from svchost.exe (PIDs 1372 and 1060), not from the sample: the disallowed-certificate CTL download and the Microsoft CRL fetches are routine Windows certificate-trust traffic. The sample's own connection (PID 3176 to raw.githubusercontent.com) is TLS on port 443 and is not decoded in this list; the PCAP in the full report is where to look at it.

Connections (PID, process, IP:port, domain, ASN, country, reputation)

1060 svchost.exe → 224.0.0.252:5355 (unknown)
4 System → 192.168.100.255:137 (whitelisted)
2564 svchost.exe → 239.255.255.250:3702 (whitelisted)
1372 svchost.exe → 20.73.194.208:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, NL (whitelisted)
4 System → 192.168.100.255:138 (whitelisted)
3176 656cac5f0d5f7-Optimizer-14.6.exe.exe → 185.199.110.133:443, raw.githubusercontent.com, FASTLY, US (unknown)
1372 svchost.exe → 93.184.221.240:80, ctldl.windowsupdate.com, EDGECAST, GB (whitelisted)
1372 svchost.exe → 2.16.164.120:80, crl.microsoft.com, Akamai International B.V., NL (unknown)
1372 svchost.exe → 88.221.169.152:80, www.microsoft.com, AKAMAI-AS, DE (whitelisted)
1060 svchost.exe → 93.184.221.240:80, ctldl.windowsupdate.com, EDGECAST, GB (whitelisted)

The only sample-originated connection is PID 3176 to raw.githubusercontent.com on 443, and it is the one row with an "unknown" reputation that matters. The 224.0.0.252:5355, 239.255.255.250:3702 and 192.168.100.255:137/138 rows are LLMNR, WS-Discovery and NetBIOS traffic on the lab network, and the svchost.exe rows to Microsoft hosts match the certificate-trust requests in the HTTP table. GitHub raw content is a common place to host both legitimate update manifests and second-stage payloads, so what was fetched cannot be judged from this summary; the full report's PCAP is needed for that.

DNS requests

Domain
IP
Reputation
raw.githubusercontent.com
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.109.133
  • 185.199.111.133
shared
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.72
  • 2.16.164.106
  • 2.16.164.49
  • 2.16.164.9
  • 2.16.164.43
  • 2.16.164.18
  • 2.16.164.114
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted

Threats

No threats detected
No debug info