analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Документы р.ф. от 15.07.2019р.lzh

Full analysis: https://app.any.run/tasks/7a6e3b2d-1193-4ec2-9c59-e6e21ec9f6ef
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: July 17, 2019, 13:17:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-lzh-compressed
File info: LHa (2.x)/LHark archive data [lh7], with "\252\253\250\245\255\342.jpeg"
MD5:

4D7ADE984A00682648446148660E92A1

SHA1:

434A7AA42C63C3D775E60A6380B88720144E7FA0

SHA256:

C7FA537D970DE378DD8DA4DE49EBE78700D29C9ADF45C8E5E70F816A1D2C7DED

SSDEEP:

1536:bA5N8Z/pDUudRkAMf4lPcrdhB9Ktz5TST7Rq1h+q+9rvBwJNz:bA5OZ/ScRFsdpKHqlqrdelwJNz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • windanr.exe (PID: 2992)
      • SearchProtocolHost.exe (PID: 2108)
      • WinRAR.exe (PID: 3848)
      • DllHost.exe (PID: 3224)
      • DllHost.exe (PID: 2560)
      • WScript.exe (PID: 3724)
      • 598236.exe (PID: 500)
      • WerFault.exe (PID: 836)
      • svchost.exe (PID: 312)

    • Application was dropped or rewritten from another process

      • 598236.exe (PID: 500)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 3724)

  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 3724)

    • Executed via COM

      • DllHost.exe (PID: 3224)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3724)
      • 598236.exe (PID: 500)

  • INFO

    • Manual execution by user

      • WScript.exe (PID: 3724)

    • Reads Microsoft Office registry keys

      • SearchProtocolHost.exe (PID: 2108)

    • Application was crashed

      • 598236.exe (PID: 500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lzh/lha | LHARC/LZARK compressed archive (generic) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
9
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs PhotoViewer.dll no specs wscript.exe 598236.exe windanr.exe no specs Thumbnail Cache Out of Proc Server no specs searchprotocolhost.exe no specs svchost.exe no specs werfault.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3848"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Документы р.ф. от 15.07.2019р.lzh"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3224C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3724"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\aásp¡«¬ Sá¬Gpaá n 127 «G 15.07.2019a..js" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
500C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\598236.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\598236.exe
WScript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
2992"windanr.exe"C:\Windows\system32\windanr.exeqemu-ga.exe
User:
admin
Integrity Level:
MEDIUM
2560C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2108"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10007_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10007 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
312C:\Windows\System32\svchost.exe -k WerSvcGroupC:\Windows\System32\svchost.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
836C:\Windows\system32\WerFault.exe -u -p 500 -s 96C:\Windows\system32\WerFault.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
736
Read events
673
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
0
Unknown types
3

Dropped files

PID
Process
Filename
Type
3848WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3848.267\aásp¡«¬ Sá¬Gpaá n 127 «G 15.07.2019a..js
MD5:
SHA256:
3848WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3848.623\¬½¿Ñ¡G.jpeg
MD5:
SHA256:
2108SearchProtocolHost.exeC:\Users\admin\Documents\Outlook Files\[email protected]
MD5:
SHA256:
2108SearchProtocolHost.exeC:\Users\admin\Documents\Outlook Files\[email protected]pst
MD5:3DC663195E7181C60F0B84B4ED9BDFF9
SHA256:14218028B94A114677B59B233D331E416F5024461B6824CD4E60068414A6E3CE
3724WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\malashop[1].exeexecutable
MD5:21B8EBED4DE64207DEDD935D8441E803
SHA256:2B3F9DF82BCC1235ED14C374D3967567F1EDB5AACADF5AB529DEDFC9B2D7F76F
836WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\598236.exe.500.dmpdmp
MD5:7B457B9B77AAFD98BFD03B855829B5C8
SHA256:AE3456748DA1EC4D03FEB287E9B70761331552D6CF2FDBA0FB86173980122F2A
3724WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\598236.exeexecutable
MD5:21B8EBED4DE64207DEDD935D8441E803
SHA256:2B3F9DF82BCC1235ED14C374D3967567F1EDB5AACADF5AB529DEDFC9B2D7F76F
836WerFault.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_598236.exe_8b9aa6eaaa475ae170303ce76743f89ab9c15466_034b7e00\Report.werbinary
MD5:86718D2D6FC5F08AF45A0B47306E4BB2
SHA256:F129AF54BE629DC4C44FB17FCFCC83D4A518AD1636B8E197CA4B04BEAF50F810
3724WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
500598236.exeC:\Users\admin\AppData\Local\Temp\6B79.tmpexecutable
MD5:ED60C95C805DBAEE92C90C3AB930085A
SHA256:D35574D2CC42B4EDBF217A86639864422FBE02443250A36EB2CD11B22F165C39
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3724
WScript.exe
GET
200
47.254.69.179:80
http://informatioshopname.ru/partiya/malashop.exe
US
executable
268 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3724
WScript.exe
47.254.69.179:80
informatioshopname.ru
Alibaba (China) Technology Co., Ltd.
US
suspicious

DNS requests

Domain
IP
Reputation
informatioshopname.ru
  • 47.254.69.179
malicious

Threats

PID
Process
Class
Message
3724
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Документы р.ф. от 15.07.2019р.lzh