| File name: | 13637570622.zip |
| Full analysis: | https://app.any.run/tasks/932dd450-a97f-4e5d-b56a-d6081d5921f2 |
| Verdict: | Malicious activity |
| Analysis date: | December 20, 2023, 14:08:22 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 69498407112893D4B3C4C98B88581EFF |
| SHA1: | D3C6E0C131C388CF70E8D9433A70852CF22F4891 |
| SHA256: | C9C71D98989AF8739C6C98D6A90A3FA47475330B1CC008FE02F96D008CB6D774 |
| SSDEEP: | 393216:l0E/pwkgv5Lw4MNIg+SehH/h4PkXsqXyIh8Z/sb01A:HpwF5s4tg+Se9W6nCZ/swC |
MALICIOUS
Drops the executable file immediately after the start
- setup.exe (PID: 5588)
- Advanced_IP_Scanner.exe (PID: 6136)
- Advanced_IP_Scanner.tmp (PID: 1724)
- Advanced_IP_Scanner.exe (PID: 2968)
SUSPICIOUS
Process drops legitimate windows executable
- WinRAR.exe (PID: 1904)
- setup.exe (PID: 5588)
- Advanced_IP_Scanner.tmp (PID: 1724)
Application launched itself
- WinRAR.exe (PID: 5164)
The process drops C-runtime libraries
- setup.exe (PID: 5588)
Loads Python modules
- pythonw.exe (PID: 4288)
- pythonw.exe (PID: 776)
Reads the Windows owner or organization settings
- Advanced_IP_Scanner.tmp (PID: 1724)
INFO
Checks supported languages
- TextInputHost.exe (PID: 2496)
- setup.exe (PID: 5588)
- Advanced_IP_Scanner.exe (PID: 6136)
- Advanced_IP_Scanner.tmp (PID: 1724)
- pythonw.exe (PID: 4288)
- setup.exe (PID: 5408)
- Advanced_IP_Scanner.exe (PID: 2968)
- Advanced_IP_Scanner.tmp (PID: 1372)
- pythonw.exe (PID: 776)
Reads the computer name
- TextInputHost.exe (PID: 2496)
- setup.exe (PID: 5588)
- Advanced_IP_Scanner.tmp (PID: 1724)
- setup.exe (PID: 5408)
- Advanced_IP_Scanner.tmp (PID: 1372)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 1904)
Process checks computer location settings
- setup.exe (PID: 5588)
- setup.exe (PID: 5408)
Create files in a temporary directory
- Advanced_IP_Scanner.exe (PID: 6136)
- Advanced_IP_Scanner.exe (PID: 2968)
- Advanced_IP_Scanner.tmp (PID: 1724)
Reads the machine GUID from the registry
- pythonw.exe (PID: 4288)
- pythonw.exe (PID: 776)
Creates files or folders in the user directory
- setup.exe (PID: 5588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0009 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 1980:00:00 00:00:00 |
| ZipCRC: | 0x21e54071 |
| ZipCompressedSize: | 42581401 |
| ZipUncompressedSize: | 42569435 |
| ZipFileName: | 502f28c06338d9fc9c2994292be0f8dea3a199455ca749307b3bfc29fec5ca83 |
Total processes
135
Monitored processes
11
Malicious processes
4
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 776 | C:\Users\admin\AppData\Local\Notepad\pythonw.exe C:\Users\admin\AppData\Local\Notepad\slv.py | C:\Users\admin\AppData\Local\Notepad\pythonw.exe | — | setup.exe | |||||||||||
User: admin Company: Python Software Foundation Integrity Level: MEDIUM Description: Python Exit code: 2 Version: 3.10.11 Modules
| |||||||||||||||
| 1372 | "C:\Users\admin\AppData\Local\Temp\is-NRJK8.tmp\Advanced_IP_Scanner.tmp" /SL5="$4029A,20439558,139776,C:\Users\Public\Downloads\Advanced_IP_Scanner.exe" | C:\Users\admin\AppData\Local\Temp\is-NRJK8.tmp\Advanced_IP_Scanner.tmp | — | Advanced_IP_Scanner.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 1 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 1724 | "C:\Users\admin\AppData\Local\Temp\is-A2JFI.tmp\Advanced_IP_Scanner.tmp" /SL5="$30296,20439558,139776,C:\Users\Public\Downloads\Advanced_IP_Scanner.exe" | C:\Users\admin\AppData\Local\Temp\is-A2JFI.tmp\Advanced_IP_Scanner.tmp | — | Advanced_IP_Scanner.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 2 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 1904 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb5164.32364\502f28c06338d9fc9c2994292be0f8dea3a199455ca749307b3bfc29fec5ca83.zip | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2496 | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Exit code: 0 Version: 2001.22012.0.3920 Modules
| |||||||||||||||
| 2968 | "C:\Users\Public\Downloads\Advanced_IP_Scanner.exe" | C:\Users\Public\Downloads\Advanced_IP_Scanner.exe | setup.exe | ||||||||||||
User: admin Company: Famatech Corp. Integrity Level: HIGH Description: Advanced IP Scanner Setup Exit code: 1 Version: 2.5.4594.1 Modules
| |||||||||||||||
| 4288 | C:\Users\admin\AppData\Local\Notepad\pythonw.exe C:\Users\admin\AppData\Local\Notepad\slv.py | C:\Users\admin\AppData\Local\Notepad\pythonw.exe | — | setup.exe | |||||||||||
User: admin Company: Python Software Foundation Integrity Level: MEDIUM Description: Python Exit code: 2 Version: 3.10.11 Modules
| |||||||||||||||
| 5164 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\13637570622.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 5408 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1904.44083\setup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1904.44083\setup.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Secure Biometrics Exit code: 2147942402 Version: 10.0.19041.1706 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5588 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1904.33356\setup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1904.33356\setup.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Secure Biometrics Exit code: 2147942402 Version: 10.0.19041.1706 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
4 573
Read events
4 514
Write events
55
Delete events
4
Modification events
| (PID) Process: | (5164) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\General |
| Operation: | write | Name: | VerInfo |
Value: 003C050012F8FE6A437AD701 | |||
| (PID) Process: | (5164) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\SpybotAntiBeaconPortable-safer-networking.org_3.7.0.paf.zip | |||
| (PID) Process: | (5164) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\MicrosoftEdgePolicyTemplates.cab | |||
| (PID) Process: | (5164) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\MicrosoftEdgePolicyTemplates.zip | |||
| (PID) Process: | (5164) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (5164) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (5164) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (5164) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (5164) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Downloads\13637570622.zip | |||
| (PID) Process: | (5164) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths |
| Operation: | write | Name: | name |
Value: 256 | |||
Executable files
85
Suspicious files
40
Text files
281
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5164 | WinRAR.exe | C:\Users\admin\Downloads\__rzi_5164.32162 | — | |
MD5:— | SHA256:— | |||
| 5164 | WinRAR.exe | C:\Users\admin\Downloads\13637570622.zip | — | |
MD5:— | SHA256:— | |||
| 5164 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb5164.32364\502f28c06338d9fc9c2994292be0f8dea3a199455ca749307b3bfc29fec5ca83.zip | — | |
MD5:— | SHA256:— | |||
| 1904 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1904.33356\iumbase.dll | — | |
MD5:— | SHA256:— | |||
| 5164 | WinRAR.exe | C:\Users\admin\AppData\Roaming\WinRAR\version.dat | binary | |
MD5:5AE463027726476C4534B67189671A87 | SHA256:DE22A4DDB59CEB55F8A8DD4DDF3817CEE2CAE3370D5C1EBFE7DB61E40DDB5FB0 | |||
| 1904 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1904.33356\advanced_ip_scanner_en_us.qm | qm | |
MD5:FA3064E9270B3CE8D90EF2C4E00277C5 | SHA256:BA4E20952EAE5DD959F1C0D3A4B9726A37BD81645D9DDE6B83C1E367032C77CD | |||
| 1904 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1904.33356\details_panel_uk_ua.tpl | html | |
MD5:280FFC27B6422BD266F49BE7798DB4D9 | SHA256:5DC9054AD67076F853743C7512BEC17071EF732A13B6BE5D0C18A39F7DBF32C6 | |||
| 1904 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1904.33356\advanced_ip_scanner_uk_ua.qm | qm | |
MD5:EE64BC556D9E554E5122531BBA368240 | SHA256:11D722019F26DAEF74AF7EAE33823B4625D4EBBC33352D5EFAC85D19B2BA0658 | |||
| 1904 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1904.33356\service_probes | binary | |
MD5:637FB65A1755C4B6DC1E0428E69B634E | SHA256:B3B1FF7E3D1D4F438E40208464CEBFB641B434F5BF5CF18B7CEC2D189F52C1B6 | |||
| 5588 | setup.exe | C:\Users\admin\AppData\Local\Notepad\Cryptodome\Cipher\ARC4.py | text | |
MD5:B7DB48C5F7014ACBC825C6E17DA74016 | SHA256:4CD3C14EC39AC5F0C6E032228D7BAD4729AB4C7A0430AC2F685BE1C2C89FEB26 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
37
DNS requests
15
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1092 | svchost.exe | POST | 302 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | — | — | unknown |
1092 | svchost.exe | POST | 302 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | — | — | unknown |
3200 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | binary | 418 b | unknown |
2644 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | binary | 471 b | unknown |
2908 | svchost.exe | GET | 200 | 23.212.210.158:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown |
1092 | svchost.exe | POST | 302 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | — | — | unknown |
1092 | svchost.exe | POST | 302 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | — | — | unknown |
1092 | svchost.exe | POST | 302 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | — | — | unknown |
2580 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown |
3200 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | binary | 409 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3720 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
5612 | MoUsoCoreWorker.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
2580 | svchost.exe | 40.126.31.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1092 | svchost.exe | 23.35.238.131:80 | go.microsoft.com | AKAMAI-AS | DE | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1092 | svchost.exe | 20.231.121.79:80 | dmd.metaservices.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
2580 | svchost.exe | 192.229.221.95:80 | — | EDGECAST | US | whitelisted |
1092 | svchost.exe | 138.91.171.81:80 | dmd.metaservices.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
3200 | SIHClient.exe | 13.85.23.86:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3200 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
login.live.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
dmd.metaservices.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
x1.c.lencr.org |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
dns.msftncsi.com |
| shared |