File name: Q9om3ev2DO1d6cA6F9KbTA(1).zip
Full analysis: https://app.any.run/tasks/8cce8c77-0276-4357-88d7-414c7d0e47a8
Verdict: Malicious activity
Analysis date: November 15, 2018, 02:46:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 9059962192E58A0F89A3B05C871A5F89
SHA1: C2B8A2FD5F2D1543D2E5A331800B0A5E3D65BA87
SHA256: CA4467AA603DB93689AD3969149D588CF7C7F6F170F437A8BFE026003DEE67A0
SSDEEP: 393216:uhcSwW4rtvUtKwzeF/+HhoeMKaGUP3jkK:uB2UwwzeF/+BzMKaGUPgK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • PhotoViewer_v1.4.0.9_sem2_001.exe (PID: 588)
      • PhotoViewer_v1.4.0.9_sem2_001.exe (PID: 2452)
      • PhotoViewer.exe (PID: 3124)
      • PdfReader.exe (PID: 3556)
      • PhotoViewer.exe (PID: 3500)
      • Report.exe (PID: 2592)
      • UpdateCheck.exe (PID: 2852)
      • Report.exe (PID: 4088)
      • PhotoViewer.exe (PID: 3268)
    • Registers / Runs the DLL via REGSVR32.EXE
      • PhotoViewer_v1.4.0.9_sem2_001.exe (PID: 2452)
    • Loads the Task Scheduler COM API
      • PhotoViewer_v1.4.0.9_sem2_001.exe (PID: 2452)
      • PhotoViewer.exe (PID: 3500)
      • PhotoViewer.exe (PID: 3268)
    • Loads dropped or rewritten executable
      • svchost.exe (PID: 1772)
      • regsvr32.exe (PID: 3572)
      • PhotoViewer.exe (PID: 3124)
      • PdfReader.exe (PID: 3556)
      • svchost.exe (PID: 832)
      • regsvr32.exe (PID: 348)
      • PhotoViewer.exe (PID: 3500)
      • PhotoViewer.exe (PID: 3268)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3564)
      • PhotoViewer_v1.4.0.9_sem2_001.exe (PID: 2452)
    • Uses TASKKILL.EXE to kill process
      • PhotoViewer_v1.4.0.9_sem2_001.exe (PID: 2452)
    • Creates files in the user directory
      • PhotoViewer_v1.4.0.9_sem2_001.exe (PID: 2452)
    • Creates or modifies Windows services
      • regsvr32.exe (PID: 3572)
    • Creates COM task schedule object
      • regsvr32.exe (PID: 348)
    • Creates files in the Windows directory
      • svchost.exe (PID: 832)
    • Creates a software uninstall entry
      • PhotoViewer_v1.4.0.9_sem2_001.exe (PID: 2452)
    • Modifies the open verb of a shell class
      • PdfReader.exe (PID: 3556)
      • PhotoViewer.exe (PID: 3124)
    • Reads Internet Explorer settings
      • PhotoViewer.exe (PID: 3500)
      • PhotoViewer.exe (PID: 3268)
    • Reads Internet Cache Settings
      • PhotoViewer.exe (PID: 3500)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD
  • .zip | ZIP compressed archive (100)

EXIF (ZIP)
  • ZipFileName: PhotoViewer_v1.4.0.9_sem2_001.exe_
  • ZipUncompressedSize: 16168352
  • ZipCompressedSize: 15102957
  • ZipCRC: 0x80219d79
  • ZipModifyDate: 2018:11:15 02:39:05
  • ZipCompression: Deflated
  • ZipBitFlag: 0x0009
  • ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 67
Monitored processes: 21
Malicious processes: 8
Suspicious processes: 1

Behavior graph

[Behavior graph rendered in the full report. Process nodes shown: winrar.exe, photoviewer_v1.4.0.9_sem2_001.exe (2), taskkill.exe (5), regsvr32.exe (4), svchost.exe (2), photoviewer.exe (3), pdfreader.exe, report.exe (2), updatecheck.exe; edges are labelled "start" and "drop and start".]

Process information

PID | CMD | Path | Parent process | User | Company | Integrity level | Description | Exit code | Version
3564 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Q9om3ev2DO1d6cA6F9KbTA(1).zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0
588 | "C:\Users\admin\Desktop\PhotoViewer_v1.4.0.9_sem2_001.exe" | C:\Users\admin\Desktop\PhotoViewer_v1.4.0.9_sem2_001.exe | explorer.exe | admin | 上海展盟网络科技有限公司 | MEDIUM | ABC看图安装包 (ABC Photo Viewer installer package) | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | 1.4.0.9
2452 | "C:\Users\admin\Desktop\PhotoViewer_v1.4.0.9_sem2_001.exe" | C:\Users\admin\Desktop\PhotoViewer_v1.4.0.9_sem2_001.exe | explorer.exe | admin | 上海展盟网络科技有限公司 | HIGH | ABC看图安装包 (ABC Photo Viewer installer package) | 0 | 1.4.0.9
3520 | "C:\Windows\System32\taskkill.exe" /f /im PhotoViewer.exe | C:\Windows\System32\taskkill.exe | PhotoViewer_v1.4.0.9_sem2_001.exe | admin | Microsoft Corporation | HIGH | Terminates Processes | 128 | 6.1.7600.16385 (win7_rtm.090713-1255)
3656 | "C:\Windows\System32\taskkill.exe" /f /im Photomanager.exe | C:\Windows\System32\taskkill.exe | PhotoViewer_v1.4.0.9_sem2_001.exe | admin | Microsoft Corporation | HIGH | Terminates Processes | 128 | 6.1.7600.16385 (win7_rtm.090713-1255)
3876 | "C:\Windows\System32\taskkill.exe" /f /im PdfReader.exe | C:\Windows\System32\taskkill.exe | PhotoViewer_v1.4.0.9_sem2_001.exe | admin | Microsoft Corporation | HIGH | Terminates Processes | 128 | 6.1.7600.16385 (win7_rtm.090713-1255)
4080 | "C:\Windows\System32\taskkill.exe" /f /im Update.exe | C:\Windows\System32\taskkill.exe | PhotoViewer_v1.4.0.9_sem2_001.exe | admin | Microsoft Corporation | HIGH | Terminates Processes | 128 | 6.1.7600.16385 (win7_rtm.090713-1255)
2484 | "C:\Windows\System32\taskkill.exe" /f /im Report.exe | C:\Windows\System32\taskkill.exe | PhotoViewer_v1.4.0.9_sem2_001.exe | admin | Microsoft Corporation | HIGH | Terminates Processes | 128 | 6.1.7600.16385 (win7_rtm.090713-1255)
3096 | "C:\Windows\system32\regsvr32.exe" /s /u C:\Users\admin\AppData\Roaming\PhotoViewer\ShellExt.dll | C:\Windows\system32\regsvr32.exe | PhotoViewer_v1.4.0.9_sem2_001.exe | admin | Microsoft Corporation | HIGH | Microsoft(C) Register Server | 3 | 6.1.7600.16385 (win7_rtm.090713-1255)
1996 | "C:\Windows\system32\regsvr32.exe" /s /u C:\Users\admin\AppData\Roaming\PhotoViewer\Checker.dll | C:\Windows\system32\regsvr32.exe | PhotoViewer_v1.4.0.9_sem2_001.exe | admin | Microsoft Corporation | HIGH | Microsoft(C) Register Server | 3 | 6.1.7600.16385 (win7_rtm.090713-1255)

The first installer instance (PID 588) exited with STATUS_ELEVATION_REQUIRED at MEDIUM integrity; the second instance (PID 2452) runs at HIGH integrity, which is consistent with a UAC elevation prompt having been accepted before the taskkill and regsvr32 children were spawned.
Total events: 3 707
Read events: 2 664
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 22
Suspicious files: 0
Text files: 114
Unknown types: 11

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Local\Temp\ABCPhotoView.7z | | |
832 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | txt | 9A24B65FCBC1386B75BEF6D800F00467 | CA84D551051C7FEEEB2E618C1ED21EF3A5511C3F4937EB969629F58AEADF58E6
2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Local\Temp\CheckABCPhotoView.7z.md5 | text | D3A69274F5AFD78BAF3962EB67A11E7D | 084DC4A0AED2CA57137B62A88A1FBB0F98B61485A640BD870405D564B784C213
2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\UpdateCheck.exe | executable | B337F848EAE3E82EF226237DC967CD5D | 662035F10460F746F54DAB734DD74519D23985708020A3055E79B186C0F2F61F
2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\render-gdi.dll | executable | 8D7FA3E6D279BF7E18ED1978B3A3DF0C | 920A6EF0B8D0180483F493C517475FD02260EE45FB92588B5E20B35695B59639
2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\Uninst.exe | executable | 0AF56280F0E3622309C4C16ABD51994A | BA6CF403C10A6CEEE80531F0BE8D9BB6A21448FC9079D4B618CF3D54B170DCAD
3564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3564.3830\PhotoViewer_v1.4.0.9_sem2_001.exe_ | executable | 63C8853AB225B5764FBA1ABC5D2C897B | B9C1693F726F0AF9378FB5AC979986A60430D2262B47E0B34E6C29EC264D0DA0
2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\CaptureScreen.exe | executable | 3E4C0737DA7CFB1777AC4B780F111BAC | 098237F348DBD21280CC2D1B685BA0B08792E95D0C27EF72B6CCD9724A41EC31
2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\PhotoManager.exe | executable | 6EB403F6D631E7A383C4235B04905C06 | 962A275F2318366B470018BEC4E76BB7FBB1C02585DDC11ADAEE77BA1347CAFF
2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\imgdecoder-gdip.dll | executable | 397E4E197ED636452CC708136DE66DBA | 9C788ADF50510B2C52B088C1DFD551B397FE9BBE795FFB9A60C20F0136CC85EB
HTTP(S) requests: 16
TCP/UDP connections: 33
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
3500 | PhotoViewer.exe | GET | 200 | 221.204.58.110:80 | http://ktnews.7654.com/css/reset.css | CN | text | 915 b | malicious
3500 | PhotoViewer.exe | GET | 200 | 221.204.58.110:80 | http://ktnews.7654.com/css/reset.css | CN | text | 915 b | malicious
3500 | PhotoViewer.exe | GET | 200 | 221.204.58.110:80 | http://ktnews.7654.com/ | CN | html | 625 b | malicious
3500 | PhotoViewer.exe | GET | 200 | 221.204.58.110:80 | http://ktnews.7654.com/imgs/img_ktnews.png | CN | image | 151 Kb | malicious
2592 | Report.exe | GET | 200 | 117.50.8.146:80 | http://kantu.shzhanmeng.com/2.gif?proj=kantu&food=D5CmfVa3GLYOp7vJfg4eJzBqmNAKk4D5s4iWrN493HliZr6wPa/CkXSxSZeMkN3tRtfydHIcsV42Yzqrr7+GtJJBI5QFK8z8U2RX8GLddccSGIoJg7vNdjWpw+ZrQgGaLfjlF0vKjuYXrZ9Mt7VXiZHYoT/CQsAIbplnJQkJ/X7SB+cm3zLQ/v+QM4SihKRgD0GmsjWNgFLv20Z9bFnvcskH | CN | image | 43 b | malicious
3500 | PhotoViewer.exe | GET | 200 | 221.204.58.110:80 | http://ktnews.7654.com/css/index.css | CN | text | 449 b | malicious
3500 | PhotoViewer.exe | GET | 200 | 221.204.58.110:80 | http://ktnews.7654.com/imgs/news_logo.png | CN | image | 824 b | malicious
4088 | Report.exe | GET | 200 | 117.50.8.146:80 | http://kantu.shzhanmeng.com/2.gif?proj=kantu&food=D5CmfVa3GLYOp7vJfg4eJzBqmNAKk4D5s4iWrN493HliZr6wPa/CkXSxSZeMkN3tRtfydHIcsV42Yzqrr7+GtJJBI5QFK8z8U2RX8GLddccSGIoJg7vNdjWpw+ZrQgGaLfjlF0vKjuYXrZ9Mt7VXiZHYoT/CQsAIbplnJQkJ/X7SB+cm3zLQ/v+QM4SihKRgD0GmsjWNgFLv2kp7bFnvcskGlB4xiguZm09g7d6kxrOn41QeX6lX5bD7QYXD9rTXWnL4KKKIV1ok1PKIe1y9OYBoVb5pYCgcsOMREN2LDtYl | CN | image | 43 b | malicious
3500 | PhotoViewer.exe | GET | 200 | 221.204.58.110:80 | http://ktnews.7654.com/js/data.js | CN | text | 643 b | malicious
4088 | Report.exe | GET | 200 | 117.50.8.146:80 | http://kantu.shzhanmeng.com/2.gif?proj=kantu&food=D5CmfVa3GLYOp7vJfg4eJzBqmNAKk4D5s4iWrN493HliZr6wPa/CkXSxSZeMkN3tRtfydHIcsV42Yzqrr7+GtJJBI5QFK8z8U2RX8GLddccSGIoJg7vNdjWpw+ZrQgGaLfjlF0vKjuYXrZ9Mt7VXiZHYoT/CQsAIbplnJQkJ/X7SB+cm3zLQ/v+QM4SihKR1HwiqtjGZ3ga9jhJ2GlDjcpta3BY/wR6V0w4xuJjzkOvzsg9dXbUY8r+uV4nf6O6IUmjnPLnIA1YmgqTYM0yk | CN | image | 43 b | malicious

The three Report.exe requests to kantu.shzhanmeng.com/2.gif carry a long encoded "food" parameter in a 1x1-pixel style GET and receive a 43-byte image in reply, the pattern of a telemetry or check-in beacon rather than a content fetch.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3500 | PhotoViewer.exe | 221.204.58.110:80 | ktnews.7654.com | CHINA UNICOM China169 Backbone | CN | suspicious
2592 | Report.exe | 117.50.8.146:80 | kantu.shzhanmeng.com | China Unicom Beijing Province Network | CN | malicious
3500 | PhotoViewer.exe | 43.224.184.222:80 | down2.abckantu.com | Computer Network Information Center | CN | suspicious
2592 | Report.exe | 43.224.184.222:80 | down2.abckantu.com | Computer Network Information Center | CN | suspicious
2592 | Report.exe | 43.224.184.221:80 | down2.abckantu.com | Computer Network Information Center | CN | unknown
3500 | PhotoViewer.exe | 43.224.184.221:80 | down2.abckantu.com | Computer Network Information Center | CN | unknown
3500 | PhotoViewer.exe | 221.204.166.22:80 | ktnews.7654.com | CHINA UNICOM China169 Backbone | CN | malicious
2592 | Report.exe | 43.224.184.217:80 | down2.abckantu.com | Computer Network Information Center | CN | unknown
2592 | Report.exe | 43.224.184.219:80 | down2.abckantu.com | Computer Network Information Center | CN | unknown
2592 | Report.exe | 43.224.184.235:80 | down2.abckantu.com | Computer Network Information Center | CN | unknown

DNS requests

Domain | Resolved IPs | Reputation
kantu.shzhanmeng.com | 117.50.8.146 | malicious
ktnews.7654.com | 221.204.58.110, 125.211.204.209, 221.204.166.22, 36.248.26.201, 221.204.60.63, 123.6.6.112, 125.211.204.225, 211.91.160.204, 218.11.8.104, 112.132.32.105, 221.204.166.36, 221.204.60.123, 221.204.166.20, 221.204.166.38, 121.29.54.65 | malicious
down2.abckantu.com | 43.224.184.222, 43.224.184.221, 43.224.184.217, 43.224.184.235, 43.224.184.219, 43.224.184.234, 43.224.184.220, 43.224.184.218 | unknown
cdn3.guangsuss.com | 221.204.166.22, 36.248.26.201, 221.204.60.63, 123.6.6.112, 125.211.204.225, 211.91.160.204, 218.11.8.104, 112.132.32.105, 221.204.166.36, 221.204.60.123, 221.204.166.20, 221.204.166.38, 121.29.54.65, 221.204.58.110, 125.211.204.209 | malicious
dns.msftncsi.com | 131.107.255.255 | shared

ktnews.7654.com and cdn3.guangsuss.com resolve to the same set of 15 addresses, so the two names share one CDN or hosting pool; dns.msftncsi.com is the Windows Network Connectivity Status Indicator probe and is benign background traffic.

Threats

No threats detected

Process | Message
PhotoViewer.exe | ~ImageProxy()
PhotoViewer.exe | ~ImageProxy()
PhotoViewer.exe | ~ImageProxy()
PhotoViewer.exe | ~ImageProxy()
PhotoViewer.exe | ~ImageProxy()
PhotoViewer.exe | ~ImageProxy()
PhotoViewer.exe | ~ImageProxy()
PhotoViewer.exe | ~ImageProxy()