Sample: Ana.zip

Full analysis: https://app.any.run/tasks/c17439ba-bf1c-4ef6-9c55-a5e6712ff53c
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Their capabilities vary by family, from maintaining full remote control over the victim's machine to stealing data and files and dropping other malware. The most common trojan infection chain starts with a phishing email.

Analysis date: October 14, 2019, 16:36:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract
MD5:

3C5430E07584540249682FB103D226F6

SHA1:

CB3F679EB4F71AD27B688A9A345099433D3456F5

SHA256:

CAAC656E4E29166CAC506A18C2A4DA3C11F645380A2D90AC3E695AE9989AECED

SSDEEP:

49152:sz1kljUXHsNl9R4W/iLHZP8q+bTCioHaYiOFOR3+Lf:shaUXsRaGcHZ0rCIY4ROb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • [email protected] (PID: 1520)
      • EN.EXE (PID: 884)
      • AV.EXE (PID: 3724)
      • SB.EXE (PID: 2488)
      • DB.EXE (PID: 3376)
      • AV2.EXE (PID: 236)
      • DB.EXE (PID: 3372)
      • setup46730704.exe (PID: 3796)
      • setup46730704.exe (PID: 2864)
      • iA17766EjDaE17766.exe (PID: 2056)
      • [email protected] (PID: 3280)
      • AV.EXE (PID: 3448)
      • AV2.EXE (PID: 2232)
      • DB.EXE (PID: 944)
      • SB.EXE (PID: 3216)
      • EN.EXE (PID: 3460)
      • setup274794624.exe (PID: 2396)
      • AV.EXE (PID: 2920)
      • EN.EXE (PID: 2004)
      • AV2.EXE (PID: 3072)
      • [email protected] (PID: 3260)
      • DB.EXE (PID: 2308)
      • setup274794624.exe (PID: 2932)
      • SB.EXE (PID: 2980)
      • RtlDriver32.exe (PID: 3820)
    • Loads the Task Scheduler COM API

      • SB.EXE (PID: 2488)
      • SB.EXE (PID: 3216)
    • Loads dropped or rewritten executable

      • spoolsv.exe (PID: 1204)
      • rundll32.exe (PID: 324)
    • Loads the Task Scheduler DLL interface

      • DB.EXE (PID: 3372)
    • Tries to delete the host file

      • spoolsv.exe (PID: 1204)
    • Changes settings of System certificates

      • rundll32.exe (PID: 3616)
      • AV.EXE (PID: 2920)
    • Connects to CnC server

      • AV2.EXE (PID: 236)
    • Changes the autorun value in the registry

      • iA17766EjDaE17766.exe (PID: 2056)
      • AV2.EXE (PID: 2232)
      • AV.EXE (PID: 2920)
      • AV2.EXE (PID: 3072)
      • RtlDriver32.exe (PID: 3820)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • [email protected] (PID: 1520)
      • SB.EXE (PID: 2488)
      • setup46730704.exe (PID: 2864)
      • DB.EXE (PID: 3372)
      • AV2.EXE (PID: 236)
      • spoolsv.exe (PID: 1204)
      • [email protected] (PID: 3280)
      • SB.EXE (PID: 3216)
      • setup274794624.exe (PID: 2932)
      • [email protected] (PID: 3260)
      • SB.EXE (PID: 2980)
      • AV.EXE (PID: 2920)
    • Application launched itself

      • DB.EXE (PID: 3376)
    • Starts itself from another location

      • SB.EXE (PID: 2488)
      • SB.EXE (PID: 3216)
      • AV.EXE (PID: 2920)
    • Creates files in the Windows directory

      • DB.EXE (PID: 3372)
      • spoolsv.exe (PID: 1204)
    • Executed via Task Scheduler

      • rundll32.exe (PID: 324)
    • Creates or modifies windows services

      • spoolsv.exe (PID: 1204)
    • Creates files in the program directory

      • AV2.EXE (PID: 236)
      • iA17766EjDaE17766.exe (PID: 2056)
    • Reads Internet Cache Settings

      • DB.EXE (PID: 3372)
    • Starts CMD.EXE for commands execution

      • DB.EXE (PID: 3372)
      • EN.EXE (PID: 884)
      • DB.EXE (PID: 944)
      • DB.EXE (PID: 2308)
      • EN.EXE (PID: 3460)
      • EN.EXE (PID: 2004)
    • Removes files from Windows directory

      • spoolsv.exe (PID: 1204)
    • Reads internet explorer settings

      • iA17766EjDaE17766.exe (PID: 2056)
    • Adds / modifies Windows certificates

      • AV.EXE (PID: 2920)
    • Creates files in the user directory

      • AV.EXE (PID: 2920)
  • INFO

No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: [email protected]
ZipUncompressedSize: 2173952
ZipCompressedSize: 1915381
ZipCRC: 0x00000000
ZipModifyDate: 2011:09:21 08:09:04
ZipCompression: 99 (reported as "Unknown"; method 99 is WinZip AES encryption)
ZipBitFlag: 0x0001 (bit 0 set: the entry is encrypted)
ZipRequiredVersion: 51 (5.1, the minimum version WinZip AES entries declare)

Taken together these fields mean Ana.zip is a password-protected, AES-encrypted archive; the zero CRC is what the AE-2 variant of WinZip AES stores in place of the real checksum. A scanner that cannot decrypt the entry sees only the container, which is why encrypted archives are a common mail-filter evasion, and the payload only ran here because the archive was opened in WinRAR (PID 392) during the interactive session.
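The three EXIF fields above (bit flag, method 99, required version 51) are all that is needed to classify an archive entry as AES-encrypted before anyone types a password. The following parser is an added example written for this page, not ANY.RUN code: it reads a ZIP local file header and its WinZip AES extra field (header ID 0x9901) and reports the encryption scheme, key size and the real compression method hidden behind method 99. The header bytes it runs on are constructed to mirror the values in this report (version 51, flag 0x0001, method 99, CRC 0, the sizes and date above); the file name "dropper.exe" and the ZipCrypto and plaintext comparison entries are placeholders.

```python
"""Triage a ZIP local file header for encryption without extracting it.

Added example for this report, not ANY.RUN code. The headers below are
constructed to mirror the EXIF values in the report (version needed 51,
bit flag 0x0001, method 99, CRC 0); "dropper.exe" is a placeholder name.
"""
import struct
from dataclasses import dataclass
from typing import Optional

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"   # 30-byte fixed part of a local file header
AES_EXTRA_ID = 0x9901                # WinZip AES extra-field header ID
METHOD_AES = 99                      # compression method 99 = WinZip AES encryption
FLAG_ENCRYPTED = 0x0001              # general-purpose bit 0: entry is encrypted
AES_STRENGTH = {1: 128, 2: 192, 3: 256}
METHOD_NAMES = {0: "stored", 8: "deflate", 99: "aes"}


@dataclass
class EntryInfo:
    filename: str
    version_needed: int
    flags: int
    method: int
    crc32: int
    encrypted: bool
    scheme: str                                # "none", "zipcrypto" or "aes"
    aes_bits: Optional[int] = None
    aes_vendor_version: Optional[int] = None   # 1 = AE-1 (CRC kept), 2 = AE-2 (CRC zeroed)
    inner_method: Optional[int] = None         # real compression hidden behind method 99


def parse_local_header(buf: bytes) -> EntryInfo:
    """Parse one local file header; no central directory is needed."""
    if len(buf) < 30 or buf[:4] != LOCAL_HEADER_SIG:
        raise ValueError("not a ZIP local file header")
    (_sig, ver, flags, method, _mtime, _mdate, crc, _csize, _usize,
     name_len, extra_len) = struct.unpack(LOCAL_HEADER_FMT, buf[:30])
    name = buf[30:30 + name_len].decode("cp437", errors="replace")
    extra = buf[30 + name_len:30 + name_len + extra_len]
    info = EntryInfo(name, ver, flags, method, crc, bool(flags & FLAG_ENCRYPTED), "none")
    if method == METHOD_AES:
        info.scheme = "aes"
        pos = 0                        # extra fields are <id:2><size:2><data:size> records
        while pos + 4 <= len(extra):
            fid, fsize = struct.unpack_from("<HH", extra, pos)
            data = extra[pos + 4:pos + 4 + fsize]
            if fid == AES_EXTRA_ID and fsize == 7:
                vendor_ver, vendor_id, strength, inner = struct.unpack("<H2sBH", data)
                if vendor_id == b"AE":
                    info.aes_vendor_version = vendor_ver
                    info.aes_bits = AES_STRENGTH.get(strength)
                    info.inner_method = inner
            pos += 4 + fsize
    elif info.encrypted:
        info.scheme = "zipcrypto"      # legacy PKWARE encryption: weak, but still a password gate
    return info


def summarize(info: EntryInfo) -> str:
    """One triage line per entry."""
    if info.scheme == "aes":
        return (f"{info.filename}: AES-{info.aes_bits} (AE-{info.aes_vendor_version}) encrypted, "
                f"inner method {METHOD_NAMES.get(info.inner_method, info.inner_method)}, "
                f"needs ZIP {info.version_needed // 10}.{info.version_needed % 10}")
    if info.scheme == "zipcrypto":
        return f"{info.filename}: ZipCrypto encrypted, method {METHOD_NAMES.get(info.method, info.method)}"
    return f"{info.filename}: not encrypted, method {METHOD_NAMES.get(info.method, info.method)}"


def build_header(name: bytes, flags: int, method: int, crc: int, extra: bytes = b"") -> bytes:
    """Constructed test input: a local header with no payload behind it."""
    fixed = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 51, flags, method,
                        0x4122, 0x3F35,              # 08:09:04 on 2011-09-21 in DOS time/date
                        crc, 1915381, 2173952, len(name), len(extra))
    return fixed + name + extra


# AE-2, AES-256, with Deflate as the real compression method
AES_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
SAMPLE_AES = build_header(b"dropper.exe", FLAG_ENCRYPTED, METHOD_AES, 0, AES_EXTRA)
SAMPLE_ZIPCRYPTO = build_header(b"dropper.exe", FLAG_ENCRYPTED, 8, 0xDEADBEEF)
SAMPLE_PLAIN = build_header(b"readme.txt", 0, 8, 0x12345678)

if __name__ == "__main__":
    for sample in (SAMPLE_AES, SAMPLE_ZIPCRYPTO, SAMPLE_PLAIN):
        print(summarize(parse_local_header(sample)))
```

The parser deliberately works on the local header alone so it can be pointed at the first 30 bytes plus name and extra field of a mail attachment; a real archive's central directory carries the same method, flag and version fields and can be checked the same way.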
Total processes: 94
Monitored processes: 37
Malicious processes: 13
Suspicious processes: 5

Behavior graph

Process tree as drawn in the report, in launch order; "no specs" marks a process that triggered no indicators. The 37 entries are the 37 monitored processes:
winrar.exe (no specs), [email protected], av.exe, av2.exe, db.exe (no specs), en.exe (no specs), dw20.exe (no specs), sb.exe, db.exe, setup46730704.exe (no specs), setup46730704.exe, spoolsv.exe, rundll32.exe (no specs), ia17766ejdae17766.exe, cmd.exe (no specs), rundll32.exe, cmd.exe (no specs), [email protected], av.exe, av2.exe, db.exe (no specs), en.exe (no specs), sb.exe, dw20.exe (no specs), cmd.exe (no specs), setup274794624.exe (no specs), setup274794624.exe, [email protected], av.exe, av2.exe, db.exe, en.exe, sb.exe, cmd.exe (no specs), rtldriver32.exe, cmd.exe (no specs), cmd.exe (no specs)

Process information

Only the processes for which the report prints details are listed here; PID, command line, path and parent are taken from the table as shown.

PID 392: WinRAR.exe (parent: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Ana.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin; Integrity level: MEDIUM; Exit code: 0
  Company: Alexander Roshal; Description: WinRAR archiver; Version: 5.60.0

PID 1520: [email protected] (parent: explorer.exe)
  CMD: "C:\Users\admin\Desktop\[email protected]"
  Path: C:\Users\admin\Desktop\[email protected]
  User: admin; Integrity level: MEDIUM; Exit code: 1
  The extracted dropper, run from the Desktop; it launches AV.EXE, AV2.EXE, DB.EXE, EN.EXE and SB.EXE from %TEMP%.

PID 3724: AV.EXE (parent: [email protected])
  CMD: "C:\Users\admin\AppData\Local\Temp\AV.EXE"
  Path: C:\Users\admin\AppData\Local\Temp\AV.EXE
  User: admin; Integrity level: MEDIUM; Exit code: 3762507597 (0xE0434F4D, an unhandled .NET exception; the dw20.exe child below is the CLR error-reporting shim it spawned)
  Company: Realtek Inc; Description: Realtek Audio Driver; Version: 2.0.5.0 (spoofed vendor metadata: an audio driver would not be a managed executable)

PID 236: AV2.EXE (parent: [email protected])
  CMD: "C:\Users\admin\AppData\Local\Temp\AV2.EXE"
  Path: C:\Users\admin\AppData\Local\Temp\AV2.EXE
  User: admin; Integrity level: MEDIUM; Exit code: 0

PID 3376: DB.EXE (parent: [email protected])
  CMD: "C:\Users\admin\AppData\Local\Temp\DB.EXE"
  Path: C:\Users\admin\AppData\Local\Temp\DB.EXE
  User: admin; Integrity level: MEDIUM; Exit code: 0
  Company: Prjfeusek Vdceboszrya; Description: Internet Connection Wizard; Version: 6.00.3790.3959 (srv03_sp2_rtm.070216-1710)
  The description and version string are copied from a Windows Server 2003 SP2 component while the company name is random text.

PID 884: EN.EXE (parent: [email protected])
  CMD: "C:\Users\admin\AppData\Local\Temp\EN.EXE"
  Path: C:\Users\admin\AppData\Local\Temp\EN.EXE
  User: admin; Integrity level: MEDIUM; Exit code: 0

PID 1576: dw20.exe (parent: AV.EXE)
  CMD: dw20.exe -x -s 432
  Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  User: admin; Integrity level: MEDIUM; Exit code: 0
  Company: Microsoft Corporation; Description: Microsoft .NET Error Reporting Shim; Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
  Legitimate Microsoft binary; its presence only records that AV.EXE crashed.

PID 2488: SB.EXE (parent: [email protected])
  CMD: "C:\Users\admin\AppData\Local\Temp\SB.EXE"
  Path: C:\Users\admin\AppData\Local\Temp\SB.EXE
  User: admin; Integrity level: MEDIUM; Exit code: 0

PID 3372: DB.EXE (parent: DB.EXE, PID 3376)
  CMD: "C:\Users\admin\AppData\Local\Temp\DB.EXE" /reserved001:1
  Path: C:\Users\admin\AppData\Local\Temp\DB.EXE
  User: admin; Integrity level: HIGH; Exit code: 0
  Company: Prjfeusek Vdceboszrya; Description: Internet Connection Wizard; Version: 6.00.3790.3959 (srv03_sp2_rtm.070216-1710)
  DB.EXE relaunches itself with a marker switch and the second instance runs at HIGH integrity, so the relaunch obtained elevation (the report does not show whether a UAC prompt was accepted). This is the instance that writes FM20ENU6.dll into System32 and the Fwocovuw.job task.

PID 3796: setup46730704.exe (parent: SB.EXE)
  CMD: "C:\Users\admin\AppData\Local\Temp\setup46730704.exe"
  Path: C:\Users\admin\AppData\Local\Temp\setup46730704.exe
  User: admin; Integrity level: MEDIUM; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this renamed copy of SB.EXE could not start without elevation; a second instance, PID 2864, appears in the indicators above)
Total events: 3 869 (read: 3 572; write: 0; delete: 0)
Modification events: no data
Files: 32 executable, 28 suspicious, 11 text, 0 of unknown type

Dropped files

PID 392 WinRAR.exe wrote C:\Users\admin\AppData\Local\Temp\Rar$DRb392.1478\[email protected] (no type or hash recorded)
PID 2488 SB.EXE wrote C:\Users\admin\AppData\Local\Temp\2115.tmp (no type or hash recorded)
PID 2864 setup46730704.exe wrote C:\Users\admin\AppData\Local\Temp\2C7F.tmp (no type or hash recorded)
PID 1520 [email protected] wrote C:\Users\admin\AppData\Local\Temp\SB.EXE (executable)
  MD5: 9252E1BE9776AF202D6AD5C093637022
  SHA256: CE822FF86E584F15B6ABD14C61453BD3B481D4EC3FDEB961787FCEB52ACD8BD6
PID 2488 SB.EXE wrote C:\Windows\system32\tasks\76a45340 (xml; a scheduled-task definition)
  MD5: C355A42DE624417EF8ADA650F407DD40
  SHA256: 64E07C03FC64FF69713006177E768A1DFE0D5711EC1F78BB907E9E3EE36F107E
PID 2488 SB.EXE wrote C:\Users\admin\AppData\Local\Temp\setup46730704.exe (executable)
  MD5: 9252E1BE9776AF202D6AD5C093637022
  SHA256: CE822FF86E584F15B6ABD14C61453BD3B481D4EC3FDEB961787FCEB52ACD8BD6
  Same hashes as SB.EXE: the file is a copy of itself under a new name, which is what the "Starts itself from another location" indicator records.
PID 3724 AV.EXE wrote C:\Users\admin\Desktop\tsa.crt (text)
  MD5: 6E630504BE525E953DEBD0CE831B9AA0
  SHA256: 2563FE2F793F119A1BAE5CCA6EAB9D8C20409AA1F1E0DB341C623E1251244EF5
  A certificate file; the later AV.EXE instance (PID 2920) is flagged for adding or modifying Windows certificates.
PID 3616 rundll32.exe wrote C:\Users\admin\AppData\Local\Temp\Cab6320.tmp (no type or hash recorded; this is the authrootstl.cab download listed under HTTP requests)
PID 3372 DB.EXE wrote C:\Windows\Tasks\Fwocovuw.job (binary)
  MD5: 9F4193561FC48BB65D02D33F11E0D792
  SHA256: 11BF578B13D2F2EBACEB69C0FDE20B412257E26F842F599905974B88F46C0003
PID 3372 DB.EXE wrote C:\Windows\system32\FM20ENU6.dll (executable)
  MD5: B3F95E64C305252872D90696B8817F9F
  SHA256: 51422300883FEF667468483974DA7EF41E2E4A545950F3C237CD5390B04F0FC3
  Written by the elevated DB.EXE instance; spoolsv.exe (PID 1204) and rundll32.exe (PID 324) are flagged above for loading a dropped executable.
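The two writes by the elevated DB.EXE (a .job file into C:\Windows\Tasks and a DLL into System32) followed by spoolsv.exe loading that DLL are the persistence chain this report documents, and each step is visible in ordinary endpoint telemetry. The detection below is an added example written for this page, not ANY.RUN code: it walks Sysmon-style events (EventID 11 FileCreate and EventID 7 ImageLoad, with Sysmon's field names) and raises an alert when a process running from a user-writable directory writes a task definition or drops a binary into System32, and again when a System32 process later loads a binary that was dropped earlier in the same trace. The events are constructed from the dropped-file rows for PID 3372 and the spoolsv.exe indicator above, with two benign events added as noise; the rule names are my own.

```python
"""Detect the persistence chain from this report in Sysmon-style events.

Added example, not part of the ANY.RUN report. The events are constructed to
mirror the dropped-files table (EventID 11 = FileCreate, 7 = ImageLoad, as in
Sysmon); field names follow Sysmon, the rule names are the author's own.
"""
from typing import Dict, Iterable, List, Tuple

TASK_DIRS = ("c:\\windows\\tasks\\", "c:\\windows\\system32\\tasks\\")
SYSTEM_DIR = "c:\\windows\\system32\\"
USER_WRITABLE = ("\\users\\", "\\programdata\\")   # where an unprivileged dropper can write
BINARY_EXT = (".exe", ".dll")

Alert = Tuple[str, str, str]   # (rule, acting image, target path)


def from_user_writable(image: str) -> bool:
    """True when the acting process image lives under a user-writable tree."""
    return any(seg in image.lower() for seg in USER_WRITABLE)


def detect(events: Iterable[Dict]) -> List[Alert]:
    """Single pass over events in time order, keeping state about dropped binaries."""
    alerts: List[Alert] = []
    dropped: set = set()      # binaries written by user-dir processes earlier in the trace
    for e in events:
        image = e["Image"]
        if e["EventID"] == 11:                      # FileCreate
            target = e["TargetFilename"]
            t = target.lower()
            if t.startswith(TASK_DIRS) and from_user_writable(image):
                alerts.append(("task_definition_from_user_dir", image, target))
            if t.endswith(BINARY_EXT) and from_user_writable(image):
                dropped.add(t)
                if t.startswith(SYSTEM_DIR):
                    alerts.append(("binary_dropped_into_system32", image, target))
        elif e["EventID"] == 7:                     # ImageLoad
            loaded = e["ImageLoaded"]
            if loaded.lower() in dropped and image.lower().startswith(SYSTEM_DIR):
                alerts.append(("system_process_loads_dropped_dll", image, loaded))
    return alerts


DB = r"C:\Users\admin\AppData\Local\Temp\DB.EXE"
SPOOLSV = r"C:\Windows\System32\spoolsv.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed events modelled on PIDs 3372 (DB.EXE) and 1204 (spoolsv.exe) in this report
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DB, "TargetFilename": r"C:\Windows\Tasks\Fwocovuw.job"},
    {"EventID": 11, "Image": DB, "TargetFilename": r"C:\Windows\system32\FM20ENU6.dll"},
    # benign noise: the Task Scheduler service writing its own task, and a normal print DLL load
    {"EventID": 11, "Image": SVCHOST,
     "TargetFilename": r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"EventID": 7, "Image": SPOOLSV, "ImageLoaded": r"C:\Windows\System32\winspool.drv"},
    {"EventID": 7, "Image": SPOOLSV, "ImageLoaded": r"C:\Windows\system32\FM20ENU6.dll"},
]

if __name__ == "__main__":
    for rule, image, target in detect(SAMPLE_EVENTS):
        print(f"{rule:34} {image} -> {target}")
```

The third rule is the valuable one: a DLL load by spoolsv.exe is unremarkable on its own, and a file write into System32 by an elevated process is not rare either, but the join between them (the loaded module is one that a user-directory process wrote moments earlier) is specific to this kind of service-side-loading persistence.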
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 8
DNS requests: 8
Threats: 0

HTTP requests

PID 2056 iA17766EjDaE17766.exe: GET http://178.162.174.147/api/stats/install/1007/17766
  178.162.174.147:80 (NL); no HTTP status recorded; reputation: malicious
PID 236 AV2.EXE: GET http://178.162.174.147/api/urls/?affid=17766 (three identical requests)
  178.162.174.147:80 (NL); no HTTP status recorded; reputation: malicious
PID 1204 spoolsv.exe: GET http://95.143.193.138/xxxx_2/NTI1NDA0YTRhZnwzMDMwNnwwfDN8MHw2LjEgNzYwMSBTUDEuMHwwfDB8cHJuMTU= (two identical requests)
  95.143.193.138:80 (SE); no HTTP status recorded; reputation: unknown
PID 3616 rundll32.exe: GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  93.184.221.240:80 (US); HTTP 200; compressed, 57.0 Kb; reputation: whitelisted
  This is the automatic root-certificate list update that CryptoAPI performs when it validates a certificate chain; the download itself is benign, even though it was provoked by the certificate changes made during the infection.
PID not recorded: GET http://193.105.171.154/p/?sku_name=P102SSV_EN,P102SSV_EN_00,P102SSV_EN_01,ACTF_EN_01&aid=test&lid=1007&affid=17766&nid=C4BA3647
  193.105.171.154:80 (US); no HTTP status recorded; reputation: malicious

The affiliate parameters tie the traffic together: affid=17766 appears in the dropper name iA17766EjDaE17766.exe, in the install-statistics path (/install/1007/17766) and in the API and sku_name calls, and lid=1007 matches the first path component of the statistics URL. A blank status field means no response was captured from that server during the run, so the content these hosts would have served is not part of the report.
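The spoolsv.exe check-in above carries its payload as a base64 token in the URL path, and the affiliate parameters recur across the other requests. The script below is an added example for this page, not ANY.RUN code: it decodes the token, splits it on the pipe delimiter, picks out the operating-system field, and pulls the affiliate identifier from the URLs and the dropper file name to show they agree. The URLs and file name are copied from the tables above. Only the OS field can be interpreted with confidence ("6.1 7601 SP1" is Windows 7 SP1 build 7601, the sandbox OS listed at the top of the report, so this is a host fingerprint); the meaning of the other eight fields is not known from this page and the code labels them only by position. The NT-version-to-product table is general Windows knowledge.

```python
"""Decode the spoolsv.exe check-in token and correlate affiliate IDs.

Added example for this report, not ANY.RUN code. URLs and the dropper
name are copied from the report's tables; only the OS field of the decoded
token is interpreted, the rest is reported by position.
"""
import base64
import re
from typing import Dict, Iterable, List, Set
from urllib.parse import parse_qs, urlsplit

CHECKIN_URL = ("http://95.143.193.138/xxxx_2/"
               "NTI1NDA0YTRhZnwzMDMwNnwwfDN8MHw2LjEgNzYwMSBTUDEuMHwwfDB8cHJuMTU=")
AFFILIATE_URLS = [
    "http://178.162.174.147/api/stats/install/1007/17766",
    "http://178.162.174.147/api/urls/?affid=17766",
    "http://193.105.171.154/p/?sku_name=P102SSV_EN,P102SSV_EN_00,P102SSV_EN_01,ACTF_EN_01"
    "&aid=test&lid=1007&affid=17766&nid=C4BA3647",
]
DROPPER_NAME = "iA17766EjDaE17766.exe"

# NT kernel version -> marketed product (general knowledge, not from the report)
NT_VERSIONS = {
    "6.1": "Windows 7 / Server 2008 R2",
    "6.2": "Windows 8 / Server 2012",
    "6.3": "Windows 8.1 / Server 2012 R2",
    "10.0": "Windows 10 / 11 / Server 2016+",
}
# "<major.minor> <build> SP<n>" as seen in the decoded token
OS_FIELD_RE = re.compile(r"^(\d+\.\d+) (\d+) SP(\d+)")


def decode_checkin(url: str) -> Dict:
    """Base64-decode the last path segment and split it on '|'."""
    token = urlsplit(url).path.rsplit("/", 1)[-1]
    token += "=" * (-len(token) % 4)          # repair padding if a log stripped it
    raw = base64.b64decode(token).decode("ascii")
    fields = raw.split("|")
    result: Dict = {"raw": raw, "fields": fields, "os": None}
    for field in fields:
        m = OS_FIELD_RE.match(field)
        if m:
            nt, build, sp = m.groups()
            result["os"] = {
                "nt_version": nt,
                "build": int(build),
                "service_pack": int(sp),
                "product": NT_VERSIONS.get(nt, "unknown"),
            }
    return result


def affiliate_ids(urls: Iterable[str], process_names: Iterable[str]) -> Set[str]:
    """Collect affiliate identifiers from affid= parameters, the /install/<lid>/<affid>
    statistics path, and runs of digits embedded in process names."""
    found: Set[str] = set()
    for url in urls:
        parts = urlsplit(url)
        found.update(parse_qs(parts.query).get("affid", []))
        m = re.search(r"/install/\d+/(\d+)$", parts.path)
        if m:
            found.add(m.group(1))
    for name in process_names:
        found.update(re.findall(r"\d{4,}", name))
    return found


if __name__ == "__main__":
    info = decode_checkin(CHECKIN_URL)
    for i, field in enumerate(info["fields"]):
        print(f"field[{i}] = {field!r}")
    print("os:", info["os"])
    print("affiliate ids:", affiliate_ids(AFFILIATE_URLS, [DROPPER_NAME]))
```

Run against the check-in URL the token decodes to nine pipe-separated fields, the sixth of which is the OS fingerprint; the affiliate extraction returns a single identifier, 17766, from all three URLs and the dropper name, which is the kind of pivot that lets the statistics, URL-fetch and sku requests be attributed to one pay-per-install campaign rather than three unrelated hosts.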

Connections

PID 2056 iA17766EjDaE17766.exe: 178.162.174.147:80; LeaseWeb Netherlands B.V. (NL); malicious
PID 1204 spoolsv.exe: 95.143.193.138:80; Internetport Sweden AB (SE); unknown
PID 236 AV2.EXE: 178.162.174.147:80; LeaseWeb Netherlands B.V. (NL); malicious
PID not recorded: 193.105.171.154:80; Region40 LLC (US); malicious
PID 3616 rundll32.exe: 93.184.221.240:80; www.download.windowsupdate.com; MCI Communications Services, Inc. d/b/a Verizon Business (US); whitelisted

Only the Windows Update connection has a domain attached; the malicious hosts were contacted by raw IP address.

DNS requests

middlechrist.com: no IP recorded; malicious
aeravine.com: no IP recorded; malicious
bemachin.com: no IP recorded; malicious
www.download.windowsupdate.com: 93.184.221.240; whitelisted
report.totalsolutionantivirus.com: no IP recorded; unknown

Four of the five names returned no address during the run, so no connection to them appears above; the lookups themselves remain usable as network indicators.

Threats

3 ETPRO signatures fired; the signature messages are not included in this copy of the report. Processes the hits were attributed to:
  • C:\Users\admin\AppData\Local\Temp\AV.EXE
  • C:\Users\admin\AppData\Local\Temp\AV2.EXE
  • C:\Users\admin\AppData\Local\Temp\DB.EXE
  • C:\Users\admin\AppData\Local\Temp\EN.EXE
  • C:\Users\admin\AppData\Local\Temp\GB.EXE
  • C:\Users\admin\AppData\Local\Temp\SB.EXE
  • C:\Users\admin\AppData\Local\Temp\AV.EXE
  • C:\Users\admin\AppData\Local\Temp\AV2.EXE
  • C:\Users\admin\AppData\Local\Temp\DB.EXE
  • C:\Users\admin\AppData\Local\Temp\EN.EXE

GB.EXE is named here but does not appear in the process, dropped-file or network tables above.