analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

SLskC.7z

Full analysis: https://app.any.run/tasks/1624b762-a325-423c-9603-035a7297b5fa
Verdict: Malicious activity
Analysis date: May 30, 2020, 08:17:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

9F97BAD35B8084440E655218C923A8B7

SHA1:

AFBA38FB39102652E78D74AC731BF754EEFE38BE

SHA256:

CB11DE448907B2AA4D14243E6D36AA07AB1F46418C15F8229B2A0070AEA691AC

SSDEEP:

12288:lY3qg569F389C++ia10x8lI97Goc8JdTfhiUI/cRHmpkzpIKFtPjD:llF3hu26Tq+dThi505lJt/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • TokenX.exe (PID: 3096)
      • SearchProtocolHost.exe (PID: 1132)
      • TokenX.exe (PID: 3624)
      • TokenX.exe (PID: 2004)
    • Application was dropped or rewritten from another process

      • TokenX.exe (PID: 3096)
      • TokenX.exe (PID: 3624)
      • TokenX.exe (PID: 2004)
  • SUSPICIOUS

    • Creates files in the Windows directory

      • DllHost.exe (PID: 3400)
    • Starts Internet Explorer

      • TokenX.exe (PID: 3096)
      • TokenX.exe (PID: 3624)
      • TokenX.exe (PID: 2004)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3748)
    • Executed via COM

      • DllHost.exe (PID: 3400)
  • INFO

    • Manual execution by user

      • fontview.exe (PID: 3424)
      • TokenX.exe (PID: 3096)
      • WinRAR.exe (PID: 3748)
      • TokenX.exe (PID: 3624)
      • TokenX.exe (PID: 2004)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3696)
      • iexplore.exe (PID: 2736)
      • iexplore.exe (PID: 3976)
      • iexplore.exe (PID: 2360)
      • iexplore.exe (PID: 1380)
      • iexplore.exe (PID: 2992)
    • Changes internet zones settings

      • iexplore.exe (PID: 3696)
      • iexplore.exe (PID: 2360)
      • iexplore.exe (PID: 2992)
    • Creates files in the user directory

      • iexplore.exe (PID: 2736)
      • iexplore.exe (PID: 3976)
      • iexplore.exe (PID: 1380)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2736)
      • iexplore.exe (PID: 3976)
      • iexplore.exe (PID: 1380)
    • Application launched itself

      • iexplore.exe (PID: 2360)
      • iexplore.exe (PID: 2992)
    • Dropped object may contain Bitcoin addresses

      • TokenX.exe (PID: 3624)
      • TokenX.exe (PID: 2004)
    • Reads settings of System Certificates

      • TokenX.exe (PID: 3624)
      • iexplore.exe (PID: 2736)
      • iexplore.exe (PID: 3976)
      • iexplore.exe (PID: 1380)
      • iexplore.exe (PID: 3696)
      • iexplore.exe (PID: 2360)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3696)
      • iexplore.exe (PID: 2360)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3696)
      • iexplore.exe (PID: 2360)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
62
Monitored processes
14
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs winrar.exe searchprotocolhost.exe no specs fontview.exe no specs DllHost.exe no specs tokenx.exe iexplore.exe iexplore.exe tokenx.exe iexplore.exe iexplore.exe tokenx.exe no specs iexplore.exe no specs iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2952"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\SLskC.7z"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3748"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\SLskC.7z" C:\Users\admin\Desktop\SLskC\C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1132"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
3424"C:\Windows\System32\fontview.exe" C:\Users\admin\Desktop\SLskC\Install Me!.ttfC:\Windows\System32\fontview.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Font Viewer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3400C:\Windows\system32\DllHost.exe /Processid:{642EF9D6-48A5-476B-919A-A507CFD02C0F}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3096"C:\Users\admin\Desktop\SLskC\TokenX.exe" C:\Users\admin\Desktop\SLskC\TokenX.exe
explorer.exe
User:
admin
Company:
HP Inc.
Integrity Level:
MEDIUM
Description:
TokenX
Exit code:
3221225477
Version:
1.0.0.0
3696"C:\Program Files\Internet Explorer\iexplore.exe" https://pastr.io/raw/3aBVlvUpVXOC:\Program Files\Internet Explorer\iexplore.exe
TokenX.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2736"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3696 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3624"C:\Users\admin\Desktop\SLskC\TokenX.exe" C:\Users\admin\Desktop\SLskC\TokenX.exe
explorer.exe
User:
admin
Company:
HP Inc.
Integrity Level:
MEDIUM
Description:
TokenX
Exit code:
3221225477
Version:
1.0.0.0
2360"C:\Program Files\Internet Explorer\iexplore.exe" https://pastr.io/raw/3aBVlvUpVXOC:\Program Files\Internet Explorer\iexplore.exe
TokenX.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
16 204
Read events
5 632
Write events
0
Delete events
0

Modification events

No data
Executable files
7
Suspicious files
35
Text files
25
Unknown types
16

Dropped files

PID
Process
Filename
Type
2736iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab67BB.tmp
MD5:
SHA256:
2736iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar67BC.tmp
MD5:
SHA256:
2736iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1binary
MD5:9BB39F3A800B48405F4EC6C7E699599A
SHA256:4851D1D7F62EEA679528244E3E604EBC4D3C87D8F989053B5D6A6547E3070952
2736iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288Bder
MD5:1C400D233070530C717A810D7F9BC99E
SHA256:58B407B0DDF17FBF78FCB2E2DAD4FABAADA9BD88641F19941480951A200AE4E0
2736iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\0FATKW25.txt
MD5:
SHA256:
3748WinRAR.exeC:\Users\admin\Desktop\SLskC\TokenX.exeexecutable
MD5:F4BA474BCE00EF8E5B8B087B26315356
SHA256:BABF0958F7B4085D2BDF1A2730017E24FEE16073B953F85DDA79F94551FF8F15
2736iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1der
MD5:1ACA50EC477964C4D861F2701CF66EEA
SHA256:0F11ACD16954DCCA31CFFED26AD2DEB75FF3409E4810EC46DE67F8CBEF4EB2B9
3748WinRAR.exeC:\Users\admin\Desktop\SLskC\Anarchy.dllexecutable
MD5:4BB491A20C5BF97DDAB33EF7174D3355
SHA256:8EDEE658943E3D9871E3F4CFF5C2301AC56078C22989315F82F8CAE70C4DE682
3748WinRAR.exeC:\Users\admin\Desktop\SLskC\Cracked.to Authentication.dllexecutable
MD5:1722E9B8A75163DA09D7B0443DAB0E0C
SHA256:F98AB8F3CB1E42DE9918629264D365BD37D2438C286076B06C6C4D882723B814
3748WinRAR.exeC:\Users\admin\Desktop\SLskC\Read Me!.txttext
MD5:24CD3A36798304044C5225BF0F11822E
SHA256:B3A0BFAFCAE7860394C53FDE3DAF02CB5E2A4BBDC05C25CF0E0550C4EDB3D619
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
44
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2736
iexplore.exe
GET
200
172.217.22.99:80
http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDEKiK1zGWeAwgAAAAAPr4Q
US
der
472 b
whitelisted
2736
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
US
der
1.47 Kb
whitelisted
2736
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
US
der
1.47 Kb
whitelisted
2736
iexplore.exe
GET
200
172.217.22.99:80
http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDEKiK1zGWeAwgAAAAAPr4Q
US
der
472 b
whitelisted
3696
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
2736
iexplore.exe
GET
200
172.217.22.99:80
http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEDvkDzv2QYa2AgAAAABnMwk%3D
US
der
471 b
whitelisted
2736
iexplore.exe
GET
200
172.217.22.99:80
http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEDvkDzv2QYa2AgAAAABnMwk%3D
US
der
471 b
whitelisted
3696
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
2736
iexplore.exe
GET
200
172.217.22.99:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
3696
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2736
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2736
iexplore.exe
172.217.22.99:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2736
iexplore.exe
104.24.111.173:443
pastr.io
Cloudflare Inc
US
shared
2736
iexplore.exe
172.217.23.174:443
Google Inc.
US
whitelisted
2736
iexplore.exe
216.58.212.163:443
ssl.gstatic.com
Google Inc.
US
whitelisted
2736
iexplore.exe
172.217.23.110:443
consent.google.com
Google Inc.
US
whitelisted
2736
iexplore.exe
172.217.18.100:443
www.google.com
Google Inc.
US
whitelisted
3696
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3696
iexplore.exe
172.217.18.100:443
www.google.com
Google Inc.
US
whitelisted
3976
iexplore.exe
104.24.111.173:443
pastr.io
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
pastr.io
  • 104.24.111.173
  • 104.24.110.173
  • 172.67.181.103
malicious
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ocsp.pki.goog
  • 172.217.22.99
whitelisted
www.google.com
  • 172.217.18.100
whitelisted
consent.google.com
  • 172.217.23.110
shared
ssl.gstatic.com
  • 216.58.212.163
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
id.google.com
  • 172.217.21.227
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted

Threats

No threats detected
No debug info