analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

1422-178.zip

Full analysis: https://app.any.run/tasks/360d1b57-0efa-44bc-b3e0-504954966765
Verdict: Malicious activity
Analysis date: November 14, 2018, 09:37:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

E1D37129998008278E13B5615E0A3926

SHA1:

25A968EE6E7E6C953E48850BED6B4051186C914B

SHA256:

D37AEEC5F2F7CCF9318130D70C515C769C0B19D21D73330AE5B9611E46D04D6B

SSDEEP:

24:9szXkgG+pQ8diy0bEp4lZNbfgggKDydp55/t/a5XU8tf2uR+AphgChc0Hiv71M6N:9e0MuJbGANcvKO3FKUOh/5aXyBzBrQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2724)
      • powershell.exe (PID: 3756)
      • powershell.exe (PID: 3496)
      • powershell.exe (PID: 2120)
    • Application launched itself

      • powershell.exe (PID: 3756)
    • Executes PowerShell scripts

      • WinRAR.exe (PID: 3032)
      • powershell.exe (PID: 3756)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 3944)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2014:09:23 16:05:18
ZipCRC: 0x1cc3b9e8
ZipCompressedSize: 601
ZipUncompressedSize: 1235
ZipFileName: 1422-178.txt
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
12
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs notepad.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs powershell.exe powershell.exe csc.exe cvtres.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3032"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1422-178.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3324"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa3032.30472\1422-178.txtC:\Windows\system32\NOTEPAD.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2724"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3032.31353\Beep.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3940"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\yon1vwib.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
1620C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES94E.tmp" "c:\Users\admin\AppData\Local\Temp\CSC94D.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.4940 (Win7SP1.050727-5400)
3756"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3032.31841\BeepJob.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3496"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfileC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3944"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\g6yecqlm.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
3404C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES1FD4.tmp" "c:\Users\admin\AppData\Local\Temp\CSC1FD3.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.4940 (Win7SP1.050727-5400)
2120"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3032.32359\GetFolderPath.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 446
Read events
1 197
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
8
Text files
10
Unknown types
1

Dropped files

PID
Process
Filename
Type
2724powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XIOIH4CV3CWT80402GTA.temp
MD5:
SHA256:
3940csc.exeC:\Users\admin\AppData\Local\Temp\CSC94D.tmp
MD5:
SHA256:
3940csc.exeC:\Users\admin\AppData\Local\Temp\yon1vwib.pdb
MD5:
SHA256:
1620cvtres.exeC:\Users\admin\AppData\Local\Temp\RES94E.tmp
MD5:
SHA256:
3940csc.exeC:\Users\admin\AppData\Local\Temp\yon1vwib.dll
MD5:
SHA256:
3940csc.exeC:\Users\admin\AppData\Local\Temp\yon1vwib.out
MD5:
SHA256:
3756powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7YQVHT11ZQ01HE4E2MGM.temp
MD5:
SHA256:
3496powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G7BA8UTT7YHT3J2YR4OZ.temp
MD5:
SHA256:
3944csc.exeC:\Users\admin\AppData\Local\Temp\CSC1FD3.tmp
MD5:
SHA256:
3404cvtres.exeC:\Users\admin\AppData\Local\Temp\RES1FD4.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144