File name: 带毒暴风激活.zip (Chinese: "malware-carrying Baofeng activation"; the archive contains a Windows activation tool)
Full analysis: https://app.any.run/tasks/b4e0e65b-82de-4a8b-8f7d-9e1ec65c5c41
Verdict: Malicious activity
Analysis date: July 18, 2019, 07:00:41
OS: Windows 7 Professional Service Pack 1 (build 7601, 32-bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 348A01DC8257D9CBBFADAAE5F7E6ACF0
SHA1: A05EB641E25CAEAC7B6C17C9115FCBCA311C290B
SHA256: D5B2028332CFA7C6ABD45DCC02310443C9ADA7FF61FB8C9BEDE910892E55DFD6
SSDEEP: 98304:ZQ0zOWINi5Ua0ozEW5KujzMwChFgcbr0SOFtBPjAaEPx8VX:K7/owW5KujQ1F74TFXPcnPuR
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
(File and process names below are decoded from the GBK-encoded names inside the archive; the live report renders them as mojibake such as ±©·ç¼¤»î¹¤¾ß for 暴风激活工具.)
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • uvwxyz暴风激活工具V17.0Srv.exe (PID: 2792)
      • DesktopLayer.exe (PID: 3976)
      • lmnopqrstuvwxyz1.exe (PID: 2680)
      • uvwxyz暴风激活工具V17.0.exe (PID: 752)
      • klmnopqrstuvwxyz_激活工具2.exe (PID: 1376)
      • ghijklmnopqrstuvwxyz1227Favrite.exe (PID: 3392)
      • 激活工具2.exe (PID: 2504)
      • FavriteAdd.exe (PID: 3424)
      • vwxyz73351a00c84c94d3.exe (PID: 3968)
      • DelNsisSelf.exe (PID: 3480)
      • IELink.exe (PID: 2880)
      • Del24E8.tmp (PID: 2476)
      • ASBarBroker.exe (PID: 2632)
      • SppExtComObjPatcher.exe (PID: 3496)
      • KMSService.exe (PID: 3804)
    • Changes the login/logoff helper path in the registry
      • iexplore.exe (PID: 4064)
    • Loads a dropped or rewritten executable
      • vwxyz73351a00c84c94d3.exe (PID: 3968)
      • OSPPSVC.EXE (PID: 4020)
    • Changes Image File Execution Options
      • uvwxyz暴风激活工具V17.0.exe (PID: 752)
    • Loads the Task Scheduler COM API
      • OSPPSVC.EXE (PID: 4020)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3008)
      • 暴风激活工具V17.0.exe (PID: 3084)
      • uvwxyz暴风激活工具V17.0.exe (PID: 752)
      • uvwxyz暴风激活工具V17.0Srv.exe (PID: 2792)
      • klmnopqrstuvwxyz_激活工具2.exe (PID: 1376)
      • ghijklmnopqrstuvwxyz1227Favrite.exe (PID: 3392)
      • vwxyz73351a00c84c94d3.exe (PID: 3968)
      • DelNsisSelf.exe (PID: 3480)
    • Starts itself from another location
      • uvwxyz暴风激活工具V17.0Srv.exe (PID: 2792)
      • DelNsisSelf.exe (PID: 3480)
    • Creates files in the program directory
      • uvwxyz暴风激活工具V17.0Srv.exe (PID: 2792)
      • iexplore.exe (PID: 4064)
      • vwxyz73351a00c84c94d3.exe (PID: 3968)
    • Creates files in the user directory
      • lmnopqrstuvwxyz1.exe (PID: 2680)
      • FavriteAdd.exe (PID: 3424)
    • Starts Internet Explorer
      • DesktopLayer.exe (PID: 3976)
    • Executed as a Windows service
      • 激活工具2.exe (PID: 2504)
      • SppExtComObjPatcher.exe (PID: 3496)
      • KMSService.exe (PID: 3804)
    • Starts CMD.EXE for command execution
      • klmnopqrstuvwxyz_激活工具2.exe (PID: 1376)
      • FavriteAdd.exe (PID: 3424)
      • Del24E8.tmp (PID: 2476)
    • Uses WMIC.EXE to obtain system information
      • uvwxyz暴风激活工具V17.0.exe (PID: 752)
      • 激活工具2.exe (PID: 2504)
    • Low-level read access to a disk partition
      • vwxyz73351a00c84c94d3.exe (PID: 3968)
      • 激活工具2.exe (PID: 2504)
    • Starts CMD.EXE for self-deletion
      • klmnopqrstuvwxyz_激活工具2.exe (PID: 1376)
    • Creates a software uninstall entry
      • vwxyz73351a00c84c94d3.exe (PID: 3968)
    • Starts an application with an unusual extension
      • DelNsisSelf.exe (PID: 3480)
    • Creates a COM task-scheduler object
      • vwxyz73351a00c84c94d3.exe (PID: 3968)
    • Uses TASKKILL.EXE to kill a process
      • uvwxyz暴风激活工具V17.0.exe (PID: 752)
    • Executes scripts
      • uvwxyz暴风激活工具V17.0.exe (PID: 752)
    • Uses NETSH.EXE for network configuration
      • uvwxyz暴风激活工具V17.0.exe (PID: 752)
    • Creates files in the Windows directory
      • uvwxyz暴风激活工具V17.0.exe (PID: 752)
      • 激活工具2.exe (PID: 2504)
    • Removes files from the Windows directory
      • 激活工具2.exe (PID: 2504)
    • Reads environment values
      • 激活工具2.exe (PID: 2504)
  • INFO
    • Manual execution by user
      • 暴风激活工具V17.0.exe (PID: 3084)
      • 暴风激活工具V17.0.exe (PID: 2892)
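The two MALICIOUS registry signatures above, "Changes Image File Execution Options" (PID 752) and "Changes the login/logoff helper path in the registry" (iexplore.exe, PID 4064), describe hijacks that outlive the sandbox run and can be checked offline from a registry export. The following is an added example, not code from ANY.RUN or from the sample. It assumes that the helper-path signature refers to the Winlogon Userinit/Shell values (an assumption; the report does not name the key), uses clean Windows 7 defaults, and runs over a constructed .reg export, because the report shows which processes wrote to the registry but not the values they wrote.

```python
"""Check a .reg export for an Image File Execution Options "Debugger" value
and a rewritten Winlogon Userinit/Shell value.

Added example, not code from ANY.RUN or from the sample. The key paths,
the Windows 7 defaults and every value in SAMPLE_REG are assumptions
constructed for illustration; the report does not list the values written.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Defaults on a clean Windows 7 x86 install (assumed for this example).
GOOD_USERINIT = r"c:\windows\system32\userinit.exe,"
GOOD_SHELL = "explorer.exe"

# Constructed export: a Userinit with an extra executable appended, one IFEO
# Debugger hijack, and one harmless IFEO value that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Program Files\\Microsoft\\DesktopLayer.exe"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Users\\admin\\AppData\\Local\\Temp\\uvwxyz暴风激活工具V17.0.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _decode_value(raw: str):
    """Strings get their \\ and \" escapes removed; dwords become ints;
    anything else (hex: blobs, expand strings) is returned verbatim."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text: str) -> dict:
    """Minimal .reg parser -> {key path: {value name (lower-cased): value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            keys[current][name.lower()] = _decode_value(m.group(3))
    return keys


def find_persistence(keys: dict) -> list:
    """Return (kind, key path, value) for every hijack found."""
    findings = []
    by_lower = {path.lower(): values for path, values in keys.items()}
    winlogon = by_lower.get(WINLOGON.lower(), {})
    userinit = winlogon.get("userinit")
    if userinit is not None and userinit.strip().lower() != GOOD_USERINIT:
        findings.append(("winlogon-userinit", WINLOGON, userinit))
    shell = winlogon.get("shell")
    if shell is not None and shell.strip().lower() != GOOD_SHELL:
        findings.append(("winlogon-shell", WINLOGON, shell))
    ifeo_prefix = IFEO.lower() + "\\"
    for path, values in keys.items():
        # Only a Debugger value redirects execution; other IFEO flags are benign.
        if path.lower().startswith(ifeo_prefix) and "debugger" in values:
            findings.append(("ifeo-debugger", path, values["debugger"]))
    return findings


if __name__ == "__main__":
    for kind, path, value in find_persistence(parse_reg(SAMPLE_REG)):
        print(f"{kind}: {path} -> {value}")
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and the same for the Image File Execution Options key; `reg export` normally writes UTF-16LE, so read the file with `encoding="utf-16"` before passing it to `parse_reg`. The sandbox OS here is 32-bit, so there is no Wow6432Node copy of these keys to check.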
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF (ExifTool ZIP tags)
ZipRequiredVersion: 20
ZipBitFlag: 0x0001 (bit 0 set: the entry is encrypted)
ZipCompression: Deflated
ZipModifyDate: 2019:04:18 18:47:12
ZipCRC: 0x40c57347
ZipCompressedSize: 54767
ZipUncompressedSize: 56320
ZipFileName: ???????缤??/DesktopLayer.exe
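The ExifTool block above and the mojibake process names in this report come from the same place: the ZIP local file header, whose general-purpose bit flag says whether an entry is encrypted (bit 0, the 0x0001 shown above) and whether its name is UTF-8 (bit 11). When bit 11 is clear the name bytes are in whatever codepage the archiver's machine used, here GBK, and a viewer that assumes Latin-1 renders 暴风激活工具 as ±©·ç¼¤»î¹¤¾ß. The script below is an added example, not part of the ANY.RUN report: it builds a one-entry archive in memory (constructed data; only the entry name and the report's 2019-04-18 18:47:12 timestamp are taken from the page), parses the header the way the tags above are read, and undoes the wrong-codepage rendering.

```python
"""Parse a ZIP local file header (the source of ExifTool's ZipBitFlag,
ZipModifyDate and ZipFileName tags) and repair GBK-as-Latin-1 mojibake.

Added example, not part of the ANY.RUN report. The archive bytes are
constructed in memory: a single stored entry with no central directory.
"""
import struct
import zlib

LOCAL_SIG = 0x04034B50
FLAG_ENCRYPTED = 0x0001   # bit 0: entry is encrypted (ZipBitFlag 0x0001 in the report)
FLAG_UTF8 = 0x0800        # bit 11: name is UTF-8; otherwise it is codepage-dependent
HEADER_FMT = "<IHHHHHIIIHH"  # 30-byte fixed part of the local file header
HEADER_LEN = struct.calcsize(HEADER_FMT)


def dos_datetime(dos_date: int, dos_time: int) -> str:
    """Decode the MS-DOS packed date/time fields used by ZIP headers."""
    year = 1980 + (dos_date >> 9)
    month = (dos_date >> 5) & 0x0F
    day = dos_date & 0x1F
    hour = dos_time >> 11
    minute = (dos_time >> 5) & 0x3F
    second = (dos_time & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{second:02d}"


def build_local_entry(name: bytes, data: bytes, flags: int = 0,
                      dos_date: int = 0x4E92, dos_time: int = 0x95E6) -> bytes:
    """Build a stored (method 0) local entry with raw name bytes.
    The default date/time fields encode 2019-04-18 18:47:12. Test data only."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    header = struct.pack(HEADER_FMT, LOCAL_SIG, 20, flags, 0, dos_time, dos_date,
                         crc, len(data), len(data), len(name), 0)
    return header + name + data


def decode_name(raw: bytes, flags: int, legacy_codepage: str = "gbk") -> str:
    """UTF-8 when bit 11 is set. Otherwise the spec says CP437, but archivers on
    Chinese Windows write the system codepage (GBK), so try that first."""
    if flags & FLAG_UTF8:
        return raw.decode("utf-8")
    try:
        return raw.decode(legacy_codepage)
    except UnicodeDecodeError:
        return raw.decode("cp437")


def parse_local_header(buf: bytes, offset: int = 0, legacy_codepage: str = "gbk") -> dict:
    """Return ExifTool-style fields for the local header at `offset`."""
    (sig, version, flags, method, mtime, mdate, crc, csize, usize,
     name_len, extra_len) = struct.unpack_from(HEADER_FMT, buf, offset)
    if sig != LOCAL_SIG:
        raise ValueError(f"no local file header at offset {offset}")
    name_start = offset + HEADER_LEN
    raw_name = buf[name_start:name_start + name_len]
    return {
        "required_version": version,
        "bit_flag": flags,
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "utf8_name": bool(flags & FLAG_UTF8),
        "compression": {0: "Stored", 8: "Deflated"}.get(method, f"method {method}"),
        "modify_date": dos_datetime(mdate, mtime),
        "crc": f"0x{crc:08x}",
        "compressed_size": csize,
        "uncompressed_size": usize,
        "raw_name": raw_name,
        "name": decode_name(raw_name, flags, legacy_codepage),
        "name_as_latin1": raw_name.decode("latin-1"),  # how the sandbox rendered it
        "data_offset": name_start + name_len + extra_len,
    }


def repair_mojibake(text: str, shown_as: str = "latin-1", really: str = "gbk") -> str:
    """Undo a wrong-codepage rendering: re-encode with the codepage the viewer
    used, then decode with the codepage the bytes are actually in."""
    return text.encode(shown_as).decode(really)


if __name__ == "__main__":
    entry = build_local_entry("暴风激活工具V17.0.exe".encode("gbk"), b"MZ" + b"\x00" * 62)
    info = parse_local_header(entry)
    for key in ("bit_flag", "encrypted", "modify_date", "crc", "name_as_latin1", "name"):
        print(f"{key}: {info[key]}")
    print(repair_mojibake("uvwxyz±©·ç¼¤»î¹¤¾ßV17.0Srv.exe"))
```

Applied to the names in this report, `repair_mojibake` gives uvwxyz暴风激活工具V17.0Srv.exe and 激活工具2.exe; the same trick works on any sandbox or SIEM field that shows runs of Latin-1 symbols where a Chinese path should be.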
Total processes: 98
Monitored processes: 39
Malicious processes: 6
Suspicious processes: 7

Behavior graph (process nodes in launch order; "no specs" means the sandbox recorded no indicators for that process): winrar.exe, 暴风激活工具v17.0.exe (no specs), 暴风激活工具v17.0.exe, uvwxyz暴风激活工具v17.0.exe, lmnopqrstuvwxyz1.exe, uvwxyz暴风激活工具v17.0srv.exe, ghijklmnopqrstuvwxyz1227favrite.exe, desktoplayer.exe (no specs), klmnopqrstuvwxyz_激活工具2.exe, iexplore.exe, vwxyz73351a00c84c94d3.exe, favriteadd.exe (no specs), 激活工具2.exe, wmic.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), ping.exe (no specs), ielink.exe (no specs), delnsisself.exe, del24e8.tmp (no specs), cmd.exe (no specs), wmic.exe x4 (no specs), asbarbroker.exe (no specs), wmic.exe (no specs), taskkill.exe (no specs), netsh.exe x2 (no specs), kmsservice.exe (no specs), taskkill.exe x3 (no specs), cscript.exe (no specs), sppextcomobjpatcher.exe (no specs), osppsvc.exe (no specs), cscript.exe (no specs), wmic.exe (no specs).

Process information (PID, command line, path, parent, user, integrity level, exit code, version metadata)

PID 3008: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\带毒暴风激活.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent: explorer.exe
  User: admin | Integrity level: MEDIUM | Exit code: 0
  Company: Alexander Roshal | Description: WinRAR archiver | Version: 5.60.0

PID 2892: "C:\Users\admin\Desktop\带毒暴风激活\暴风激活工具V17.0.exe"
  Path: C:\Users\admin\Desktop\带毒暴风激活\暴风激活工具V17.0.exe
  Parent: explorer.exe
  User: admin | Integrity level: MEDIUM | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the launch at medium integrity failed because the executable requests elevation)

PID 3084: "C:\Users\admin\Desktop\带毒暴风激活\暴风激活工具V17.0.exe"
  Path: C:\Users\admin\Desktop\带毒暴风激活\暴风激活工具V17.0.exe
  Parent: explorer.exe
  User: admin | Integrity level: HIGH | Exit code: 0
  The same image relaunched elevated; every process below inherits HIGH integrity from it.

PID 752: "C:\Users\admin\AppData\Local\Temp\uvwxyz暴风激活工具V17.0.exe"
  Path: C:\Users\admin\AppData\Local\Temp\uvwxyz暴风激活工具V17.0.exe
  Parent: 暴风激活工具V17.0.exe
  User: admin | Integrity level: HIGH
  Description: 暴风一键激活工具 (Baofeng one-click activation tool) | Version: 16.0.0.0

PID 2680: "C:\Users\admin\AppData\Local\Temp\lmnopqrstuvwxyz1.exe"
  Path: C:\Users\admin\AppData\Local\Temp\lmnopqrstuvwxyz1.exe
  Parent: 暴风激活工具V17.0.exe
  User: admin | Integrity level: HIGH | Exit code: 0

PID 2792: C:\Users\admin\AppData\Local\Temp\uvwxyz暴风激活工具V17.0Srv.exe
  Path: C:\Users\admin\AppData\Local\Temp\uvwxyz暴风激活工具V17.0Srv.exe
  Parent: uvwxyz暴风激活工具V17.0.exe
  User: admin | Integrity level: HIGH | Exit code: 0
  Company: SOFTWIN S.R.L. | Description: BitDefender Management Console | Version: 106.42.73.61

PID 3392: "C:\Users\admin\AppData\Local\Temp\ghijklmnopqrstuvwxyz1227Favrite.exe"
  Path: C:\Users\admin\AppData\Local\Temp\ghijklmnopqrstuvwxyz1227Favrite.exe
  Parent: 暴风激活工具V17.0.exe
  User: admin | Integrity level: HIGH | Exit code: 0

PID 3976: "C:\Program Files\Microsoft\DesktopLayer.exe"
  Path: C:\Program Files\Microsoft\DesktopLayer.exe
  Parent: uvwxyz暴风激活工具V17.0Srv.exe
  User: admin | Integrity level: HIGH | Exit code: 0
  Company: SOFTWIN S.R.L. | Description: BitDefender Management Console | Version: 106.42.73.61
  PIDs 2792 and 3976 carry identical vendor metadata; the version string 106.42.73.61 is not a well-formed product version, and both files live in %TEMP% and C:\Program Files\Microsoft\ rather than in any security product's install path.

PID 1376: "C:\Users\admin\AppData\Local\Temp\klmnopqrstuvwxyz_激活工具2.exe"
  Path: C:\Users\admin\AppData\Local\Temp\klmnopqrstuvwxyz_激活工具2.exe
  Parent: 暴风激活工具V17.0.exe
  User: admin | Integrity level: HIGH | Exit code: 0

PID 4064: "C:\Program Files\Internet Explorer\iexplore.exe"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent: DesktopLayer.exe
  User: admin | Integrity level: HIGH | Exit code: 0
  Company: Microsoft Corporation | Description: Internet Explorer | Version: 8.00.7600.16385 (win7_rtm.090713-1255)
  This Internet Explorer instance was started by DesktopLayer.exe at HIGH integrity, wrote dmlconf.dat into its own program directory and changed the login/logoff helper path (see the indicators above); none of that is normal browser behaviour, so the browser process is acting for the dropped code.

Only the first ten of the 39 monitored processes are listed on this page.
Events: total 2 319 | read 1 986 | write 0 | delete 0
Modification events: no data

File counts: executable 35 | suspicious 4 | text 20 | unknown types 6

Dropped files (PID | process | path | type, followed by hashes where the report lists them)

3008 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3008.29236\带毒暴风激活\暴风激活工具V17.0.exe | (type and hashes not listed)
3008 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3008.29236\带毒暴风激活\¦+¦ª.exe | (type and hashes not listed)
3008 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3008.29236\带毒暴风激活\¦+¦+.exe | (type and hashes not listed)
4064 | iexplore.exe | C:\Program Files\Internet Explorer\dmlconf.dat | binary
  MD5: 326A6A047A53851BD9173FC64FAD73FA
  SHA256: 02E2E1CF9C39C685FBFD362472138F82D7F72B82E4796094CD3A4246E775FA58
3424 | FavriteAdd.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Bookmarks | text
  MD5: 34566C46376D079D27B12EEA85CEEBAA
  SHA256: 250642DC7E73AD9672BC101A36070DA0146D95C3F7C77339CBF0743DCB5519FB
3084 | 暴风激活工具V17.0.exe | C:\Users\admin\AppData\Local\Temp\ghijklmnopqrstuvwxyz1227Favrite.exe | executable
  MD5: 7056FE9E72CA2C0BDA7A9CD3D31F957A
  SHA256: 8107FD89F68F296ED7B6E1C9EAF0DE8CB7FD30C26C326AF3ABA9181A13E84564
3084 | 暴风激活工具V17.0.exe | C:\Users\admin\AppData\Local\Temp\lmnopqrstuvwxyz1.exe | executable
  MD5: CEBBB6981127ADFE289B7F1590EB3A86
  SHA256: 95814D21A4E481E90EF386095CA88684CE69EF6B844D8D4C47E1F90F2D3903D4
3008 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3008.29236\带毒暴风激活\QGrX1Y9Ksx.sys | executable
  MD5: 92E55907BB25B02522FBAFD21B683D98
  SHA256: D87A67CF824DC6C073AF4928563944308722470D663A283DF4E73901CFF21760
3084 | 暴风激活工具V17.0.exe | C:\Users\admin\AppData\Local\Temp\vwxyz73351a00c84c94d3.exe | executable
  MD5: DAFCF4141772AA93371798BEC1C60A28
  SHA256: AC8C2D9FBE06DA7D399B6A04B45A00692ADB08D5044C4D776F8C5237F3085FED
3008 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3008.29236\带毒暴风激活\InstallDeleteFile.exe | executable
  MD5: 705D68F498D5F31C921B1133ACD0ECAF
  SHA256: F360CE7A7952092789EB40B416EA07F63D224A98834743AB04BCB57BB35D7819
Network summary: HTTP(S) requests 4 | TCP/UDP connections 4 | DNS requests 31 | Threats 0 (the summary counter reads 0, but two ET alerts are listed under Threats below)

HTTP requests (PID | process | method | HTTP code | IP | URL | CN | type | size | reputation)

2680 | lmnopqrstuvwxyz1.exe | GET | | 42.180.125.194:80 | http://down.win11xz.cn/hp0409.exe | CN | | | suspicious
2504 | 激活工具2.exe | POST | | 119.23.216.188:80 | http://report.win10999.com/reportStatistics/ | CN | | | malicious
2504 | 激活工具2.exe | GET | 200 | 103.235.46.39:80 | http://www.baidu.com/s?ie=utf-8&wd=ip | HK | html | 416 Kb | whitelisted
3968 | vwxyz73351a00c84c94d3.exe | POST | | 61.135.186.213:80 | http://dr.toolbar.baidu.com/ | CN | | | unknown

Only the Baidu request received a recorded response. Searching Baidu for "ip" (wd=ip) returns the requester's public address, so the whitelisted www.baidu.com hit is an external-IP check by 激活工具2.exe rather than browsing. The hp0409.exe GET is an attempt to fetch a further executable (the two ET alerts below are attributed to the same PID 2680), and report.win10999.com receives a POST of statistics.

Connections (PID | process | IP:port | domain | ASN | CN | reputation)

2504 | 激活工具2.exe | 119.23.216.188:80 | report.win10999.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious
2680 | lmnopqrstuvwxyz1.exe | 42.180.125.194:80 | down.win11xz.cn | CHINA UNICOM China169 Backbone | CN | suspicious
2504 | 激活工具2.exe | 103.235.46.39:80 | www.baidu.com | Beijing Baidu Netcom Science and Technology Co., Ltd. | HK | unknown
3968 | vwxyz73351a00c84c94d3.exe | 61.135.186.213:80 | dr.toolbar.baidu.com | China Unicom Beijing Province Network | CN | unknown

DNS requests (domain | IP | reputation)

down.win11xz.cn | 42.180.125.194 | suspicious
dr.toolbar.baidu.com | 61.135.186.213 | unknown
www.baidu.com | 103.235.46.39 | whitelisted
dr.addressbar.baidu.com | 61.135.186.213 | unknown
dns.msftncsi.com | 131.107.255.255 | shared (the Windows Network Connectivity Status Indicator probe, not sample activity)
report.win10999.com | 119.23.216.188 | malicious

The summary counts 31 DNS requests; only the six resolved names are listed on this page.

Threats (PID | process | class | message)

2680 | lmnopqrstuvwxyz1.exe | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016
2680 | lmnopqrstuvwxyz1.exe | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL

One additional ETPRO signature is available in the full report.
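The network tables above give domains, IPs and URLs with ANY.RUN reputations, and the dropped-files table gives SHA-256 hashes; together they are the IOCs a defender would sweep logs and disks for. The script below is an added example, not part of the report: it carries those values verbatim and runs them over constructed proxy-style records (the record layout with process, dst_ip, url and domain fields is an assumption about what a proxy or EDR export looks like). It treats the whitelisted www.baidu.com request differently from the rest: the host is benign, so the detection keys on the "wd=ip" search issued by a non-browser process, which is how the sample learned its public address.

```python
"""Match the network and file IOCs from this report against log records.

Added example, not part of the ANY.RUN report. IOC values and reputations
are copied from the report's tables; the records in SAMPLE_RECORDS and their
field layout are constructed for illustration.
"""
from urllib.parse import urlsplit

DOMAIN_IOCS = {
    "report.win10999.com": "malicious",
    "down.win11xz.cn": "suspicious",
    "dr.toolbar.baidu.com": "unknown",
    "dr.addressbar.baidu.com": "unknown",
}
IP_IOCS = {
    "119.23.216.188": "malicious",
    "42.180.125.194": "suspicious",
    "61.135.186.213": "unknown",
}
URL_IOCS = {
    "http://down.win11xz.cn/hp0409.exe": "suspicious",
    "http://report.win10999.com/reportStatistics/": "malicious",
    "http://dr.toolbar.baidu.com/": "unknown",
}
# www.baidu.com is whitelisted; the sample searched it for "ip" to learn its
# public address. Match the behaviour (that search from a non-browser), not the host.
EXTERNAL_IP_CHECKS = {("www.baidu.com", "/s", "wd=ip")}
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}

SHA256_IOCS = {  # lower-cased digest -> file name from the report
    "d5b2028332cfa7c6abd45dcc02310443c9ada7ff61fb8c9bede910892e55dfd6": "带毒暴风激活.zip",
    "8107fd89f68f296ed7b6e1c9eaf0de8cb7fd30c26c326af3aba9181a13e84564": "ghijklmnopqrstuvwxyz1227Favrite.exe",
    "95814d21a4e481e90ef386095ca88684ce69ef6b844d8d4c47e1f90f2d3903d4": "lmnopqrstuvwxyz1.exe",
    "d87a67cf824dc6c073af4928563944308722470d663a283df4e73901cff21760": "QGrX1Y9Ksx.sys",
    "ac8c2d9fbe06da7d399b6a04b45a00692adb08d5044c4d776f8c5237f3085fed": "vwxyz73351a00c84c94d3.exe",
    "f360ce7a7952092789eb40b416ea07f63d224a98834743ab04bcb57bb35d7819": "InstallDeleteFile.exe",
    "02e2e1cf9c39c685fbfd362472138f82d7f72b82e4796094cd3a4246e775fa58": "dmlconf.dat",
}
SEVERITY = {"malicious": 3, "suspicious": 2, "unknown": 1}


def classify_request(record: dict) -> list:
    """Return (reason, reputation) pairs for one record."""
    hits = []
    url = record.get("url")
    parts = urlsplit(url) if url else None
    host = (record.get("domain") or (parts.hostname if parts else None) or "").lower()
    if url in URL_IOCS:
        hits.append(("url", URL_IOCS[url]))
    if host in DOMAIN_IOCS:
        hits.append(("domain", DOMAIN_IOCS[host]))
    if record.get("dst_ip") in IP_IOCS:
        hits.append(("ip", IP_IOCS[record["dst_ip"]]))
    if parts is not None and record.get("process", "").lower() not in BROWSERS:
        for check_host, path, query_param in EXTERNAL_IP_CHECKS:
            if host == check_host and parts.path == path and query_param in parts.query.split("&"):
                hits.append(("external-ip-check-from-non-browser", "suspicious"))
    return hits


def verdict(hits: list) -> str:
    """Worst reputation among the hits, or 'clean' when there are none."""
    return max((rep for _, rep in hits), key=lambda r: SEVERITY.get(r, 0), default="clean")


def scan(records: list) -> list:
    out = []
    for rec in records:
        hits = classify_request(rec)
        out.append({"process": rec.get("process"),
                    "target": rec.get("url") or rec.get("domain") or rec.get("dst_ip"),
                    "verdict": verdict(hits), "hits": hits})
    return out


def match_hashes(observed: dict) -> dict:
    """observed: {path: sha256 hex}. Returns {path: report file name} for known digests."""
    return {path: SHA256_IOCS[digest.lower()]
            for path, digest in observed.items() if digest.lower() in SHA256_IOCS}


SAMPLE_RECORDS = [  # constructed: the report's HTTP table plus two benign records
    {"process": "lmnopqrstuvwxyz1.exe", "dst_ip": "42.180.125.194", "url": "http://down.win11xz.cn/hp0409.exe"},
    {"process": "激活工具2.exe", "dst_ip": "119.23.216.188", "url": "http://report.win10999.com/reportStatistics/"},
    {"process": "激活工具2.exe", "dst_ip": "103.235.46.39", "url": "http://www.baidu.com/s?ie=utf-8&wd=ip"},
    {"process": "chrome.exe", "dst_ip": "103.235.46.39", "url": "http://www.baidu.com/s?ie=utf-8&wd=ip"},
    {"process": "svchost.exe", "dst_ip": "131.107.255.255", "domain": "dns.msftncsi.com"},
]

if __name__ == "__main__":
    for row in scan(SAMPLE_RECORDS):
        print(f"{row['verdict']:10} {row['process']:26} {row['target']}  {row['hits']}")
```

The "unknown"-reputation Baidu toolbar hosts are kept in the sets but ranked lowest, so a hit on them alone never outranks the report.win10999.com beacon; the hash check is the part to run over a file inventory, since several of the dropped executables carry random-looking names that will differ per victim while the content hashes will not.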
No debug info