File name: SAMPLE.zip
Full analysis: https://app.any.run/tasks/d02c6fab-b866-4b30-8567-01214da2f36c
Verdict: Malicious activity
Analysis date: July 11, 2019, 20:50:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware, pup
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: A5942CE6165E7F6FDC34FD3D75CC7F84
SHA1: 1874AAF88B7591D092328E3095070C449C88EFDF
SHA256: D84D470453CDE79F2DC9FB7F0242F0019E72DBC5C24492CD552855A0B95EEF4C
SSDEEP: 24576:G9VMZZHiPhu/uPfW9Xb+Y651w6BzlJJrcgsOI6cldYIyXyZP:6V2iZu/uXW2GCBjrcNOJZI6yZP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • mail.exe (PID: 3404)
      • mail.exe (PID: 3772)
      • na_runner.exe (PID: 1468)
      • MailRuUpdater.exe (PID: 1312)
      • MailRuUpdater.exe (PID: 2972)
      • 768b-df4b-a225-e7e2 (PID: 2828)
      • mrupdsrv.exe (PID: 3800)
      • MailRuUpdater.exe (PID: 2360)
      • MailRuUpdater.exe (PID: 2464)
      • MailRuUpdater.exe (PID: 1916)
      • MailRuUpdater.exe (PID: 1636)
      • MailRuUpdater.exe (PID: 3400)
    • Changes the autorun value in the registry

      • mail.exe (PID: 3404)
      • na_runner.exe (PID: 1468)
      • MailRuUpdater.exe (PID: 2360)
    • MAILRU was detected

      • mail.exe (PID: 3404)
      • MailRuUpdater.exe (PID: 2972)
    • Loads the Task Scheduler COM API

      • na_runner.exe (PID: 1468)
      • MailRuUpdater.exe (PID: 2360)
    • Connects to CnC server

      • mail.exe (PID: 3404)
      • MailRuUpdater.exe (PID: 2972)
    • Disables Windows Defender

      • mail.exe (PID: 3404)
    • Changes Windows auto-update feature

      • mail.exe (PID: 3404)
    • Registers / Runs the DLL via REGSVR32.EXE

      • mail.exe (PID: 3404)
    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 2264)
  • SUSPICIOUS

    • Reads the cookies of Google Chrome

      • mail.exe (PID: 3404)
    • Application launched itself

      • mail.exe (PID: 3772)
    • Reads the cookies of Mozilla Firefox

      • mail.exe (PID: 3404)
    • Creates files in the program directory

      • mail.exe (PID: 3404)
      • na_runner.exe (PID: 1468)
      • MailRuUpdater.exe (PID: 1312)
      • 768b-df4b-a225-e7e2 (PID: 2828)
    • Creates files in the user directory

      • mail.exe (PID: 3404)
      • MailRuUpdater.exe (PID: 1312)
    • Starts itself from another location

      • na_runner.exe (PID: 1468)
      • MailRuUpdater.exe (PID: 2360)
    • Executed as Windows Service

      • MailRuUpdater.exe (PID: 2972)
      • mrupdsrv.exe (PID: 3800)
      • MailRuUpdater.exe (PID: 2464)
      • MailRuUpdater.exe (PID: 1636)
    • Executable content was dropped or overwritten

      • mail.exe (PID: 3404)
      • na_runner.exe (PID: 1468)
      • MailRuUpdater.exe (PID: 2972)
      • 768b-df4b-a225-e7e2 (PID: 2828)
      • regsvr32.exe (PID: 2264)
      • MailRuUpdater.exe (PID: 1312)
      • MailRuUpdater.exe (PID: 1916)
      • MailRuUpdater.exe (PID: 2360)
    • Creates a software uninstall entry

      • na_runner.exe (PID: 1468)
      • MailRuUpdater.exe (PID: 2360)
    • Creates files in the Windows directory

      • MailRuUpdater.exe (PID: 2972)
      • mail.exe (PID: 3404)
      • mrupdsrv.exe (PID: 3800)
    • Starts application with an unusual extension

      • MailRuUpdater.exe (PID: 2972)
    • Removes files from Windows directory

      • MailRuUpdater.exe (PID: 2972)
      • MailRuUpdater.exe (PID: 1916)
      • MailRuUpdater.exe (PID: 1636)
    • Changes the started page of IE

      • mail.exe (PID: 3404)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 2264)
  • INFO

    • Manual execution by user

      • mail.exe (PID: 3772)
    • Reads settings of System Certificates

      • MailRuUpdater.exe (PID: 1312)
      • MailRuUpdater.exe (PID: 3400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 25ceeaed228c2d7c08bad41362ad6619c243324ad8a0e05c75d3672e96373bed.bin
ZipUncompressedSize: 2113312
ZipCompressedSize: 1072075
ZipCRC: 0x0845c3e2
ZipModifyDate: 2019:07:11 20:50:12
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
All screenshots are available in the full report
Total processes: 55
Monitored processes: 14
Malicious processes: 6
Suspicious processes: 4

Behavior graph

[Graph image not included in this extract. Nodes shown in the graph, in order: winrar.exe (no specs), mail.exe (no specs), mail.exe (tagged #MAILRU), na_runner.exe, mailruupdater.exe, mailruupdater.exe (tagged #MAILRU), 768b-df4b-a225-e7e2, mrupdsrv.exe, regsvr32.exe, and five further mailruupdater.exe nodes. Edges are labelled "start" or "drop and start"; parent/child relations are listed in the process table below.]

Process information

Columns: PID | CMD | Path | Parent process (the Indicators column is icon-only and did not survive extraction; per-process details follow each row).

2708 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SAMPLE.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe
    User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Version: 5.60.0

3772 | "C:\Users\admin\Desktop\mail.exe" | C:\Users\admin\Desktop\mail.exe | explorer.exe
    User: admin | Integrity Level: MEDIUM | Description: sputnik | Exit code: 0 | Version: 5.1.0.194

3404 | "C:\Users\admin\Desktop\mail.exe" --elevation | C:\Users\admin\Desktop\mail.exe | mail.exe
    User: admin | Integrity Level: HIGH | Description: sputnik | Exit code: 3221225547 | Version: 5.1.0.194

1468 | "C:\Users\admin\AppData\Local\Temp\3c61-94c9-4d98-ebcb\na_runner.exe" --install | C:\Users\admin\AppData\Local\Temp\3c61-94c9-4d98-ebcb\na_runner.exe | mail.exe
    User: admin | Company: Mail.Ru | Integrity Level: HIGH | Description: Mail.Ru updater | Exit code: 0 | Version: 5.0.0.176

1312 | "C:\Users\admin\AppData\Local\Mail.Ru\MailRuUpdater.exe" | C:\Users\admin\AppData\Local\Mail.Ru\MailRuUpdater.exe | na_runner.exe
    User: admin | Company: Mail.Ru | Integrity Level: HIGH | Description: Mail.Ru updater | Exit code: 0 | Version: 5.0.0.176

2972 | "C:\Program Files\Mail.Ru\MailRuUpdater\MailRuUpdater.exe" --s | C:\Program Files\Mail.Ru\MailRuUpdater\MailRuUpdater.exe | services.exe
    User: SYSTEM | Company: Mail.Ru | Integrity Level: SYSTEM | Description: Mail.Ru updater | Exit code: 0 | Version: 5.0.0.176

2828 | "C:\Windows\TEMP\768b-df4b-a225-e7e2" --install | C:\Windows\TEMP\768b-df4b-a225-e7e2 | MailRuUpdater.exe
    User: SYSTEM | Company: Mail.Ru | Integrity Level: SYSTEM | Description: Mail.Ru Update Service | Exit code: 0 | Version: 3.12.0.10

3800 | "C:\Program Files\Mail.Ru\Update Service\mrupdsrv.exe" --s | C:\Program Files\Mail.Ru\Update Service\mrupdsrv.exe | services.exe
    User: SYSTEM | Company: Mail.Ru | Integrity Level: SYSTEM | Description: Mail.Ru Update Service | Version: 3.12.0.10

2264 | "C:\Windows\System32\regsvr32.exe" /s "C:\Users\admin\AppData\Local\Mail.Ru\Sputnik\ie_addon_dll.dll" | C:\Windows\System32\regsvr32.exe | mail.exe
    User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Microsoft(C) Register Server | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

2360 | "C:\Users\admin\AppData\Local\Mail.Ru\MailRuUpdater\us\2d0cd78004_d\MailRuUpdater.exe" --update-installation | C:\Users\admin\AppData\Local\Mail.Ru\MailRuUpdater\us\2d0cd78004_d\MailRuUpdater.exe | MailRuUpdater.exe
    User: admin | Company: Mail.Ru | Integrity Level: HIGH | Description: Mail.Ru updater | Exit code: 0 | Version: 5.1.0.195
Total events: 2 077
Read events: 1 212
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 17
Suspicious files: 27
Text files: 79
Unknown types: 7

Dropped files

Columns: PID | Process | Filename | Type (hashes listed where the report provides them)

2708 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2708.26925\25ceeaed228c2d7c08bad41362ad6619c243324ad8a0e05c75d3672e96373bed.bin | (no type or hashes listed)
3404 | mail.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | (no type or hashes listed)
3404 | mail.exe | C:\Users\admin\AppData\Local\Temp\674a-9a46-5cb2-d294\MailRu.ico | (no type or hashes listed)
3404 | mail.exe | C:\Users\admin\AppData\Local\Temp\b8ff-9d61-a866-e1d4\GoMailRu.ico | (no type or hashes listed)
3404 | mail.exe | C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mail.Ru.lnk | lnk
    MD5: 2D5E9A5F28DBE2648229312808B40463
    SHA256: 7261322C0AFCC6E91F52D0D8CFBE4796DED242933BDDCB93E85AEFD5BE502794
3404 | mail.exe | C:\Users\admin\AppData\Local\Mail.Ru\Tmp\DeferredTasks\{EBAF811D-2741-4124-B970-47137A88CE46}_c | binary
    MD5: 3E5052D5235B022C9F4919A4C3ABFC83
    SHA256: E32FB994B214DF53099FAC1605720F64FC2CBEC75D2AB877B26150CA49DC4450
3404 | mail.exe | C:\Users\admin\AppData\Local\Mail.Ru\Sputnik\GoMailRu.ico | image
    MD5: ED62B573B9FF118E3EC726D78C5A099F
    SHA256: D8AE22194708322B6CA7C8F5686C85D41EAF847A804657ADEEF6ABCAB74B3270
3404 | mail.exe | C:\Users\admin\Favorites\Искать в Интернете.url | text
    MD5: EB08378217B4A9D27F46FA00527D778B
    SHA256: B0C3586271724BE93C4BA4AF3D9A7DF05462F76B603DD7EF7E5BA4448BB7C244
3404 | mail.exe | C:\Users\admin\Desktop\Искать в Интернете.url | text
    MD5: EAA4AE3F04FD33F17CA945431D639099
    SHA256: 8C1F09710F5AA6E6A82433F12FE1854C2E64A9A07ED9D5F32E1DB8AE43ACC202
3404 | mail.exe | C:\ProgramData\Mail.Ru\Id | text
    MD5: 3F629FC77512AAC17B0378ED30E43FCB
    SHA256: 7A412C6F91EEA6BA5B8125BD6E7BC250FABEA925F6679782CE382E5B9AE79E90
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 48
TCP/UDP connections: 77
DNS requests: 14
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty for every row)

3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=spparams&raw=--elevation&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=7&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | suspicious
3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=install&bgn=1&standalone=1&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=7&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | suspicious
3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_mailru&event=done&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=2&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | suspicious
3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_gomailru&event=done&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=2&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | suspicious
3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=fav_gomailru&event=done&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=2&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | suspicious
3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=taskbar_mailru&event=done&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=2&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | suspicious
3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=spnative_load&id=mrupdater&event=done&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=14&elapsed_time=14&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | suspicious
1468 | na_runner.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=mru_install&ovr=0&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=5&elapsed_time=0&mr_service=0&os=win6.1&install_id=%7B91B7B558-A0A9-4458-8233-76AA3D25226A%7D&GUID=%7B91B7B558-A0A9-4458-8233-76AA3D25226A%7D&tool=mrupdater | RU | suspicious
3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=desktop_mailru&event=done&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=2&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | suspicious
2972 | MailRuUpdater.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=mru_online_service&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3583&tool_mem=5&elapsed_time=0&mr_service=1&os=win6.1&install_id=%7B91B7B558-A0A9-4458-8233-76AA3D25226A%7D&GUID=%7B91B7B558-A0A9-4458-8233-76AA3D25226A%7D&tool=mrupdater | RU | suspicious

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

3404 | mail.exe | 217.69.139.245:443 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious
3404 | mail.exe | 217.69.139.247:443 | xmlbinupdate.mail.ru | Limited liability company Mail.Ru | RU | malicious
3404 | mail.exe | 217.69.139.110:443 | xtnmailru.cdnmail.ru | Limited liability company Mail.Ru | RU | malicious
3404 | mail.exe | 217.69.139.122:443 | conserv.go.mail.ru | Limited liability company Mail.Ru | RU | unknown
3404 | mail.exe | 217.69.139.245:80 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious
3404 | mail.exe | 94.100.180.110:443 | mailruupdater.cdnmail.ru | Limited liability company Mail.Ru | RU | suspicious
1312 | MailRuUpdater.exe | 217.69.139.245:80 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious
1468 | na_runner.exe | 217.69.139.245:80 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious
1312 | MailRuUpdater.exe | 217.69.139.245:443 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious
1312 | MailRuUpdater.exe | 217.69.139.247:443 | xmlbinupdate.mail.ru | Limited liability company Mail.Ru | RU | malicious

DNS requests

Columns: Domain | IP | Reputation

xmlbinupdate.mail.ru | 217.69.139.247 | shared
conserv.go.mail.ru | 217.69.139.122 | unknown
mrds.mail.ru | 217.69.139.245 | suspicious
mailruupdater.cdnmail.ru | 94.100.180.110 | unknown
xtnmailru.cdnmail.ru | 217.69.139.110 | unknown
binupdate.mail.ru | 217.69.139.245 | shared
gosoftdl.mail.ru | 217.69.139.110 | shared
xml.binupdate.mail.ru | 217.69.139.247 | shared

Threats

Columns: PID | Process | Class | Message

3800 | mrupdsrv.exe | Misc activity | ADWARE [PTsecurity] Win32/MailRuSputnik.ru Agent PUA
3800 | mrupdsrv.exe | Misc activity | ADWARE [PTsecurity] Win32/MailRuSputnik.ru Agent PUA
14 ETPRO signatures available at the full report
Debug output

Columns: Process | Message

MailRuUpdater.exe | RunAsService: Entry
MailRuUpdater.exe | Updater.Mail.Ru: SERVICE_CONTROL_STOP
MailRuUpdater.exe | switches::kUpdateService run to update
MailRuUpdater.exe | Service::Update update operation is proceed
MailRuUpdater.exe | RunAsService: Exit
MailRuUpdater.exe | Service::StopService done
MailRuUpdater.exe | Service::CopyMeTo program files done
MailRuUpdater.exe | RunAsService: Entry
MailRuUpdater.exe | Service::StartService done
MailRuUpdater.exe | Updater.Mail.Ru: SERVICE_CONTROL_STOP