analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

setup_FYunZip.exe

Full analysis: https://app.any.run/tasks/e273acf5-59bb-4aad-8d5d-c40498b53b72
Verdict: Malicious activity
Analysis date: July 02, 2019, 13:12:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7837F101FD4BBC3DACBEAC7717F7F999

SHA1:

3B6E5D6FAAF9A41B363D6A0559F3ED196D285D95

SHA256:

D94F55F0C15D14D1706205A043EF9515C9A11ECFDE374A43953BF65A4B689C55

SSDEEP:

196608:qmzj6KlMgimOWQ7cJsdYF9htgIpUNoucBC2y/w+KenpByM0A4rn0D0ys48:qBgimOv7cJsdY9KcBC9qrn0D0n48

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Slctk.exe (PID: 1940)
      • Host.exe (PID: 2624)
      • Kit.exe (PID: 3808)
      • Service.exe (PID: 2732)
      • Zip.exe (PID: 236)
      • Slctk.exe (PID: 3164)
      • TimeHelp.exe (PID: 1820)
      • FM.exe (PID: 320)
      • Slctk.exe (PID: 2924)
      • Slctk.exe (PID: 1908)
    • Loads dropped or rewritten executable

      • Kit.exe (PID: 3808)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • setup_FYunZip.exe (PID: 1868)
    • Uses TASKKILL.EXE to kill process

      • setup_FYunZip.exe (PID: 1868)
    • Creates files in the program directory

      • setup_FYunZip.exe (PID: 1868)
  • INFO

    • Manual execution by user

      • explorer.exe (PID: 3380)
      • Host.exe (PID: 2624)
      • Kit.exe (PID: 3808)
      • NOTEPAD.EXE (PID: 184)
      • Service.exe (PID: 2732)
      • Zip.exe (PID: 236)
      • Slctk.exe (PID: 3164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (21.4)
.exe | Win64 Executable (generic) (14.2)
.exe | Win32 Executable (generic) (2.3)
.exe | Generic Win/DOS Executable (1)

EXIF

EXE

ProductVersion: 1,0,8,19625
ProductName: 风云压缩
OriginalFileName: Install.exe
LegalCopyright: Copyright (C) 2019
InternalName: 风云压缩
FileVersion: 1.0.8.19625
FileDescription: 风云压缩
CompanyName: 浙江自贸区耀光网络科技有限公司
CharacterSet: Unicode
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0017
ProductVersionNumber: 1.0.8.19625
FileVersionNumber: 1.0.8.19625
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x4389d
UninitializedDataSize: -
InitializedDataSize: 7682048
CodeSize: 1577984
LinkerVersion: 14
PEType: PE32
TimeStamp: 2019:06:25 15:46:23+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 25-Jun-2019 13:46:23
Detected languages:
  • Chinese - PRC
  • English - United States
Debug artifacts:
  • E:\svn\YaSuo\ChengXu\Tags\fytag_1.0.8.19625\Bundles\FYunZip\Temp\Release\Install.pdb
CompanyName: 浙江自贸区耀光网络科技有限公司
FileDescription: 风云压缩
FileVersion: 1.0.8.19625
InternalName: 风云压缩
LegalCopyright: Copyright (C) 2019
OriginalFilename: Install.exe
ProductName: 风云压缩
ProductVersion: 1,0,8,19625

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000138

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 25-Jun-2019 13:46:23
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00181223
0x00181400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.63791
.rdata
0x00183000
0x00068AC4
0x00068C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.65602
.data
0x001EC000
0x000124CC
0x0000B400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.22463
.gfids
0x001FF000
0x000001B4
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.50573
.tls
0x00200000
0x00000009
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.0203931
.rsrc
0x00201000
0x006CA960
0x006CAA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.9707
.reloc
0x008CC000
0x000148D4
0x00014A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.57546

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.41141
1260
Latin 1 / Western European
English - United States
RT_MANIFEST
2
5.99013
67624
Latin 1 / Western European
Chinese - PRC
RT_ICON
3
6.16355
38056
Latin 1 / Western European
Chinese - PRC
RT_ICON
4
6.1269
21640
Latin 1 / Western European
Chinese - PRC
RT_ICON
5
5.96956
16936
Latin 1 / Western European
Chinese - PRC
RT_ICON
6
6.08982
9640
Latin 1 / Western European
Chinese - PRC
RT_ICON
7
5.92339
4264
Latin 1 / Western European
Chinese - PRC
RT_ICON
8
5.83767
1128
Latin 1 / Western European
Chinese - PRC
RT_ICON
101
2.94794
118
Latin 1 / Western European
Chinese - PRC
RT_GROUP_ICON
SKINDATA
7.99403
335562
Latin 1 / Western European
Chinese - PRC
ZIPRES

Imports

ADVAPI32.dll
COMCTL32.dll
CRYPT32.dll
GDI32.dll
IMM32.dll
IPHLPAPI.DLL
KERNEL32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
65
Monitored processes
19
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start setup_fyunzip.exe no specs setup_fyunzip.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs explorer.exe no specs slctk.exe notepad.exe no specs host.exe no specs kit.exe no specs service.exe no specs slctk.exe no specs zip.exe no specs timehelp.exe no specs slctk.exe no specs slctk.exe no specs fm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2296"C:\Users\admin\AppData\Local\Temp\setup_FYunZip.exe" C:\Users\admin\AppData\Local\Temp\setup_FYunZip.exeexplorer.exe
User:
admin
Company:
浙江自贸区耀光网络科技有限公司
Integrity Level:
MEDIUM
Description:
风云压缩
Exit code:
3221226540
Version:
1.0.8.19625
1868"C:\Users\admin\AppData\Local\Temp\setup_FYunZip.exe" C:\Users\admin\AppData\Local\Temp\setup_FYunZip.exe
explorer.exe
User:
admin
Company:
浙江自贸区耀光网络科技有限公司
Integrity Level:
HIGH
Description:
风云压缩
Version:
1.0.8.19625
2980taskkill /f /im Config.exeC:\Windows\system32\taskkill.exesetup_FYunZip.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2276taskkill /f /im Service.exeC:\Windows\system32\taskkill.exesetup_FYunZip.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2400taskkill /f /im Kit.exeC:\Windows\system32\taskkill.exesetup_FYunZip.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1716taskkill /f /im Slctk.exeC:\Windows\system32\taskkill.exesetup_FYunZip.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2312taskkill /f /im Uninst.exeC:\Windows\system32\taskkill.exesetup_FYunZip.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3380"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1940"C:\Program Files\FYunZip\Slctk.exe" SpdOp --NewQID fyunzip****** --Silent falseC:\Program Files\FYunZip\Slctk.exe
setup_FYunZip.exe
User:
admin
Company:
浙江自贸区耀光网络科技有限公司
Integrity Level:
HIGH
Description:
风云压缩
Version:
1.0.8.19625
184"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\FYunZip\FYunZip.iniC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
109
Read events
91
Write events
0
Delete events
0

Modification events

No data
Executable files
19
Suspicious files
1
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
1868setup_FYunZip.exeC:\Users\admin\AppData\Local\Temp\FYunZip-31604-7zData.7z
MD5:
SHA256:
1868setup_FYunZip.exeC:\Program Files\FYunZip\Lang\zh-cn.txttext
MD5:F651D44C7EDD6A12F09FDFCE81F75516
SHA256:0A4C2424D9349091E8B97FDDFABBBD6C633CE4B9E12DEE35EB61FF8106B41E37
1868setup_FYunZip.exeC:\Program Files\FYunZip\FYunZip.initext
MD5:22BB6101C692AB5B3E1D8321EACF6F5B
SHA256:A29E995CB3564BC1E6AD2E0B37977F4F3F9BC56447DDEA9688B6C8A75595E95D
1868setup_FYunZip.exeC:\Users\admin\AppData\LocalLow\FYunZip\CfgPath\SyHj.srctext
MD5:C73743F9B266A8892828011C86F853EC
SHA256:D83F5A964F42F7D4F5EEDBE344780D1D73C22F383F2E6A4D94FC7FF484ADDB33
1868setup_FYunZip.exeC:\Program Files\Common Files\FYunZip\FYunZip.initext
MD5:6D86F106E05339D95B6D0FBB34EE590F
SHA256:BB2ABA1AF6DD9E75F6AB3F359D2116AD0A76643323CC62D80E5909E0251FC0CF
1868setup_FYunZip.exeC:\Program Files\FYunZip\Setting\AlgorithmConfig.xmlxml
MD5:D3517B07CFF8652912B5DBD5B10C22AB
SHA256:2634C31C0AB0717E8A40FA62F9538A57BCB1065F5A65B44BF07F76A2138F7F62
1868setup_FYunZip.exeC:\Program Files\FYunZip\Host.exeexecutable
MD5:84A7F0054F049D960668D792AEB08D45
SHA256:E22EB308441C04CFE0CFCDB38F48C008BBD6E203C879DDE558E8D33252AE7C5C
1868setup_FYunZip.exeC:\Program Files\FYunZip\Setting\FilterConfig.xmlxml
MD5:47B7A11DF71A074AE38BC52DA976401F
SHA256:5645B2234B8BF80D6568661D49497E1FE3D6F976580F7C8399DBE04469DCDC6E
1868setup_FYunZip.exeC:\Program Files\FYunZip\Kit.exeexecutable
MD5:EE34CB8B50F3DE999DAFA0A332620CE0
SHA256:FD9C3B6123AF69DDAD216B6648B6F68A15257A9751654104CB2BC2D2891F4BAD
1868setup_FYunZip.exeC:\Program Files\FYunZip\Reg.exeexecutable
MD5:DABD2E2647040E21ADDEB36F12691316
SHA256:D97F39863FE2246689CD9F0FADCFA1B97648A2B0C5E3127B70C404A8F493BF43
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1940
Slctk.exe
GET
112.124.193.155:80
http://sc.yaoguangsoft.cn/tm.php
CN
malicious
1868
setup_FYunZip.exe
GET
112.124.193.155:80
http://sc.yaoguangsoft.cn/tm.php
CN
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1868
setup_FYunZip.exe
112.124.193.155:80
sc.yaoguangsoft.cn
Hangzhou Alibaba Advertising Co.,Ltd.
CN
malicious
1940
Slctk.exe
112.124.193.155:80
sc.yaoguangsoft.cn
Hangzhou Alibaba Advertising Co.,Ltd.
CN
malicious

DNS requests

Domain
IP
Reputation
sc.yaoguangsoft.cn
  • 112.124.193.155
malicious

Threats

No threats detected
No debug info