File name: W32.CodeRed.Worm.C.zip

Full analysis: https://app.any.run/tasks/0af1faaa-03f4-4a91-bf4f-b2bbec0ef467
Verdict: Malicious activity
Analysis date: February 08, 2022, 10:57:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 48957F52B0AE0505FD529727C724A65B
SHA1: 508D1E38089893D3E14640D01AA4D88E14634810
SHA256: D9CC91B4FD61349877A38793FF4633BE0D7DBD1BB820AE38FEF905184282F355
SSDEEP: 12288:Xy5qOW9Wacj4dEKMOJ4RKGW+egZXfFK4vIpcqpRnZ:JF9ujnK74Y7rgfZvpqpRnZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Q300972I.EXE (PID: 1252)
      • hotfix.exe (PID: 2956)
      • Q30097~1.EXE (PID: 3824)
      • hotfix.exe (PID: 2620)
    • Drops executable file immediately after starts
      • Q300972I.EXE (PID: 1252)
      • Q30097~1.EXE (PID: 3824)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3728)
      • Q300972I.EXE (PID: 1252)
      • Q30097~1.EXE (PID: 3824)
    • Checks supported languages
      • WinRAR.exe (PID: 3728)
      • Q300972I.EXE (PID: 1252)
      • Q30097~1.EXE (PID: 3824)
    • Reads the computer name
      • WinRAR.exe (PID: 3728)
    • Drops a file with too old compile date
      • WinRAR.exe (PID: 3728)
      • Q300972I.EXE (PID: 1252)
      • Q30097~1.EXE (PID: 3824)
    • Drops a file that was compiled in debug mode
      • Q300972I.EXE (PID: 1252)
      • Q30097~1.EXE (PID: 3824)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 3728)
    • Manual execution by user
      • Q300972I.EXE (PID: 1252)
      • Q30097~1.EXE (PID: 3824)
      • rundll32.exe (PID: 2328)
    • Checks supported languages
      • rundll32.exe (PID: 2328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: .DS_Store
ZipUncompressedSize: 6148
ZipCompressedSize: 194
ZipCRC: 0x49a732f0
ZipModifyDate: 2019:01:08 21:16:29
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 1

Behavior graph

(Interactive graph omitted; see the full report. Processes shown in the graph: winrar.exe, q300972i.exe, hotfix.exe, q30097~1.exe, hotfix.exe, rundll32.exe.)

Process information

PID: 1252
CMD: "C:\Users\admin\Desktop\PATCH\NT4\Q300972I.EXE"
Path: C:\Users\admin\Desktop\PATCH\NT4\Q300972I.EXE
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 740

PID: 2328
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\I-Worm.CodeRed.BIN
Path: C:\Windows\system32\rundll32.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2620
CMD: c:\temp\ext11896\hotfix.exe
Path: c:\temp\ext11896\hotfix.exe
Parent process: Q30097~1.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows 2000 Setup Hotfix Utility
Exit code: 3221226540
Version: 5.00.2195.4055

PID: 2956
CMD: c:\temp\ext17442\hotfix.exe
Path: c:\temp\ext17442\hotfix.exe
Parent process: Q300972I.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows NT Setup Hotfix Utility
Exit code: 3221226540
Version: 4.00

PID: 3728
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\W32.CodeRed.Worm.C.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 3824
CMD: "C:\Users\admin\Desktop\PATCH\WINK\Q30097~1.EXE"
Path: C:\Users\admin\Desktop\PATCH\WINK\Q30097~1.EXE
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 740
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 7
Suspicious files: 3
Text files: 2
Unknown types: 6

Dropped files

PID: 3728 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3728.2371\I-Worm.CodeRed.BIN
Type: bs
MD5: 5EDC2375E7ACA69F8C1A8D77C4FFFF18
SHA256: D0A22DC80900DD2F71730150B7647014244EDF7FB5F7F1E90AF078EEF1359196

PID: 3824 | Process: Q30097~1.EXE
Filename: C:\temp\ext11896\sp3.cat
Type: cat
MD5: A15D238CDF326EBE60C3EDAF8B2E3E31
SHA256: DB7EE8BCF4C8A309FDE386291921478A4294265707196E71B25B26CB0DF0A024

PID: 3824 | Process: Q30097~1.EXE
Filename: C:\temp\ext11896\hotfix.exe
Type: executable
MD5: 52736732A272779A095A21E094684138
SHA256: 7F6791CBD6F6C1177B1C028AA46A885E56D3ACBABD019C9921C040FCCE9B0318

PID: 3728 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3728.2371\PATCH\.DS_Store
Type: ds_store
MD5: 9225EA0B05ED07DBD85513086CB0C829
SHA256: 0B507649C10B4F76F98AB66B879F12790164348DE08E916868DFF128EFE5CAC2

PID: 3824 | Process: Q30097~1.EXE
Filename: C:\temp\ext11896\symbols\dll\idq.pdb
Type: pdb
MD5: C97790ADDA0CEBE34DB30D5C99880988
SHA256: 30638DDEBDB747E047D2BE922E784E37698BF9F896F7BDBD6A5F08DA55823CF6

PID: 1252 | Process: Q300972I.EXE
Filename: C:\temp\ext17442\symbols\dll\idq.dbg
Type: binary
MD5: D431F39B7B3DA50CDEDA71B0F534C8D0
SHA256: 41368BBB9DC6D80CFA500D63AF08F63B0FFA98F2763BEE3239D02FF5CA63E1F6

PID: 1252 | Process: Q300972I.EXE
Filename: C:\temp\ext17442\hotfix.inf
Type: ini
MD5: 52692EF5834A62233373E0341B330750
SHA256: 29DFF9EEA5734D8334EE5F0F810F55AED86AD67F47B9940D61F6AB0E7A98F28D

PID: 3824 | Process: Q30097~1.EXE
Filename: C:\temp\ext11896\idq.dll
Type: executable
MD5: 4BEAAED700C332B307B86741C69B15C0
SHA256: 66B346F1152DFE3EAE996AA7C688486F254CEEACBC424FB42298C660783D5558

PID: 1252 | Process: Q300972I.EXE
Filename: C:\temp\ext17442\hotfix.exe
Type: executable
MD5: 9C874267F506CC52B80205E7D7ED28EB
SHA256: DE2AC0953E938FB9E1F7B19253AD5858E9B4B0C41381035AB2F04826E41FC016

PID: 1252 | Process: Q300972I.EXE
Filename: C:\temp\ext17442\idq.dll
Type: executable
MD5: CCDD5B6E0E4D47FA270838BBA6B1AD65
SHA256: 49CE9E82A7246E24B8A2721114067B12101355755F540CA6519EDA5312C745C8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info