File name:

W32.CodeRed.Worm.C.zip

Full analysis: https://app.any.run/tasks/0af1faaa-03f4-4a91-bf4f-b2bbec0ef467
Verdict: Malicious activity
Analysis date: February 08, 2022, 10:57:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

48957F52B0AE0505FD529727C724A65B

SHA1:

508D1E38089893D3E14640D01AA4D88E14634810

SHA256:

D9CC91B4FD61349877A38793FF4633BE0D7DBD1BB820AE38FEF905184282F355

SSDEEP:

12288:Xy5qOW9Wacj4dEKMOJ4RKGW+egZXfFK4vIpcqpRnZ:JF9ujnK74Y7rgfZvpqpRnZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Q300972I.EXE (PID: 1252)
      • hotfix.exe (PID: 2956)
      • Q30097~1.EXE (PID: 3824)
      • hotfix.exe (PID: 2620)
    • Drops executable file immediately after starts

      • Q300972I.EXE (PID: 1252)
      • Q30097~1.EXE (PID: 3824)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 3728)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3728)
      • Q300972I.EXE (PID: 1252)
      • Q30097~1.EXE (PID: 3824)
    • Checks supported languages

      • WinRAR.exe (PID: 3728)
      • Q300972I.EXE (PID: 1252)
      • Q30097~1.EXE (PID: 3824)
    • Drops a file with too old compile date

      • WinRAR.exe (PID: 3728)
      • Q300972I.EXE (PID: 1252)
      • Q30097~1.EXE (PID: 3824)
    • Drops a file that was compiled in debug mode

      • Q300972I.EXE (PID: 1252)
      • Q30097~1.EXE (PID: 3824)
  • INFO

    • Manual execution by user

      • Q300972I.EXE (PID: 1252)
      • rundll32.exe (PID: 2328)
      • Q30097~1.EXE (PID: 3824)
    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 3728)
    • Checks supported languages

      • rundll32.exe (PID: 2328)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: .DS_Store
ZipUncompressedSize: 6148
ZipCompressedSize: 194
ZipCRC: 0x49a732f0
ZipModifyDate: 2019:01:08 21:16:29
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Graph nodes: winrar.exe, q300972i.exe, hotfix.exe (no specs), q30097~1.exe, hotfix.exe (no specs), rundll32.exe (no specs)
Edge labels: start; drop and start

Process information

PID: 1252
CMD: "C:\Users\admin\Desktop\PATCH\NT4\Q300972I.EXE"
Path: C:\Users\admin\Desktop\PATCH\NT4\Q300972I.EXE
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 740

PID: 2328
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\I-Worm.CodeRed.BIN
Path: C:\Windows\system32\rundll32.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2620
CMD: c:\temp\ext11896\hotfix.exe
Path: c:\temp\ext11896\hotfix.exe
Parent process: Q30097~1.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows 2000 Setup Hotfix Utility
Exit code: 3221226540
Version: 5.00.2195.4055

PID: 2956
CMD: c:\temp\ext17442\hotfix.exe
Path: c:\temp\ext17442\hotfix.exe
Parent process: Q300972I.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows NT Setup Hotfix Utility
Exit code: 3221226540
Version: 4.00

PID: 3728
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\W32.CodeRed.Worm.C.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 3824
CMD: "C:\Users\admin\Desktop\PATCH\WINK\Q30097~1.EXE"
Path: C:\Users\admin\Desktop\PATCH\WINK\Q30097~1.EXE
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 740
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 7
Suspicious files: 3
Text files: 2
Unknown types: 6

Dropped files

PID 3824, Q30097~1.EXE: C:\temp\ext11896\sp3.cat (type: cat)
MD5: A15D238CDF326EBE60C3EDAF8B2E3E31
SHA256: DB7EE8BCF4C8A309FDE386291921478A4294265707196E71B25B26CB0DF0A024

PID 3728, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb3728.2371\.DS_Store (type: ds_store)
MD5: 41ABFAC0BC5D57E4652FDE6600E59631
SHA256: DDC4DF3B5EF6F9038A8886CC18D344E33B36910A0D3BFF2F1384C593A3552EFC

PID 1252, Q300972I.EXE: C:\temp\ext17442\hotfix.exe (type: executable)
MD5: 9C874267F506CC52B80205E7D7ED28EB
SHA256: DE2AC0953E938FB9E1F7B19253AD5858E9B4B0C41381035AB2F04826E41FC016

PID 3824, Q30097~1.EXE: C:\temp\ext11896\symbols\dll\idq.dbg (type: binary)
MD5: 362BC53C4CBF7DBF3DEFB406AF15FD9D
SHA256: 9364960AE28CF4077E8285FD244AAA999CA2D4564783E033200B05142CA00609

PID 3824, Q30097~1.EXE: C:\temp\ext11896\spmsg.dll (type: executable)
MD5: E09FD2341049231B28C499122FDAE695
SHA256: 279B9011624C782CE35D9D2AB0E9CC53731B3090F20F0FF5EB25C976C72FDB04

PID 3824, Q30097~1.EXE: C:\temp\ext11896\hotfix.inf (type: ini)
MD5: 6D8107BA74195C5B73FDDF29391EAFFC
SHA256: 2F3A70F47E59C4E557BE2F61CFA5DA196A2D6A4D7791019409A53390CDCD485C

PID 3824, Q30097~1.EXE: C:\temp\ext11896\symbols\dll\idq.pdb (type: pdb)
MD5: C97790ADDA0CEBE34DB30D5C99880988
SHA256: 30638DDEBDB747E047D2BE922E784E37698BF9F896F7BDBD6A5F08DA55823CF6

PID 3728, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb3728.2371\I-Worm.CodeRed.BIN (type: bs)
MD5: 5EDC2375E7ACA69F8C1A8D77C4FFFF18
SHA256: D0A22DC80900DD2F71730150B7647014244EDF7FB5F7F1E90AF078EEF1359196

PID 3824, Q30097~1.EXE: C:\temp\ext11896\idq.dll (type: executable)
MD5: 4BEAAED700C332B307B86741C69B15C0
SHA256: 66B346F1152DFE3EAE996AA7C688486F254CEEACBC424FB42298C660783D5558

PID 3728, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb3728.2371\PATCH\NT4\Q300972I.EXE (type: executable)
MD5: F1A8D75B76C0091EB6EB4271B12BF897
SHA256: AEDF60C10F8CC74D70EEE2E70515EBAC57932AC99619493EBB9F8BB29382FAD3
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info