File name: 84f8b_dados68974942045.zip(1).zip
Full analysis: https://app.any.run/tasks/6db8d93e-8833-49b3-a6b4-ffa625da29ba
Verdict: Malicious activity
Threats: Metamorfo

Metamorfo is a banking trojan family that has been active since 2018 and remains a top threat. It focuses on stealing victims' financial information, including banking credentials and other data, and is known for targeting users in Brazil.

Analysis date: March 31, 2020, 09:11:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
metamorfo
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: BE8B6D5BD7E3B915912C96BBA911E1C9
SHA1: FC046B207A296560F4E9B0FC9A642927AED032A1
SHA256: D9D72853EB1D4B49ED2589D810E01F8AF35147CBD972B3DBA2D4FB99DF79D326
SSDEEP: 1536:tBpAC14D2/mT6/3suTZu0OsXDPQcqC57cdz9iw9q5+y+X3ECbqh4cZVQ7/wOeqGD:ZADZTysuTk7IzsCkzQww+y00xfjqvo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 2628)
      • NPIE.EXE (PID: 1812)
    • Application was dropped or rewritten from another process

      • NPIE.EXE (PID: 1812)
    • Loads dropped or rewritten executable

      • NPIE.EXE (PID: 1812)
      • SearchProtocolHost.exe (PID: 3548)
    • METAMORFO was detected

      • NPIE.EXE (PID: 1812)
    • Connects to CnC server

      • NPIE.EXE (PID: 1812)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3996)
      • msiexec.exe (PID: 2120)
      • MsiExec.exe (PID: 3216)
    • Reads Environment values

      • NPIE.EXE (PID: 1812)
    • Uses REG.EXE to modify Windows registry

      • MsiExec.exe (PID: 3216)
    • Reads Internet Cache Settings

      • MsiExec.exe (PID: 3216)
  • INFO

    • Application launched itself

      • msiexec.exe (PID: 2120)
    • Manual execution by user

      • msiexec.exe (PID: 2496)
      • WinRAR.exe (PID: 2232)
      • WinRAR.exe (PID: 3996)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2020:03:31 11:09:08
ZipCRC: 0x5a1064eb
ZipCompressedSize: 126213
ZipUncompressedSize: 126192
ZipFileName: 84f8b_dados68974942045.zip
No data.
Total processes: 44
Monitored processes: 9
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Graph nodes: winrar.exe (no specs), winrar.exe, winrar.exe (no specs), msiexec.exe (no specs), msiexec.exe, msiexec.exe, reg.exe, npie.exe (#METAMORFO), searchprotocolhost.exe (no specs). Edge labels: start, drop and start.

Process information

PID 2564
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\84f8b_dados68974942045.zip(1).zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 3996
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\84f8b_dados68974942045.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 2232
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\84f8b_dados68974942045.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 2496
  CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\dados3213.msi"
  Path: C:\Windows\System32\msiexec.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2120
  CMD: C:\Windows\system32\msiexec.exe /V
  Path: C:\Windows\system32\msiexec.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Windows® installer
  Exit code: none recorded
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 3216
  CMD: C:\Windows\system32\MsiExec.exe -Embedding 4D81A3D0C185AADF1871573C56A5C024
  Path: C:\Windows\system32\MsiExec.exe
  Parent process: msiexec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2628
  CMD: "C:\Windows\System32\reg.exe" add "HKCU\software\Microsoft\Windows\CurrentVersion\RunOnce" /v NPIE /t reg_sz /d C:\Users\admin\Documents\NPIE\NPIE.EXE
  Path: C:\Windows\System32\reg.exe
  Parent process: MsiExec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Registry Console Tool
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1812
  CMD: "C:\Users\admin\Documents\NPIE\NPIE.EXE"
  Path: C:\Users\admin\Documents\NPIE\NPIE.EXE
  Parent process: MsiExec.exe
  User: admin
  Company: Avira Operations GmbH & Co. KG
  Integrity Level: MEDIUM
  Description: Avira
  Exit code: none recorded
  Version: 1.2.144.30330

PID 3548
  CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\System32\SearchProtocolHost.exe
  Parent process: SearchIndexer.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft Windows Search Protocol Host
  Exit code: none recorded
  Version: 7.00.7600.16385 (win7_rtm.090713-1255)
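Read as a chain, the table above says: WinRAR (PID 3996) extracts dados3213.msi from the archive, the user runs it through msiexec.exe (PID 2496), the Windows Installer service (PID 2120, SYSTEM) hands the package to a custom-action host (MsiExec.exe -Embedding, PID 3216), and that host drops Avira.OE.NativeCore.dll next to NPIE.EXE in the user's Documents folder, registers NPIE.EXE under HKCU\...\RunOnce through reg.exe (PID 2628), and launches NPIE.EXE (PID 1812), whose version resource names Avira as the company. A vendor-branded executable in a user-writable folder, a same-vendor DLL dropped beside it, and the report's "Loads dropped or rewritten executable" flag on that process together form the classic DLL side-loading pattern; the report itself does not name the technique, so treat that reading as interpretation. The script below is an added example, not ANY.RUN code: it transcribes the table into process-creation events (the same fields Sysmon Event ID 1 or an EDR would supply) and applies three rules that would have fired on this chain. The rule names and the vendor list are this example's own assumptions.

```python
"""Process-tree triage modelled on the ANY.RUN process table above.

Added example, not ANY.RUN code. EVENTS is transcribed by hand from the report's
"Process information" section (PID, parent image, image path, command line, user,
CompanyName); in production these fields come from Sysmon Event ID 1 or EDR
process-creation telemetry. Rule names and SECURITY_VENDORS are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent: str    # parent image name as printed in the report
    image: str     # full path of the executable
    cmdline: str
    user: str
    company: str   # CompanyName from the PE version resource


EVENTS = [  # values copied from the report, not invented
    ProcEvent(2564, "explorer.exe", "C:\\Program Files\\WinRAR\\WinRAR.exe",
              '"C:\\Program Files\\WinRAR\\WinRAR.exe" "C:\\Users\\admin\\AppData\\Local\\Temp\\84f8b_dados68974942045.zip(1).zip"',
              "admin", "Alexander Roshal"),
    ProcEvent(2496, "explorer.exe", "C:\\Windows\\System32\\msiexec.exe",
              '"C:\\Windows\\System32\\msiexec.exe" /i "C:\\Users\\admin\\Desktop\\dados3213.msi"',
              "admin", "Microsoft Corporation"),
    ProcEvent(2120, "services.exe", "C:\\Windows\\system32\\msiexec.exe",
              "C:\\Windows\\system32\\msiexec.exe /V", "SYSTEM", "Microsoft Corporation"),
    ProcEvent(3216, "msiexec.exe", "C:\\Windows\\system32\\MsiExec.exe",
              "C:\\Windows\\system32\\MsiExec.exe -Embedding 4D81A3D0C185AADF1871573C56A5C024",
              "admin", "Microsoft Corporation"),
    ProcEvent(2628, "MsiExec.exe", "C:\\Windows\\System32\\reg.exe",
              '"C:\\Windows\\System32\\reg.exe" add "HKCU\\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" /v NPIE /t reg_sz /d C:\\Users\\admin\\Documents\\NPIE\\NPIE.EXE',
              "admin", "Microsoft Corporation"),
    ProcEvent(1812, "MsiExec.exe", "C:\\Users\\admin\\Documents\\NPIE\\NPIE.EXE",
              '"C:\\Users\\admin\\Documents\\NPIE\\NPIE.EXE"', "admin",
              "Avira Operations GmbH & Co. KG"),
]

# Run / RunOnce keys as they appear in a reg.exe command line (ATT&CK T1547.001).
AUTORUN_RE = re.compile(r"\\CurrentVersion\\(?:RunOnce|Run)\b", re.I)
# Directories a standard user cannot write to; anything else counts as user-writable.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Vendors whose signed binaries are known side-loading hosts. This list is an
# assumption of the example; seed it from your own software inventory.
SECURITY_VENDORS = ("avira",)


def in_user_writable_dir(path: str) -> bool:
    return not path.lower().startswith(SYSTEM_DIRS)


def triage(events):
    """Return (pid, rule, detail) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        name = ev.image.rsplit("\\", 1)[-1].lower()
        # Rule 1: reg.exe adding a value under a Run/RunOnce key.
        if name == "reg.exe" and re.search(r"\badd\b", ev.cmdline, re.I) and AUTORUN_RE.search(ev.cmdline):
            findings.append((ev.pid, "autorun-write", f"parent={ev.parent}"))
        # Rule 2: an MsiExec custom-action host launching a binary from a
        # user-writable directory (the installer itself respawning is excluded).
        if ev.parent.lower() == "msiexec.exe" and name != "msiexec.exe" and in_user_writable_dir(ev.image):
            findings.append((ev.pid, "msiexec-launched-userland-binary", ev.image))
        # Rule 3: a binary carrying a security vendor's CompanyName but running
        # outside that vendor's install directory (typical side-loading host).
        if any(v in ev.company.lower() for v in SECURITY_VENDORS) and in_user_writable_dir(ev.image):
            findings.append((ev.pid, "vendor-binary-outside-install-dir", ev.company))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(EVENTS):
        print(f"PID {pid}: {rule} ({detail})")
```

Rule 2 is the one worth tuning: legitimate installers do launch post-install binaries from Program Files, which the SYSTEM_DIRS allowlist already excludes, but some drop helpers into %LOCALAPPDATA%, so expect to add per-package exceptions rather than loosen the rule.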
Total events: 2 277
Read events: 2 174
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 6
Suspicious files: 3
Text files: 18
Unknown types: 3

Dropped files

PID 2564, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRb2564.23577\84f8b_dados68974942045.zip
  Type: not recorded
  MD5: not recorded
  SHA256: not recorded

PID 2120, msiexec.exe
  File: C:\Windows\Installer\MSIF527.tmp
  Type: not recorded
  MD5: not recorded
  SHA256: not recorded

PID 2120, msiexec.exe
  File: C:\Users\admin\AppData\Local\Temp\~DF08C58177B0CDA565.TMP
  Type: not recorded
  MD5: not recorded
  SHA256: not recorded

PID 3216, MsiExec.exe
  File: C:\Users\admin\Documents\NPIE\Avira.OE.NativeCore.dll
  Type: not recorded
  MD5: not recorded
  SHA256: not recorded

PID 3216, MsiExec.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\video2[1].tar
  Type: compressed
  MD5: 8BD367E3E35A0EE2A2EF3DE33AE21214
  SHA256: 9CF4C726E46022622BDB48772A88F061468D7DF5C1BB94C503D3119B83F5230B

PID 3996, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa3996.25084\dados3213.msi
  Type: executable
  MD5: A658DA0BF1A0EBD663044708CFCEA350
  SHA256: 50F1F2F411B11A5529E7F7AC6590ED8FF8AB86ECC7F80F2CAF2EE2944DF07CBC

PID 3216, MsiExec.exe
  File: C:\Users\admin\Documents\NPIE_NPIE_NPIE.zip
  Type: compressed
  MD5: 8BD367E3E35A0EE2A2EF3DE33AE21214
  SHA256: 9CF4C726E46022622BDB48772A88F061468D7DF5C1BB94C503D3119B83F5230B

PID 2120, msiexec.exe
  File: C:\Windows\Installer\a6f40f.ipi
  Type: binary
  MD5: 73AAEABADF291AD97F87105563416814
  SHA256: 0640B94444AAD6E6D958BA5A4370EA6CF7FA4D675C47215C2F8ABE67C2B8624E

PID 2120, msiexec.exe
  File: C:\Windows\Installer\a6f40d.msi
  Type: executable
  MD5: A658DA0BF1A0EBD663044708CFCEA350
  SHA256: 50F1F2F411B11A5529E7F7AC6590ED8FF8AB86ECC7F80F2CAF2EE2944DF07CBC

PID 3216, MsiExec.exe
  File: C:\Users\admin\Documents\NPIE\Celuer um Gri (1).gif
  Type: image
  MD5: 6CD55D30CC8628605A70C309ACDFCB6A
  SHA256: 8CD26A84018DBA116F50F7D3131AE74F4842257E4A98B183D49C3AF2843D0FE3
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID 1812, NPIE.EXE
  Method: POST
  HTTP code: not recorded
  IP: 5.57.226.202:80
  URL: http://novamultimidea.webcindario.com/covid19/
  CN: ES
  Type: not recorded
  Size: not recorded
  Reputation: malicious

PID 3216, MsiExec.exe
  Method: GET
  HTTP code: 200
  IP: 187.17.111.35:80
  URL: http://moggiempilhadeiras.com.br/js/video2.Tar
  CN: BR
  Type: compressed
  Size: 13.0 Mb
  Reputation: malicious

Connections

PID 1812, NPIE.EXE
  IP: 5.57.226.202:80
  Domain: novamultimidea.webcindario.com
  ASN: ServiHosting Networks S.L.
  CN: ES
  Reputation: malicious

PID 3216, MsiExec.exe
  IP: 187.17.111.35:80
  Domain: moggiempilhadeiras.com.br
  ASN: Universo Online S.A.
  CN: BR
  Reputation: malicious

DNS requests

moggiempilhadeiras.com.br -> 187.17.111.35 (reputation: malicious)
novamultimidea.webcindario.com -> 5.57.226.202 (reputation: malicious)

Threats

PID 1812, NPIE.EXE
  Class: Potentially Bad Traffic
  Message: ET INFO Suspicious POST Request with Possible COVID-19 URI M1
No debug info
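The file and network tables above hold the indicators a defender would pivot on: two payload hashes that each appear under two names (the 13 MB download written as video2[1].tar in the IE cache and again as NPIE_NPIE_NPIE.zip; dados3213.msi and its Windows Installer cache copy a6f40d.msi), two domains, two IPs, and a POST to a /covid19/ path for which the report records no HTTP status, so the C2 may simply not have answered during the run. The script below is an added example, not ANY.RUN code: it transcribes those tables, collapses dropped files that share a SHA256 into one indicator with its aliases, and scans a few proxy/DNS log lines. The log format, the client addresses and the benign lines are constructed for the demonstration.

```python
"""IOC extraction and log matching for the Metamorfo report above.

Added example, not ANY.RUN code. DROPPED, URLS and IPS are copied from the report's
"Dropped files", "HTTP requests" and "DNS requests" sections; LOG_LINES are
constructed for the demo and follow no real product's format.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# (filename, SHA256) from the report; entries the report lists without a hash keep "".
DROPPED = [
    ("84f8b_dados68974942045.zip", ""),
    ("Avira.OE.NativeCore.dll", ""),
    ("video2[1].tar", "9CF4C726E46022622BDB48772A88F061468D7DF5C1BB94C503D3119B83F5230B"),
    ("dados3213.msi", "50F1F2F411B11A5529E7F7AC6590ED8FF8AB86ECC7F80F2CAF2EE2944DF07CBC"),
    ("NPIE_NPIE_NPIE.zip", "9CF4C726E46022622BDB48772A88F061468D7DF5C1BB94C503D3119B83F5230B"),
    ("a6f40f.ipi", "0640B94444AAD6E6D958BA5A4370EA6CF7FA4D675C47215C2F8ABE67C2B8624E"),
    ("a6f40d.msi", "50F1F2F411B11A5529E7F7AC6590ED8FF8AB86ECC7F80F2CAF2EE2944DF07CBC"),
    ("Celuer um Gri (1).gif", "8CD26A84018DBA116F50F7D3131AE74F4842257E4A98B183D49C3AF2843D0FE3"),
]
URLS = [
    "http://novamultimidea.webcindario.com/covid19/",
    "http://moggiempilhadeiras.com.br/js/video2.Tar",
]
IPS = {"5.57.226.202", "187.17.111.35"}


def file_aliases(dropped):
    """Map SHA256 -> sorted filenames for every hash seen under more than one name,
    so the download name, the staging name and the installer-cache copy become
    a single indicator instead of three."""
    by_hash = defaultdict(set)
    for name, sha256 in dropped:
        if sha256:  # unhashed entries cannot be grouped
            by_hash[sha256.lower()].add(name)
    return {h: sorted(n) for h, n in by_hash.items() if len(n) > 1}


def build_iocs(dropped, urls, ips):
    return {
        "sha256": {h.lower() for _, h in dropped if h},
        "domains": {urlsplit(u).hostname.lower() for u in urls},
        "urls": {u.lower() for u in urls},
        "ips": set(ips),
    }


# Constructed for the demo: "<timestamp> <source> <client> ..." lines.
LOG_LINES = [
    "2020-03-31T09:12:01Z proxy 10.0.0.12 GET http://moggiempilhadeiras.com.br/js/video2.Tar 200 13631488",
    "2020-03-31T09:12:40Z proxy 10.0.0.12 POST http://novamultimidea.webcindario.com/covid19/ - 0",
    "2020-03-31T09:12:45Z dns 10.0.0.12 A novamultimidea.webcindario.com -> 5.57.226.202",
    "2020-03-31T09:13:02Z proxy 10.0.0.15 GET http://www.example.com/index.html 200 1024",
    "2020-03-31T09:13:10Z dns 10.0.0.15 A example.com -> 93.184.216.34",
]

URL_RE = re.compile(r"https?://\S+", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def scan(lines, iocs):
    """Return (line_no, client, indicator) for each line touching an IOC.
    Full URL is tried first, then hostname, then IP, all case-insensitively,
    so "video2.Tar" in the report still matches a lower-cased proxy log."""
    hits = []
    for n, line in enumerate(lines, 1):
        client = line.split()[2]
        low = line.lower()
        matched = next((u for u in URL_RE.findall(low) if u in iocs["urls"]), None)
        if matched is None:
            matched = next((h for h in HOST_RE.findall(low) if h in iocs["domains"]), None)
        if matched is None:
            matched = next((ip for ip in IP_RE.findall(line) if ip in iocs["ips"]), None)
        if matched:
            hits.append((n, client, matched))
    return hits


if __name__ == "__main__":
    for sha256, names in file_aliases(DROPPED).items():
        print(f"{sha256}: {', '.join(names)}")
    for n, client, ind in scan(LOG_LINES, build_iocs(DROPPED, URLS, IPS)):
        print(f"line {n}: {client} -> {ind}")
```

Hash-level grouping matters more than it looks here: blocking on the filename NPIE_NPIE_NPIE.zip would miss the identical bytes arriving as video2.Tar, and the installer-cache copy a6f40d.msi is what survives on disk after the user's copy of dados3213.msi is deleted.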