File name: Avira Antivir quarantine.zip
Full analysis: https://app.any.run/tasks/d18c2d28-3126-40a9-bdce-b59f87706423
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: November 08, 2018, 12:18:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: xmrig, miner, ransomware, scarab, supportfiless24
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: A57C22CAD840C964739B776B5F36AFC2
SHA1: AEAC53417EE8090762003F6935B575241B3A13DD
SHA256: DB9FADB36630ED9E37F1394BEE68E1DDF9E56E910CB674247D603A322DC4344E
SSDEEP: 393216:lgDX+otw58T7kcCAmRpR/UhuQohIdxRncxVYQNFYTL:lgDXRk8T7kcCAmRH/UhuQKIdxSDYQNFq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • cl.exe (PID: 2364)
      • clifgood.exe (PID: 568)
      • cl_32.exe (PID: 2848)
      • syst.exe (PID: 3748)
      • syst.exe (PID: 756)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 120)
    • Deletes shadow copies

      • cmd.exe (PID: 1584)
      • cmd.exe (PID: 2228)
    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 4044)
    • Changes the autorun value in the registry

      • mshta.exe (PID: 3216)
  • SUSPICIOUS

    • Creates files in the program directory

      • cl.exe (PID: 2364)
      • cl_32.exe (PID: 2848)
      • syst.exe (PID: 756)
    • Executable content was dropped or overwritten

      • cl.exe (PID: 2364)
      • WinRAR.exe (PID: 1804)
      • cl_32.exe (PID: 2848)
      • cmd.exe (PID: 3844)
    • Creates files in the user directory

      • cmd.exe (PID: 3844)
    • Starts CMD.EXE for commands execution

      • syst.exe (PID: 3748)
      • mshta.exe (PID: 2920)
    • Starts itself from another location

      • syst.exe (PID: 3748)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • syst.exe (PID: 756)
      • syst.exe (PID: 3748)
    • Creates files like Ransomware instruction

      • syst.exe (PID: 756)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • syst.exe (PID: 756)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • cl.exe (PID: 2364)
      • cl_32.exe (PID: 2848)
      • syst.exe (PID: 756)
    • Drop XMRig executable file

      • WinRAR.exe (PID: 1804)
      • cl_32.exe (PID: 2848)
    • Reads internet explorer settings

      • mshta.exe (PID: 2920)
      • mshta.exe (PID: 3552)
      • mshta.exe (PID: 3216)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: syst.exe
ZipUncompressedSize: 193536
ZipCompressedSize: 87479
ZipCRC: 0x6178dc40
ZipModifyDate: 2018:11:08 12:20:17
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 86
Monitored processes: 22
Malicious processes: 9
Suspicious processes: 1

Behavior graph

Processes in the graph, in order (entries marked "no specs" carry no further details in the report): winrar.exe, cl.exe, searchprotocolhost.exe (no specs), clifgood.exe, cl_32.exe, syst.exe, cmd.exe, syst.exe (no specs), mshta.exe (no specs), mshta.exe, mshta.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), wbadmin.exe (no specs), wmic.exe (no specs), vssadmin.exe (no specs), bcdedit.exe (no specs), bcdedit.exe (no specs), vssvc.exe (no specs)

Process information

PID: 1804
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Avira Antivir quarantine.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2364
CMD: "C:\Users\admin\Desktop\cl.exe"
Path: C:\Users\admin\Desktop\cl.exe
Parent process: explorer.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7z SFX
Exit code: 0
Version: 18.05

PID: 120
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 568
CMD: "C:\Users\admin\Desktop\clifgood.exe"
Path: C:\Users\admin\Desktop\clifgood.exe
Parent process: explorer.exe
User: admin
Company: www.xmrig.com
Integrity Level: HIGH
Description: XMRig CPU miner
Exit code: 2
Version: 2.6.2

PID: 2848
CMD: "C:\Users\admin\Desktop\cl_32.exe"
Path: C:\Users\admin\Desktop\cl_32.exe
Parent process: explorer.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7z SFX
Exit code: 0
Version: 18.05

PID: 3748
CMD: "C:\Users\admin\Desktop\syst.exe"
Path: C:\Users\admin\Desktop\syst.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 3844
CMD: "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\admin\Desktop\syst.exe" "C:\Users\admin\AppData\Roaming\syst.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: syst.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 756
CMD: "C:\Users\admin\AppData\Roaming\syst.exe"
Path: C:\Users\admin\AppData\Roaming\syst.exe
Parent process: syst.exe
User: admin
Integrity Level: HIGH

PID: 3552
CMD: mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('syst.exe');close()}catch(e){}},10);"
Path: C:\Windows\system32\mshta.exe
Parent process: syst.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3216
CMD: mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('syst.exe').Path;o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\ipvvAmdL',i);}catch(e){}},10);"
Path: C:\Windows\system32\mshta.exe
Parent process: syst.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft (R) HTML Application host
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 5 845
Read events: 1 380
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 37
Suspicious files: 2 790
Text files: 931
Unknown types: 109

Dropped files

PID: 2364 | Process: cl.exe | Filename: C:\Users\admin\Desktop\ProgramData\System\check.vbs | Type: text
MD5: 75FEE7C4B06BF68CB68BD4DD29DDD178
SHA256: 3CC1E3F50B669936AFFAE42B8B9F9E9B976F7BAAC06DF7EFE25813444F3C5A05

PID: 2364 | Process: cl.exe | Filename: C:\Users\admin\Desktop\ProgramData\System\dl.vbs | Type: text
MD5: 1EF587CB1B2B0D0EFB38D617982D62E7
SHA256: AAC3C1326E983F71D73836E4F7E9FAF8533CBEAC9766EDBB435F1F91AA1EC054

PID: 2364 | Process: cl.exe | Filename: C:\Users\admin\Desktop\ProgramData\System\ran.bat | Type: text
MD5: D60D9510319C611E407EEBC5F151BE64
SHA256: 50B9F057A6435F82037E564F1EC5544E4BCE0D0983C27D3142B12A100526F7C6

PID: 2364 | Process: cl.exe | Filename: C:\Users\admin\Desktop\ProgramData\System\dl.bat | Type: text
MD5: CA28809299FE2E6B49139816ED46B79B
SHA256: C1DE5A06C48E89BBA80034E074F77C998066AD42A4C9C648FE9EFF760EE55E16

PID: 2364 | Process: cl.exe | Filename: C:\Users\admin\Desktop\Users\Public\Downloads\Sysobb\anvir_eng\Languages\anvir_Czech.txt | Type: text
MD5: BB43FBEA0167A4A8C430EC197E141D59
SHA256: E3D6267637A9ED8AC77623519AE40A1C13820F038ED4EDF9F584ECE60D43964D

PID: 2364 | Process: cl.exe | Filename: C:\Users\admin\Desktop\ProgramData\System\close.vbs | Type: text
MD5: 920DCF488A1BBBA775BC7126DCBA748D
SHA256: 14ADED9D5BB399B7007E0DA7422C0ED086C6640C0B0DC88EF7C6159B7191246C

PID: 2364 | Process: cl.exe | Filename: C:\Users\admin\Desktop\ProgramData\System\x86\dl.vbs | Type: text
MD5: 17C965E3C5BA52D46EFE2ED93CE1B053
SHA256: 4F21EE521A724AC171E9923FAEA8B3FCEEBC167562BC61CBD2A65FAD39336FB2

PID: 2364 | Process: cl.exe | Filename: C:\Users\admin\Desktop\ProgramData\System\ds.bat | Type: text
MD5: 4302D21BF68418BE4778347BCDC353CF
SHA256: A05ED81545726DE1553E3A02383479AEC04672D99AD050C5B6F3EAFC15F23F4F

PID: 2364 | Process: cl.exe | Filename: C:\Users\admin\Desktop\ProgramData\System\ran.vbs | Type: text
MD5: 0D9C60C4605B23DF73A7DA34DB5F1916
SHA256: 9589938774539B602535FD6E1AEA14C66D06DA9255BAFDB5794C9AD54F15EC15

PID: 2364 | Process: cl.exe | Filename: C:\Users\admin\Desktop\ProgramData\System\x86\config.txt | Type: text
MD5: 6F50BED0E5684B78212D5CD3BEB07A23
SHA256: 69BDA6F0572CF42ED9FB4AC6B1361E074C884DE486BDD9E5A2FA1B9F855EB1D3
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info