File name: simpleunlocker_release.zip

Full analysis: https://app.any.run/tasks/ff701892-bb93-4d53-9bf2-b37bf13ca79f
Verdict: Malicious activity
Analysis date: May 03, 2024, 19:51:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: FDA8602BCA41E95BEC1EB1CE49663F09
SHA1: 1EF9F09B6F6A466882677AED95F49DE927432FA5
SHA256: DBB9E16F0F70EC6E3C758B170B40076FD969767455F6A9B55C0C9178496D8D20
SSDEEP: 98304:nAOgQnI2HuBQofDSrWPGS7xVcDPcX1M1K5/WcjsjMOufffScoTv1BF6vq7j1B15a:p11fWAV1eV8Wc0E/e34m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for the user's acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3972)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 3972)
    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 3972)
    • Reads the Internet Settings

      • SU.exe (PID: 1488)
    • Reads security settings of Internet Explorer

      • SU.exe (PID: 1488)
    • Checks the default browser

      • SU.exe (PID: 1488)
  • INFO

    • Manual execution by a user

      • SU.exe (PID: 1488)
      • SU.exe (PID: 336)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3972)
    • Checks supported languages

      • SU.exe (PID: 1488)
    • Reads the computer name

      • SU.exe (PID: 1488)
    • Reads the machine GUID from the registry

      • SU.exe (PID: 1488)
    • Reads Environment values

      • SU.exe (PID: 1488)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:02:11 19:22:10
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: simpleunlocker_release/
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 2

Behavior graph

Graph nodes: start, winrar.exe, su.exe (no specs), su.exe

Process information

PID: 336
CMD: "C:\Users\admin\Desktop\simpleunlocker_release\SU.exe"
Path: C:\Users\admin\Desktop\simpleunlocker_release\SU.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: [DS1NC] DesConnet
Integrity Level: MEDIUM
Description: SimpleUnlocker for Windows
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.3.0.0
Modules
Images
c:\users\admin\desktop\simpleunlocker_release\su.exe
c:\windows\system32\ntdll.dll
PID: 1488
CMD: "C:\Users\admin\Desktop\simpleunlocker_release\SU.exe"
Path: C:\Users\admin\Desktop\simpleunlocker_release\SU.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: [DS1NC] DesConnet
Integrity Level: HIGH
Description: SimpleUnlocker for Windows
Exit code: 1
Version: 1.3.0.0
Modules
Images
c:\users\admin\desktop\simpleunlocker_release\su.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3972
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\simpleunlocker_release.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 6 371
Read events: 6 328
Write events: 43
Delete events: 0

Modification events

Process (PID) | Key | Operation | Name | Value
(3972) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | -
(3972) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | -
(3972) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
(3972) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\phacker.zip
(3972) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(3972) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(3972) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\simpleunlocker_release.zip
(3972) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(3972) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(3972) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
Executable files: 27
Suspicious files: 61
Text files: 3
Unknown types: 7

Dropped files

PID | Process | Filename | Type
3972 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3972.26448\simpleunlocker_release\othersoftware\avz4\Base\backup.avz | binary
MD5:A07752DD10C0BF0E96F14FF082B1607C
SHA256:9F0050E66E461E52E53AE75B407506E9863D8A4D5256140FA279A6B705EFE710
3972 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3972.26448\simpleunlocker_release\bin\EasyHook64Svc.exe | executable
MD5:8352AD23D90FC8D982FE0FB4CE03CA77
SHA256:76AE3DA1149711AABEDA64195E87B1049A58DEE6E625AE0688DB4596B516C684
3972 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3972.26448\simpleunlocker_release\bin\AntiGDI_Injector.exe | executable
MD5:9505F2E3A19EF13A437D4D403B0242DF
SHA256:96C54111B24CA7936A883CD2EAD040CC8451FE8D3C0FF61A78303F79EBA7D20E
3972 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3972.26448\simpleunlocker_release\bin\EasyHook64.dll | executable
MD5:0F1D903E83D1E2FA71A1F957E4A32FD2
SHA256:14FBD6B2AA138C279DBCFE592388CBE22D6B261431DD03DEDFF01277668B0CC3
3972 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3972.26448\simpleunlocker_release\bin\AntiGDI.dll | executable
MD5:16168FD88CF4851F75D287CC86913669
SHA256:644B699E988E3FBE6E0277659799997054F7DB1EF1C8F923444DDFC87F325529
3972 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3972.26448\simpleunlocker_release\bin\EasyHook32Svc.exe | executable
MD5:62E4B079910DB4C8F7435E99EC55D513
SHA256:39361867B97155B16FE6F16F77B50B97B00393E16E0C23FAD8D2E34ADB72C8DB
3972 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3972.26448\simpleunlocker_release\bin\EasyHook32.dll | executable
MD5:96E29840AB54B7098F7C473751A64BE4
SHA256:1469B54D8C0B8ABF370C357D518B2BB68F51B7D49278E5EE2444AA2EA3180FDA
3972 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3972.26448\simpleunlocker_release\othersoftware\avz4\avz.exe | executable
MD5:DC6A72DB5A580DE52A06760341661C4E
SHA256:8CB34F88A720D337F726283052AE602E3E74C829E8A112283CFDBA8B60958482
3972 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3972.26448\simpleunlocker_release\bin\su_updater.exe | executable
MD5:4B0367E29EBD4BCCB801ED66A90A8BE2
SHA256:361192962446441227A66DFD3BADA598ED9F760135FB31BEB8FF73B35FDFC2C4
3972 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3972.26448\simpleunlocker_release\bin\EasyLoad64.dll | executable
MD5:BFAE38591215E8C2161795219A57135C
SHA256:960C791D60DA56641CEA12F4AE5C764E28CCBFB736854A8EFD5065152064C52D
HTTP(S) requests: 1
TCP/UDP connections: 6
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1488 | SU.exe | GET | 523 | 104.21.1.131:80 | http://simpleunlocker.ds1nc.ru/release/version.xml | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1488 | SU.exe | 104.21.1.131:80 | simpleunlocker.ds1nc.ru | CLOUDFLARENET | - | unknown

DNS requests

Domain | IP | Reputation
simpleunlocker.ds1nc.ru | 104.21.1.131, 172.67.129.68 | unknown

Threats

No threats detected
No debug info