File name:

Wedisk (2).zip

Full analysis: https://app.any.run/tasks/96ae0278-c4d9-4c09-91bc-ea94d01d466d
Verdict: Malicious activity
Analysis date: April 07, 2020, 05:22:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

BE04716A2718DD387220592959235455

SHA1:

266F72070447ACC18A00199AA28135877A332861

SHA256:

DBDD8FC2774ADBF7105042EF93E888ADEAE2BD63E3A15E62D9A3E7BECF8D6A67

SSDEEP:

12288:sTYAIOIHnBeFbK9AggtY3FuV5sG5k5EE7YEFW2qb:sTTSnoFPgVEKwa7YEUdb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • detect.exe (PID: 1744)

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 2460)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Manual execution by user

      • taskmgr.exe (PID: 1944)
      • detect.exe (PID: 1744)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2018:07:01 23:36:25
ZipCRC: 0x2fd6d282
ZipCompressedSize: 92530
ZipUncompressedSize: 190464
ZipFileName: conkeeper.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs searchprotocolhost.exe no specs detect.exe taskmgr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1744"C:\Users\admin\Desktop\detect.exe" C:\Users\admin\Desktop\detect.exe
explorer.exe
User:
admin
Company:
iMBC
Integrity Level:
HIGH
Description:
Conkeeper
Exit code:
0
Version:
1.0.0.7
Modules
Images
c:\users\admin\desktop\detect.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
1944"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2460"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3840"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Wedisk (2).zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
487
Read events
466
Write events
21
Delete events
0

Modification events

(PID) Process:(3840) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3840) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3840) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3840) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Wedisk (2).zip
(PID) Process:(3840) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3840) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3840) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3840) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3840) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF240100003A000000E40400002F020000
(PID) Process:(3840) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\AppData\Local\Temp
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3840WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3840.31128\conkeeper.dll
MD5:
SHA256:
3840WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3840.31128\conkeeper64.dll
MD5:
SHA256:
3840WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3840.31128\detect.exe
MD5:
SHA256:
1744detect.exeC:\Users\admin\AppData\Local\Conkeeper\chk.dattext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
2
Threats
6

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1744
detect.exe
211.233.27.53:443
fil.conkeeper.co.kr
LG DACOM Corporation
KR
suspicious
1744
detect.exe
211.233.27.57:443
fil.conkeeper.co.kr
LG DACOM Corporation
KR
suspicious

DNS requests

Domain
IP
Reputation
fil.conkeeper.co.kr
  • 211.233.27.53
  • 211.233.27.57
suspicious

Threats

PID
Process
Class
Message
1744
detect.exe
Potential Corporate Privacy Violation
ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)
1744
detect.exe
Potential Corporate Privacy Violation
ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)
1744
detect.exe
Potential Corporate Privacy Violation
ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)
1744
detect.exe
Potential Corporate Privacy Violation
ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)
1744
detect.exe
Potential Corporate Privacy Violation
ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)
1744
detect.exe
Potential Corporate Privacy Violation
ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Wedisk (2).zip