File name:

sweetspecter.zip

Full analysis: https://app.any.run/tasks/9150c845-a113-4dd7-bbc2-d29e1b1b2453
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: June 14, 2024, 06:58:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
remote
rat
gh0st
sweetspecter
t9000
backdoor
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

D3B13760394FCDC4ED391853E5F5FFA4

SHA1:

D31C83A6CFFB1A7D9A018A0B56D220CC6D797645

SHA256:

DE9D8EFA2CDC8531F90F537E384C98548FBA093311425D4362D8E57740FEA237

SSDEEP:

6144:BtQPVgLh4yd+fnHqBsJ7q/jVL52rsnjjgHq0KR4TUjT:BtQPVYeBnHq66L52rsnjjgHqnR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3988)
    • SWEETSPECTER has been detected (YARA)

      • igfxcfg.exe (PID: 1200)
    • T9000 has been detected (YARA)

      • igfxcfg.exe (PID: 1200)
    • GH0ST has been detected (SURICATA)

      • igfxcfg.exe (PID: 1200)
  • SUSPICIOUS

    • Contacting a server suspected of hosting a CnC

      • igfxcfg.exe (PID: 1200)
  • INFO

    • Manual execution by a user

      • igfxcfg.exe (PID: 1200)
      • wmpnscfg.exe (PID: 1064)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3988)
    • Checks supported languages

      • igfxcfg.exe (PID: 1200)
      • wmpnscfg.exe (PID: 1064)
    • Reads the computer name

      • igfxcfg.exe (PID: 1200)
      • wmpnscfg.exe (PID: 1064)
    • Reads the machine GUID from the registry

      • igfxcfg.exe (PID: 1200)
    • Reads CPU info

      • igfxcfg.exe (PID: 1200)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:06:13 06:31:44
ZipCRC: 0xca1f89b1
ZipCompressedSize: 93930
ZipUncompressedSize: 94904
ZipFileName: AclUI.Lib
No data.
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

start: winrar.exe, igfxcfg.exe (#GH0ST), wmpnscfg.exe (no specs)

Process information

PID: 1064
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Indicators: -
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1200
CMD: "C:\Users\admin\Desktop\sweetspecter\igfxcfg.exe"
Path: C:\Users\admin\Desktop\sweetspecter\igfxcfg.exe
Indicators: -
Parent process: explorer.exe
User:
admin
Company:
Intel Corporation
Integrity Level:
MEDIUM
Description:
igfxTray Module
Version:
7.15.10.2104
Modules
Images
c:\users\admin\desktop\sweetspecter\igfxcfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\sweetspecter\hccutils.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 3988
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\sweetspecter.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: -
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
3 187
Read events
3 161
Write events
26
Delete events
0

Modification events

(PID) Process | Key | Operation | Name | Value
(3988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
(3988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
(3988) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
(3988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\phacker.zip
(3988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(3988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(3988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\sweetspecter.zip
(3988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(3988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(3988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID | Process | Filename | Type
3988 | WinRAR.exe | C:\Users\admin\Desktop\sweetspecter\hccutils.dll | executable
MD5: CFD26F1694178A0F6DF3A92FA9B24644
SHA256: 0B980E7A5DD5DF0D6F07AABD6E7E9FC2E3C9E156EF8C0A62A0E20CD23C333373
3988 | WinRAR.exe | C:\Users\admin\Desktop\sweetspecter\AclUI.Lib | binary
MD5: 4789DA75A62BB00B078EAAA373C67552
SHA256: 8198C8B5EAF43B726594DF62127BCB1A4E0E46CF5CB9FA170B8D4AC2A4DAD179
3988 | WinRAR.exe | C:\Users\admin\Desktop\sweetspecter\igfxcfg.exe | executable
MD5: 606B4DD104477ED8AE0C4DCCA2A06F48
SHA256: 21A5818822A0B2D52A068D1E3339ED4C767F4D83B081BF17B837E9B6E112EE61
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
2
Threats
10

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1200 | igfxcfg.exe | 156.235.99.47:443 | home.microsoft-ns1.com | PEGTECHINC | US | unknown

DNS requests

Domain | IP | Reputation
home.microsoft-ns1.com | 156.235.99.47 | malicious

Threats

PID | Process | Class | Message
1200 | igfxcfg.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Gh0stRAT.Gen Keep-Alive Server Response (SweetSpecter)
(the same alert was raised 10 times for PID 1200)
No debug info