File name: part_9e99badafa05569ca4989ffb833074222d9b5ef526641fc57139613b4dd09b4c.zip

Full analysis: https://app.any.run/tasks/73635928-d293-4917-b049-f5aa58cfd6d0
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Their capabilities vary widely by family, ranging from full remote control of the victim's machine to stealing data and files and dropping other malware. The most common trojan infection chain starts with a phishing email, and this sample follows that pattern: a ZIP attachment wrapping an ISO image that in turn carries the executable.

Analysis date: April 23, 2019, 10:45:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 39B38B1BBC6C768639F18741AC98E86F
SHA1: 44BB33AFA5260A1B6DDAC499820AE277EB026412
SHA256: DFEFFDE2A0EF06F3EA95475FB57FBCE77F1DC073E33A9B14F6A06E7B69384C70
SSDEEP: 6144:3sk+hjTQkA7zbdllAAYfzS0VdgW0wM16Rf88WMOg19p:8kk0rpYLSYqIMYZMo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • explorer.exe (PID: 2544)
      • enquiry-POL2387IBMB654.exe (PID: 2812)
      • explorer.exe (PID: 2668)
      • explorer.exe (PID: 2564)
      • enquiry-POL2387IBMB654.exe (PID: 360)
      • explorer.exe (PID: 1576)
      • explorer.exe (PID: 1752)
      • explorer.exe (PID: 3020)
    • Writes to a start menu file

      • explorer.exe (PID: 2544)
      • explorer.exe (PID: 3020)
    • Actions look like stealing of personal data

      • explorer.exe (PID: 2564)
    • Changes settings of System certificates

      • explorer.exe (PID: 2564)
  • SUSPICIOUS

    • Creates files in the user directory

      • enquiry-POL2387IBMB654.exe (PID: 2812)
      • explorer.exe (PID: 2544)
      • explorer.exe (PID: 3020)
    • Loads DLL from Mozilla Firefox

      • explorer.exe (PID: 2564)
    • Executable content was dropped or overwritten

      • enquiry-POL2387IBMB654.exe (PID: 2812)
    • Creates executable files which already exist in Windows

      • enquiry-POL2387IBMB654.exe (PID: 2812)
    • Starts itself from another location

      • enquiry-POL2387IBMB654.exe (PID: 2812)
      • enquiry-POL2387IBMB654.exe (PID: 360)
    • Checks for external IP

      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1576)
    • Application launched itself

      • explorer.exe (PID: 2544)
      • explorer.exe (PID: 3020)
    • Adds / modifies Windows certificates

      • explorer.exe (PID: 2564)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: enquiry-POL2387IBMB654.iso
ZipUncompressedSize: 667648
ZipCompressedSize: 350173
ZipCRC: 0xd730ea7b
ZipModifyDate: 2019:04:23 09:38:15
ZipCompression: Deflated
ZipBitFlag: 0x0001 (general-purpose bit 0 is set, which marks the entry as encrypted, i.e. a password-protected archive)
ZipRequiredVersion: 788 (raw word 0x0314; the low byte 0x14 = 20 is the "v2.0 to extract" reported in the file info above)
No data.
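The EXIF block above is ExifTool's view of the ZIP central directory: entry name, sizes, CRC, DOS timestamp, compression method, general-purpose flags and required version. The following parser, added here as an example and not part of the ANY.RUN report or its tooling, reads those same fields straight from the central directory with struct and then applies the triage checks a mail-gateway analyst would want for this kind of lure: a disk image nested inside the archive, the encryption bit, and directly executable entries. The sample archive it builds (`build_sample_zip`, `SAMPLE_PAYLOAD`) is constructed in memory as a stand-in for the submitted file; the entry name and timestamp are taken from the report, the ISO contents are fake, and the extension lists are assumptions, not anything the page states.

```python
from __future__ import annotations

import io
import struct
import zipfile
from dataclasses import dataclass

# Central directory file header (PKWARE APPNOTE 4.3.12) and end-of-central-directory record (4.3.16)
CD_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
CD_FMT = "<4s6H3L5H2L"   # 46 bytes fixed part
EOCD_FMT = "<4s4H2LH"    # 22 bytes fixed part

FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry is encrypted (what the report shows as ZipBitFlag 0x0001)
FLAG_UTF8 = 0x0800       # general-purpose bit 11: file name is UTF-8 rather than CP437
METHODS = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA", 99: "AES"}
# Assumed lists for triage; extend to taste.
DISK_IMAGE_EXTS = (".iso", ".img", ".vhd", ".vhdx")
EXEC_EXTS = (".exe", ".scr", ".dll", ".vbs", ".js", ".jse", ".wsf", ".lnk", ".bat", ".cmd", ".ps1")


@dataclass
class ZipEntry:
    name: str
    version_needed: int      # low byte of "version needed to extract": 20 -> "at least v2.0"
    flags: int
    method: int
    modify_date: str         # ExifTool style "YYYY:MM:DD HH:MM:SS"
    crc: int
    compressed_size: int
    uncompressed_size: int

    @property
    def compression(self) -> str:
        return METHODS.get(self.method, f"unknown({self.method})")

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & FLAG_ENCRYPTED)


def _dos_datetime(d: int, t: int) -> str:
    """Decode MS-DOS packed date/time words (2-second resolution) into ExifTool's text form."""
    year, month, day = ((d >> 9) & 0x7F) + 1980, (d >> 5) & 0x0F, d & 0x1F
    hour, minute, sec = (t >> 11) & 0x1F, (t >> 5) & 0x3F, (t & 0x1F) * 2
    return f"{year:04d}:{month:02d}:{day:02d} {hour:02d}:{minute:02d}:{sec:02d}"


def parse_central_directory(data: bytes) -> list[ZipEntry]:
    """Walk the central directory; unlike local headers it always carries final sizes and CRCs."""
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    (_sig, _disk, _cd_disk, _n_here, n_entries, _cd_size, cd_offset, _clen) = struct.unpack_from(EOCD_FMT, data, eocd_pos)
    entries, pos = [], cd_offset
    for _ in range(n_entries):
        (sig, _made, needed, flags, method, mtime, mdate, crc, csize, usize,
         name_len, extra_len, comment_len, _dsk, _iattr, _eattr, _loff) = struct.unpack_from(CD_FMT, data, pos)
        if sig != CD_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        raw_name = data[pos + 46: pos + 46 + name_len]
        name = raw_name.decode("utf-8" if flags & FLAG_UTF8 else "cp437")
        entries.append(ZipEntry(name, needed & 0xFF, flags, method, _dos_datetime(mdate, mtime), crc, csize, usize))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def triage(data: bytes) -> list[str]:
    """Flag the packaging tricks typical of phishing attachments, one line per finding."""
    findings = []
    for e in parse_central_directory(data):
        lower = e.name.lower()
        if lower.endswith(DISK_IMAGE_EXTS):
            findings.append(f"{e.name}: disk image nested in archive (payload inside historically carried no Mark-of-the-Web)")
        if e.encrypted:
            findings.append(f"{e.name}: encrypted entry (password-protected archives blind gateway AV to the content)")
        if lower.endswith(EXEC_EXTS):
            findings.append(f"{e.name}: directly executable content")
    return findings


# Constructed stand-in for an ISO: zero sectors, then the ISO 9660 primary volume descriptor magic at sector 16.
SAMPLE_PAYLOAD = b"\x00" * 32768 + b"\x01CD001" + b"\x00" * 2042


def build_sample_zip() -> bytes:
    """Build an archive shaped like the submitted one: a single Deflated .iso entry with the report's timestamp."""
    buf = io.BytesIO()
    info = zipfile.ZipInfo("enquiry-POL2387IBMB654.iso", date_time=(2019, 4, 23, 9, 38, 14))
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, SAMPLE_PAYLOAD, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for entry in parse_central_directory(sample):
        print(entry)
    for line in triage(sample):
        print("FINDING:", line)
```

The parser reads the central directory rather than local file headers because a streamed ZIP may leave the local header's CRC and sizes zeroed and push them into a trailing data descriptor; the central directory is the authoritative copy and is what ExifTool and archivers trust. The encryption check only reads the flag bit; it does not tell you whether the archive uses ZipCrypto or AES (method 99).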
All screenshots are available in the full report
Total processes: 53
Monitored processes: 12
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Edge legend: start, drop and start. Nodes ("no specs" marks processes without their own indicators):
winrar.exe (no specs), isoburn.exe (no specs), winrar.exe (no specs), enquiry-pol2387ibmb654.exe, explorer.exe, explorer.exe, explorer.exe (no specs), taskmgr.exe (no specs), enquiry-pol2387ibmb654.exe (no specs), explorer.exe, explorer.exe, explorer.exe (no specs)

Process information

Note that the dropped payload is itself named explorer.exe, so "explorer.exe" in a Parent process field is ambiguous between the Windows shell and the copy in C:\Users\admin\AppData\Roaming\windows. The PIDs resolve the chain: 2544 and 3020 were spawned by enquiry-POL2387IBMB654.exe, and the command line of 2668 carries 2564 as an argument.

PID: 2844
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\part_9e99badafa05569ca4989ffb833074222d9b5ef526641fc57139613b4dd09b4c.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 704
CMD: "C:\Windows\System32\isoburn.exe" "C:\Users\admin\Desktop\enquiry-POL2387IBMB654.iso"
Path: C:\Windows\System32\isoburn.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Disc Image Burning Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3184
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\enquiry-POL2387IBMB654.iso"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2812
CMD: "C:\Users\admin\Desktop\enquiry-POL2387IBMB654.exe"
Path: C:\Users\admin\Desktop\enquiry-POL2387IBMB654.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2544
CMD: "C:\Users\admin\AppData\Roaming\windows\explorer.exe"
Path: C:\Users\admin\AppData\Roaming\windows\explorer.exe
Parent process: enquiry-POL2387IBMB654.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2564
CMD: "C:\Users\admin\AppData\Roaming\windows\explorer.exe"
Path: C:\Users\admin\AppData\Roaming\windows\explorer.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH

PID: 2668
CMD: "C:\Users\admin\AppData\Roaming\windows\explorer.exe" 2 2564 1342453
Path: C:\Users\admin\AppData\Roaming\windows\explorer.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 4294967295 (0xFFFFFFFF, i.e. -1)

PID: 2372
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\system32\taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 360
CMD: "C:\Users\admin\Desktop\enquiry-POL2387IBMB654.exe"
Path: C:\Users\admin\Desktop\enquiry-POL2387IBMB654.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3020
CMD: "C:\Users\admin\AppData\Roaming\windows\explorer.exe"
Path: C:\Users\admin\AppData\Roaming\windows\explorer.exe
Parent process: enquiry-POL2387IBMB654.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Total events: 803
Read events: 747
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

The two ":ZoneIdentifier" entries are the Zone.Identifier alternate data stream (Mark-of-the-Web) written next to the copied executable; hashes were not recorded for those entries or for the WinRAR extraction temporaries.

PID 2844, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2844.37154\enquiry-POL2387IBMB654.iso
MD5: (not recorded)
SHA256: (not recorded)

PID 3184, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3184.40679\enquiry-POL2387IBMB654.exe
MD5: (not recorded)
SHA256: (not recorded)

PID 2812, enquiry-POL2387IBMB654.exe
Filename: C:\Users\admin\AppData\Roaming\windows\explorer.exe:ZoneIdentifier
MD5: (not recorded)
SHA256: (not recorded)

PID 360, enquiry-POL2387IBMB654.exe
Filename: C:\Users\admin\AppData\Roaming\windows\explorer.exe:ZoneIdentifier
MD5: (not recorded)
SHA256: (not recorded)

PID 3020, explorer.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.vbs
Type: text
MD5: 9C03460D338DAB1D95C79A5256BB0D61
SHA256: 3FA218C5828C7F2970BC88E0928E63033761994DA86AA0E93FAAE923B97A82E1

PID 2812, enquiry-POL2387IBMB654.exe
Filename: C:\Users\admin\AppData\Roaming\windows\explorer.exe
Type: executable
MD5: 266181A714E195C2ACB9A1DE3C046869
SHA256: F525394B2636C84DD9EBA3D996504D7A61D0B34B536E17CE71F203F736E1859D

PID 2544, explorer.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.vbs
Type: text
MD5: 9C03460D338DAB1D95C79A5256BB0D61
SHA256: 3FA218C5828C7F2970BC88E0928E63033761994DA86AA0E93FAAE923B97A82E1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

PID 2564, explorer.exe
Method: GET
HTTP Code: 200
IP: 216.146.43.70:80
URL: http://checkip.dyndns.org/
CN: US
Type: html
Size: 106 b
Reputation: shared

PID 1576, explorer.exe
Method: GET
HTTP Code: 200
IP: 216.146.43.70:80
URL: http://checkip.dyndns.org/
CN: US
Type: html
Size: 106 b
Reputation: shared

Connections

PID 2564, explorer.exe
IP: 217.70.178.9:587
Domain: mail.gandi.net
ASN: GANDI SAS
CN: FR
Reputation: malicious
(Port 587 is the SMTP submission port; an outbound mail connection from a copied "explorer.exe" right after an external-IP lookup is consistent with the "stealing of personal data" indicator above, i.e. exfiltration over e-mail.)

PID: (not listed), explorer.exe
IP: 216.146.43.70:80
Domain: checkip.dyndns.org
ASN: Dynamic Network Services, Inc.
CN: US
Reputation: shared

DNS requests

checkip.dyndns.org
  • 216.146.43.70
  • 216.146.43.71
  • 131.186.113.70
Reputation: shared

mail.gandi.net
  • 217.70.178.9
Reputation: shared

Threats

PID: (not listed)
Class: Misc activity
Message: ET INFO DYNAMIC_DNS Query to *.dyndns. Domain

PID 2564, explorer.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY External IP Lookup - checkip.dyndns.org

PID 2564, explorer.exe
Class: Potential Corporate Privacy Violation
Message: POLICY [PTsecurity] External IP Check checkip.dyndns.org

PID 2564, explorer.exe
Class: Potentially Bad Traffic
Message: ET POLICY DynDNS CheckIp External IP Address Server Response

PID 2564, explorer.exe
Class: Generic Protocol Command Decode
Message: SURICATA Applayer Detect protocol only one direction

PID 1576, explorer.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY External IP Lookup - checkip.dyndns.org

PID 1576, explorer.exe
Class: Potential Corporate Privacy Violation
Message: POLICY [PTsecurity] External IP Check checkip.dyndns.org

PID 1576, explorer.exe
Class: Potentially Bad Traffic
Message: ET POLICY DynDNS CheckIp External IP Address Server Response
2 ETPRO signatures available at the full report
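Taken together, the process, dropped-file and network sections describe one chain: the executable from the ISO copies itself to C:\Users\admin\AppData\Roaming\windows\explorer.exe, the copy writes windows.vbs into the Startup folder, looks up its public IP at checkip.dyndns.org and then opens an SMTP submission connection to mail.gandi.net:587. The script below is an added example, not part of the ANY.RUN report, showing how those observations turn into host-side detection logic: a small event model, one rule per behaviour (a Windows binary name running from outside C:\Windows, an executable dropped under that name, a Startup-folder write, an external-IP check, SMTP from a process that is not a mail client), and a per-PID summary. The events in `EVENTS` are constructed from the report; the parent path C:\Windows\explorer.exe for the shell, the domain and client lists, and the rule names are assumptions.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumed lists; tune to your environment.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe"}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
IP_CHECK_DOMAINS = {"checkip.dyndns.org", "checkip.amazonaws.com", "api.ipify.org", "icanhazip.com", "ipinfo.io"}
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass
class Event:
    kind: str            # "process" (creation), "file" (write), "net" (connection)
    pid: int
    image: str           # full path of the acting process
    target: str = ""     # written file path, or "ip:port" for net events
    parent: str = ""     # parent image path for process events
    domain: str = ""     # resolved name for net events


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _under_windows(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def rule_masquerading_system_binary(ev: Event) -> str | None:
    """A process named like a core Windows binary but not started from C:\\Windows."""
    if ev.kind == "process" and _basename(ev.image) in SYSTEM_BINARIES and not _under_windows(ev.image):
        return f"{_basename(ev.image)} running from {ev.image}"
    return None


def rule_drops_system_binary_lookalike(ev: Event) -> str | None:
    """A file write that creates a core-binary name outside C:\\Windows (the self-copy step)."""
    if ev.kind == "file" and _basename(ev.target) in SYSTEM_BINARIES and not _under_windows(ev.target):
        return f"wrote {ev.target}"
    return None


def rule_startup_folder_persistence(ev: Event) -> str | None:
    """Any write into a per-user or all-users Startup folder."""
    if ev.kind == "file" and STARTUP_DIR in ev.target.lower():
        return f"wrote {ev.target}"
    return None


def rule_external_ip_check(ev: Event) -> str | None:
    """Connection to a public-IP echo service; the same behaviour the ET POLICY alerts fire on."""
    if ev.kind == "net" and ev.domain.lower() in IP_CHECK_DOMAINS:
        return f"looked up public IP via {ev.domain}"
    return None


def rule_smtp_from_non_mail_client(ev: Event) -> str | None:
    """Outbound SMTP/submission from anything that is not a known mail client."""
    if ev.kind == "net":
        port = int(ev.target.rsplit(":", 1)[1])
        if port in SMTP_PORTS and _basename(ev.image) not in MAIL_CLIENTS:
            return f"{_basename(ev.image)} -> {ev.domain or ev.target} port {port}"
    return None


RULES = [rule_masquerading_system_binary, rule_drops_system_binary_lookalike,
         rule_startup_folder_persistence, rule_external_ip_check, rule_smtp_from_non_mail_client]


def analyze(events: list[Event]) -> list[Finding]:
    """Run every rule over every event; one Finding per (rule, event) hit."""
    return [Finding(rule.__name__[len("rule_"):], ev.pid, detail)
            for ev in events for rule in RULES if (detail := rule(ev))]


def summarize(findings: list[Finding]) -> dict[int, list[str]]:
    """Map each PID to the sorted set of rule names it tripped."""
    return {pid: sorted({f.rule for f in findings if f.pid == pid}) for pid in {f.pid for f in findings}}


# Constructed from the report's process, dropped-file and connection tables (shell parent path assumed).
DROPPED = r"C:\Users\admin\AppData\Roaming\windows\explorer.exe"
LURE = r"C:\Users\admin\Desktop\enquiry-POL2387IBMB654.exe"
EVENTS = [
    Event("process", 2844, r"C:\Program Files\WinRAR\WinRAR.exe", parent=r"C:\Windows\explorer.exe"),
    Event("process", 2812, LURE, parent=r"C:\Windows\explorer.exe"),
    Event("file", 2812, LURE, target=DROPPED),
    Event("process", 2544, DROPPED, parent=LURE),
    Event("file", 2544, DROPPED,
          target=r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.vbs"),
    Event("net", 2564, DROPPED, target="216.146.43.70:80", domain="checkip.dyndns.org"),
    Event("net", 2564, DROPPED, target="217.70.178.9:587", domain="mail.gandi.net"),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"PID {f.pid:<5} {f.rule:<32} {f.detail}")
```

The benign WinRAR process is included deliberately: a good rule set must stay quiet on the archiver and the real shell while lighting up the copy in AppData. The SMTP rule is the one most likely to need local tuning, since legitimate line-of-business tools also send mail on 587; the value here is the combination with the other hits on the same PID, not any single rule.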
No debug info