File name: sample_94.zip
Full analysis: https://app.any.run/tasks/d48df9ca-255e-4096-8eee-c0141785130b
Verdict: Malicious activity
Analysis date: June 12, 2019, 10:32:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 1F48BEB69EC05428AC249AA81DAA49E8
SHA1: 8ED51ACC1C4D7A12A4F03D89CCB4680F40EFB6C0
SHA256: E043741BF9594CB48DD3304CE3DC239CFB498E5CA25008A61A6E1B80ADE066E5
SSDEEP: 1536:/+YxNvKRA/2UjK8mbkP8AzFHy2tmWm/3Kv:2a1H+U4tAzh3mWmfy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • sample_94.exe (PID: 3580)
      • lsass.exe (PID: 2604)
    • Changes settings of System certificates
      • lsass.exe (PID: 2604)
    • Changes the autorun value in the registry
      • sample_94.exe (PID: 3580)
      • lsass.exe (PID: 2604)
    • Changes the login/logoff helper path in the registry
      • sample_94.exe (PID: 3580)
      • lsass.exe (PID: 2604)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2932)
      • sample_94.exe (PID: 3580)
    • Creates files in the user directory
      • sample_94.exe (PID: 3580)
      • lsass.exe (PID: 2604)
    • Uses NETSH.EXE for network configuration
      • sample_94.exe (PID: 3580)
    • Adds / modifies Windows certificates
      • lsass.exe (PID: 2604)
  • INFO
    • Manual execution by user
      • sample_94.exe (PID: 3580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF (ZIP)
ZipFileName: sample_94/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2018:05:01 18:48:22
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph (processes shown): winrar.exe, sample_94.exe, netsh.exe (no specs), lsass.exe

Process information

PID: 2932
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample_94.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3580
CMD: "C:\Users\admin\Desktop\sample.exe\sample_94.exe"
Path: C:\Users\admin\Desktop\sample.exe\sample_94.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2288
CMD: netsh advfirewall firewall add rule name="ImgBurn" dir=in action=allow description="Multimedia suite" program="C:\Users\admin\AppData\Roaming\Microsoft\lsass.exe" enable=yes
Path: C:\Windows\system32\netsh.exe
Parent process: sample_94.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2604
CMD: /k C:\Users\admin\Desktop\sample.exe\sample_94.exe
Path: C:\Users\admin\AppData\Roaming\Microsoft\lsass.exe
Parent process: sample_94.exe
User: admin
Integrity Level: MEDIUM
Version: 1.00
Total events: 609
Read events: 463
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 2604
Process: lsass.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\SrqKvPRubxbSxF.tmp
Type: -
MD5: -
SHA256: -

PID: 2604
Process: lsass.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\geoiptool_com[1].txt
Type: html
MD5: 6373E31C132C5554C7CD81469FEED908
SHA256: 8A4155304EB0DBDFDB0A51BC62AFD7C645421D088B635A4745AFE92D6B18B690

PID: 2932
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\sample.exe\sample_94
Type: executable
MD5: F536047A1FB17B7A962F0AE91CB8F838
SHA256: 8D21CB631C8CAF7F62F60BBB7C77FED05A698A6A9084478DC8FD00E946826BA6

PID: 3580
Process: sample_94.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\lsass.exe
Type: executable
MD5: F536047A1FB17B7A962F0AE91CB8F838
SHA256: 8D21CB631C8CAF7F62F60BBB7C77FED05A698A6A9084478DC8FD00E946826BA6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 3
Threats: 0

HTTP requests

PID: 2604
Process: lsass.exe
Method: GET
HTTP Code: 301
IP: 158.69.67.193:80
URL: http://www.geoiptool.com/
CN: CA
Type: html
Size: 184 b
Reputation: malicious

Connections

PID: 2604
Process: lsass.exe
IP: 158.69.67.193:443
Domain: www.geoiptool.com
ASN: OVH SAS
CN: CA
Reputation: suspicious

PID: 2604
Process: lsass.exe
IP: 158.69.67.193:80
Domain: www.geoiptool.com
ASN: OVH SAS
CN: CA
Reputation: suspicious

DNS requests

Domain: www.geoiptool.com
IP: 158.69.67.193
Reputation: malicious

Domain: geoiptool.com
IP: 158.69.67.193
Reputation: whitelisted

Domain: thexrhostbooter82.no-ip.info
IP: -
Reputation: unknown

Threats

PID: 2604
Process: lsass.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY Geo Location IP info online service (geoiptool.com)

PID: 2604
Process: lsass.exe
Class: Misc activity
Message: SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)

PID: -
Process: -
Class: Potentially Bad Traffic
Message: ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
No debug info