Malware analysis server.zip Malicious activity | ANY.RUN

Add for printing

File name:	server.zip
Full analysis:	https://app.any.run/tasks/fe090c76-5c09-4a62-8ede-21243519a141
Verdict:	Malicious activity
Analysis date:	September 11, 2019, 09:06:52
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	EED7CF8DA4C94FDA0FC0020E6F960758
SHA1:	8F42C462E845BE2443D249024706B259B73DF3B9
SHA256:	E524FD1489A3403729A0C6E4884C567C83FD089D2E24F732738C7068FC2C7AE5
SSDEEP:	196608:lvQ/jrtZBhZ99pJ2XFDWNVwApisJVHZt9fRmP:Ve/tZR99pOoNGH2fTmP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - SearchProtocolHost.exe (PID: 752)
- Application was dropped or rewritten from another process
  - server.exe (PID: 2352)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3708)
INFO
- Manual execution by user
  - server.exe (PID: 2352)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (36.3)

EXIF

ZIP

ZipFileName:	server/
ZipUncompressedSize:	-
ZipCompressedSize:	2
ZipCRC:	0x00000000
ZipModifyDate:	2019:07:01 09:54:21
ZipCompression:	Deflated
ZipBitFlag:	-
ZipRequiredVersion:	20

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

36

Monitored processes

3

Malicious processes

2

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3708	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\server.zip"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0
752	"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"	C:\Windows\System32\SearchProtocolHost.exe	—	SearchIndexer.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7600.16385 (win7_rtm.090713-1255)
2352	"C:\Users\admin\Desktop\server\server.exe"	C:\Users\admin\Desktop\server\server.exe	—	explorer.exe
User: admin Company: 西南资源网 Integrity Level: MEDIUM Description: 专用网络打字比赛-服务端 Version: 6.3.6.0

Add for printing

Total events

997

Read events

940

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

11

Suspicious files

1

Text files

23

Unknown types

6

Dropped files

PID	Process	Filename		Type
3708	WinRAR.exe	C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\+s¦--++¦+=-d.txt		text
		MD5:95BC788F77E2AF4B11DBE6774FAB0B1B	SHA256:35A0DEEC992EBFA2985BB71DDDBA4FCAC13AB89278E32C9DE48C69D67E65F9E1
3708	WinRAR.exe	C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\+s¦-+·¦º--¦=.txt		text
		MD5:C15F42A2F27EA615D38574D06970CACE	SHA256:41D8F6C594E8C142AF5545F7078F15EE74FBF2F6480DF0F867F6B2F0C5634B84
3708	WinRAR.exe	C:\Users\admin\Desktop\server\addtools\ClientIme.exe		executable
		MD5:1C6DC05AFA3120DF2FF7285D0728FED5	SHA256:B4EC8E9A15A30B86BFB1577CD45C99A55CFC252D72999529D658E1FCEF1E299E
3708	WinRAR.exe	C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\+s¦-86¦µ-++¦+=-d.txt		text
		MD5:ABD97704804A3A858D6230FFD93BE6F6	SHA256:59F7576E2E92A8118DA15623217086DD170B3258080C8C38AA2C74644185E3AE
3708	WinRAR.exe	C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\+s¦-86¦µ+²+¦+=-d.txt		text
		MD5:B90D18038F29D723E8AB9B01D294BDC2	SHA256:E49E8145ACB8FAB6F4A3AF60E22D587CB016B6003F95B3559A9DEA475FB695A3
3708	WinRAR.exe	C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\+s¦-+²+¦+=-d.txt		text
		MD5:17524920BCC6CF7C102CE2658775D5D8	SHA256:9104C718C02D35E78CA609E63B2CA3D370080D61CAA40C39CF28553C90C83E92
3708	WinRAR.exe	C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+++G\-++¦+++G.txt		text
		MD5:45C65E2B0141495D4BB0C9B053790C8A	SHA256:0069AB1203B570CB910EA3BBBA0A442C1E43A1DE546052AA168C85D618E24554
3708	WinRAR.exe	C:\Users\admin\Desktop\server\addtools\++++¦ñ+¯-¦+˜.txt		text
		MD5:026D5F782C65EDC729FE7BBA018B7736	SHA256:B0BC386DFA047E140E7240DD920E64CACC41B4F0B97EE1A2C3C6FFF494327893
3708	WinRAR.exe	C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\-(¦¦\P1.mp3		mp3
		MD5:E2131F7A6585B50475726818CE629F1A	SHA256:7A4FA34A54ABEC469598E92EB9DE0546B8D9D3F80C0CADC4F8ADCE6CB3002D1E
3708	WinRAR.exe	C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\+s¦-86¦µ+++·+·+¦.txt		text
		MD5:AC654775A4D6A08D348CEF2D68129A91	SHA256:125A0557CD04B0140D38EF66F0F929B2E037830482ACC8B5F3808D5BFBDD88DF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

0

TCP/UDP connections

0

DNS requests

0

Threats

0

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

server.zip

EED7CF8DA4C94FDA0FC0020E6F960758

8F42C462E845BE2443D249024706B259B73DF3B9

E524FD1489A3403729A0C6E4884C567C83FD089D2E24F732738C7068FC2C7AE5

196608:lvQ/jrtZBhZ99pJ2XFDWNVwApisJVHZt9fRmP:Ve/tZR99pOoNGH2fTmP

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

SUSPICIOUS

Executable content was dropped or overwritten

INFO

Manual execution by user

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings