analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

2bf3cdbd5a8a87f24c2776e8cb22025f.zip

Full analysis: https://app.any.run/tasks/9a93adf2-f5f2-492f-829c-3934732ccf73
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 27, 2022, 13:11:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
exploit
CVE-2017-11882
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

FB7C1ED144069A5437422848B6D1475A

SHA1:

FC4B9AACBFA26E4EF1F130813612645E8B25833D

SHA256:

E54842056A3AE134CF5BE1ABAC6BBD5A52031C30D62D252FF68EB0EDE02B10A4

SSDEEP:

192:K8sloFC4E5+sDpA8DmBgZOAH0lwd3lm1AqM5UB6tP9tJ6DkbD:nkmG5jDZs6RqM5UB6P3JDP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 2472)
      • vbc.exe (PID: 3404)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3056)
      • EQNEDT32.EXE (PID: 3260)

    • Drops executable file immediately after starts

      • EQNEDT32.EXE (PID: 3056)

    • Changes settings of System certificates

      • vbc.exe (PID: 2472)
      • vbc.exe (PID: 3404)

    • Loads the Task Scheduler COM API

      • mmc.exe (PID: 1168)

  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 2960)
      • OUTLOOK.EXE (PID: 3512)
      • EQNEDT32.EXE (PID: 3056)
      • vbc.exe (PID: 2472)
      • EQNEDT32.EXE (PID: 3260)
      • vbc.exe (PID: 3404)

    • Reads the computer name

      • WinRAR.exe (PID: 2960)
      • OUTLOOK.EXE (PID: 3512)
      • EQNEDT32.EXE (PID: 3056)
      • vbc.exe (PID: 2472)
      • vbc.exe (PID: 3404)
      • EQNEDT32.EXE (PID: 3260)

    • Searches for installed software

      • OUTLOOK.EXE (PID: 3512)

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3512)
      • vbc.exe (PID: 2472)
      • vbc.exe (PID: 3404)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3056)

    • Executed via COM

      • EQNEDT32.EXE (PID: 3056)
      • EQNEDT32.EXE (PID: 3260)

    • Drops a file with a compile date too recent

      • EQNEDT32.EXE (PID: 3056)

    • Adds / modifies Windows certificates

      • vbc.exe (PID: 2472)
      • vbc.exe (PID: 3404)

  • INFO

    • Checks supported languages

      • firefox.exe (PID: 3312)
      • firefox.exe (PID: 2460)
      • firefox.exe (PID: 2032)
      • firefox.exe (PID: 3408)
      • firefox.exe (PID: 2040)
      • WINWORD.EXE (PID: 3664)
      • firefox.exe (PID: 1616)
      • firefox.exe (PID: 2680)
      • firefox.exe (PID: 2584)
      • WINWORD.EXE (PID: 532)
      • taskmgr.exe (PID: 3732)
      • taskmgr.exe (PID: 1632)
      • mmc.exe (PID: 1168)

    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 2960)
      • firefox.exe (PID: 2460)

    • Manual execution by user

      • OUTLOOK.EXE (PID: 3512)
      • firefox.exe (PID: 3312)
      • WINWORD.EXE (PID: 3664)
      • taskmgr.exe (PID: 3732)
      • WINWORD.EXE (PID: 532)
      • taskmgr.exe (PID: 1632)
      • mmc.exe (PID: 3348)
      • mmc.exe (PID: 1168)

    • Application launched itself

      • firefox.exe (PID: 3312)
      • firefox.exe (PID: 2460)

    • Reads the computer name

      • firefox.exe (PID: 2460)
      • firefox.exe (PID: 3408)
      • firefox.exe (PID: 2032)
      • firefox.exe (PID: 1616)
      • firefox.exe (PID: 2680)
      • firefox.exe (PID: 2584)
      • WINWORD.EXE (PID: 3664)
      • firefox.exe (PID: 2040)
      • taskmgr.exe (PID: 3732)
      • WINWORD.EXE (PID: 532)
      • taskmgr.exe (PID: 1632)
      • mmc.exe (PID: 1168)

    • Reads CPU info

      • firefox.exe (PID: 2460)

    • Creates files in the program directory

      • firefox.exe (PID: 2460)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3512)
      • WINWORD.EXE (PID: 3664)
      • WINWORD.EXE (PID: 532)

    • Reads the date of Windows installation

      • firefox.exe (PID: 2460)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3664)
      • firefox.exe (PID: 2460)
      • WINWORD.EXE (PID: 532)

    • Reads settings of System Certificates

      • vbc.exe (PID: 2472)
      • vbc.exe (PID: 3404)

    • Checks Windows Trust Settings

      • vbc.exe (PID: 2472)
      • vbc.exe (PID: 3404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2022:06:27 09:56:05
ZipCRC: 0x6bf6ca99
ZipCompressedSize: 10567
ZipUncompressedSize: 18343
ZipFileName: 2bf3cdbd5a8a87f24c2776e8cb22025f
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
77
Monitored processes
20
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs outlook.exe firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs winword.exe eqnedt32.exe vbc.exe taskmgr.exe no specs winword.exe eqnedt32.exe no specs vbc.exe taskmgr.exe no specs mmc.exe no specs mmc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2960"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\2bf3cdbd5a8a87f24c2776e8cb22025f.zip"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
3512"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\Desktop\2bf3cdbd5a8a87f24c2776e8cb22025f.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
3312"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\firefox.exeExplorer.EXE
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
83.0
2460"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
83.0
3408"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.0.1067482257\1907281272" -parentBuildID 20201112153044 -prefsHandle 1112 -prefMapHandle 1104 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 1188 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
83.0
2032"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.6.976462448\56224468" -childID 1 -isForBrowser -prefsHandle 3156 -prefMapHandle 3152 -prefsLen 245 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 3168 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
83.0
1616"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.13.342334620\1812218549" -childID 2 -isForBrowser -prefsHandle 2300 -prefMapHandle 2640 -prefsLen 6644 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 2236 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
83.0
2584"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.20.34379849\1796469445" -childID 3 -isForBrowser -prefsHandle 3572 -prefMapHandle 1376 -prefsLen 7399 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 3604 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
83.0
2680"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.21.106554328\1585817401" -childID 4 -isForBrowser -prefsHandle 3592 -prefMapHandle 3576 -prefsLen 7399 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 3636 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
83.0
2040"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.34.90643518\220154026" -childID 5 -isForBrowser -prefsHandle 4120 -prefMapHandle 4112 -prefsLen 9137 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 4132 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
83.0
Total events
33 444
Read events
31 301
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
149
Text files
66
Unknown types
49

Dropped files

PID
Process
Filename
Type
3512OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR38B5.tmp.cvr
MD5:
SHA256:
3512OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
MD5:
SHA256:
3512OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\OP352E64\Quote Requriment parts Request.docxdocument
MD5:721E81DBE3567352883F94F314363526
SHA256:E60FA5029C0585CA1CEC14FF90566EFFFAC46A2F5A03856588801ED7CA3B9055
3512OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:6A54A0137B9ABBD86863D24D1638DF7D
SHA256:90953A9C2EC49F692C2A7EB4B7C93379BDAEFCFB256C5B3EEA32762CB692E2B4
2960WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2960.15867\2bf3cdbd5a8a87f24c2776e8cb22025feml
MD5:2BF3CDBD5A8A87F24C2776E8CB22025F
SHA256:7EEEC6F1A7A55F8A421BB1BA8FC41E3B527D80B09E98B56FC1E57D14C75C4A0D
3512OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmpdocument
MD5:813FFC3E8EF79F48DC2743E658E4265C
SHA256:195776F0A218760B3215EE5317F238682EBB5E90ACF5A0982AECED9CD8E765FB
3512OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\~DF37F76A6A60ECDD95.TMPgmc
MD5:912F9A103CE60EA33FD65A457900E602
SHA256:E6F5BBD7BA124F2281C961FC6B314D24B2E52198E464CDA3F3682918CB46EDE0
2460firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:
3512OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\~Outlook Data File - NoMail.pst.tmpbinary
MD5:7DD0B3D21C2CE522062796356AECC40F
SHA256:028778BD3E1270AC1D9421045C88DAF0E55F7433F540D9ACA3D38A3D59E68356
3512OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:51A4748E0882D7D7661EC396B1795237
SHA256:E764540903E6BF7930ED2FDB98267C6272D16F81891FF17DE0E4B3F7520826D2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
38
TCP/UDP connections
48
DNS requests
106
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3512
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
2460
firefox.exe
POST
200
142.250.185.67:80
http://ocsp.pki.goog/gts1c3
US
der
472 b
whitelisted
2460
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt
US
text
8 b
whitelisted
3664
WINWORD.EXE
OPTIONS
200
35.177.103.98:80
http://35.177.103.98/dhl/
GB
suspicious
2460
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2460
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2460
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
828
svchost.exe
PROPFIND
301
35.177.103.98:80
http://35.177.103.98/dhl
GB
html
337 b
suspicious
2460
firefox.exe
POST
200
142.250.185.67:80
http://ocsp.pki.goog/gts1c3
US
der
472 b
whitelisted
2460
firefox.exe
POST
200
142.250.185.67:80
http://ocsp.pki.goog/gts1c3
US
der
472 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2460
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2460
firefox.exe
34.107.221.82:80
detectportal.firefox.com
US
whitelisted
3512
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
2460
firefox.exe
142.251.36.42:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2460
firefox.exe
44.225.149.74:443
push.services.mozilla.com
University of California, San Diego
US
unknown
2460
firefox.exe
143.204.89.63:443
firefox.settings.services.mozilla.com
US
suspicious
2460
firefox.exe
52.40.106.245:443
location.services.mozilla.com
Amazon.com, Inc.
US
unknown
2460
firefox.exe
143.204.89.127:443
content-signature-2.cdn.mozilla.net
US
suspicious
2460
firefox.exe
142.250.184.195:443
fonts.gstatic.com
Google Inc.
US
whitelisted
2460
firefox.exe
142.250.185.67:443
ocsp.pki.goog
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
example.org
  • 93.184.216.34
whitelisted
ipv4only.arpa
  • 192.0.0.170
  • 192.0.0.171
whitelisted
firefox.settings.services.mozilla.com
  • 143.204.89.63
  • 143.204.89.68
  • 143.204.89.95
  • 143.204.89.103
whitelisted
location.services.mozilla.com
  • 52.40.106.245
  • 34.208.249.219
  • 34.209.127.219
  • 54.189.127.149
  • 52.36.164.126
  • 35.163.114.24
whitelisted
locprod2-elb-us-west-2.prod.mozaws.net
  • 35.163.114.24
  • 52.36.164.126
  • 54.189.127.149
  • 34.209.127.219
  • 34.208.249.219
  • 52.40.106.245
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
cs9.wac.phicdn.net
  • 93.184.220.29
whitelisted

Threats

PID
Process
Class
Message
2460
firefox.exe
Potentially Bad Traffic
ET INFO Terse Request for .txt - Likely Hostile
2460
firefox.exe
Potentially Bad Traffic
ET INFO Terse Request for .txt - Likely Hostile
2460
firefox.exe
Potentially Bad Traffic
ET INFO Terse Request for .txt - Likely Hostile
2460
firefox.exe
Potentially Bad Traffic
ET INFO Terse Request for .txt - Likely Hostile
3664
WINWORD.EXE
Potentially Bad Traffic
ET INFO Dotted Quad Host DOC Request
3664
WINWORD.EXE
Potentially Bad Traffic
ET INFO Dotted Quad Host DOC Request
3664
WINWORD.EXE
Potentially Bad Traffic
ET INFO Suspicious Request for Doc to IP Address with Terse Headers
3664
WINWORD.EXE
Potentially Bad Traffic
ET INFO Possible RTF File With Obfuscated Version Header
3664
WINWORD.EXE
Potentially Bad Traffic
ET INFO Dotted Quad Host DOC Request
3056
EQNEDT32.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
Process
Message
mmc.exe
Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2bf3cdbd5a8a87f24c2776e8cb22025f.zip