File name: updatekas.zip

Full analysis: https://app.any.run/tasks/46394b76-fe32-41aa-9749-0e4d039b3bd3
Verdict: Malicious activity
Analysis date: July 07, 2021, 14:40:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 1E4F6FEA32E12EA5806D9C08976A6D2A
SHA1: 09434BA2C13250B4CA61E863E3AF714F1015DFE4
SHA256: E601C1D200BE641F1384C80B3D280C5A907947AAC067B3737B671E214374382F
SSDEEP: 6144:4Xn7hl6tHfTlSvPGuZI5GErHE0InQKCj6fpHLIT1aXi18/:g1ATwOm25VIMepH0JfC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • updatekas.exe (PID: 2932)
  • SUSPICIOUS
    • Reads the computer name
      • WinRAR.exe (PID: 3692)
      • updatekas.exe (PID: 2932)
    • Checks supported languages
      • updatekas.exe (PID: 2932)
      • WinRAR.exe (PID: 3692)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 3692)
    • Drops a file that was compiled in debug mode
      • WinRAR.exe (PID: 3692)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3692)
  • INFO
    • Manual execution by user
      • updatekas.exe (PID: 2932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2021:07:07 19:49:15
ZipCRC: 0xf45366fd
ZipCompressedSize: 234104
ZipUncompressedSize: 262144
ZipFileName: updatekas.exe
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph (process nodes): start, winrar.exe, updatekas.exe

Process information

PID: 3692
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\updatekas.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 2932
CMD: "C:\Users\admin\Desktop\updatekas.exe"
Path: C:\Users\admin\Desktop\updatekas.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Description: This is production version
Version: 1.1.39
Modules (images):
c:\users\admin\desktop\updatekas.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
Total events: 7 607
Read events: 7 596
Write events: 11
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
3692 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
3692 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
3692 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | write | LanguageList | en-US
3692 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | write | @C:\Windows\system32\NetworkExplorer.dll,-1 | Network
3692 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
3692 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\updatekas.zip
3692 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
3692 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
3692 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
3692 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3692 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3692.19671\updatekas.exe | executable
MD5: DFC25E0EA7429AF7713993BA8B849325
SHA256: 03B842F01C0FCFFE65528C0CDA2B41426A01F1E005DA63BDAE4CE96AA0469A76
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 32
DNS requests: 24
Threats: 0

HTTP requests

Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | - | - | whitelisted
GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | binary | 9.91 Kb | whitelisted
GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | binary | 11.2 Kb | whitelisted
HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/YGkwa4MXjfWSuERyWQYP_A_4/aapLKTSZ439A-0g3nqJr3Q | US | binary | 11.2 Kb | whitelisted
GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | binary | 5.77 Kb | whitelisted
GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/AIQWwBRSWwfx2JCxD0aw30k_2657/I-4-aBwqaCFG5rMUT0QDpg | US | crx | 18.6 Kb | whitelisted
GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | binary | 7.10 Kb | whitelisted
GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | binary | 9.91 Kb | whitelisted
GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | crx | 242 Kb | whitelisted
GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTQ3QUFYQzF5VF9DcWNsa0ZkMGdTQmdvQQ/1.0.0.8_llkgjffcdpffmhiakmfcdcblohccpfmo.crx | US | crx | 2.85 Kb | whitelisted

Connections

IP | Domain | ASN | CN | Reputation
142.250.185.131:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
142.250.181.228:443 | www.google.com | Google Inc. | US | whitelisted
142.250.184.202:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
142.250.186.163:443 | www.gstatic.com | Google Inc. | US | whitelisted
142.250.185.109:443 | accounts.google.com | Google Inc. | US | suspicious
216.58.212.174:443 | ogs.google.com | Google Inc. | US | whitelisted
216.58.212.142:443 | apis.google.com | Google Inc. | US | whitelisted
142.250.184.206:443 | clients2.google.com | Google Inc. | US | whitelisted
142.250.74.195:443 | fonts.gstatic.com | Google Inc. | US | whitelisted
142.250.186.110:443 | encrypted-tbn0.gstatic.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
clientservices.googleapis.com | 142.250.185.131 | whitelisted
www.google.com | 142.250.181.228 | whitelisted
accounts.google.com | 142.250.185.109 | shared
clients2.google.com | 142.250.184.206 | whitelisted
fonts.googleapis.com | 142.250.184.202 | whitelisted
www.gstatic.com | 142.250.186.163 | whitelisted
fonts.gstatic.com | 142.250.74.195 | whitelisted
apis.google.com | 216.58.212.142 | whitelisted
ogs.google.com | 216.58.212.174 | whitelisted
update.googleapis.com | 172.217.16.131 | whitelisted

Threats

No threats detected

Process | Message
updatekas.exe | OWQkNSJRVWfjjAfhyvYaEWaKXZmvsleHiKWmYp
updatekas.exe | LRsVtoOcLkJkMcJOHHlSdBocgEomDVQYYQUuHfIQKasHrZDTwVfyUZjJSFJAF
updatekas.exe | lPwsCGQOdTMYSqUTehbJRACLDnhtLLJLwXcZlEmipMGokeFHeBTAYegk
updatekas.exe | kiAKYFqrMpXStSoIWqmIrPfYpSeHSNoblIJwvw
updatekas.exe | ETsVwMBMueBXYRbizkwEmBbxWcqbMZYjDcGqLNhlBzznEuCjgOkqAn
updatekas.exe | dAIVZpVLZZGrFERXNStmMBfzWXPQaoktxaqyLrfwCHcnQDqYxdgyDekUCa
updatekas.exe | gswTMwiyFCuQhkuyBXXRYuJLyWJnGBuYC
updatekas.exe | AqrcdIficuEgYfKwqZRztGJTVoJjKucdasAelyHKguz
updatekas.exe | mUQpqlFBUUfVyLzmtwTmSuzTEAoydiNCMFDTbiwzKfQ
updatekas.exe | qperDYDoykBvEJfdVqHHJXCIjKsAjqc