File name: SoftAnalisis.zip
Full analysis: https://app.any.run/tasks/0c45224c-f384-44c3-8f1a-d5c398e97399
Verdict: Malicious activity
Analysis date: October 04, 2022, 20:46:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 50ACFB00ADC3C10AEE8A32B513D7ABE8
SHA1: ECB67A5D0A9EC5CAD64A3FF54CE5C7D89393F5A5
SHA256: ED8EA86A2023FD79B817CBACC14DE71E38FAC1063EAD66FDCFF19232F96B9AF3
SSDEEP: 196608:eVeIq39QG8NOlOdsWNJQ1x1ubA3ENnW00dWAiEBjpF:QwQG8v/MXoAdjbiapF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Actions looks like stealing of personal data
      • WinRAR.exe (PID: 3472)
    • Drops executable file immediately after starts
      • WinRAR.exe (PID: 3472)
    • Application was dropped or rewritten from another process
      • setup.exe (PID: 1880)
  • SUSPICIOUS
    • Checks supported languages
      • dfsvc.exe (PID: 3784)
      • WinRAR.exe (PID: 3472)
      • setup.exe (PID: 1880)
    • Reads the computer name
      • WinRAR.exe (PID: 3472)
      • dfsvc.exe (PID: 3784)
      • setup.exe (PID: 1880)
    • Uses RUNDLL32.EXE to load library
      • WinRAR.exe (PID: 3472)
    • Reads Environment values
      • dfsvc.exe (PID: 3784)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3472)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 3472)
    • Reads internet explorer settings
      • dfsvc.exe (PID: 3784)
  • INFO
    • Checks supported languages
      • rundll32.exe (PID: 1596)
    • Reads the computer name
      • rundll32.exe (PID: 1596)
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 3472)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)
No data.
Total processes: 37
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 1

Process information

PID: 3472
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SoftAnalisis.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 1596
CMD: "rundll32.exe" dfshim.dll,ShOpenVerbApplication C:\Users\admin\AppData\Local\Temp\Rar$DIa3472.8363\SEG_ApplicationLayer.application
Path: C:\Windows\system32\rundll32.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3784
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: ClickOnce
Version: 4.0.30319.34209 built by: FX452RTMGDR

PID: 1880
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3472.11908\SoftAnalisis\setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3472.11908\SoftAnalisis\setup.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Description: Setup
Exit code: 0
Version: 16.0.31206.173 built by: D16.10
Total events: 1 785
Read events: 1 726
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 39
Suspicious files: 1
Text files: 23
Unknown types: 0

Dropped files

PID: 3472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3472.11908\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\C1.Win.C1FlexGrid.4.dll.deploy
MD5: 895DF8EB310F9D46964D4391290774CD
SHA256: 9F7A914859C67A6A34145020238F4161DD07E5A5837DB02C7C344368405F90FD

PID: 3472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3472.11908\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\C1.Win.C1InputPanel.4.dll.deploy
MD5: 6161AE9A14F7EEC828643F03A940362D
SHA256: E01A7735F8EF4A4DA3C3E20BE6B86004ED5425C4686E75FC805D57411FF22B84

PID: 3472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3472.11908\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\C1.C1Excel.4.dll.deploy
MD5: 61B27A959E979EA10FA3A97750438BD1
SHA256: D1280087DE8BB8731864C8AC86BF10F5296024D18ED717BE677D3B0F308D1320

PID: 3472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3472.11908\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\CommonApplication.dll.deploy
MD5: C8DF57832FD5422534A69FD82E4BDA8C
SHA256: 9756AD0A34004A627DD4101D3F45021F06FB0D5928C7BA2FAF9050B72CEBBD5E

PID: 3472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3472.11908\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\C1.Win.C1Chart.4.dll.deploy
MD5: D24645C631DE441E51E51211C4DF4269
SHA256: A347966760955CDB368EEF9122E979949F6D66BF1C36A159AA6C3F744843F76D

PID: 3784 | Process: dfsvc.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\6DLW9JGQ.log
MD5: 65234269F3AAAA3F19E9900060C98D04
SHA256: 0A88FD6BC3B64C2EF67C1F551166A8D6BF743F000AF9FB26E13ADFBAF3A1724D

PID: 3472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3472.11908\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\C1.Win.C1Input.4.dll.deploy
MD5: 254B7A48B05675961F63008CF028438E
SHA256: 1F5C6FE80B9CFE0C990095DD77171C386D04BDDB07E88399CD41B81C14E68B55

PID: 3472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3472.11908\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\C1.Win.C1Sizer.4.dll.deploy
MD5: 00E0F11EA946B7BACE40740C2779AC22
SHA256: 3813BB937A91CA24EF3FA28579B2852F9E8ACC6C2C9F97EF7EF576BC7C1E69D6

PID: 3784 | Process: dfsvc.exe | Type: xml
Filename: C:\Users\admin\AppData\Local\Temp\Deployment\Q30PHD1Z.RJG\5LGYP4M5.XH8.application
MD5: A69578C0A99D5628030A2BDAC72C3B0C
SHA256: 828343C09014978D8DBC228602A94471270D94618AE14BEE813A8901FB1A3597

PID: 3472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3472.11908\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\CommonDataLayer.dll.deploy
MD5: 3445E6B09828E2CDFD95A49C84DC29C2
SHA256: 417C1AC4EAEBB7BA0BFB5F954F048EED4A42E33D3CD9CA6869F767FB79C550B8
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3784 | dfsvc.exe | 20.81.178.30:80 | apps.x-pertec.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation
apps.x-pertec.com | 20.81.178.30 | unknown
dns.msftncsi.com | 131.107.255.255 | shared

Threats

No threats detected
Process | Message
dfsvc.exe | *** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe | *** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe | *** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230