File name: SoftAnalisis.zip
Full analysis: https://app.any.run/tasks/5614e3ad-f0cc-45c4-b397-792de40d11de
Verdict: Malicious activity
Analysis date: October 04, 2022, 20:29:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 50ACFB00ADC3C10AEE8A32B513D7ABE8
SHA1: ECB67A5D0A9EC5CAD64A3FF54CE5C7D89393F5A5
SHA256: ED8EA86A2023FD79B817CBACC14DE71E38FAC1063EAD66FDCFF19232F96B9AF3
SSDEEP: 196608:eVeIq39QG8NOlOdsWNJQ1x1ubA3ENnW00dWAiEBjpF:QwQG8v/MXoAdjbiapF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops an executable file immediately after start
      • WinRAR.exe (PID: 3264)
    • Actions look like stealing of personal data
      • WinRAR.exe (PID: 3264)
    • Application was dropped or rewritten from another process
      • setup.exe (PID: 3700)
  • SUSPICIOUS
    • Reads the computer name
      • WinRAR.exe (PID: 3264)
      • setup.exe (PID: 3700)
      • dfsvc.exe (PID: 1748)
    • Checks supported languages
      • WinRAR.exe (PID: 3264)
      • dfsvc.exe (PID: 1748)
      • setup.exe (PID: 3700)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 3264)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3264)
    • Reads Internet Explorer settings
      • dfsvc.exe (PID: 1748)
    • Reads environment values
      • dfsvc.exe (PID: 1748)
    • Uses RUNDLL32.EXE to load a library
      • WinRAR.exe (PID: 3264)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 3264)
    • Checks supported languages
      • rundll32.exe (PID: 2612)
      • rundll32.exe (PID: 2912)
    • Reads the computer name
      • rundll32.exe (PID: 2612)
      • rundll32.exe (PID: 2912)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)
No data.
Total processes: 38
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph (parent/child relations as recorded in the process table)

Explorer.EXE
└─ WinRAR.exe (PID 3264)
   ├─ setup.exe (PID 3700)  [drop and start; no specs]
   │  └─ dfsvc.exe (PID 1748)
   ├─ rundll32.exe (PID 2612)  [no specs]
   └─ rundll32.exe (PID 2912)  [no specs]

Process information

PID 3264  WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SoftAnalisis.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Alexander Roshal
  Integrity level: MEDIUM
  Description: WinRAR archiver
  Version: 5.91.0

PID 3700  setup.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3264.3177\SoftAnalisis\setup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3264.3177\SoftAnalisis\setup.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity level: MEDIUM
  Description: Setup
  Exit code: 0
  Version: 16.0.31206.173 built by: D16.10

PID 1748  dfsvc.exe
  CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
  Parent process: setup.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: ClickOnce
  Version: 4.0.30319.34209 built by: FX452RTMGDR

PID 2612  rundll32.exe
  CMD: "rundll32.exe" dfshim.dll,ShOpenVerbApplication C:\Users\admin\AppData\Local\Temp\Rar$DIa3264.4277\SEG_ApplicationLayer.application
  Path: C:\Windows\system32\rundll32.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2912  rundll32.exe
  CMD: "rundll32.exe" dfshim.dll,ShOpenVerbApplication C:\Users\admin\AppData\Local\Temp\Rar$DIa3264.4775\SEG_ApplicationLayer.application
  Path: C:\Windows\system32\rundll32.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
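The chain in the table above (WinRAR extracts the archive, the extracted setup.exe starts the ClickOnce runtime dfsvc.exe, and rundll32.exe dfshim.dll,ShOpenVerbApplication opens the .application file straight out of WinRAR's Rar$DI temp view, twice) is also how a legitimately published ClickOnce application installs, so the MALICIOUS tags come from generic behaviour signatures rather than from anything specific to this sample. What a detection engineer can take from the report is the shape of the chain. The following hunting example is added here and is not part of the ANY.RUN report: it runs over constructed Sysmon-style events whose command lines, parents and destination mirror the process and connection tables, plus one benign web-launched control; the `Event` class, the rule names, the expected-parent list and the manifest-host allow-list are all assumptions for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One endpoint telemetry record, Sysmon-style (constructed for this example)."""
    kind: str                 # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str                # full path of the process image
    cmdline: str = ""
    parent_image: str = ""
    dest_host: str = ""
    dest_port: int = 0


# WinRAR names its temp extraction dirs Rar$EXa<pid>.<n>; Rar$DIa<pid>.<n> holds
# files opened straight from the archive view. 7-Zip uses 7z<random> under %TEMP%.
ARCHIVE_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\(Rar\$|7z)", re.IGNORECASE)

# "rundll32 dfshim.dll,ShOpenVerbApplication <manifest>" is how the shell hands a
# .application file to the ClickOnce runtime.
CLICKONCE_VERB_RE = re.compile(r"dfshim\.dll\s*,\s*ShOpenVerbApplication\s+(\S+)", re.IGNORECASE)

# Parents from which dfsvc.exe is normally started (shell or browser handing off a
# .application link). Anything else, e.g. an installer running from %TEMP%, is worth
# a look. Assumed list; tune for your estate. This is a hunting heuristic, not a verdict.
EXPECTED_DFSVC_PARENTS = {"explorer.exe", "rundll32.exe", "iexplore.exe",
                          "msedge.exe", "chrome.exe", "firefox.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, allowed_manifest_hosts=frozenset()):
    """Return (rule, pid) pairs for the ClickOnce-from-archive pattern."""
    findings = []
    for e in events:
        name = basename(e.image)
        if e.kind == "process":
            if ARCHIVE_TEMP_RE.search(e.image):
                findings.append(("exec_from_archive_temp", e.pid))
            if name == "rundll32.exe":
                m = CLICKONCE_VERB_RE.search(e.cmdline)
                # A URL argument is the normal web-launch case; a local path, especially
                # one under an archiver's temp dir, is the pattern in this report.
                if m and not m.group(1).lower().startswith(("http://", "https://")):
                    findings.append(("clickonce_launch_from_local_file", e.pid))
            elif name == "dfsvc.exe" and basename(e.parent_image) not in EXPECTED_DFSVC_PARENTS:
                findings.append(("dfsvc_unusual_parent", e.pid))
        elif e.kind == "network" and name == "dfsvc.exe":
            # dfsvc.exe fetching manifests over plaintext HTTP, or from a host that is
            # not a known deployment server, is the network half of the chain.
            if e.dest_port == 80 or e.dest_host.lower() not in allowed_manifest_hosts:
                findings.append(("dfsvc_unexpected_manifest_source", e.pid))
    return findings


# Constructed sample events; values modelled on the report's process table and connections.
SAMPLE_EVENTS = [
    Event("process", 3264, r"C:\Program Files\WinRAR\WinRAR.exe",
          r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SoftAnalisis.zip"',
          r"C:\Windows\explorer.exe"),
    Event("process", 3700, r"C:\Users\admin\AppData\Local\Temp\Rar$EXa3264.3177\SoftAnalisis\setup.exe",
          r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa3264.3177\SoftAnalisis\setup.exe"',
          r"C:\Program Files\WinRAR\WinRAR.exe"),
    Event("process", 1748, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe",
          r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"',
          r"C:\Users\admin\AppData\Local\Temp\Rar$EXa3264.3177\SoftAnalisis\setup.exe"),
    Event("process", 2612, r"C:\Windows\system32\rundll32.exe",
          r'"rundll32.exe" dfshim.dll,ShOpenVerbApplication C:\Users\admin\AppData\Local\Temp\Rar$DIa3264.4277\SEG_ApplicationLayer.application',
          r"C:\Program Files\WinRAR\WinRAR.exe"),
    Event("network", 1748, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe",
          dest_host="apps.x-pertec.com", dest_port=80),
    # Benign control (assumed): a browser-launched ClickOnce app from an internal HTTPS host.
    Event("process", 4100, r"C:\Windows\system32\rundll32.exe",
          r'"rundll32.exe" dfshim.dll,ShOpenVerbApplication https://apps.corp.example/Tool.application',
          r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Event("network", 4100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe",
          dest_host="apps.corp.example", dest_port=443),
]


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS, allowed_manifest_hosts=frozenset({"apps.corp.example"})):
        print(f"{rule:40s} pid={pid}")
```

Run stand-alone it reports PIDs 3700, 2612 and 1748 and stays silent on the benign control. The rules are deliberately independent so that a single one firing is a triage lead, while the combination (archive temp path, local-file ClickOnce launch, dfsvc with an installer parent, plaintext manifest fetch from an unknown host) reproduces the whole chain from this report.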
Total events: 1 911
Read events: 1 852
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 39
Suspicious files: 1
Text files: 27
Unknown types: 0

Dropped files (each dropped by WinRAR.exe, PID 3264; type: executable)

C:\Users\admin\AppData\Local\Temp\Rar$EXa3264.3177\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\C1.C1Excel.4.dll.deploy
  MD5: 61B27A959E979EA10FA3A97750438BD1
  SHA256: D1280087DE8BB8731864C8AC86BF10F5296024D18ED717BE677D3B0F308D1320
C:\Users\admin\AppData\Local\Temp\Rar$EXa3264.3177\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\C1.Win.C1Command.4.dll.deploy
  MD5: 7AFBEAE74D48A698FE615AAB231A590E
  SHA256: 60D9770DF7CB1966D9F2013F93F68DC7AA63EB5EBC1916F4AA543E1D943A9EA2
C:\Users\admin\AppData\Local\Temp\Rar$EXa3264.3177\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\CommonDataLayer.dll.deploy
  MD5: 3445E6B09828E2CDFD95A49C84DC29C2
  SHA256: 417C1AC4EAEBB7BA0BFB5F954F048EED4A42E33D3CD9CA6869F767FB79C550B8
C:\Users\admin\AppData\Local\Temp\Rar$EXa3264.3177\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\C1.Win.C1Schedule.4.dll.deploy
  MD5: 4F7B631B0E046180D2CBC3CC2B37CBBB
  SHA256: 715EA72DFD8967EDA389523F422795A8F9DF388755131127715E1EA1802B07B5
C:\Users\admin\AppData\Local\Temp\Rar$EXa3264.3177\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\C1.Win.C1Sizer.4.dll.deploy
  MD5: 00E0F11EA946B7BACE40740C2779AC22
  SHA256: 3813BB937A91CA24EF3FA28579B2852F9E8ACC6C2C9F97EF7EF576BC7C1E69D6
C:\Users\admin\AppData\Local\Temp\Rar$EXa3264.3177\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\C1.Win.C1List.4.dll.deploy
  MD5: 596806B394E776BF161EB0BD7FC93FB5
  SHA256: 1B45C1A9F42990D1F46971DEE75C3A72D2E6BB2AE53EA8F201390E7343F59051
C:\Users\admin\AppData\Local\Temp\Rar$EXa3264.3177\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\C1.Win.C1InputPanel.4.dll.deploy
  MD5: 6161AE9A14F7EEC828643F03A940362D
  SHA256: E01A7735F8EF4A4DA3C3E20BE6B86004ED5425C4686E75FC805D57411FF22B84
C:\Users\admin\AppData\Local\Temp\Rar$EXa3264.3177\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\CON_DataLayer.dll.deploy
  MD5: 111B1EC2AB9A7AD6D3298CADA6992457
  SHA256: 7A651A8026A7EFC06CFB247C6591AB8580B76881F1CFCB47669FDCCFCA0C9F19
C:\Users\admin\AppData\Local\Temp\Rar$EXa3264.3177\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\C1.Win.C1Ribbon.4.dll.deploy
  MD5: C36E1F4970D5CC74E342D9FE172A904B
  SHA256: BD4971C519A3E5A375F16F1256F80F5A61452E22C2F3C15767B2DE301E55FEAD
C:\Users\admin\AppData\Local\Temp\Rar$EXa3264.3177\SoftAnalisis\Application Files\SEG_ApplicationLayer_1_0_0_2\C1.Win.C1Input.4.dll.deploy
  MD5: 254B7A48B05675961F63008CF028438E
  SHA256: 1F5C6FE80B9CFE0C990095DD77171C386D04BDDB07E88399CD41B81C14E68B55
HTTP(S) requests: 4
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests (all from PID 1748, dfsvc.exe; all to 20.81.178.30:80, CN: US, reputation: unknown)

1. GET  http://apps.x-pertec.com/SoftAnalisis/Application%20Files/SEG_ApplicationLayer_1_0_0_1/SEG_ApplicationLayer.exe.manifest
   HTTP code, type and size: not recorded
2. GET  http://apps.x-pertec.com/SoftAnalisis/SEG_ApplicationLayer.application
   HTTP code: 200, type: xml, size: 2.18 Kb
3. GET  http://apps.x-pertec.com/SoftAnalisis/SEG_ApplicationLayer.application
   HTTP code: 200, type: xml, size: 2.18 Kb
4. GET  http://apps.x-pertec.com/SoftAnalisis/Application%20Files/SEG_ApplicationLayer_1_0_0_1/SEG_ApplicationLayer.exe.manifest
   HTTP code: 200, type: xml, size: 34.0 Kb
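dfsvc.exe fetched the deployment manifest (SEG_ApplicationLayer.application) twice and the application manifest under Application Files/SEG_ApplicationLayer_1_0_0_1/ once, all over plain HTTP. Note that the payload shipped inside the ZIP sits in Application Files\SEG_ApplicationLayer_1_0_0_2\, so the server was advertising a different version from the one in the archive. The report does not include the manifest bodies. The example below is added here and is not from the report or from the publisher: it parses a ClickOnce deployment manifest into the URLs the runtime will fetch next plus a few triage flags. The manifest text is constructed to follow the ClickOnce deployment-manifest schema with placeholder publicKeyToken and digest values; only the two URLs are taken from the report, and the flag names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urljoin, urlsplit

# Namespaces used by ClickOnce deployment manifests.
NS = {
    "asmv1": "urn:schemas-microsoft-com:asm.v1",
    "asmv2": "urn:schemas-microsoft-com:asm.v2",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
}

# URL dfsvc.exe fetched in the report. The manifest body below is constructed for this
# example to match the schema; it is not the real file served at that address.
MANIFEST_URL = "http://apps.x-pertec.com/SoftAnalisis/SEG_ApplicationLayer.application"

SAMPLE_DEPLOYMENT_MANIFEST = """<asmv1:assembly manifestVersion="1.0"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv2="urn:schemas-microsoft-com:asm.v2"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <assemblyIdentity name="SEG_ApplicationLayer.application" version="1.0.0.1"
      publicKeyToken="0000000000000000" language="neutral" processorArchitecture="msil"
      xmlns="urn:schemas-microsoft-com:asm.v1" />
  <deployment install="true" mapFileExtensions="true">
    <deploymentProvider codebase="http://apps.x-pertec.com/SoftAnalisis/SEG_ApplicationLayer.application" />
  </deployment>
  <dependency>
    <dependentAssembly dependencyType="install"
        codebase="Application Files\\SEG_ApplicationLayer_1_0_0_1\\SEG_ApplicationLayer.exe.manifest">
      <assemblyIdentity name="SEG_ApplicationLayer.exe" version="1.0.0.1"
          publicKeyToken="0000000000000000" language="neutral" processorArchitecture="msil" type="win32" />
      <hash>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
        <dsig:DigestValue>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</dsig:DigestValue>
      </hash>
    </dependentAssembly>
  </dependency>
</asmv1:assembly>
"""


def parse_deployment_manifest(xml_text: str, manifest_url: str) -> dict:
    """Extract identity, update source, dependency URLs and triage flags from a
    ClickOnce deployment manifest fetched from manifest_url."""
    root = ET.fromstring(xml_text)
    ident = root.find("asmv1:assemblyIdentity", NS)
    deployment = root.find("asmv2:deployment", NS)
    provider = deployment.find("asmv2:deploymentProvider", NS) if deployment is not None else None
    provider_url = provider.get("codebase") if provider is not None else None
    # mapFileExtensions="true" is why the payload files are published with ".deploy"
    # appended (the .dll.deploy names in the dropped-files list above).
    map_ext = deployment is not None and deployment.get("mapFileExtensions") == "true"

    deps = []
    for dep in root.findall("asmv2:dependency/asmv2:dependentAssembly", NS):
        dep_ident = dep.find("asmv2:assemblyIdentity", NS)
        digest = dep.find("asmv2:hash/dsig:DigestValue", NS)
        # codebase is relative to the deployment manifest and written with backslashes;
        # quote() encodes the space in "Application Files" as %20, as seen on the wire.
        rel = quote(dep.get("codebase", "").replace("\\", "/"), safe="/")
        deps.append({
            "name": dep_ident.get("name") if dep_ident is not None else None,
            "version": dep_ident.get("version") if dep_ident is not None else None,
            "url": urljoin(manifest_url, rel),
            "sha256_b64": digest.text.strip() if digest is not None and digest.text else None,
        })

    flags = []
    if provider_url:
        p, m = urlsplit(provider_url), urlsplit(manifest_url)
        if p.scheme.lower() != "https":
            flags.append("plaintext_transport")      # manifests and payload fetched over HTTP
        if p.netloc.lower() != m.netloc.lower():
            flags.append("provider_host_mismatch")   # update source differs from where we got it
    if deployment is not None and deployment.get("install") == "true":
        flags.append("persistent_install")           # installed app, not online-only
    if any(d["sha256_b64"] is None for d in deps):
        flags.append("unhashed_dependency")

    return {
        "name": ident.get("name") if ident is not None else None,
        "version": ident.get("version") if ident is not None else None,
        "deployment_provider": provider_url,
        "map_file_extensions": map_ext,
        "dependencies": deps,
        "flags": flags,
    }


if __name__ == "__main__":
    result = parse_deployment_manifest(SAMPLE_DEPLOYMENT_MANIFEST, MANIFEST_URL)
    print(result["name"], result["version"], result["flags"])
    for d in result["dependencies"]:
        print(" ->", d["url"])
```

On the constructed manifest the dependency URL resolves to the same .exe.manifest address that dfsvc.exe requested in the table above, which is the point of the exercise: given a captured deployment manifest you can enumerate every URL the runtime will fetch next and block or retro-hunt on them before the payload is pulled. A real manifest carries a publisher signature block as well; this example does not verify it.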

Connections

PID 1748  dfsvc.exe  20.81.178.30:80  apps.x-pertec.com  ASN: MICROSOFT-CORP-MSN-AS-BLOCK  CN: US  reputation: unknown

DNS requests

apps.x-pertec.com  →  20.81.178.30  (reputation: unknown)

Threats

No threats detected
Debug output

Process    Message
dfsvc.exe  *** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
(the same message was logged six times)

-1073741811 is NTSTATUS 0xC000000D (STATUS_INVALID_PARAMETER). The source path lies in Windows' manifest isolation (side-by-side) code, which ClickOnce uses to parse the manifests dfsvc.exe downloaded; the status tells you a manifest element failed validation, not what the application did.