File name: 勒索.zip
Full analysis: https://app.any.run/tasks/e298bd57-46d4-4ab7-b212-111a9dbd8cd8
Verdict: Malicious activity
Analysis date: October 14, 2019, 09:42:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware, installcore, pup
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 440CC9EB487B0086F79B3676D85A22DD
SHA1: AD277997D7DA19CC557708BD6B05EB4AB3E21AF1
SHA256: F26B5521334C7A7B9E00C9E9B62C0DCF597282648A20CC8680A661440E0D2C1A
SSDEEP: 98304:S8m9V0BzQIGjmfuhz7v00lGssJdw8rndYMCfANPMcxGjzyWGje+f3+bh2uuCSOGm:RpszDbf8zny5INMSGjuWsf3wjiGR+vy
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 1961176758.exe (PID: 3032)
      • 1961176758.exe (PID: 2644)
      • 1961176758.exe (PID: 2772)
      • 1961176758.exe (PID: 940)
      • 1961176758.exe (PID: 2260)
      • 1961176758.exe (PID: 2752)
    • INSTALLCORE was detected

      • 1961176758.exe (PID: 3032)
      • 1961176758.exe (PID: 940)
    • Connects to CnC server

      • 1961176758.exe (PID: 3032)
      • 1961176758.exe (PID: 940)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3940)
      • WinRAR.exe (PID: 2832)
    • Application launched itself

      • 1961176758.exe (PID: 2644)
      • 1961176758.exe (PID: 3032)
      • WinRAR.exe (PID: 3940)
      • 1961176758.exe (PID: 2260)
      • 1961176758.exe (PID: 940)
    • Reads Environment values

      • 1961176758.exe (PID: 3032)
      • 1961176758.exe (PID: 940)
    • Reads internet explorer settings

      • 1961176758.exe (PID: 3032)
      • 1961176758.exe (PID: 940)
  • INFO

    • Manual execution by user

      • WinRAR.exe (PID: 2832)
      • 1961176758.exe (PID: 2260)
      • WinRAR.exe (PID: 2576)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: ????1234.zip
ZipUncompressedSize: 3145380
ZipCompressedSize: 3145380
ZipCRC: 0x212d8019
ZipModifyDate: 2019:10:08 17:44:04
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
All screenshots are available in the full report
Total processes: 56
Monitored processes: 10
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Interactive process graph (WinRAR.exe and 1961176758.exe process tree, #INSTALLCORE flagged), available in the full report.

Process information

PID: 3940
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\勒索.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2644
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3940.20237\1961176758.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3940.20237\1961176758.exe
Parent process: WinRAR.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Foma Setup
Exit code: 0
Version: 5.6.5.5

PID: 3032
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3940.20237\1961176758.exe" /RSF /ppn:VPluUxWrQDZtznaRkw /mnl
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3940.20237\1961176758.exe
Parent process: 1961176758.exe
User: admin
Company:
Integrity Level: HIGH
Description: Foma Setup
Exit code: 4294967206
Version: 5.6.5.5

PID: 2772
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3940.20237\1961176758.exe" /RSF /ppn:VPluUxWrQDZtznaRkw /_ShowProgress /mnl
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3940.20237\1961176758.exe
Parent process: 1961176758.exe
User: admin
Company:
Integrity Level: HIGH
Description: Foma Setup
Exit code: 259
Version: 5.6.5.5

PID: 1556
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa3940.22598\+_-d1234.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2832
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\勒索.zip" C:\Users\admin\Desktop\勒索\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2576
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\勒索\+_-d1234.zip" C:\Users\admin\Desktop\勒索\+_-d1234\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2260
CMD: "C:\Users\admin\Desktop\勒索\1961176758.exe"
Path: C:\Users\admin\Desktop\勒索\1961176758.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Foma Setup
Exit code: 0
Version: 5.6.5.5

PID: 940
CMD: "C:\Users\admin\Desktop\勒索\1961176758.exe" /RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl
Path: C:\Users\admin\Desktop\勒索\1961176758.exe
Parent process: 1961176758.exe
User: admin
Company:
Integrity Level: HIGH
Description: Foma Setup
Exit code: 4294967206
Version: 5.6.5.5

PID: 2752
CMD: "C:\Users\admin\Desktop\勒索\1961176758.exe" /RSF /ppn:YyhwYgxaFRAiP211FM5W /_ShowProgress /mnl
Path: C:\Users\admin\Desktop\勒索\1961176758.exe
Parent process: 1961176758.exe
User: admin
Company:
Integrity Level: HIGH
Description: Foma Setup
Exit code: 259
Version: 5.6.5.5
Total events: 1 670
Read events: 1 562
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 9
Text files: 154
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3032 | 1961176758.exe | C:\Users\admin\AppData\Local\Temp\0039EB26.log |
MD5:
SHA256:

3940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3940.20237\+_-d1234.zip | compressed
MD5: 6BB792692D23E859662AE87D2B22125E
SHA256: 11DD3BBAF201BA19DA81FC33C232AB0807DA613B991C75ECDC633963F99764C0

3940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3940.20237\1961176758.exe | executable
MD5: 448967DE111055B1A2976E4861B4A892
SHA256: 3D28328E3C73D49356F80AEE27DBCA20C99ECB108A1F90E2B4E4372C4FC2F31E

3032 | 1961176758.exe | C:\Users\admin\AppData\Local\Temp\inH379575015198\css\ie6_main.css | text
MD5: AD234E6A62580F62019C78B2A718DE00
SHA256: C4F2684F16C8E4553CC29C604A2F505399039638A34E652A7A1ACDEB157A0861

3032 | 1961176758.exe | C:\Users\admin\AppData\Local\Temp\inH379575015198\csshover3.htc | html
MD5: 52FA0DA50BF4B27EE625C80D36C67941
SHA256: E37E99DDFC73AC7BA774E23736B2EF429D9A0CB8C906453C75B14C029BDD5493

3032 | 1961176758.exe | C:\Users\admin\AppData\Local\Temp\inH379575015198\css\_functions.scss | text
MD5: 8F7259DE64F6DDF352BF461F44D34A81
SHA256: 80EDC9D67172BC830D68D33F4547735FB072CADF3EF25AAB37A10B50DB87A069

3032 | 1961176758.exe | C:\Users\admin\AppData\Local\Temp\inH379575015198\css\ie6_main.scss | text
MD5: D10348D17ADF8A90670696728F54562D
SHA256: E8A3D15CF32009B01B9145B6E62FF6CAA9C2981F81CE063578C73C7ADFF08DFC

3032 | 1961176758.exe | C:\Users\admin\AppData\Local\Temp\inH379575015198\css\swAgent.css | text
MD5: 2543E3AF757C7D7C8A26C7CF57795F60
SHA256: C38892A06C8F50C6386ED794AF4F1EA3E1897AD5F0C7E19594D9EA7B20CFB3F1

3032 | 1961176758.exe | C:\Users\admin\AppData\Local\Temp\inH379575015198\css\helpers\_colors.scss | text
MD5: 2DA278FBB61E370E0CC9F548E8154E1C
SHA256: 857A73FC1DA7CF54525048AA60EC9E2F07328EE1D718A66E3B17186170BB5B5B

3032 | 1961176758.exe | C:\Users\admin\AppData\Local\Temp\inH379575015198\css\helpers\_border.scss | text
MD5: 681FB7EB197E8E7EBD89F828D1181FD6
SHA256: 51E8AFA69ED6D92EB82F71939B0B8FD34EF23FAECEE457698238E5A4F28DF984
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
3032 | 1961176758.exe | POST | 200 | 52.214.73.247:80 | http://dev.tosonamlasey.com/ | IE | malicious
940 | 1961176758.exe | POST | 200 | 52.214.73.247:80 | http://dev.tosonamlasey.com/ | IE | malicious
940 | 1961176758.exe | POST | 200 | 52.214.73.247:80 | http://dev.tosonamlasey.com/ | IE | malicious
3032 | 1961176758.exe | POST | 200 | 52.214.73.247:80 | http://dev.tosonamlasey.com/ | IE | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3032 | 1961176758.exe | 52.214.73.247:80 | dev.tosonamlasey.com | Amazon.com, Inc. | IE | malicious
940 | 1961176758.exe | 52.214.73.247:80 | dev.tosonamlasey.com | Amazon.com, Inc. | IE | malicious

DNS requests

Domain | IP | Reputation
dev.tosonamlasey.com | 52.214.73.247, 52.30.49.225 | malicious

Threats

PID | Process | Class | Message
3032 | 1961176758.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2
3032 | 1961176758.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
940 | 1961176758.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2
940 | 1961176758.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
2 ETPRO signatures available at the full report
No debug info