File name:

2.zip

Full analysis: https://app.any.run/tasks/d9fa6cb7-be3c-44c7-8990-e9afd2c4add0
Verdict: Malicious activity
Analysis date: January 11, 2019, 07:30:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

48158C4908DDCB2411C9E3C1613E56FC

SHA1:

1B7376E407B3A84A0CC518B1CDF7EBDD87CD4479

SHA256:

F2963BA302BAAA602FEB4A66455607C6DCA15174C11264056898B24F3001D76A

SSDEEP:

49152:xkHckII3rcYuJapvRcATqJ8dBMmiAMBT432JHrFK6yrQ8tI9qq8KLUGfiEmgmb:xockN7pZBD88Uj9ok9qofiBtb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • Setup(password=spytech).exe (PID: 2328)
      • driver-setup.exe (PID: 2164)
      • sysdiag.exe (PID: 3992)
      • explorer.exe (PID: 116)
      • iexplore.exe (PID: 2388)
      • iexplore.exe (PID: 3788)
      • WinRAR.exe (PID: 2900)

    • Application was dropped or rewritten from another process

      • Setup(password=spytech).exe (PID: 2328)
      • driver-setup.exe (PID: 2164)
      • npf_mgm.exe (PID: 1200)
      • sysdiag.exe (PID: 3992)

    • UAC/LUA settings modification

      • Setup(password=spytech).exe (PID: 2328)

    • Changes the autorun value in the registry

      • sysdiag.exe (PID: 3992)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Setup(password=spytech).exe (PID: 2328)
      • driver-setup.exe (PID: 2164)

    • Creates executable files which already exist in Windows

      • Setup(password=spytech).exe (PID: 2328)

    • Creates files in the Windows directory

      • Setup(password=spytech).exe (PID: 2328)
      • driver-setup.exe (PID: 2164)

    • Creates files in the program directory

      • Setup(password=spytech).exe (PID: 2328)
      • driver-setup.exe (PID: 2164)

    • Creates files in the driver directory

      • driver-setup.exe (PID: 2164)

    • Creates a software uninstall entry

      • Setup(password=spytech).exe (PID: 2328)

    • Starts Internet Explorer

      • Setup(password=spytech).exe (PID: 2328)

    • Check for Java to be installed

      • iexplore.exe (PID: 3788)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3788)

    • Changes internet zones settings

      • iexplore.exe (PID: 3788)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2388)

    • Creates files in the user directory

      • iexplore.exe (PID: 2388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2001:10:15 17:00:18
ZipCRC: 0x8ea1cfb9
ZipCompressedSize: 123
ZipUncompressedSize: 176
ZipFileName: SpyAgent's 10 Step Guide to Total Stealth.url
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
8
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs setup(password=spytech).exe driver-setup.exe npf_mgm.exe no specs iexplore.exe sysdiag.exe iexplore.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
116C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1200"C:\Program Files\WinConfig\npf_mgm.exe" -rC:\Program Files\WinConfig\npf_mgm.exedriver-setup.exe
User:
admin
Company:
CACE Technologies
Integrity Level:
HIGH
Description:
npf_mgm
Exit code:
0
Version:
3, 1, 0, 27
Modules
Images
c:\program files\winconfig\npf_mgm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
2164"C:\PROGRA~1\SYSCON~1\driver-setup.exe" -sC:\PROGRA~1\SYSCON~1\driver-setup.exe
Setup(password=spytech).exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\clbcatq.dll
c:\users\admin\desktop\setup(password=spytech).exe
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
2328"C:\Users\admin\Desktop\Setup(password=spytech).exe" C:\Users\admin\Desktop\Setup(password=spytech).exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\setup(password=spytech).exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2388"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3788 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2900"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3788"C:\Program Files\Internet Explorer\iexplore.exe" http://www.spytech-web.com/spyagent/stealthguideC:\Program Files\Internet Explorer\iexplore.exe
Setup(password=spytech).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3992"C:\Program Files\sysconfig\sysdiag.exe" C:\Program Files\sysconfig\sysdiag.exe
Setup(password=spytech).exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\sysconfig\sysdiag.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
5 664
Read events
3 973
Write events
1 690
Delete events
1

Modification events

(PID) Process:(2900) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2900) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2900) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2900) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\2.zip
(PID) Process:(2900) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2900) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2900) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2900) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(116) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:a
Value:
WinRAR.exe
(PID) Process:(116) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:MRUList
Value:
a
Executable files
32
Suspicious files
7
Text files
129
Unknown types
16

Dropped files

PID
Process
Filename
Type
2900WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2900.35436\Setup(password=spytech).exe
MD5:
SHA256:
2328Setup(password=spytech).exeC:\Users\admin\AppData\Local\Temp\~vis0000\miscdata.xyz
MD5:
SHA256:
116explorer.exeC:\Users\admin\Desktop\Setup(password=spytech).exeexecutable
MD5:
SHA256:
2328Setup(password=spytech).exeC:\Users\admin\AppData\Local\Temp\~vis0000\vise32ex.dllexecutable
MD5:343EEFB0F0136A8250E0C7A0430B1AD9
SHA256:0B42A3AC9B95F0A66DED56CB2184537EDA96CC9C949F56B9A19ACDDA935A69E6
2328Setup(password=spytech).exeC:\ProgramData\sa\saopts.dattext
MD5:
SHA256:
2328Setup(password=spytech).exeC:\Users\admin\AppData\Local\Temp\~vis0000\uninst32.exeexecutable
MD5:BD08B7DBDE9105E2D1E3BC8F754FD8D7
SHA256:D7AED3AC6E00A0AA4520AD19B1F6F6B79DDF66F3E651F71EA8A1B2E2AFFA3173
2328Setup(password=spytech).exeC:\Users\admin\AppData\Local\Temp\~vis0000\r0000000.000binary
MD5:
SHA256:
2328Setup(password=spytech).exeC:\Program Files\sysconfig\sysk32.dllexecutable
MD5:
SHA256:
2328Setup(password=spytech).exeC:\Program Files\sysconfig\services.exeexecutable
MD5:
SHA256:
2328Setup(password=spytech).exeC:\Program Files\sysconfig\NoStealth.exeexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
17
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2388
iexplore.exe
GET
301
184.154.69.210:80
http://www.spytech-web.com/spyagent/stealthguide
US
html
257 b
malicious
3788
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2388
iexplore.exe
184.154.69.210:80
www.spytech-web.com
SingleHop, Inc.
US
malicious
3788
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2388
iexplore.exe
184.154.69.210:443
www.spytech-web.com
SingleHop, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
www.spytech-web.com
  • 184.154.69.210
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

No threats detected
No debug info