Malware analysis 2.zip Malicious activity | ANY.RUN

Add for printing

File name:	2.zip
Full analysis:	https://app.any.run/tasks/d9fa6cb7-be3c-44c7-8990-e9afd2c4add0
Verdict:	Malicious activity
Analysis date:	January 11, 2019, 07:30:13
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	48158C4908DDCB2411C9E3C1613E56FC
SHA1:	1B7376E407B3A84A0CC518B1CDF7EBDD87CD4479
SHA256:	F2963BA302BAAA602FEB4A66455607C6DCA15174C11264056898B24F3001D76A
SSDEEP:	49152:xkHckII3rcYuJapvRcATqJ8dBMmiAMBT432JHrFK6yrQ8tI9qq8KLUGfiEmgmb:xockN7pZBD88Uj9ok9qofiBtb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - Setup(password=spytech).exe (PID: 2328)
  - driver-setup.exe (PID: 2164)
  - npf_mgm.exe (PID: 1200)
  - sysdiag.exe (PID: 3992)
- Loads dropped or rewritten executable
  - Setup(password=spytech).exe (PID: 2328)
  - driver-setup.exe (PID: 2164)
  - sysdiag.exe (PID: 3992)
  - explorer.exe (PID: 116)
  - iexplore.exe (PID: 3788)
  - iexplore.exe (PID: 2388)
  - WinRAR.exe (PID: 2900)
- UAC/LUA settings modification
  - Setup(password=spytech).exe (PID: 2328)
- Changes the autorun value in the registry
  - sysdiag.exe (PID: 3992)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Setup(password=spytech).exe (PID: 2328)
  - driver-setup.exe (PID: 2164)
- Creates files in the program directory
  - Setup(password=spytech).exe (PID: 2328)
  - driver-setup.exe (PID: 2164)
- Creates files in the Windows directory
  - Setup(password=spytech).exe (PID: 2328)
  - driver-setup.exe (PID: 2164)
- Creates files in the driver directory
  - driver-setup.exe (PID: 2164)
- Creates executable files which already exist in Windows
  - Setup(password=spytech).exe (PID: 2328)
- Creates a software uninstall entry
  - Setup(password=spytech).exe (PID: 2328)
- Starts Internet Explorer
  - Setup(password=spytech).exe (PID: 2328)
- Check for Java to be installed
  - iexplore.exe (PID: 3788)
INFO
- Changes internet zones settings
  - iexplore.exe (PID: 3788)
- Reads internet explorer settings
  - iexplore.exe (PID: 2388)
- Application launched itself
  - iexplore.exe (PID: 3788)
- Creates files in the user directory
  - iexplore.exe (PID: 2388)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipFileName:	SpyAgent's 10 Step Guide to Total Stealth.url
ZipUncompressedSize:	176
ZipCompressedSize:	123
ZipCRC:	0x8ea1cfb9
ZipModifyDate:	2001:10:15 17:00:18
ZipCompression:	Deflated
ZipBitFlag:	-
ZipRequiredVersion:	20

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2900	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2.zip"	C:\Program Files\WinRAR\WinRAR.exe	—	explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0
2328	"C:\Users\admin\Desktop\Setup(password=spytech).exe"	C:\Users\admin\Desktop\Setup(password=spytech).exe		explorer.exe
User: admin Integrity Level: HIGH Exit code: 0
2164	"C:\PROGRA~1\SYSCON~1\driver-setup.exe" -s	C:\PROGRA~1\SYSCON~1\driver-setup.exe		Setup(password=spytech).exe
User: admin Integrity Level: HIGH Exit code: 0
1200	"C:\Program Files\WinConfig\npf_mgm.exe" -r	C:\Program Files\WinConfig\npf_mgm.exe	—	driver-setup.exe
User: admin Company: CACE Technologies Integrity Level: HIGH Description: npf_mgm Exit code: 0 Version: 3, 1, 0, 27
3788	"C:\Program Files\Internet Explorer\iexplore.exe" http://www.spytech-web.com/spyagent/stealthguide	C:\Program Files\Internet Explorer\iexplore.exe		Setup(password=spytech).exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3992	"C:\Program Files\sysconfig\sysdiag.exe"	C:\Program Files\sysconfig\sysdiag.exe		Setup(password=spytech).exe
User: admin Integrity Level: HIGH
2388	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3788 CREDAT:79873	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255)
116	C:\Windows\Explorer.EXE	C:\Windows\explorer.exe	—	—
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

5 664

Read events

3 973

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

129

Unknown types

Dropped files

PID	Process	Filename		Type
2900	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb2900.35436\Setup(password=spytech).exe		—
		MD5:—	SHA256:—
2328	Setup(password=spytech).exe	C:\Users\admin\AppData\Local\Temp\~vis0000\miscdata.xyz		—
		MD5:—	SHA256:—
2328	Setup(password=spytech).exe	C:\Users\admin\AppData\Local\Temp\~vis0000\sidesplash.bmp		image
		MD5:C2B817930BFB31304C52DE7552767017	SHA256:0C3EA61F357590CC4AF11A6780F2255EA376970F26512B698724512F9788CA90
2328	Setup(password=spytech).exe	C:\Users\admin\AppData\Local\Temp\~vis0000\uninstal.log		text
		MD5:6340F298B15A7AC60C4E9D3F8F68DC77	SHA256:F6E574ACFD8449810E6D06E820859D44EC0A0C7128BF2C52970A9637914E8B77
2328	Setup(password=spytech).exe	C:\Users\admin\AppData\Local\Temp\~vis0000\mainsplash.bmp		image
		MD5:FC472B4B08065BBFCD14C51E9B1B62EE	SHA256:596EB1BBEBD7FCCFBF99D1C40E79E264493CBEF9BF10204C325722F7756EAAE3
2328	Setup(password=spytech).exe	C:\Users\admin\AppData\Local\Temp\~vis0000\rollback.log		text
		MD5:BD22C444351CA08A282D00841BDE7E64	SHA256:4876AEB65CC35F6C079DFDDD77B313AF6E4806AEAF7DEB1CB60843C5F8D61CB2
116	explorer.exe	C:\Users\admin\Desktop\Setup(password=spytech).exe		executable
		MD5:16D51E066C3C6D00958586DE6F902395	SHA256:00EF4B30031766EB014C90C995F37732850B1AD6BCC2F34D0BBA1CBBBEF81C83
2328	Setup(password=spytech).exe	C:\Users\admin\AppData\Local\Temp\~vis0000\r0000000.000		binary
		MD5:3B0C38972C97F10AD92CBA030AB642A8	SHA256:34FC3175F97293D3A2C3126ED216B099071624D0ABEAE5359381CC75A4374B3B
2328	Setup(password=spytech).exe	C:\Program Files\sysconfig\sysk32.dll		executable
		MD5:7839E928C00E24EBB958A80E47426155	SHA256:22B33B884E17FB6C872621DA6BB272F3C8EA271CA6F9C4E88EF1D6ACE25A7404
2328	Setup(password=spytech).exe	C:\Users\admin\AppData\Local\Temp\~vis0000\rebootnt.exe		executable
		MD5:C459E252866435ED8B928D1509C28DE2	SHA256:4887FF02F8E45F5E03E351CB5156111659CC1B04FDCA9DAE3BD75CB99381DEDE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2388	iexplore.exe	GET	301	184.154.69.210:80	http://www.spytech-web.com/spyagent/stealthguide	US	html	257 b	malicious
3788	iexplore.exe	GET	200	204.79.197.200:80	http://www.bing.com/favicon.ico	US	image	237 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3788	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
2388	iexplore.exe	184.154.69.210:80	www.spytech-web.com	SingleHop, Inc.	US	malicious
2388	iexplore.exe	184.154.69.210:443	www.spytech-web.com	SingleHop, Inc.	US	malicious

DNS requests

Domain	IP	Reputation
www.spytech-web.com	184.154.69.210	malicious
www.bing.com	204.79.197.200 13.107.21.200	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

2.zip

48158C4908DDCB2411C9E3C1613E56FC

1B7376E407B3A84A0CC518B1CDF7EBDD87CD4479

F2963BA302BAAA602FEB4A66455607C6DCA15174C11264056898B24F3001D76A

49152:xkHckII3rcYuJapvRcATqJ8dBMmiAMBT432JHrFK6yrQ8tI9qq8KLUGfiEmgmb:xockN7pZBD88Uj9ok9qofiBtb

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

UAC/LUA settings modification

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the program directory

Creates files in the Windows directory

Creates files in the driver directory

Creates executable files which already exist in Windows

Creates a software uninstall entry

Starts Internet Explorer

Check for Java to be installed

INFO

Changes internet zones settings

Reads internet explorer settings

Application launched itself

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings