File name: pf.zip

Full analysis: https://app.any.run/tasks/48756484-1224-43e5-b094-537761ec1942
Verdict: Malicious activity
Analysis date: November 22, 2020, 13:03:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 90B901191FB837ECD03B591D2CEEFD9A
SHA1: BF200150DD3F4F61898B44F53F6756C804821094
SHA256: F4C1D831719DEFF3F583396038B9181B316E509AC410132BFA4EE2334C3121F6
SSDEEP: 49152:TmPNJDnvx4+Zf95vAH3W0l79GFmZS0bn3VLIPLS0Le:6Fr4+Zfh0t9RZS0bn3BSB6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Disables Windows Defender

      • msiexec.exe (PID: 2964)
    • Loads dropped or rewritten executable

      • services.exe (PID: 644)
      • svchost.exe (PID: 456)
    • Runs injected code in another process

      • svchost.exe (PID: 460)
      • svchost.exe (PID: 456)
      • services.exe (PID: 644)
    • Application was injected by another process

      • svchost.exe (PID: 424)
      • svchost.exe (PID: 1028)
      • svchost.exe (PID: 456)
      • winlogon.exe (PID: 372)
    • Loads the Task Scheduler COM API

      • sppsvc.exe (PID: 1104)
    • Uses SVCHOST.EXE for hidden code execution

      • svchost.exe (PID: 1028)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2696)
      • msiexec.exe (PID: 2964)
    • Reads Environment values

      • MsiExec.exe (PID: 1352)
    • Creates or modifies windows services

      • netsh.exe (PID: 2056)
      • svchost.exe (PID: 456)
    • Creates files in the user directory

      • powershell.exe (PID: 3000)
    • Creates files in the Windows directory

      • msiexec.exe (PID: 2964)
      • svchost.exe (PID: 456)
      • svchost.exe (PID: 424)
      • mscorsvw.exe (PID: 1944)
      • mscorsvw.exe (PID: 2824)
      • WMIADAP.EXE (PID: 2004)
      • svchost.exe (PID: 1028)
    • Drops a file with too old compile date

      • svchost.exe (PID: 456)
    • Uses NETSH.EXE for network configuration

      • MsiExec.exe (PID: 1736)
    • Removes files from Windows directory

      • svchost.exe (PID: 456)
      • svchost.exe (PID: 424)
      • svchost.exe (PID: 1028)
      • WMIADAP.EXE (PID: 2004)
    • Drops a file that was compiled in debug mode

      • svchost.exe (PID: 456)
      • msiexec.exe (PID: 2964)
    • Creates a directory in Program Files

      • msiexec.exe (PID: 2964)
    • Executes PowerShell scripts

      • MsiExec.exe (PID: 1736)
    • Creates files in the driver directory

      • svchost.exe (PID: 456)
    • Starts SC.EXE for service management

      • services.exe (PID: 644)
    • Low-level read access rights to disk partition

      • svchost.exe (PID: 424)
  • INFO

    • Manual execution by user

      • msiexec.exe (PID: 2176)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 1352)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:11:22 21:38:19
ZipCRC: 0xdc9b30a2
ZipCompressedSize: 1885603
ZipUncompressedSize: 1920389
ZipFileName: M0021.cab
All screenshots are available in the full report
Total processes: 165
Monitored processes: 53
Malicious processes: 8
Suspicious processes: 0

Behavior graph

[Interactive process graph, available in the full report. Process nodes shown: winrar.exe, msiexec.exe, netsh.exe (many instances), takeown.exe, cacls.exe, powershell.exe, services.exe, svchost.exe, taskhost.exe, winlogon.exe, mscorsvw.exe, sppsvc.exe, powercfg.exe, sc.exe, wmiadap.exe]

Process information

PID: 116
CMD: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: MsiExec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\windows\syswow64\netsh.exe
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll

PID: 372
CMD: winlogon.exe
Path: C:\Windows\System32\winlogon.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Logon Application
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\winlogon.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winsta.dll

PID: 424
CMD: "C:\Windows\SysWOW64\svchost.exe" -k LocalService
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\syswow64\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

PID: 456
CMD: C:\Windows\system32\svchost.exe -k netsvcs
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 460
CMD: "C:\Windows\SysWOW64\svchost.exe" -k NetworkService
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\syswow64\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

PID: 644
CMD: C:\Windows\system32\services.exe
Path: C:\Windows\System32\services.exe
Parent process: wininit.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Services and Controller app
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\services.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll

PID: 684
CMD: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: MsiExec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\syswow64\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

PID: 684
CMD: "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe
Path: C:\Windows\SysWOW64\takeown.exe
Parent process: MsiExec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Takes ownership of a file
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\peerdistsh.dll
c:\windows\syswow64\wlanutil.dll
c:\windows\syswow64\wlancfg.dll
c:\windows\syswow64\p2p.dll
c:\windows\syswow64\polstore.dll
c:\windows\syswow64\activeds.dll
c:\windows\syswow64\userenv.dll

PID: 912
CMD: "taskhost.exe"
Path: C:\Windows\system32\taskhost.exe
Parent process: services.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\taskhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 996
CMD: "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N
Path: C:\Windows\SysWOW64\cacls.exe
Parent process: MsiExec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Control ACLs Program
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\syswow64\cacls.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events: 18 306
Read events: 16 649
Write events: 1 631
Delete events: 26

Modification events

(2696) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value:
(2696) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value:
(2696) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(2696) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\pf.zip
(2696) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(2696) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(2696) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(2696) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(2696) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | Operation: write | Name: @C:\Windows\System32\msimsg.dll,-34 | Value: Windows Installer Package
(2696) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Operation: write | Name: Placement | Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
Executable files: 6
Suspicious files: 31
Text files: 4
Unknown types: 2

Dropped files

PID | Process | Filename | Type
2964 | msiexec.exe | C:\Windows\Installer\MSI6CDF.tmp | -
2964 | msiexec.exe | C:\Windows\Installer\MSI6D0F.tmp | -
2964 | msiexec.exe | C:\Windows\Installer\MSI6D2F.tmp | -
2964 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFFA96E4BA66BDF2A8.TMP | -
2964 | msiexec.exe | C:\Config.Msi\186540.rbs | -
2964 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFC2A6D4A18E956473.TMP | -
2964 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF163B0130CD53AACE.TMP | -
3000 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UNIRVML18TXRDXAGXLCU.temp | -
456 | svchost.exe | C:\Windows\System32\drivers\dump_VMBUS.sys | -
456 | svchost.exe | C:\Windows\system32\MsE6E0D97CApp.dll | -
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 96
TCP/UDP connections: 17 456
DNS requests: 5
Threats: 82

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2352 | svchost.exe | HEAD | 200 | 58.229.194.122:11627 | http://58.229.194.122:11627/0BC8EC41.moe | KR | - | - | unknown
2352 | svchost.exe | HEAD | 200 | 1.248.75.9:18035 | http://1.248.75.9:18035/0BC8EC41.moe | KR | - | - | malicious
2352 | svchost.exe | HEAD | 200 | 172.106.32.32:19232 | http://172.106.32.32:19232/0BC8EC41.moe | US | - | - | unknown
2352 | svchost.exe | HEAD | 200 | 45.76.155.140:13317 | http://45.76.155.140:13317/0BC8EC41.moe | SG | - | - | suspicious
2352 | svchost.exe | HEAD | 200 | 63.209.0.101:19667 | http://63.209.0.101:19667/0BC8EC41.moe | US | - | - | suspicious
2352 | svchost.exe | HEAD | 200 | 108.61.215.112:10688 | http://108.61.215.112:10688/0BC8EC41.moe | US | - | - | unknown
2352 | svchost.exe | HEAD | 200 | 107.191.53.95:19119 | http://107.191.53.95:19119/0BC8EC41.moe | JP | - | - | unknown
2352 | svchost.exe | HEAD | 200 | 45.32.155.0:14217 | http://45.32.155.0:14217/0BC8EC41.moe | DE | - | - | suspicious
2352 | svchost.exe | HEAD | 200 | 45.76.155.140:13317 | http://45.76.155.140:13317/0BC8EC41.moe | SG | - | - | suspicious
424 | svchost.exe | GET | 200 | 59.120.154.13:11605 | http://59.120.154.13:11605/BB732D8A.moe | TW | binary | 1.64 Mb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
424 | svchost.exe | 51.105.208.173:80 | time.windows.com | Microsoft Corporation | GB | unknown
424 | svchost.exe | 45.32.155.0:10121 | - | Choopa, LLC | DE | suspicious
424 | svchost.exe | 45.32.155.0:25739 | - | Choopa, LLC | DE | suspicious
424 | svchost.exe | 59.120.154.13:11605 | - | Data Communication Business Group | TW | malicious
424 | svchost.exe | 45.76.155.140:25739 | - | Choopa, LLC | SG | suspicious
1028 | svchost.exe | 119.164.218.229:14711 | - | CHINA UNICOM China169 Backbone | CN | unknown
424 | svchost.exe | 175.188.188.205:19486 | - | China Networks Inter-Exchange | CN | suspicious
1028 | svchost.exe | 175.188.188.205:13167 | - | China Networks Inter-Exchange | CN | suspicious
1028 | svchost.exe | 45.76.204.9:25739 | - | Choopa, LLC | JP | unknown
2316 | svchost.exe | 108.61.216.239:443 | - | Choopa, LLC | US | unknown

DNS requests

Domain | IP | Reputation
teredo.ipv6.microsoft.com | - | whitelisted
time.windows.com | 51.105.208.173 | whitelisted
Rpc.1qw.us | 7.38.158.0, 81.170.221.229, 7.82.158.140, 3.100.25.6, 70.67.218.112, 111.34.196.205 | unknown

Threats

PID | Process | Class | Message
424 | svchost.exe | A Network Trojan was detected | LOADER [PTsecurity] PhantomNugget
424 | svchost.exe | A Network Trojan was detected | LOADER [PTsecurity] PhantomNugget
1028 | svchost.exe | A Network Trojan was detected | LOADER [PTsecurity] PhantomNugget
2352 | svchost.exe | Misc activity | ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
2352 | svchost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
2352 | svchost.exe | Misc Attack | ET CINS Active Threat Intelligence Poor Reputation IP group 1
2352 | svchost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
2352 | svchost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
2352 | svchost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
2352 | svchost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
Process | Message
MsiExec.exe | [AVX_CRT_Fix][C:\Windows\Installer\MSI6934.tmp] CPU: __isa_available = 5
MsiExec.exe | [AVX_CRT_Fix][C:\Windows\Installer\MSI6CDF.tmp] CPU: __isa_available = 5
MsiExec.exe | [AVX_CRT_Fix][C:\Windows\Installer\MSI6D0F.tmp] CPU: __isa_available = 5
MsiExec.exe | [AVX_CRT_Fix][C:\Windows\Installer\MSI6D2F.tmp] CPU: __isa_available = 5