File name: pf.zip
Full analysis: https://app.any.run/tasks/48756484-1224-43e5-b094-537761ec1942
Verdict: Malicious activity
Analysis date: November 22, 2020, 13:03:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 90B901191FB837ECD03B591D2CEEFD9A
SHA1: BF200150DD3F4F61898B44F53F6756C804821094
SHA256: F4C1D831719DEFF3F583396038B9181B316E509AC410132BFA4EE2334C3121F6
SSDEEP: 49152:TmPNJDnvx4+Zf95vAH3W0l79GFmZS0bn3VLIPLS0Le:6Fr4+Zfh0t9RZS0bn3BSB6
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as-is for the user's acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Disables Windows Defender
      • msiexec.exe (PID: 2964)
    • Loads dropped or rewritten executable
      • services.exe (PID: 644)
      • svchost.exe (PID: 456)
    • Application was injected by another process
      • svchost.exe (PID: 1028)
      • svchost.exe (PID: 424)
      • svchost.exe (PID: 456)
      • winlogon.exe (PID: 372)
    • Runs injected code in another process
      • svchost.exe (PID: 460)
      • services.exe (PID: 644)
      • svchost.exe (PID: 456)
    • Loads the Task Scheduler COM API
      • sppsvc.exe (PID: 1104)
    • Uses SVCHOST.EXE for hidden code execution
      • svchost.exe (PID: 1028)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2696)
      • msiexec.exe (PID: 2964)
    • Creates files in the Windows directory
      • msiexec.exe (PID: 2964)
      • svchost.exe (PID: 456)
      • svchost.exe (PID: 424)
      • mscorsvw.exe (PID: 1944)
      • mscorsvw.exe (PID: 2824)
      • WMIADAP.EXE (PID: 2004)
      • svchost.exe (PID: 1028)
    • Drops a file that was compiled in debug mode
      • msiexec.exe (PID: 2964)
      • svchost.exe (PID: 456)
    • Creates a directory in Program Files
      • msiexec.exe (PID: 2964)
    • Reads Environment values
      • MsiExec.exe (PID: 1352)
    • Creates files in the user directory
      • powershell.exe (PID: 3000)
    • Creates or modifies Windows services
      • svchost.exe (PID: 456)
      • netsh.exe (PID: 2056)
    • Creates files in the driver directory
      • svchost.exe (PID: 456)
    • Uses NETSH.EXE for network configuration
      • MsiExec.exe (PID: 1736)
    • Executes PowerShell scripts
      • MsiExec.exe (PID: 1736)
    • Drops a file with too old compile date
      • svchost.exe (PID: 456)
    • Removes files from Windows directory
      • svchost.exe (PID: 456)
      • svchost.exe (PID: 424)
      • svchost.exe (PID: 1028)
      • WMIADAP.EXE (PID: 2004)
    • Starts SC.EXE for service management
      • services.exe (PID: 644)
    • Low-level read access rights to disk partition
      • svchost.exe (PID: 424)
  • INFO
    • Loads dropped or rewritten executable
      • MsiExec.exe (PID: 1352)
    • Manual execution by user
      • msiexec.exe (PID: 2176)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipFileName: M0021.cab
ZipUncompressedSize: 1920389
ZipCompressedSize: 1885603
ZipCRC: 0xdc9b30a2
ZipModifyDate: 2020:11:22 21:38:19
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
Total processes: 165
Monitored processes: 53
Malicious processes: 8
Suspicious processes: 0

Behavior graph

(Interactive graph not reproduced. Processes shown in the graph: winrar.exe, msiexec.exe, netsh.exe, takeown.exe, cacls.exe, powershell.exe, services.exe, svchost.exe, taskhost.exe, winlogon.exe, mscorsvw.exe, sppsvc.exe, powercfg.exe, sc.exe, wmiadap.exe.)

Process information

PID: 2696
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\pf.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll

PID: 2176
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\6.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\msiexec.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 2964
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\msiexec.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 1352
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding DF0FF1F891B6A720E9C78151C2592EF3
Path: C:\Windows\syswow64\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\syswow64\msiexec.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 1736
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 38C4768EC0B229C089DC8CDB53D4BAF7 E Global\MSI0000
Path: C:\Windows\syswow64\MsiExec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\syswow64\msiexec.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 2932
CMD: "C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: MsiExec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\syswow64\netsh.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 1460
CMD: "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: MsiExec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\syswow64\netsh.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 2888
CMD: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: MsiExec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\syswow64\netsh.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 2780
CMD: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: MsiExec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\syswow64\netsh.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 2596
CMD: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: MsiExec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\syswow64\netsh.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll
Total events: 18 306
Read events: 16 649
Write events: 1 631
Delete events: 26

Modification events

(PID) Process | Key | Operation | Name | Value
(2696) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
(2696) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
(2696) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | write | LanguageList | en-US
(2696) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\pf.zip
(2696) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(2696) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(2696) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
(2696) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(2696) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | write | @C:\Windows\System32\msimsg.dll,-34 | Windows Installer Package
(2696) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
Executable files: 6
Suspicious files: 31
Text files: 4
Unknown types: 2

Dropped files

PID | Process | Filename
2964 | msiexec.exe | C:\Windows\Installer\MSI6CDF.tmp
2964 | msiexec.exe | C:\Windows\Installer\MSI6D0F.tmp
2964 | msiexec.exe | C:\Windows\Installer\MSI6D2F.tmp
2964 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFFA96E4BA66BDF2A8.TMP
2964 | msiexec.exe | C:\Config.Msi\186540.rbs
2964 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFC2A6D4A18E956473.TMP
2964 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF163B0130CD53AACE.TMP
3000 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UNIRVML18TXRDXAGXLCU.temp
456 | svchost.exe | C:\Windows\System32\drivers\dump_VMBUS.sys
456 | svchost.exe | C:\Windows\system32\MsE6E0D97CApp.dll
HTTP(S) requests: 96
TCP/UDP connections: 17 456
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
2352 | svchost.exe | HEAD | 200 | 107.191.53.95:19119 | http://107.191.53.95:19119/0BC8EC41.moe | JP | unknown
2352 | svchost.exe | HEAD | 200 | 172.106.32.32:19232 | http://172.106.32.32:19232/0BC8EC41.moe | US | unknown
2352 | svchost.exe | HEAD | 200 | 1.248.75.8:17182 | http://1.248.75.8:17182/0BC8EC41.moe | KR | malicious
2352 | svchost.exe | HEAD | 200 | 149.28.193.205:19487 | http://149.28.193.205:19487/0BC8EC41.moe | US | malicious
2352 | svchost.exe | HEAD | 200 | 58.229.194.122:11627 | http://58.229.194.122:11627/0BC8EC41.moe | KR | unknown
2352 | svchost.exe | HEAD | 200 | 58.229.194.121:11532 | http://58.229.194.121:11532/0BC8EC41.moe | KR | malicious
2352 | svchost.exe | HEAD | 200 | 45.76.155.140:13317 | http://45.76.155.140:13317/0BC8EC41.moe | SG | suspicious
2352 | svchost.exe | HEAD | 200 | 58.229.194.122:11627 | http://58.229.194.122:11627/0BC8EC41.moe | KR | unknown
2352 | svchost.exe | HEAD | 200 | 149.28.193.205:19487 | http://149.28.193.205:19487/0BC8EC41.moe | US | malicious
2352 | svchost.exe | HEAD | 200 | 45.32.155.0:14217 | http://45.32.155.0:14217/0BC8EC41.moe | DE | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
424 | svchost.exe | 45.76.155.140:25739 | | Choopa, LLC | SG | suspicious
424 | svchost.exe | 51.105.208.173:80 | time.windows.com | Microsoft Corporation | GB | unknown
1028 | svchost.exe | 119.164.218.229:14711 | | CHINA UNICOM China169 Backbone | CN | unknown
424 | svchost.exe | 45.32.155.0:25739 | | Choopa, LLC | DE | suspicious
424 | svchost.exe | 8.8.8.8:53 | | Google Inc. | US | whitelisted
424 | svchost.exe | 45.32.155.0:10121 | | Choopa, LLC | DE | suspicious
424 | svchost.exe | 59.120.154.13:11605 | | Data Communication Business Group | TW | malicious
1028 | svchost.exe | 175.188.188.205:13167 | | China Networks Inter-Exchange | CN | suspicious
1028 | svchost.exe | 45.76.204.9:25739 | | Choopa, LLC | JP | unknown
424 | svchost.exe | 175.188.188.205:19486 | | China Networks Inter-Exchange | CN | suspicious

DNS requests

Domain | IP | Reputation
teredo.ipv6.microsoft.com | | whitelisted
time.windows.com | 51.105.208.173 | whitelisted
Rpc.1qw.us | 7.38.158.0, 81.170.221.229, 7.82.158.140, 3.100.25.6, 70.67.218.112, 111.34.196.205 | unknown

Threats

PID | Process | Class | Message
424 | svchost.exe | A Network Trojan was detected | LOADER [PTsecurity] PhantomNugget
424 | svchost.exe | A Network Trojan was detected | LOADER [PTsecurity] PhantomNugget
1028 | svchost.exe | A Network Trojan was detected | LOADER [PTsecurity] PhantomNugget
2352 | svchost.exe | Misc activity | ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
2352 | svchost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
2352 | svchost.exe | Misc Attack | ET CINS Active Threat Intelligence Poor Reputation IP group 1
2352 | svchost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
2352 | svchost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
2352 | svchost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
2352 | svchost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request

Debug output

Process | Message
MsiExec.exe | [AVX_CRT_Fix][C:\Windows\Installer\MSI6934.tmp] CPU: __isa_available = 5
MsiExec.exe | [AVX_CRT_Fix][C:\Windows\Installer\MSI6CDF.tmp] CPU: __isa_available = 5
MsiExec.exe | [AVX_CRT_Fix][C:\Windows\Installer\MSI6D0F.tmp] CPU: __isa_available = 5
MsiExec.exe | [AVX_CRT_Fix][C:\Windows\Installer\MSI6D2F.tmp] CPU: __isa_available = 5