File name: analyze.zip

Full analysis: https://app.any.run/tasks/61de7681-2dcb-441b-b763-f3f771ea63c5
Verdict: Malicious activity
Analysis date: October 20, 2020, 02:40:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 653BC28B0A9A3AD56DCCDDAAE143CCE7
SHA1: DE93859A6A3A6850CAB1EF11E3AA5491F3A18262
SHA256: F8DBD4F75EB3BF74F091F0AC2F7312FD15A15DF193B749FD8E73D3482AC62CCC
SSDEEP: 98304:9meZpw3w9E/1YYz2HcXKQpovegI7A0EIcoFZunq9:9mew3w9EdYl8aQpNsvoFZuq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • mbbServiceSetup.exe (PID: 316)
      • mbbService.exe (PID: 3976)
      • mbbServiceSetup.exe (PID: 3380)
      • preinstall.exe (PID: 3708)
      • CompareVersion.exe (PID: 3396)
      • mbbservice.exe (PID: 1968)
      • mbbServiceSetup.exe (PID: 2416)
      • mbbServiceSetup.exe (PID: 3332)
      • preinstall.exe (PID: 2836)
      • mbbService.exe (PID: 888)
      • CompareVersion.exe (PID: 2116)
      • AutoRun.exe (PID: 2400)
      • AutoRun.exe (PID: 888)
      • Uninstall.exe (PID: 2264)
      • mbbService.exe (PID: 576)
      • mbbservice.exe (PID: 3832)
      • DeleteFile.exe (PID: 1748)
      • Uninstall.exe (PID: 2244)
      • preinstall.exe (PID: 3652)
      • mbbServiceSetup.exe (PID: 2416)
      • preinstall.exe (PID: 3576)
      • mbbServiceSetup.exe (PID: 3960)
      • mbbservice.exe (PID: 3716)
      • mbbService.exe (PID: 2556)
      • CompareVersion.exe (PID: 1944)
    • Loads dropped or rewritten executable

      • mbbServiceSetup.exe (PID: 3380)
      • mbbServiceSetup.exe (PID: 3332)
      • Uninstall.exe (PID: 2264)
      • mbbServiceSetup.exe (PID: 2416)
  • SUSPICIOUS

    • Creates files in the program directory

      • mbbService.exe (PID: 3976)
      • mbbservice.exe (PID: 1968)
      • AutoRun.exe (PID: 888)
      • Uninstall.exe (PID: 2264)
      • mbbServiceSetup.exe (PID: 3380)
      • mbbService.exe (PID: 2556)
      • mbbservice.exe (PID: 3716)
      • mbbServiceSetup.exe (PID: 2416)
    • Creates a software uninstall entry

      • mbbServiceSetup.exe (PID: 3380)
      • mbbServiceSetup.exe (PID: 2416)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2792)
      • WinRAR.exe (PID: 2740)
      • mbbServiceSetup.exe (PID: 3380)
      • mbbServiceSetup.exe (PID: 3332)
      • Uninstall.exe (PID: 2264)
      • mbbServiceSetup.exe (PID: 2416)
    • Executed as Windows Service

      • mbbservice.exe (PID: 1968)
      • mbbservice.exe (PID: 3716)
    • Starts CMD.EXE for commands execution

      • DeleteFile.exe (PID: 1748)
  • INFO

    • Manual execution by user

      • Unzip.exe (PID: 3660)
      • WinRAR.exe (PID: 2792)
      • WINWORD.EXE (PID: 4048)
      • mbbServiceSetup.exe (PID: 3332)
      • mbbServiceSetup.exe (PID: 2416)
      • AutoRun.exe (PID: 888)
      • AutoRun.exe (PID: 2400)
      • Uninstall.exe (PID: 2244)
      • mbbService.exe (PID: 576)
      • Uninstall.exe (PID: 2264)
      • WinRAR.exe (PID: 4068)
      • WinRAR.exe (PID: 2364)
      • mbbServiceSetup.exe (PID: 3960)
      • mbbServiceSetup.exe (PID: 2416)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 4048)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 4048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: analyze/ArConfig.dat
ZipUncompressedSize: 1594
ZipCompressedSize: 722
ZipCRC: 0x9217c55e
ZipModifyDate: 2016:03:24 17:57:07
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 96
Monitored processes: 32
Malicious processes: 6
Suspicious processes: 5

Behavior graph

The interactive process graph (start / drop-and-start chains for winrar.exe, unzip.exe, mbbservicesetup.exe, preinstall.exe, compareversion.exe, mbbservice.exe, winword.exe, autorun.exe, uninstall.exe, deletefile.exe, cmd.exe) is available in the full report.

Process information

PID 2740 | Parent process: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\analyze.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Version: 5.60.0

PID 3660 | Parent process: explorer.exe
  CMD: "C:\Users\admin\Desktop\analyze\Unzip.exe"
  Path: C:\Users\admin\Desktop\analyze\Unzip.exe
  User: admin | Integrity Level: MEDIUM | Exit code: 4294967295

PID 2792 | Parent process: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\analyze\MobileBrServ.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Exit code: 0 | Version: 5.60.0

PID 316 | Parent process: WinRAR.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2792.49640\mbbServiceSetup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2792.49640\mbbServiceSetup.exe
  User: admin | Integrity Level: MEDIUM | Exit code: 3221226540

PID 3380 | Parent process: WinRAR.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2792.49640\mbbServiceSetup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2792.49640\mbbServiceSetup.exe
  User: admin | Integrity Level: HIGH | Exit code: 2

PID 3708 | Parent process: mbbServiceSetup.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\MobileBrServ\preinstall.exe" -C:\Users\admin\AppData\Local\Temp\Rar$EXa2792.49640\mbbServiceSetup.exe
  Path: C:\Users\admin\AppData\Local\Temp\MobileBrServ\preinstall.exe
  User: admin | Integrity Level: HIGH | Exit code: 1

PID 3396 | Parent process: mbbServiceSetup.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\MobileBrServ\CompareVersion.exe " -22.001.29.01.03,
  Path: C:\Users\admin\AppData\Local\Temp\MobileBrServ\CompareVersion.exe
  User: admin | Integrity Level: HIGH | Exit code: 3

PID 3976 | Parent process: mbbServiceSetup.exe
  CMD: "C:\Program Files\MobileBrServ\mbbService.exe" -install
  Path: C:\Program Files\MobileBrServ\mbbService.exe
  User: admin | Integrity Level: HIGH | Exit code: 0 | Version: 22.001.29.01.03

PID 1968 | Parent process: services.exe
  CMD: "C:\Program Files\MobileBrServ\mbbservice.exe" -service
  Path: C:\Program Files\MobileBrServ\mbbservice.exe
  User: SYSTEM | Integrity Level: SYSTEM | Exit code: 0 | Version: 22.001.29.01.03

PID 4048 | Parent process: explorer.exe
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\enoughlinux.rtf"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Word | Exit code: 0 | Version: 14.0.6024.1000
Total events: 2 799
Read events: 2 443
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 64
Suspicious files: 12
Text files: 511
Unknown types: 109

Dropped files

PID 2740 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\MacOS\HiLink | binary
  MD5: 3B86F4ECEFE953FF2C6863D6B5BE8E32
  SHA256: B7BAEB9629932B1D8B76AEF8F82E6939B4258B37E6B8AC3944B8077C1D75D10F

PID 2740 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\Resources\mbbserviceopen.app\Contents\MacOS\mbbserviceopen | binary
  MD5: 7C10A0C9795D87C9B96BF4FC2E62D40A
  SHA256: 413B36A1597829B6CC8FA75D8D4508CC596C1CB5AB725B183EEC8F0856AEEAC8

PID 2740 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\Resources\English.lproj\Logo.icns | image
  MD5: 2A3ED0988F82466587F957A85AF5190B
  SHA256: 473793F76B4C4A3346D2ED9F4855C0CA868A9F46B4D7BC2CF4DBD7D13F420898

PID 2740 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\Resources\mbbserviceopen.app\Contents\Resources\English.lproj\InfoPlist.strings | text
  MD5: D72878BB656F235C73B049056CD30DBA
  SHA256: F1DCFF1F7CCD3FC1F1D311228CD568CAB6B9CCA62B12F8EB6D23566A4362481D

PID 2740 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\AUTORUN.INF | ini
  MD5: 6F995E3270D48B340203BBD809E22125
  SHA256: 663DA6AA17C250F0C1624C0E4B97FB63DDEAF152BEEAD253BF09D870A0A2D31D

PID 2740 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\Resources\mbbserviceopen.app\Contents\Resources\Logo.icns | image
  MD5: 2A3ED0988F82466587F957A85AF5190B
  SHA256: 473793F76B4C4A3346D2ED9F4855C0CA868A9F46B4D7BC2CF4DBD7D13F420898

PID 2740 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\ArConfig.dat | text
  MD5: 9EB7280524AA212D1DCA53EFE1C0501C
  SHA256: 340A386325A680C68F6CD30331061D6B233B29946AD136F62FE4B0D5B26A0D57

PID 2740 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\Resources\Installer.png | image
  MD5: 0E9E279C003E7B59192C4096808A80F6
  SHA256: F6ABB05685BD9C61FABF63905E37471262D0729A78FCE52CFFACC6F38DC57958

PID 2740 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\Resources\English.lproj\custom.strings | text
  MD5: 64FC9B3091DC6AC8070EE183583E0C54
  SHA256: 51880423A36197B329673D2D9BABD05A0E359D920BB557DDE8DCCFD2CB96C69D

PID 2740 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\Resources\English.lproj\InfoPlist.strings | text
  MD5: 2A40FBCE57C2DA3866B559285BCAE22F
  SHA256: BD90AAB5CBEC49B11FEBC3F8056563488227BC08BD5F020F72B362C0157A314C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info