File name: dcu.zip

Full analysis: https://app.any.run/tasks/8bcd4a5c-702c-46ee-879c-fc6449640937
Verdict: Malicious activity
Analysis date: August 13, 2019, 07:15:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: C44028ABE60132EA783E4CDAEDF03699
SHA1: 25224A6BDE012D6C46F027C836819251FF75DEB8
SHA256: FB2A703096CB982C16144DBEE3F19CD1AC2DED775CC48523F59E91E3E6986D9E
SSDEEP: 12288:tPxxL7lAfuoC4DsWv+Rgk2B7xg0RqP7HnOw9qqj4dL3uL3:5LxApCwv+OPlqP7Zr4LeD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • DCU.exe (PID: 3080)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3744)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2956)
  • INFO
    • Manual execution by user
      • DCU.exe (PID: 3080)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2015:01:20 12:00:00
ZipCRC: 0x4d8b6dc1
ZipCompressedSize: 422562
ZipUncompressedSize: 431104
ZipFileName: Drag'n'Crypt ULTRA/DCU-CMT.exe
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes: start, winrar.exe, searchprotocolhost.exe (no specs), dcu.exe (no specs)

Process information

PID: 2956
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\dcu.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 3080
CMD: "C:\Users\admin\Desktop\Drag'n'Crypt ULTRA\DCU.exe"
Path: C:\Users\admin\Desktop\Drag'n'Crypt ULTRA\DCU.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Drag'n'Crypt ULTRA
Exit code: 0
Version: 2.3.9
Modules (images):
c:\users\admin\desktop\drag'n'crypt ultra\dcu.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 3744
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe13_ Global\UsGthrCtrlFltPipeMssGthrPipe13 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 790
Read events: 777
Write events: 13
Delete events: 0

Modification events

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\dcu.zip

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 0
Value: C:\Users\admin\Desktop

(PID) Process: (3744) SearchProtocolHost.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 4
Suspicious files: 0
Text files: 15
Unknown types: 0

Dropped files

PID: 2956 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\Drag'n'Crypt ULTRA\DCU-CMT.exe
MD5: F07689E65ADA17A768B78B3178D3B78A
SHA256: 9CD76A04278392AB3100BB09DCF929140C427A5900AF1B2E20AD647E306CFA78

PID: 2956 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\Desktop\Drag'n'Crypt ULTRA\French.lng
MD5: 20EC0DB1A3FA854F454D149C98D60221
SHA256: 0AC599E9098C47EFC46855CAA8FADCFF9BA555CFA11BA88EF1C852863A5ECA2B

PID: 2956 | Process: WinRAR.exe | Type: image
Filename: C:\Users\admin\Desktop\Drag'n'Crypt ULTRA\DCU_icon.ico
MD5: 542CA48957DF79893D45C9E987DD2DE4
SHA256: 03C00C199CD8C85379B2BBB9731B8CDF52059A89FE270C5BC4AA6634D18D31B6

PID: 2956 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\Desktop\Drag'n'Crypt ULTRA\Hungarian.lng
MD5: CE395B1602140F4CC9843BF0F9FA831A
SHA256: 23D663D0BF52DB895FE9F66C4A501E4C040997317CAA3FB859E7C50E92E9EA5B

PID: 2956 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\Drag'n'Crypt ULTRA\dcu64.dll
MD5: B4FDF31A3C5F09805732B13A5B216196
SHA256: 3B506BD0AB4ECD041E25E7A696A65F08EDF2DE1E445E24AA1FB90ABEA628B9E0

PID: 3080 | Process: DCU.exe | Type: text
Filename: C:\Users\admin\Desktop\Drag'n'Crypt ULTRA\DCU.ini
MD5:
SHA256:

PID: 2956 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\Drag'n'Crypt ULTRA\DCU.exe
MD5: C64649F23ED80F3910642FD1078AC3EF
SHA256: BF8BDD7C6064373FFBEED10049E527B6FE5C4EDF3FAC734E7E5EB92053194CFC

PID: 2956 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\Desktop\Drag'n'Crypt ULTRA\Deutsch.lng
MD5: 52C7E9AAA352187D44C9DC9220A71B45
SHA256: EA766D3E700F1C5ADA1C59F3198F199ECF3EFD62C6C0BFAFBE6AED3E2549D434

PID: 2956 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\Drag'n'Crypt ULTRA\dcu.dll
MD5: 997F4AE6A27F95434656A8F4156E0B1A
SHA256: 2BF881B6A78EC19E2E6E9B2996CEBDB0900E550CBBA7B01B160F26DA27638039

PID: 2956 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\Desktop\Drag'n'Crypt ULTRA\Lies.Mich.Zuerst.txt
MD5: 40CF51F0A2AC5E5B414E9210DB16AFC9
SHA256: DF5806BB2E51D8DCCDC1C592AF8B6734AE169DB1E8C6B103A2D145327D3856E0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info