File name: N. 490.349 N. 491.189.zip

Full analysis: https://app.any.run/tasks/43cee062-8f3a-4a3a-998b-1d24f67d7d3a
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: July 12, 2020, 08:13:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 2A245C0245809F4A33B5AAC894070519
SHA1: C27F2ED5029418C7F786640FB929460B9F931671
SHA256: FB7E8A99CF8CB30F829DB0794042232ACFE7324722CBEA89BA8B77CE2DCF1CAA
SSDEEP: 12288:5swwMW9MrSXLFCwBFzUojVHdSAZ1skrCgU8eq5cIkR9GB9PvBpIwP4NK+RTSFoFA:Hwg+XLtBFzUCVHdIkrCgU85BqGBWk4Nc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • DOC-2020-05-15T092742.441.exe (PID: 3040)
    • Application was dropped or rewritten from another process
      • DOC-2020-05-15T092742.441.exe (PID: 3040)
  • SUSPICIOUS
    • Reads the machine GUID from the registry
      • WinRAR.exe (PID: 2964)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2964)
  • INFO
    • Manual execution by user
      • DOC-2020-05-15T092742.441.exe (PID: 3040)
    • Application launched itself
      • AcroRd32.exe (PID: 2932)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: DOC-2020-05-15T092742.441/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2020:05:18 14:49:00
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Process nodes: start, winrar.exe, doc-2020-05-15t092742.441.exe, acrord32.exe (no specs), acrord32.exe (no specs)

Process information

PID: 2964
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\N. 490.349 N. 491.189.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3040
CMD: "C:\Users\admin\Desktop\DOC-2020-05-15T092742.441\DOC-2020-05-15T092742.441.exe"
Path: C:\Users\admin\Desktop\DOC-2020-05-15T092742.441\DOC-2020-05-15T092742.441.exe
Parent process: explorer.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Reader 9.0
Version: 9.0.0.2008061200

PID: 2932
CMD: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\Desktop\DOC-2020-05-15T092742.441\DOC-2020-05-15T092742.441.pdf"
Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: DOC-2020-05-15T092742.441.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Acrobat Reader DC
Version: 15.7.20033.133275

PID: 2752
CMD: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --channel=2932.0.637666135 --type=renderer "C:\Users\admin\Desktop\DOC-2020-05-15T092742.441\DOC-2020-05-15T092742.441.pdf"
Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: AcroRd32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe Acrobat Reader DC
Version: 15.7.20033.133275
Total events: 406
Read events: 371
Write events: 35
Delete events: 0

Modification events

Process | Key | Operation | Name | Value
(2964) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
(2964) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
(2964) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\131\52C64B7E | write | LanguageList | en-US
(2964) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\N. 490.349 N. 491.189.zip
(2964) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(2964) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(2964) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
(2964) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(2964) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
(2964) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\General | write | LastFolder | C:\Users\admin\Desktop
Executable files: 4
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2964 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2964.48513\DOC-2020-05-15T092742.441\acrord32.dll | executable
  MD5: 6060F7DC35C4D43728D5CA5286327C01
  SHA256: 8A07C265A20279D4B60DA2CC26F2BB041730C90C6D3ECA64A8DD9F4A032D85D3
2964 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2964.48513\DOC000(54)\DOC000(54).exe | executable
  MD5: E16DD9FAECA97B4C185426E5672BECBA
  SHA256: C21BFC263890F02763F56B4E9F5CF9113656CF09D7864B53EC2FD2024BDADD60
3040 | DOC-2020-05-15T092742.441.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\dis[1].gif | html
  MD5: 7BBBF2015E0575388B4F2DE42065F699
  SHA256: 5882AB797F622B87B4836F71D7EABEEE4D61AFAF65F6CF4118E5985DE11AE029
3040 | DOC-2020-05-15T092742.441.exe | C:\Users\admin\Desktop\DOC-2020-05-15T092742.441\DOC-2020-05-15T092742.441.pdf | pdf
  MD5: 92C27C5DE0EF3119D447769750496222
  SHA256: 2BC7ED201C7AF3E57A20EEC4099E242631734FA37B50FA4BCE194751F497F7C8
2964 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2964.48513\DOC000(54)\acrord32.dll | executable
  MD5: F888BB77AF9018A617B8A74D739AC29F
  SHA256: 1F4C6010859130CE9DF006AA169CE1840624DE8DA5FEE845F209C2A7D6B606A8
2964 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2964.48513\DOC-2020-05-15T092742.441\DOC-2020-05-15T092742.441.exe | executable
  MD5: E16DD9FAECA97B4C185426E5672BECBA
  SHA256: C21BFC263890F02763F56B4E9F5CF9113656CF09D7864B53EC2FD2024BDADD60
HTTP(S) requests: 124
TCP/UDP connections: 105
DNS requests: 11
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 167.88.180.198:80 | http://167.88.180.198/dis.dat | CA | html | 89 b | malicious
3040 | DOC-2020-05-15T092742.441.exe | GET | 404 | 52.7.9.69:443 | https://cloud.acrobat.com/appmeasurement.js | US | text | 66 b | whitelisted
3040 | DOC-2020-05-15T092742.441.exe | GET | 404 | 52.7.9.69:443 | https://cloud.acrobat.com/appmeasurement.js | US | text | 66 b | whitelisted
3040 | DOC-2020-05-15T092742.441.exe | GET | 200 | 167.88.180.198:80 | http://167.88.180.198/dis.dat | CA | html | 89 b | malicious
- | - | GET | 304 | 2.16.177.91:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278.zip | - | unknown | - | whitelisted
3040 | DOC-2020-05-15T092742.441.exe | GET | 404 | 52.7.9.69:443 | https://cloud.acrobat.com/appmeasurement.js | US | text | 66 b | whitelisted
3040 | DOC-2020-05-15T092742.441.exe | GET | 404 | 52.7.9.69:443 | https://cloud.acrobat.com/appmeasurement.js | US | text | 66 b | whitelisted
3040 | DOC-2020-05-15T092742.441.exe | GET | 404 | 52.7.9.69:443 | https://cloud.acrobat.com/appmeasurement.js | US | text | 66 b | whitelisted
3040 | DOC-2020-05-15T092742.441.exe | GET | 404 | 52.7.9.69:443 | https://cloud.acrobat.com/appmeasurement.js | US | text | 66 b | whitelisted
3040 | DOC-2020-05-15T092742.441.exe | GET | 404 | 52.7.9.69:443 | https://cloud.acrobat.com/appmeasurement.js | US | text | 66 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3040 | DOC-2020-05-15T092742.441.exe | 167.88.180.198:80 | - | - | CA | malicious
- | - | 167.88.180.198:80 | - | - | CA | malicious
- | - | 52.7.9.69:443 | cloud.acrobat.com | Amazon.com, Inc. | US | unknown
- | - | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | - | whitelisted
- | - | 34.224.183.8:443 | cloud.acrobat.com | Amazon.com, Inc. | US | unknown
- | - | 3.226.128.10:443 | cloud.acrobat.com | - | US | unknown
- | - | 2.16.177.91:80 | acroipm2.adobe.com | Akamai International B.V. | - | whitelisted
- | - | 34.202.87.85:443 | cloud.acrobat.com | Amazon.com, Inc. | US | unknown
- | - | 2.16.177.113:80 | ardownload.adobe.com | Akamai International B.V. | - | suspicious
- | - | 52.73.1.97:443 | cloud.acrobat.com | Amazon.com, Inc. | US | unknown

DNS requests

Domain
IP
Reputation
cloud.acrobat.com
whitelisted
acroipm2.adobe.com
  • 2.16.177.91
  • 2.16.177.50
whitelisted
armmf.adobe.com
  • 2.18.233.74
whitelisted
ardownload.adobe.com
  • 2.16.177.113
  • 2.16.177.114
whitelisted

Threats

PID | Process | Class | Message
3040 | DOC-2020-05-15T092742.441.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
3040 | DOC-2020-05-15T092742.441.exe | A Network Trojan was detected | ET TROJAN Request for Malicious .dat File
- | - | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
- | - | A Network Trojan was detected | ET TROJAN Request for Malicious .dat File
No debug info