File name: 893f233ae06cf17b20b2dca9bf3c7dd3-sample.zip

Full analysis: https://app.any.run/tasks/fcffd34c-cf5f-4ad0-a874-a20456868f6f
Verdict: Malicious activity
Analysis date: April 15, 2019, 03:03:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: D57F40325EEF4014DAD5DC12709DA284
SHA1: E4338ADF8376373C3DF2F74FA75C45AF5C5B52C1
SHA256: FE6D8C293D4E6729B493EDBE1ABA63CA0AD6535C0CA8B2E87C8EE7BB5A13A247
SSDEEP: 3072:/UA5Eq2IywVN3hs/Fh9JU2flt/POnLbogbVwzxbmehvEA30NOGaYo3a8vI32o:/Eq2IyU3hs/T9jdtO7wJmehvEA30eZ3m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe (PID: 3308)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2664)
      • 53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe (PID: 3308)
    • Writes to a desktop.ini file (may be used to cloak folders)
      • 53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe (PID: 3308)
    • Creates files in the program directory
      • 53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe (PID: 3308)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipFileName: 53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe
ZipUncompressedSize: 295210
ZipCompressedSize: 154418
ZipCRC: 0x31680c49
ZipModifyDate: 2019:04:15 03:02:17
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
Total processes: 32
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → winrar.exe → 53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe

Process information

PID | CMD | Path | Parent process

2664 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\893f233ae06cf17b20b2dca9bf3c7dd3-sample.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

3308 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2664.42314\53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2664.42314\53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe | WinRAR.exe
  User: admin
  Integrity Level: MEDIUM
Total events: 434
Read events: 421
Write events: 13
Delete events: 0

Modification events

(PID) Process: (2664) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2664) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2664) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2664) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\893f233ae06cf17b20b2dca9bf3c7dd3-sample.zip

(PID) Process: (2664) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2664) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2664) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2664) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2664) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (2664) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0
Executable files: 203
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3308 | 53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LeiaMe.htm | executable
  MD5: 1620544749DE4E313CF02481DDA249B4
  SHA256: B09B7D37EA702FE0D0B10C636C4315CD44F0DA7D47F45DC36871493F5B0DDBB7

3308 | 53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Leame.htm | executable
  MD5: 9C21C025AB653F7B161C24F62C17FD2D
  SHA256: 12FBBC5D4FE624989D389924A507B735923515E3A6435F98EC4CA22DC6A8B857

3308 | 53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Benioku.htm | executable
  MD5: 3A1B86BE85A45651D23D6D5E91792FB7
  SHA256: 5F134606A0FBA2828548088FD309AE7A265422377AB30E1E0F6BB545D8A253FA

3308 | 53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\IrakHau.htm | executable
  MD5: B6DAB2502EC3308AA70E7BFD1D1937C9
  SHA256: 5CC09B31451F502CC047ED41D009D87104F8F459FD643A03BFD8E39F8BC744B2

3308 | 53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Leggimi.htm | executable
  MD5: 3E24AC9FDB38338E54857B9DE736DD37
  SHA256: 48AB5A26E2F4DEF22DCE17B95CFCAA7B8AEF8DD44AEE05DF153F5C38AB9D73CE

3308 | 53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\desktop.ini | executable
  MD5: D0350ECE0FBDB94D85A87B8CC599D5FA
  SHA256: A7AB66AAD883DAB5EF6E4843D92722D31AD76C16D47F413890766261B5D9F350

2664 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2664.42314\53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe | executable
  MD5: 4C320E563C8A2209546D3F03F0BE1EE0
  SHA256: 53559C1ECF0788F93BF1A99AD234B8D70ED8E35FEC257D5D717AF6EE02993C90

3308 | 53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\AppCenter_R.aapp | executable
  MD5: 46DD37DF40A4B2AEE9DC5240D1C0BE2E
  SHA256: DD8A8B880FDC0BD8AE0E9E173F08A25CC6E6C9615C30AD6DCC19C3EDAE5CA733

3308 | 53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LueMinut.htm | executable
  MD5: AA6D53B082DF5B5C7656E62B23821D59
  SHA256: C58C631FBCC15DD9BE57A5B4A6DD3E0CAFB4AE74A5CC02ED892660CA24FA6959

3308 | 53559c1ecf0788f93bf1a99ad234b8d70ed8e35fec257d5d717af6ee02993c90.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Llegiu-me.htm | executable
  MD5: 33E91A390CC5E5AA6871062EE7574B55
  SHA256: 1837FE17A6E09C720C2F0D2E0A44BB100F159D8A7F80592D543BCC31A48F7DAB
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info