| File name: | Nowy Archiwum WinRARa.rar |
| Full analysis: | https://app.any.run/tasks/d8fa154a-6529-43f4-b853-e76c7084d392 |
| Verdict: | Malicious activity |
| Analysis date: | December 02, 2023, 22:59:13 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 98F66EB46A4AF8DCE663EC1BBE267951 |
| SHA1: | 33E56EABEC6353F46C3CCCEF5D74A2046FE7528D |
| SHA256: | 0075E6B24E2A0F1F555E121652C598CD3F011C4B39B1A14CB3A5BDE2F807DA40 |
| SSDEEP: | 98304:aUCztZPXIWNDUCztoTMYfJafum581wPuyBc7OByRTipXbKk4lVPUUYTEs7SbQwqG:6VNqWTQ |
MALICIOUS
Adds path to the Windows Defender exclusion list
- Launcher.exe (PID: 2184)
Drops the executable file immediately after the start
- Launcher.exe (PID: 2184)
Create files in the Startup directory
- Launcher.exe (PID: 2184)
SUSPICIOUS
Write to the desktop.ini file (may be used to cloak folders)
- WinRAR.exe (PID: 3476)
Reads the Internet Settings
- Launcher.exe (PID: 2184)
- instagram Checker by xRisky.exe (PID: 3796)
- Windows Services.exe (PID: 3208)
Script adds exclusion path to Windows Defender
- Launcher.exe (PID: 2184)
Starts POWERSHELL.EXE for commands execution
- Launcher.exe (PID: 2184)
Powershell version downgrade attack
- powershell.exe (PID: 1840)
The process creates files with name similar to system file names
- Launcher.exe (PID: 2184)
INFO
Checks supported languages
- instagram Checker by xRisky.exe (PID: 3796)
- Launcher.exe (PID: 2184)
- Windows Services.exe (PID: 3208)
- Runtime Explorer.exe (PID: 2716)
- InstaServ.exe (PID: 3216)
- Runtime Explorer.exe (PID: 2548)
- Runtime Explorer.exe (PID: 3996)
- Secure System Shell.exe (PID: 3880)
Reads the computer name
- instagram Checker by xRisky.exe (PID: 3796)
- Launcher.exe (PID: 2184)
- Windows Services.exe (PID: 3208)
- Secure System Shell.exe (PID: 3880)
- InstaServ.exe (PID: 3216)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3476)
Reads the machine GUID from the registry
- instagram Checker by xRisky.exe (PID: 3796)
- Launcher.exe (PID: 2184)
- Windows Services.exe (PID: 3208)
- Runtime Explorer.exe (PID: 2716)
- InstaServ.exe (PID: 3216)
- Secure System Shell.exe (PID: 3880)
- Runtime Explorer.exe (PID: 3996)
- Runtime Explorer.exe (PID: 2548)
Creates files or folders in the user directory
- Launcher.exe (PID: 2184)
Create files in a temporary directory
- Runtime Explorer.exe (PID: 2548)
- Runtime Explorer.exe (PID: 2716)
- Runtime Explorer.exe (PID: 3996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
50
Monitored processes
10
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1840 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Launcher.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2184 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\instagram Checker by xRisky\database\Launcher.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\instagram Checker by xRisky\database\Launcher.exe | instagram Checker by xRisky.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Launcher Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 2548 | "C:\Windows\IMF\Runtime Explorer.exe" | C:\Windows\IMF\Runtime Explorer.exe | — | Windows Services.exe | |||||||||||
User: admin Company: Microsoft Windows Integrity Level: HIGH Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 2716 | "C:\Windows\IMF\Runtime Explorer.exe" | C:\Windows\IMF\Runtime Explorer.exe | — | Windows Services.exe | |||||||||||
User: admin Company: Microsoft Windows Integrity Level: HIGH Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 3208 | "C:\Windows\IMF\Windows Services.exe" {Arguments If Needed} | C:\Windows\IMF\Windows Services.exe | — | Launcher.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Windows Services Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3216 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\instagram Checker by xRisky\database\InstaServ.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\instagram Checker by xRisky\database\InstaServ.exe | instagram Checker by xRisky.exe | ||||||||||||
User: admin Company: instagram Checker by xRisky Integrity Level: HIGH Description: instagram Checker by xRisky Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3476 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Nowy Archiwum WinRARa.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 3796 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\instagram Checker by xRisky\instagram Checker by xRisky.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\instagram Checker by xRisky\instagram Checker by xRisky.exe | — | WinRAR.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Launcher Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3880 | "C:\Windows\IMF\Secure System Shell.exe" | C:\Windows\IMF\Secure System Shell.exe | — | Windows Services.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Secure System Shell Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3996 | "C:\Windows\IMF\Runtime Explorer.exe" | C:\Windows\IMF\Runtime Explorer.exe | — | Windows Services.exe | |||||||||||
User: admin Company: Microsoft Windows Integrity Level: HIGH Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
Total events
5 371
Read events
5 251
Write events
119
Delete events
1
Modification events
| (PID) Process: | (3476) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (3476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (3476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
Executable files
20
Suspicious files
18
Text files
16
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3476 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\Best Instagram Bot 4.1\Application Files\98p.ico.deploy | image | |
MD5:A098B32EBC940D092779E2E488036D68 | SHA256:4AC78EA8F26FCB0CE273E96BE03018A73390EFEFE00A37480F9371712BE072C3 | |||
| 3476 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\Best Instagram Bot 4.1\Application Files\Best Instagram Bot 4.1.exe.deploy | executable | |
MD5:1E19AE66589289B2F70CB9577A00A734 | SHA256:79D4571372CF510FD73D489D776D82D0B5651A05E9032CA3DA865F152F42BBDF | |||
| 3476 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\Best Instagram Bot 4.1\Application Files\Best Instagram Bot 4.1.exe.manifest | xml | |
MD5:B6C12A703D50AB80F2B73B1F897DB3FF | SHA256:6E292BB22F8EDDA3D73F6C87131497095FAE25AC38C4844BCFEE2543ADF3FFBD | |||
| 3476 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\Best Instagram Bot 4.1\usersys\Ionic.Zip.dll | executable | |
MD5:F6933BF7CEE0FD6C80CDF207FF15A523 | SHA256:17BB0C9BE45289A2BE56A5F5A68EC9891D7792B886E0054BC86D57FE84D01C89 | |||
| 3476 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\Best Instagram Bot 4.1\usersys\Application Files\Best Instagram Bot 4.1.exe.deploy | executable | |
MD5:1E19AE66589289B2F70CB9577A00A734 | SHA256:79D4571372CF510FD73D489D776D82D0B5651A05E9032CA3DA865F152F42BBDF | |||
| 3476 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\Best Instagram Bot 4.1\usersys\Launcher.exe | executable | |
MD5:C6D4C881112022EB30725978ECD7C6EC | SHA256:0D87B9B141A592711C52E7409EC64DE3AB296CDDC890BE761D9AF57CEA381B32 | |||
| 3476 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\Best Instagram Bot 4.1\usersys\st.exe | executable | |
MD5:40F8224C5960D8C0801BD7755202D73D | SHA256:21EACAF07E639A88EFC2AB36B30FB0948D14DE4EACF4165B4CAE1AAA58D0289E | |||
| 3476 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\Best Instagram Bot 4.1\usersys\LICENCE.dat | compressed | |
MD5:43A46B3D4965C8E4FDA4B5161C2DAD5C | SHA256:301CE5C90623271D88AA32EB0E3C3C988C26F08246981065DF2E303F7FFB60A3 | |||
| 3476 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\instagram Checker by xRisky\database\edbres00002.jrs | gmc | |
MD5:B6D81B360A5672D80C27430F39153E2C | SHA256:30E14955EBF1352266DC2FF8067E68104607E750ABB9D3B36582B8AF909FCB58 | |||
| 3476 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3476.44954\instagram Checker by xRisky\database\edb.log | binary | |
MD5:24430D611ECE37D56F789F1EF5E18A38 | SHA256:8F7492FC0C14C45FB2647F379DA0C92D69367EB6BD7E9667E6C84A47E28EF60D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |