analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Complete.Internet.Repair.5.2.3.4118.rar |
| Full analysis: | https://app.any.run/tasks/cb851f33-1389-45a3-90b1-987fd0c3bc41 |
| Verdict: | Malicious activity |
| Analysis date: | May 30, 2020, 01:51:41 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v4, os: Win32 |
| MD5: | 1B6BD2A8576FFCE710CA0A43A0609529 |
| SHA1: | 638B4F2D36621BAF7D9DAE9D5D6F139A48BDD466 |
| SHA256: | 00C1DE69DA0C024798E4432D693FDAA9B5F0D45B79BAAC5B15FF4398DD9715B3 |
| SSDEEP: | 98304:Sg3TLBeoGIv53PdRzjNXOtgiwVsfQggEf/d1Mx9XJElA4Y++R2fzsneIXMUW4:3n0op53PdtUtgMFgEfwx9XJElA4Y++Wm |
MALICIOUS
Application was dropped or rewritten from another process
- ComIntRep_4118_Setup.exe (PID: 2160)
- ComIntRep_4118_Setup.exe (PID: 3448)
- ComIntRep.exe (PID: 3936)
- ComIntRep.exe (PID: 684)
- ComIntRep.exe (PID: 1796)
- ComIntRep.exe (PID: 3276)
- WuSetupV.exe (PID: 3232)
Actions looks like stealing of personal data
- ComIntRep.exe (PID: 3936)
Registers / Runs the DLL via REGSVR32.EXE
- ComIntRep.exe (PID: 3936)
- ComIntRep.exe (PID: 3276)
Uses NET.EXE to stop Windows Update service
- cmd.exe (PID: 2328)
Modifies Windows security services settings
- ComIntRep.exe (PID: 3936)
Starts NET.EXE for service management
- cmd.exe (PID: 2328)
- cmd.exe (PID: 2796)
- cmd.exe (PID: 3860)
- cmd.exe (PID: 2480)
- cmd.exe (PID: 3208)
- cmd.exe (PID: 780)
- cmd.exe (PID: 2212)
- cmd.exe (PID: 1904)
- cmd.exe (PID: 2728)
- cmd.exe (PID: 2608)
Tries to delete the host file
- ComIntRep.exe (PID: 3936)
Writes to the hosts file
- ComIntRep.exe (PID: 3936)
Changes settings of System certificates
- ComIntRep.exe (PID: 3936)
- WuSetupV.exe (PID: 3232)
SUSPICIOUS
Executable content was dropped or overwritten
- ComIntRep_4118_Setup.exe (PID: 2160)
- ComIntRep_4118_Setup.exe (PID: 3448)
- WinRAR.exe (PID: 3636)
- ComIntRep_4118_Setup.tmp (PID: 1476)
Reads Windows owner or organization settings
- ComIntRep_4118_Setup.tmp (PID: 1476)
Reads the Windows organization settings
- ComIntRep_4118_Setup.tmp (PID: 1476)
Creates files in the user directory
- ComIntRep_4118_Setup.tmp (PID: 1476)
- ComIntRep.exe (PID: 3936)
- ComIntRep.exe (PID: 3276)
Reads Internet Cache Settings
- ComIntRep.exe (PID: 3936)
- ComIntRep.exe (PID: 3276)
Uses IPCONFIG.EXE to discover IP address
- cmd.exe (PID: 3012)
- cmd.exe (PID: 2336)
- cmd.exe (PID: 3524)
- cmd.exe (PID: 2304)
- cmd.exe (PID: 1784)
- cmd.exe (PID: 2732)
- cmd.exe (PID: 2344)
- cmd.exe (PID: 3160)
Uses NETSH.EXE for network configuration
- cmd.exe (PID: 3628)
- cmd.exe (PID: 3732)
- cmd.exe (PID: 1888)
- cmd.exe (PID: 2928)
- cmd.exe (PID: 4084)
- cmd.exe (PID: 2192)
- cmd.exe (PID: 1636)
- cmd.exe (PID: 2884)
- cmd.exe (PID: 2748)
- cmd.exe (PID: 3244)
- cmd.exe (PID: 2644)
- cmd.exe (PID: 3684)
- cmd.exe (PID: 2556)
- cmd.exe (PID: 3152)
Starts CMD.EXE for commands execution
- ComIntRep.exe (PID: 3936)
- ComIntRep.exe (PID: 3276)
Creates COM task schedule object
- regsvr32.exe (PID: 2852)
- regsvr32.exe (PID: 2452)
- regsvr32.exe (PID: 2796)
- regsvr32.exe (PID: 2720)
- regsvr32.exe (PID: 3684)
- regsvr32.exe (PID: 1896)
- regsvr32.exe (PID: 1396)
- regsvr32.exe (PID: 3724)
- regsvr32.exe (PID: 3764)
- regsvr32.exe (PID: 864)
- regsvr32.exe (PID: 788)
- regsvr32.exe (PID: 4056)
- regsvr32.exe (PID: 2576)
- regsvr32.exe (PID: 2280)
- regsvr32.exe (PID: 1724)
- regsvr32.exe (PID: 3056)
- regsvr32.exe (PID: 1012)
- regsvr32.exe (PID: 3116)
- regsvr32.exe (PID: 3704)
- regsvr32.exe (PID: 2912)
- regsvr32.exe (PID: 3520)
Modifies the open verb of a shell class
- regsvr32.exe (PID: 2172)
- regsvr32.exe (PID: 2208)
- regsvr32.exe (PID: 2452)
- regsvr32.exe (PID: 3628)
- regsvr32.exe (PID: 3812)
Starts SC.EXE for service management
- cmd.exe (PID: 3432)
- cmd.exe (PID: 2696)
- cmd.exe (PID: 2652)
- cmd.exe (PID: 2896)
- cmd.exe (PID: 3344)
- cmd.exe (PID: 3356)
- cmd.exe (PID: 2244)
Removes files from Windows directory
- ComIntRep.exe (PID: 3936)
Creates or modifies windows services
- ComIntRep.exe (PID: 3936)
- ComIntRep.exe (PID: 3276)
Creates files in the Windows directory
- ComIntRep.exe (PID: 3936)
- regsvr32.exe (PID: 2456)
Creates files in the driver directory
- ComIntRep.exe (PID: 3936)
Adds / modifies Windows certificates
- ComIntRep.exe (PID: 3936)
Executed as Windows Service
- vssvc.exe (PID: 3460)
INFO
Application was dropped or rewritten from another process
- ComIntRep_4118_Setup.tmp (PID: 1476)
- ComIntRep_4118_Setup.tmp (PID: 3264)
Manual execution by user
- ComIntRep_4118_Setup.exe (PID: 2160)
- ComIntRep.exe (PID: 3936)
- ComIntRep.exe (PID: 684)
- ComIntRep.exe (PID: 1796)
- ComIntRep.exe (PID: 3276)
Creates a software uninstall entry
- ComIntRep_4118_Setup.tmp (PID: 1476)
Creates files in the program directory
- ComIntRep_4118_Setup.tmp (PID: 1476)
Reads settings of System Certificates
- ComIntRep.exe (PID: 3936)
Reads the hosts file
- ComIntRep.exe (PID: 3936)
Low-level read access rights to disk partition
- vssvc.exe (PID: 3460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v-4.x) (58.3) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (41.6) |
EXIF
ZIP
| CompressedSize: | 1163735 |
|---|---|
| UncompressedSize: | 2129968 |
| OperatingSystem: | Win32 |
| ModifyDate: | 2020:05:27 14:32:09 |
| PackingMethod: | Normal |
| ArchivedFileName: | Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Portable\ComIntRep.exe |
Total processes
578
Monitored processes
474
Malicious processes
10
Suspicious processes
5
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3636 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Complete.Internet.Repair.5.2.3.4118.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
| 2160 | "C:\Users\admin\Desktop\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Setup.exe" | C:\Users\admin\Desktop\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Setup.exe | explorer.exe | |
User: admin Company: Rizonesoft Integrity Level: MEDIUM Description: Complete Internet Repair Setup Exit code: 0 Version: | ||||
| 3264 | "C:\Users\admin\AppData\Local\Temp\is-0LPJU.tmp\ComIntRep_4118_Setup.tmp" /SL5="$101D6,2700781,780288,C:\Users\admin\Desktop\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Setup.exe" | C:\Users\admin\AppData\Local\Temp\is-0LPJU.tmp\ComIntRep_4118_Setup.tmp | — | ComIntRep_4118_Setup.exe |
User: admin Company: Rizonesoft Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 | ||||
| 3448 | "C:\Users\admin\Desktop\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Setup.exe" /SPAWNWND=$101E6 /NOTIFYWND=$101D6 | C:\Users\admin\Desktop\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Setup.exe | ComIntRep_4118_Setup.tmp | |
User: admin Company: Rizonesoft Integrity Level: HIGH Description: Complete Internet Repair Setup Exit code: 0 Version: | ||||
| 1476 | "C:\Users\admin\AppData\Local\Temp\is-9MVU6.tmp\ComIntRep_4118_Setup.tmp" /SL5="$201EA,2700781,780288,C:\Users\admin\Desktop\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Setup.exe" /SPAWNWND=$101E6 /NOTIFYWND=$101D6 | C:\Users\admin\AppData\Local\Temp\is-9MVU6.tmp\ComIntRep_4118_Setup.tmp | ComIntRep_4118_Setup.exe | |
User: admin Company: Rizonesoft Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 | ||||
| 684 | "C:\Program Files\Rizonesoft\Complete Internet Repair\ComIntRep.exe" | C:\Program Files\Rizonesoft\Complete Internet Repair\ComIntRep.exe | — | explorer.exe |
User: admin Company: Rizonesoft Integrity Level: MEDIUM Description: Complete Internet Repair Exit code: 3221226540 Version: 5.2.3.4118 | ||||
| 3936 | "C:\Program Files\Rizonesoft\Complete Internet Repair\ComIntRep.exe" | C:\Program Files\Rizonesoft\Complete Internet Repair\ComIntRep.exe | explorer.exe | |
User: admin Company: Rizonesoft Integrity Level: HIGH Description: Complete Internet Repair Exit code: 0 Version: 5.2.3.4118 | ||||
| 3732 | C:\Windows\system32\cmd.exe /c netsh interface ipv4 reset all | C:\Windows\system32\cmd.exe | — | ComIntRep.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 1152 | netsh interface ipv4 reset all | C:\Windows\system32\netsh.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 4084 | C:\Windows\system32\cmd.exe /c netsh interface ipv6 reset all | C:\Windows\system32\cmd.exe | — | ComIntRep.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
Total events
18 728
Read events
1 898
Write events
0
Delete events
0
Modification events
Executable files
8
Suspicious files
4
Text files
783
Unknown types
17
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3636 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3636.35599\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Portable\Language\ComIntRep\ar.ini | text | |
MD5:2F5532074B50A8F52A370A25A23E57A2 | SHA256:CA965D5CA8CA58ED2FC46B6757D53E10B0D5E339EA85BA84546E7900FC5F1811 | |||
| 3636 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3636.35599\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Portable\Docs\Readme.txt | text | |
MD5:DEB3B27ABF446F710DC4DE991BC43590 | SHA256:F236D25AEE5DB8A40DCBF18F61AE483CF6EB6EDE654D1F7F71D8863ADEBAA3EF | |||
| 3636 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3636.35599\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Portable\ComIntRep.ini | text | |
MD5:57AA793C2D183162FDAF566880418850 | SHA256:26F95EBF450E957328B80CA912C9BAA1A53C5A40949EB03E9DF05CB4D7B11F47 | |||
| 3636 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3636.35599\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Portable\Language\ComIntRep\fr.ini | text | |
MD5:7AE482A3E7A8A2FECA155537C87DC4B4 | SHA256:1C5FAC36B04BF67CEE52160101D0E791A1B8D70ACBC8A93FAA42C6DA80F539FC | |||
| 3636 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3636.35599\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Portable\Language\ComIntRep\es.ini | text | |
MD5:88584E1B1E6418D68B9880809ECC3B3C | SHA256:8D2EA56EB19C552600A706FA7A53A37E4E40F0A686B59F585B725C2B8550DFF5 | |||
| 3636 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3636.35599\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Portable\Language\ComIntRep\en.ini | text | |
MD5:B74A87F59FC943AEA5A3E2AFAE131722 | SHA256:A5717E3BFBAEE175FF4F9E146A524A2ADE14AE34D958E504356A7B7F163502D5 | |||
| 3636 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3636.35599\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Portable\Language\ComIntRep\pt-BR.ini | text | |
MD5:5B3D1F76385C03D830D134E53F66CDBF | SHA256:831E9EAE637F1EBFA167A9A8C3A2F306642B5D33DCA338919E61525B06109758 | |||
| 3636 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3636.35599\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Portable\Language\ComIntRep\hu.ini | text | |
MD5:195FF9E014266B784BE50101F76E6CE1 | SHA256:4F5E18E2044A4F0DA7FBC11C394E643FE30EE814E53E4545437C97AEF396DF89 | |||
| 3636 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3636.35599\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Portable\Language\ComIntRep\zh-CN.ini | text | |
MD5:D659B17C4F4C5652D7DEC783C4C61F49 | SHA256:DF5FACC71CD7A4B5B1B05E4EB698F4B92F789AE82D1DB3EAB909C35DB563CC04 | |||
| 3636 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3636.35599\Complete.Internet.Repair.5.2.3.4118.KaranPC\ComIntRep_4118_Portable\Language\ComIntRep\el.ini | text | |
MD5:0AD4BC5E5F116D38AF513B3C70B5C42F | SHA256:CE8EB7B07C014B1247EC9DB9B717393B9433C0DB2F455D2280DDFBE8E34BD9E3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
7
DNS requests
7
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | HEAD | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x86/Win7SP1/wsus3setup.cab?2005300155 | US | — | — | whitelisted |
— | — | HEAD | 200 | 205.185.216.42:80 | http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?2005300155 | US | — | — | whitelisted |
— | — | GET | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x86/Win7SP1/WuSetupHandler.cab?2005300155 | US | compressed | 61.9 Kb | whitelisted |
3936 | ComIntRep.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCEQDzZE5rbgBQI34JRr174fUd | US | der | 315 b | whitelisted |
— | — | GET | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x86/Win7SP1/wsus3setup.cab?2005300155 | US | compressed | 32.9 Kb | whitelisted |
3936 | ComIntRep.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D | US | der | 471 b | whitelisted |
— | — | HEAD | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x86/Win7SP1/WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~x86~~7.6.7600.320.cab?2005300155 | US | compressed | 61.9 Kb | whitelisted |
— | — | HEAD | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x86/Win7SP1/WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~x86~~7.6.7600.320.cab?2005300155 | US | compressed | 116 Kb | whitelisted |
— | — | GET | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x86/Win7SP1/WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~x86~~7.6.7600.320.cab?2005300155 | US | compressed | 2.21 Mb | whitelisted |
— | — | GET | 200 | 13.107.4.50:80 | http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x86/Win7SP1/WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~x86~~7.6.7600.320.cab?2005300155 | US | compressed | 458 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3936 | ComIntRep.exe | 151.139.128.11:443 | www.rizonesoft.com | Highwinds Network Group, Inc. | US | malicious |
3276 | ComIntRep.exe | 151.139.128.11:443 | www.rizonesoft.com | Highwinds Network Group, Inc. | US | malicious |
3936 | ComIntRep.exe | 151.139.128.14:80 | ocsp.comodoca.com | Highwinds Network Group, Inc. | US | suspicious |
— | — | 40.90.247.210:443 | www.update.microsoft.com | Microsoft Corporation | US | malicious |
— | — | 13.107.4.50:80 | ds.download.windowsupdate.com | Microsoft Corporation | US | whitelisted |
— | — | 205.185.216.42:80 | download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.rizonesoft.com |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
download.windowsupdate.com |
| whitelisted |
www.update.microsoft.com |
| whitelisted |
ds.download.windowsupdate.com |
| whitelisted |