analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Minecraft_TeamExtreme_1.12.2.rar

Full analysis: https://app.any.run/tasks/18fa7a4c-0555-49fa-aa13-edeec1c9f471
Verdict: Malicious activity
Analysis date: October 20, 2020, 08:38:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

41F7B389B6546F743E7C20CC6620DD1E

SHA1:

3C47C73FDA7F895C47F0AA8203B00E13BB6B75AB

SHA256:

0803CCE1CC4C7DB24E30C546116FAC4F7218BCA2EE5FF1141EAC81290C3906EA

SSDEEP:

98304:WY/ANpM/oc5Tf5NNPzWVgqgL/c85olfDoiVh:WYIYAc5Tfb1WVgqM08mFoa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Minecraft.exe (PID: 2224)
      • Minecraft.exe (PID: 2700)
      • app.exe (PID: 3860)
      • windowsvc.exe (PID: 4020)

    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 3168)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2624)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3768)
      • Minecraft.exe (PID: 2700)
      • cmd.exe (PID: 2244)
      • windowsvc.exe (PID: 4020)

    • Executes scripts

      • Minecraft.exe (PID: 2700)
      • cmd.exe (PID: 2244)
      • windowsvc.exe (PID: 4020)

    • Executes JAVA applets

      • app.exe (PID: 3860)

    • Creates files in the user directory

      • cmd.exe (PID: 2244)
      • javaw.exe (PID: 2328)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2292)
      • WScript.exe (PID: 3244)

  • INFO

    • Manual execution by user

      • Minecraft.exe (PID: 2700)
      • Minecraft.exe (PID: 2224)
      • taskmgr.exe (PID: 3572)
      • verclsid.exe (PID: 2804)
      • windowsvc.exe (PID: 4020)
      • chrome.exe (PID: 2564)

    • Reads the hosts file

      • chrome.exe (PID: 2564)
      • chrome.exe (PID: 3592)

    • Application launched itself

      • chrome.exe (PID: 2564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
89
Monitored processes
44
Malicious processes
1
Suspicious processes
4

Behavior graph

Click at the process to see the details
start winrar.exe minecraft.exe no specs minecraft.exe wscript.exe no specs app.exe no specs cmd.exe javaw.exe wscript.exe no specs cmd.exe schtasks.exe no specs taskmgr.exe no specs verclsid.exe no specs windowsvc.exe wscript.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3768"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Minecraft_TeamExtreme_1.12.2.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2224"C:\Users\admin\Desktop\Minecraft.exe" C:\Users\admin\Desktop\Minecraft.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
2700"C:\Users\admin\Desktop\Minecraft.exe" C:\Users\admin\Desktop\Minecraft.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2292"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\RarSFX0\run.vbs" C:\Windows\System32\WScript.exeMinecraft.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3860"C:\Users\admin\AppData\Local\Temp\RarSFX0\app.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\app.exeWScript.exe
User:
admin
Company:
TeamExtreme
Integrity Level:
HIGH
Description:
1.8.1 Minecraft Launcher
Exit code:
0
Version:
3.5.1
2244cmd /c ""C:\Users\admin\AppData\Local\Temp\RarSFX0\sch.bat" "C:\Windows\System32\cmd.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2328"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -Xms256m -Xmx512m -jar "C:\Users\admin\AppData\Local\Temp\RarSFX0\app.exe"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
app.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
HIGH
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
3244"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\getadmin.vbs" C:\Windows\System32\WScript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3168"C:\Windows\System32\cmd.exe" /C "C:\Users\admin\AppData\Local\Temp\RarSFX0\sch.bat" payload C:\Users\admin\AppData\Local\Temp\RarSFX0\ C:\Windows\System32\cmd.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2624C:\Windows\system32\schtasks.exe /F /Create /TN "Microsoft x64 Framework Visual C++" /SC ONLOGON /TR C:\Users\admin\AppData\Roaming\Microsoft\Windows\Release\WindowsController.exe /RL HIGHESTC:\Windows\system32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
3 231
Read events
3 087
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
66
Text files
106
Unknown types
7

Dropped files

PID
Process
Filename
Type
2328javaw.exeC:\Users\admin\AppData\Local\Temp\imageio1105602099691704918.tmp
MD5:
SHA256:
2328javaw.exeC:\Users\admin\AppData\Local\Temp\imageio6711793204984012761.tmp
MD5:
SHA256:
2328javaw.exeC:\Users\admin\AppData\Local\Temp\imageio2840065571031111589.tmp
MD5:
SHA256:
2328javaw.exeC:\Users\admin\AppData\Local\Temp\imageio4507240911262294794.tmp
MD5:
SHA256:
2328javaw.exeC:\Users\admin\AppData\Local\Temp\imageio239763250966024734.tmp
MD5:
SHA256:
2328javaw.exeC:\Users\admin\AppData\Local\Temp\imageio864298219010677600.tmp
MD5:
SHA256:
2328javaw.exeC:\Users\admin\AppData\Local\Temp\imageio6088074444757520115.tmp
MD5:
SHA256:
2700Minecraft.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\run.vbstext
MD5:9CDB5D9BAC91239F88365326D894051E
SHA256:3EEEE4D3C424F7708A3A2C77EE573844D2EC87A7866BC5F91E9944F23836B304
2244cmd.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Release\windowsvc.exeexecutable
MD5:64CF2216A40BCD65AA58E4E69A2B313C
SHA256:F8377A71DE6DFADD63425D850F7860DAFE4FE3A869D05F5855D3DFDBD7FC2C1F
4020windowsvc.exeC:\Users\admin\AppData\Local\Temp\RarSFX1\xmrig-asm.libobj
MD5:614911F9DBC4D9176832067BD227FF12
SHA256:FD192D1E1E2700108FAEDB1ABADD357B312C034FD1CC196B93185840FAF26F8C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
74
DNS requests
43
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2328
javaw.exe
GET
404
198.54.115.64:80
http://teamextrememc.com/failsafe/launcherversion.txt
US
html
315 b
malicious
3592
chrome.exe
GET
302
67.199.248.11:80
http://bit.ly/
US
html
154 b
shared
2328
javaw.exe
GET
200
198.54.115.64:80
http://teamextrememc.com/failsafe/url.txt
US
text
36 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3592
chrome.exe
216.58.210.4:443
www.google.com
Google Inc.
US
whitelisted
216.58.207.42:443
fonts.googleapis.com
Google Inc.
US
whitelisted
2328
javaw.exe
162.125.66.15:443
dl.dropboxusercontent.com
Dropbox, Inc.
DE
malicious
3592
chrome.exe
216.58.205.227:443
www.gstatic.com
Google Inc.
US
whitelisted
3592
chrome.exe
216.58.212.173:443
accounts.google.com
Google Inc.
US
whitelisted
2328
javaw.exe
198.54.115.64:80
teamextrememc.com
Namecheap, Inc.
US
malicious
3592
chrome.exe
172.217.22.3:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2328
javaw.exe
52.216.176.45:443
s3.amazonaws.com
Amazon.com, Inc.
US
unknown
3592
chrome.exe
216.58.206.3:443
fonts.gstatic.com
Google Inc.
US
whitelisted
3592
chrome.exe
172.217.22.110:443
apis.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
dl.dropboxusercontent.com
  • 162.125.66.15
shared
teamextrememc.com
  • 198.54.115.64
malicious
dl.dropbox.com
  • 162.125.66.15
shared
s3.amazonaws.com
  • 52.216.176.45
shared
clientservices.googleapis.com
  • 172.217.22.3
whitelisted
accounts.google.com
  • 216.58.212.173
shared
www.google.com
  • 216.58.210.4
whitelisted
fonts.googleapis.com
  • 216.58.207.42
whitelisted
www.gstatic.com
  • 216.58.205.227
whitelisted
fonts.gstatic.com
  • 216.58.206.3
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Minecraft_TeamExtreme_1.12.2.rar