File name:

优化工具.rar

Full analysis: https://app.any.run/tasks/97376959-ecfa-47a5-98f0-086eda355c06
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: April 14, 2024, 04:40:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
purplefox
backdoor
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

AA0D47B5CC00E17456B1373A6866F1D3

SHA1:

4D562D38A1B8C64C4203D7D8D26853302CB70E66

SHA256:

085D6FF7FCEDCF4DAB56C2B04E1AD0A17A550EC380E53942203AE283F8ECED5E

SSDEEP:

98304:yA2M8EqPdCEsAnl1nLp6ukfR6TqIc7Ny7V82zge0KmmQqpzDZR9ytUbnZJ/mUmAE:Mp/yUkkIUCfITe1j5w55qMBiBL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 4008)
      • 优化工具.exe (PID: 3276)
      • 1.msi (PID: 2336)
      • sg.tmp (PID: 2040)

    • Connects to the CnC server

      • sdiagnhost.exe (PID: 2692)

    • PURPLEFOX has been detected (SURICATA)

      • sdiagnhost.exe (PID: 2692)

  • SUSPICIOUS

    • Reads the BIOS version

      • goopdate.exe (PID: 3964)
      • goopdate.exe (PID: 3516)
      • goopdate.exe (PID: 2904)
      • goopdate.exe (PID: 680)

    • Read startup parameters

      • goopdate.exe (PID: 3964)
      • goopdate.exe (PID: 3516)
      • goopdate.exe (PID: 2904)
      • goopdate.exe (PID: 680)

    • Executable content was dropped or overwritten

      • 优化工具.exe (PID: 3276)
      • 1.msi (PID: 2336)
      • sg.tmp (PID: 2040)

    • The process creates files with name similar to system file names

      • 优化工具.exe (PID: 3276)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 4008)

    • Starts application with an unusual extension

      • 优化工具.exe (PID: 3276)
      • 优化工具.exe (PID: 2432)
      • 优化工具.exe (PID: 3724)
      • 优化工具.exe (PID: 1556)
      • 1.msi (PID: 2336)

    • Connects to unusual port

      • sdiagnhost.exe (PID: 2692)

    • Starts CMD.EXE for commands execution

      • 1.msi (PID: 2336)

    • Creates or modifies Windows services

      • sdiagnhost.exe (PID: 1772)

    • Application launched itself

      • 1.msi (PID: 2336)

  • INFO

    • Checks supported languages

      • 优化工具.exe (PID: 3276)
      • goopdate.exe (PID: 3964)
      • 优化工具.exe (PID: 3724)
      • sdiagnhost.exe (PID: 1740)
      • sdiagnhost.exe (PID: 2692)
      • goopdate.exe (PID: 3516)
      • goopdate.exe (PID: 2904)
      • sdiagnhost.exe (PID: 1112)
      • 优化工具.exe (PID: 1556)
      • 优化工具.exe (PID: 2432)
      • sdiagnhost.exe (PID: 1772)
      • 1.msi (PID: 2336)
      • goopdate.exe (PID: 680)
      • 1.msi (PID: 3976)
      • sg.tmp (PID: 2040)
      • autorun.exe (PID: 1484)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4008)

    • Reads the computer name

      • 优化工具.exe (PID: 3724)
      • 优化工具.exe (PID: 3276)
      • sdiagnhost.exe (PID: 2692)
      • 优化工具.exe (PID: 2432)
      • sdiagnhost.exe (PID: 1112)
      • sdiagnhost.exe (PID: 1740)
      • 1.msi (PID: 2336)
      • sdiagnhost.exe (PID: 1772)
      • 优化工具.exe (PID: 1556)
      • 1.msi (PID: 3976)
      • sg.tmp (PID: 2040)
      • autorun.exe (PID: 1484)

    • Reads the machine GUID from the registry

      • sdiagnhost.exe (PID: 2692)
      • sdiagnhost.exe (PID: 1112)
      • sdiagnhost.exe (PID: 1740)
      • sdiagnhost.exe (PID: 1772)
      • 1.msi (PID: 2336)

    • Reads CPU info

      • sdiagnhost.exe (PID: 2692)

    • Manual execution by a user

      • 优化工具.exe (PID: 3724)
      • 优化工具.exe (PID: 2432)
      • taskmgr.exe (PID: 3068)
      • 优化工具.exe (PID: 1556)

    • Create files in a temporary directory

      • 1.msi (PID: 2336)
      • 1.msi (PID: 3976)
      • sg.tmp (PID: 2040)

    • Process checks whether UAC notifications are on

      • goopdate.exe (PID: 680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
63
Monitored processes
22
Malicious processes
7
Suspicious processes
5

Behavior graph

Click at the process to see the details
start winrar.exe 优化工具.exe goopdate.exe no specs #PURPLEFOX sdiagnhost.exe 1.msi no specs 优化工具.exe no specs goopdate.exe no specs sdiagnhost.exe no specs 1.msi no specs taskmgr.exe no specs 优化工具.exe no specs goopdate.exe no specs sdiagnhost.exe no specs 1.msi no specs 优化工具.exe goopdate.exe no specs sdiagnhost.exe no specs 1.msi cmd.exe no specs 1.msi no specs sg.tmp autorun.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
116C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\\1.msiC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\1.msi优化工具.exe
User:
admin
Company:
Longtion 软件公司。
Integrity Level:
MEDIUM
Description:
AutoRun Pro Enterprise II
Exit code:
3221226540
Version:
6.0.5.155
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\recent\1.msi
c:\windows\system32\ntdll.dll
680C:\PHP5433\goopdate.exeC:\PHP5433\goopdate.exe优化工具.exe
User:
admin
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Installer
Exit code:
3938922
Version:
1.3.36.361
Modules
Images
c:\php5433\goopdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
1112C:\PHP5433\sdiagnhost.exeC:\PHP5433\sdiagnhost.exegoopdate.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\php5433\sdiagnhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winmm.dll
1484"C:\Users\admin\AppData\Local\Temp\~260705556319499373\autorun.exe" C:\Users\admin\AppData\Local\Temp\~260705556319499373\autorun.exe1.msi
User:
admin
Company:
Longtion 软件公司。
Integrity Level:
HIGH
Description:
AutoRun Pro Enterprise II
Version:
6.0.5.155
Modules
Images
c:\users\admin\appdata\local\temp\~260705556319499373\autorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1556"C:\Users\admin\Desktop\优化工具.exe" C:\Users\admin\Desktop\优化工具.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\优化工具.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winmm.dll
1740C:\PHP5433\sdiagnhost.exeC:\PHP5433\sdiagnhost.exegoopdate.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\php5433\sdiagnhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winmm.dll
1772C:\PHP5433\sdiagnhost.exeC:\PHP5433\sdiagnhost.exegoopdate.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\php5433\sdiagnhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winmm.dll
1808C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\\1.msiC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\1.msi优化工具.exe
User:
admin
Company:
Longtion 软件公司。
Integrity Level:
MEDIUM
Description:
AutoRun Pro Enterprise II
Exit code:
3221226540
Version:
6.0.5.155
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\recent\1.msi
c:\windows\system32\ntdll.dll
1816cmd.exe /c setC:\Windows\System32\cmd.exe1.msi
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1976C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\\1.msiC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\1.msi优化工具.exe
User:
admin
Company:
Longtion 软件公司。
Integrity Level:
MEDIUM
Description:
AutoRun Pro Enterprise II
Exit code:
3221226540
Version:
6.0.5.155
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\recent\1.msi
c:\windows\system32\ntdll.dll
Total events
9 672
Read events
9 623
Write events
48
Delete events
1

Modification events

(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(4008) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\优化工具.rar
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4008) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
9
Suspicious files
3
Text files
16
Unknown types
1

Dropped files

PID
Process
Filename
Type
4008WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa4008.48130\优化工具.exeexecutable
MD5:
SHA256:
3276优化工具.exeC:\PHP5433\goopdate.exeexecutable
MD5:
SHA256:
3276优化工具.exeC:\PHP5433\goopdate.dllexecutable
MD5:
SHA256:
3276优化工具.exeC:\PHP5433\sdiagnhost.exeexecutable
MD5:
SHA256:
3276优化工具.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\1.msiexecutable
MD5:
SHA256:
4008WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa4008.49249\优化工具.exeexecutable
MD5:
SHA256:
23361.msiC:\Users\admin\AppData\Local\Temp\~~4770641541084996828.tmpabr
MD5:
SHA256:
39761.msiC:\Users\admin\AppData\Local\Temp\~7555814860460657514.tmpbinary
MD5:
SHA256:
23361.msiC:\Users\admin\AppData\Local\Temp\~7075424272917238929~\sg.tmpexecutable
MD5:
SHA256:
2040sg.tmpC:\Users\admin\AppData\Local\Temp\~260705556319499373\01.jpgimage
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
2

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
unknown
224.0.0.252:5355
unknown
2692
sdiagnhost.exe
45.195.198.207:8000
ffcc1.casacam.net
Shanghai Anchang Network Security Technology Co.,Ltd.
MU
unknown

DNS requests

Domain
IP
Reputation
ffcc1.casacam.net
  • 45.195.198.207
unknown

Threats

PID
Process
Class
Message
1080
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.casacam .net Domain
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
优化工具.rar