analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | a7994f9aa26ba3ea2efb963904671f7fe448df042b3341ec3502cbc7c5e67ed77ea0888b |
| Full analysis: | https://app.any.run/tasks/61486891-37b6-41e0-adf3-e5a114ddfa40 |
| Verdict: | Malicious activity |
| Analysis date: | September 30, 2020, 10:59:29 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | A7994F9AA26BA3EA2EFB963904671F7F |
| SHA1: | E448DF042B3341EC3502CBC7C5E67ED77EA0888B |
| SHA256: | 0F01F469DC49ACE8969FA49E0B4E32FC55E0A359AAB3F360112967BEBF1A6D93 |
| SSDEEP: | 12288:EnlkG1Lfgk6i4SDa2SsvJf+f25YQbEC5j/dbbLyE5:EnlkGpVa2X1EU95bdbSE5 |
MALICIOUS
Application was dropped or rewritten from another process
- 我司已汇$23856 (Our remitted $ 23856).exe (PID: 3776)
- 我司已汇$23856 (Our remitted $ 23856).exe (PID: 2768)
- 我司已汇$23856 (Our remitted $ 23856).exe (PID: 2436)
Uses Task Scheduler to run other applications
- 我司已汇$23856 (Our remitted $ 23856).exe (PID: 3776)
- 我司已汇$23856 (Our remitted $ 23856).exe (PID: 2768)
- 我司已汇$23856 (Our remitted $ 23856).exe (PID: 2436)
Loads the Task Scheduler COM API
- schtasks.exe (PID: 1244)
- schtasks.exe (PID: 3228)
- schtasks.exe (PID: 1928)
SUSPICIOUS
Executable content was dropped or overwritten
- WinRAR.exe (PID: 2496)
- 我司已汇$23856 (Our remitted $ 23856).exe (PID: 3776)
Creates files in the user directory
- 我司已汇$23856 (Our remitted $ 23856).exe (PID: 3776)
INFO
Manual execution by user
- 我司已汇$23856 (Our remitted $ 23856).exe (PID: 2436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
47
Monitored processes
10
Malicious processes
1
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2496 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\a7994f9aa26ba3ea2efb963904671f7fe448df042b3341ec3502cbc7c5e67ed77ea0888b.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
| 3776 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2496.43506\我司已汇$23856 (Our remitted $ 23856).exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2496.43506\我司已汇$23856 (Our remitted $ 23856).exe | WinRAR.exe | |
User: admin Company: C.S.D Team Integrity Level: MEDIUM Description: Folder Protector Exit code: 3762507597 Version: 18.3.0.3 | ||||
| 2768 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2496.43840\我司已汇$23856 (Our remitted $ 23856).exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2496.43840\我司已汇$23856 (Our remitted $ 23856).exe | WinRAR.exe | |
User: admin Company: C.S.D Team Integrity Level: MEDIUM Description: Folder Protector Exit code: 3762507597 Version: 18.3.0.3 | ||||
| 2436 | "C:\Users\admin\Desktop\我司已汇$23856 (Our remitted $ 23856).exe" | C:\Users\admin\Desktop\我司已汇$23856 (Our remitted $ 23856).exe | explorer.exe | |
User: admin Company: C.S.D Team Integrity Level: MEDIUM Description: Folder Protector Version: 18.3.0.3 | ||||
| 3228 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UfqJVSjbq" /XML "C:\Users\admin\AppData\Local\Temp\tmpD965.tmp" | C:\Windows\System32\schtasks.exe | — | 我司已汇$23856 (Our remitted $ 23856).exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2140 | dw20.exe -x -s 860 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | — | 我司已汇$23856 (Our remitted $ 23856).exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Error Reporting Shim Exit code: 0 Version: 2.0.50727.4927 (NetFXspW7.050727-4900) | ||||
| 1244 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UfqJVSjbq" /XML "C:\Users\admin\AppData\Local\Temp\tmpE309.tmp" | C:\Windows\System32\schtasks.exe | — | 我司已汇$23856 (Our remitted $ 23856).exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2928 | dw20.exe -x -s 856 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | — | 我司已汇$23856 (Our remitted $ 23856).exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Error Reporting Shim Exit code: 0 Version: 2.0.50727.4927 (NetFXspW7.050727-4900) | ||||
| 1928 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UfqJVSjbq" /XML "C:\Users\admin\AppData\Local\Temp\tmp629A.tmp" | C:\Windows\System32\schtasks.exe | — | 我司已汇$23856 (Our remitted $ 23856).exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2304 | dw20.exe -x -s 856 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | — | 我司已汇$23856 (Our remitted $ 23856).exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Error Reporting Shim Version: 2.0.50727.4927 (NetFXspW7.050727-4900) | ||||
Total events
700
Read events
663
Write events
0
Delete events
0
Modification events
Executable files
4
Suspicious files
2
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3776 | 我司已汇$23856 (Our remitted $ 23856).exe | C:\Users\admin\AppData\Local\Temp\tmpD965.tmp | — | |
MD5:— | SHA256:— | |||
| 2768 | 我司已汇$23856 (Our remitted $ 23856).exe | C:\Users\admin\AppData\Local\Temp\tmpE309.tmp | — | |
MD5:— | SHA256:— | |||
| 2436 | 我司已汇$23856 (Our remitted $ 23856).exe | C:\Users\admin\AppData\Local\Temp\tmp629A.tmp | xml | |
MD5:63B699549964D0FB1B258117E66EEBE7 | SHA256:6BE24CF0434279D8424EE3977A04E8E96E30AB5CC62E00F396FD622F228BBD03 | |||
| 2928 | dw20.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_LXWYYB2L4QXOP4KY_3ca99b877b602331fdc5fd9646ca1ce96b8bd261_0b6c3e29\Report.wer | binary | |
MD5:390FCBA1879292420EC70806519CA096 | SHA256:B09A19D73B7B9E094958020DD21C6126BD3162F3370F4B323F92EBD5B62BE942 | |||
| 2496 | WinRAR.exe | C:\Users\admin\Desktop\我司已汇$23856 (Our remitted $ 23856).exe | executable | |
MD5:FB8A81FAE852CC6B612279CB7B032EBC | SHA256:8715C56FFA7A44E7E01E022FBBE65A09CF11B18DE43910DFB731DB3E019E60E6 | |||
| 3776 | 我司已汇$23856 (Our remitted $ 23856).exe | C:\Users\admin\AppData\Roaming\UfqJVSjbq.exe | executable | |
MD5:FB8A81FAE852CC6B612279CB7B032EBC | SHA256:8715C56FFA7A44E7E01E022FBBE65A09CF11B18DE43910DFB731DB3E019E60E6 | |||
| 2140 | dw20.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_LXWYYB2L4QXOP4KY_3ca99b877b602331fdc5fd9646ca1ce96b8bd261_0840523e\Report.wer | binary | |
MD5:5D832C416E6D5903BBAE440A522B7B59 | SHA256:C2099459909AE2954C3F4BC3888B622F1FF69BED185209F6E22A9ADC8A0DCDF3 | |||
| 2496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2496.43506\我司已汇$23856 (Our remitted $ 23856).exe | executable | |
MD5:FB8A81FAE852CC6B612279CB7B032EBC | SHA256:8715C56FFA7A44E7E01E022FBBE65A09CF11B18DE43910DFB731DB3E019E60E6 | |||
| 2496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2496.43840\我司已汇$23856 (Our remitted $ 23856).exe | executable | |
MD5:FB8A81FAE852CC6B612279CB7B032EBC | SHA256:8715C56FFA7A44E7E01E022FBBE65A09CF11B18DE43910DFB731DB3E019E60E6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report