analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

setup.cab

Full analysis: https://app.any.run/tasks/ecf0621b-cee5-49f3-9a3c-5ee62c381419
Verdict: Malicious activity
Analysis date: September 30, 2020, 03:52:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-cab-compressed
File info: Microsoft Cabinet archive data, 178905 bytes, 5 files
MD5:

8B6962B35209039276B3088830463DF9

SHA1:

DF44D9E288E6899D6D8EE270CB77DB2147D8808E

SHA256:

114C58BEEE239BDFA9166AF50397AEE81505BCA9596F05EE74E239F8E6132E4B

SSDEEP:

3072:0ECTCJk6ab+xCyIMjuoRTvGsu/bVDQHh1DvN/k6H94t6movN+h+JrCI9hxsQZY2z:mCo+xCI9RTvVu6lQaQhar2QZYgb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 2876)
      • explorer.exe (PID: 352)
      • rundll32.exe (PID: 2864)

    • Runs app for hidden code execution

      • explorer.exe (PID: 352)

  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • explorer.exe (PID: 352)
      • cmd.exe (PID: 1876)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 3276)
      • cmd.exe (PID: 2756)

    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 352)
      • rundll32.exe (PID: 2864)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3276)
      • cmd.exe (PID: 2756)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2608)

    • Reads Internet Cache Settings

      • rundll32.exe (PID: 2864)

  • INFO

    • Manual execution by user

      • calc.exe (PID: 1236)
      • rundll32.exe (PID: 2572)
      • cmd.exe (PID: 1876)
      • cmd.exe (PID: 3276)
      • cmd.exe (PID: 2756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.cab | Microsoft Cabinet Archive (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
61
Monitored processes
24
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe no specs searchprotocolhost.exe no specs explorer.exe no specs rundll32.exe no specs calc.exe no specs cmd.exe no specs rundll32.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs rundll32.exe no specs rundll32.exe cmd.exe no specs taskkill.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2180"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\setup.cab"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2876"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
352C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2572"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\NTWDBLIB.dllC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1236"C:\Windows\system32\calc.exe" C:\Windows\system32\calc.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Calculator
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1876"C:\Windows\system32\cmd.exe" C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3392rundll32 NTWDBLIB.dllC:\Windows\system32\rundll32.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3276cmd /c ""C:\Users\admin\Desktop\install2.bat" "C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3716sc stop COMSysAppC:\Windows\system32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3960sc config COMSysApp type= own start= auto error= normal binpath= "C:\Windows\System32\svchost.exe -k COMSysApp"C:\Windows\system32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 174
Read events
1 661
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
2180WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2180.28700\install1.bat
MD5:
SHA256:
2180WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2180.28700\install2.bat
MD5:
SHA256:
2180WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2180.28700\ipnet.dll
MD5:
SHA256:
2180WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2180.28700\ipnet.ini
MD5:
SHA256:
2180WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2180.28700\NTWDBLIB.dll
MD5:
SHA256:
352explorer.exeC:\Users\admin\Desktop\install1.battext
MD5:FBC2E00DD4ACD426C67B01236437928A
SHA256:2C958CD3838FCAE410785ACB0ACF5A542D281524B7820D719BB22AD7D9FCDC7C
352explorer.exeC:\Users\admin\Desktop\ipnet.initext
MD5:F51786A22AFD16CBBC3FE642431DC6D0
SHA256:1C00D54DD215D614E8C9CE41433BD88FCF8374757FA995D2D88AA9048020B290
352explorer.exeC:\Users\admin\Desktop\install2.battext
MD5:AE67E59F1162677996B6F572C5B1A093
SHA256:E4226645BAD95F20DF55EF32193D72C9DAFCF060C3360FD4E50B5C08A986A353
352explorer.exeC:\Users\admin\Desktop\ipnet.dllexecutable
MD5:3EB415F905E896EF1D43D8AAC74D0039
SHA256:670002BCEAF387608A27827A95854B0A33ECAD5C83255F03B98BFE18FE5E9768
352explorer.exeC:\Users\admin\Desktop\NTWDBLIB.dllexecutable
MD5:E69500F133B4F02D7EAD478AF8E7E29D
SHA256:909D70F6D91957B20A8ED09BCD881FB1416D23B63083C03840EDC8C80D256A15
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
rundll32.exe
[DLL_PROCESS_ATTACH]
rundll32.exe
[ServiceMain]
rundll32.exe
[sub_10001000]
rundll32.exe
[sub_100024D4]
rundll32.exe
C:\Windows\system32\ipnet.ini
rundll32.exe
[ThreadFunc]
rundll32.exe
USER-PC
rundll32.exe
[GetFTPAccountInfo_10001712]
rundll32.exe
C:\Windows\system32\ipnet.ini
rundll32.exe
111
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
setup.cab