Field | Value
---|---
File name | setup.cab
Full analysis | https://app.any.run/tasks/ecf0621b-cee5-49f3-9a3c-5ee62c381419
Verdict | Malicious activity
Analysis date | September 30, 2020, 03:52:06
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | application/vnd.ms-cab-compressed
File info | Microsoft Cabinet archive data, 178905 bytes, 5 files
MD5 | 8B6962B35209039276B3088830463DF9
SHA1 | DF44D9E288E6899D6D8EE270CB77DB2147D8808E
SHA256 | 114C58BEEE239BDFA9166AF50397AEE81505BCA9596F05EE74E239F8E6132E4B
SSDEEP | 3072:0ECTCJk6ab+xCyIMjuoRTvGsu/bVDQHh1DvN/k6H94t6movN+h+JrCI9hxsQZY2z:mCo+xCI9RTvVu6lQaQhar2QZYgb

Extension | Detected type
---|---
.cab | Microsoft Cabinet Archive (100)
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2180 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\setup.cab" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
2876 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft Windows Search Protocol Host; Exit code: 0; Version: 7.00.7600.16385 (win7_rtm.090713-1255)
352 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2572 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\NTWDBLIB.dll | C:\Windows\system32\rundll32.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1236 | "C:\Windows\system32\calc.exe" | C:\Windows\system32\calc.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Calculator; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1876 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3392 | rundll32 NTWDBLIB.dll | C:\Windows\system32\rundll32.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3276 | cmd /c ""C:\Users\admin\Desktop\install2.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3716 | sc stop COMSysApp | C:\Windows\system32\sc.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: A tool to aid in developing services for WindowsNT; Exit code: 5; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3960 | sc config COMSysApp type= own start= auto error= normal binpath= "C:\Windows\System32\svchost.exe -k COMSysApp" | C:\Windows\system32\sc.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: A tool to aid in developing services for WindowsNT; Exit code: 5; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
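The two sc.exe commands are the part of this run worth a detection. install2.bat stops the COM+ System Application service (COMSysApp) and reconfigures it to auto-start from `svchost.exe -k COMSysApp`; a service hosted that way has svchost.exe load whatever DLL is registered as its ServiceDll, and the `[ServiceMain]` string that rundll32 prints in the debug output below suggests the dropped DLL carries a service entry point for exactly that. Both sc.exe processes exited with code 5 (ERROR_ACCESS_DENIED): they ran at medium integrity, so the reconfiguration did not take effect in this sandbox. The Python below is an added example and is not part of the ANY.RUN report; it runs three checks over process-creation events constructed from the table above (the `ProcEvent` field layout and the small bare-name allowlist are assumptions, loosely modelled on Sysmon Event ID 1): rundll32 loading a DLL by bare name or from a user-writable directory, `sc config` re-pointing a service at a svchost group, and a stop-then-reconfigure of the same service from the same parent. The shell's `OpenAs_RunDLL` invocation (PID 2572) is deliberately not flagged, since the DLL rundll32 loads there is shell32.dll.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ERROR_ACCESS_DENIED = 5  # exit code sc.exe returns when the SCM refuses the request


@dataclass
class ProcEvent:
    pid: int
    cmdline: str
    parent: str
    integrity: str
    exit_code: Optional[int] = None


# Constructed from the process table of this report (not raw sandbox output);
# the field layout is an assumption, loosely modelled on Sysmon Event ID 1.
EVENTS = [
    ProcEvent(2180, r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\setup.cab"', "explorer.exe", "MEDIUM"),
    ProcEvent(2572, r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\NTWDBLIB.dll', "explorer.exe", "MEDIUM", 0),
    ProcEvent(1236, r'"C:\Windows\system32\calc.exe"', "explorer.exe", "MEDIUM", 0),
    ProcEvent(3392, "rundll32 NTWDBLIB.dll", "cmd.exe", "MEDIUM", 0),
    ProcEvent(3276, r'cmd /c ""C:\Users\admin\Desktop\install2.bat" "', "explorer.exe", "MEDIUM", 0),
    ProcEvent(3716, "sc stop COMSysApp", "cmd.exe", "MEDIUM", 5),
    ProcEvent(3960, r'sc config COMSysApp type= own start= auto error= normal binpath= "C:\Windows\System32\svchost.exe -k COMSysApp"', "cmd.exe", "MEDIUM", 5),
]

_USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(desktop|downloads|appdata\\local\\temp)\\", re.I)
_RUNDLL32 = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+(?P<dll>"[^"]+"|\S+)', re.I)
_SC = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?sc(?:\.exe)?"?\s+(?P<verb>stop|config)\s+(?P<svc>\S+)\s*(?P<rest>.*)$', re.I)
_SVCHOST_GROUP = re.compile(r'binpath=\s*"?[^"]*?svchost\.exe\s+-k\s+(\S+?)"?(?:\s|$)', re.I)
# Bare DLL names the shell routinely hands rundll32; extend per environment (assumption).
_BENIGN_BARE_DLLS = {"shell32.dll", "user32.dll"}


def rundll32_dll(cmdline: str) -> Optional[str]:
    """DLL that rundll32 will load (first argument, ',Export' suffix removed), else None."""
    m = _RUNDLL32.match(cmdline.strip())
    if not m:
        return None
    return m.group("dll").strip('"').split(",", 1)[0]


def is_untrusted_dll(dll: str) -> bool:
    """A bare name is resolved through the DLL search order, starting in the
    process's working directory; a user-writable directory is attacker-owned."""
    name = dll.rsplit("\\", 1)[-1].lower()
    if "\\" not in dll:
        return name not in _BENIGN_BARE_DLLS
    return bool(_USER_WRITABLE.search(dll))


def parse_sc(cmdline: str) -> Optional[Tuple[str, str, str]]:
    """(verb, service, remaining args) for 'sc stop' / 'sc config', else None."""
    m = _SC.match(cmdline.strip())
    return (m.group("verb").lower(), m.group("svc"), m.group("rest")) if m else None


def svchost_group(sc_args: str) -> Optional[str]:
    """Group name if binpath= re-points the service at 'svchost.exe -k <group>'."""
    m = _SVCHOST_GROUP.search(sc_args)
    return m.group(1) if m else None


def analyze(events: List[ProcEvent]) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    sc_seen: Dict[Tuple[str, str], Dict[str, ProcEvent]] = {}
    for ev in events:
        dll = rundll32_dll(ev.cmdline)
        if dll is not None and is_untrusted_dll(dll):
            findings.append({"pid": ev.pid, "rule": "rundll32_untrusted_dll", "detail": dll})
        sc = parse_sc(ev.cmdline)
        if sc is None:
            continue
        verb, svc, rest = sc
        sc_seen.setdefault((ev.parent.lower(), svc.lower()), {})[verb] = ev
        group = svchost_group(rest) if verb == "config" else None
        if group:
            detail = f"{svc} re-pointed to svchost.exe -k {group}"
            if ev.exit_code == ERROR_ACCESS_DENIED:
                detail += f"; access denied at integrity {ev.integrity}, change not applied"
            findings.append({"pid": ev.pid, "rule": "sc_config_svchost_group", "detail": detail})
    # A stop followed by a reconfigure of the same service from the same parent is
    # the hijack sequence install2.bat runs, whether or not the SCM accepted it.
    for (parent, svc), by_verb in sc_seen.items():
        if "stop" in by_verb and "config" in by_verb:
            findings.append({"pid": by_verb["config"].pid, "rule": "service_stop_then_reconfig",
                             "detail": f"{svc} stopped and reconfigured from {parent}"})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"PID {f['pid']:>5}  {f['rule']:<28} {f['detail']}")
```

Run stand-alone it prints one line per finding: PID 3392 for the bare-name rundll32 load, and PID 3960 twice, once for the svchost group re-point (annotated with the access-denied exit code) and once for the stop-then-reconfigure pair. The bare-name rundll32 rule is noisy in environments where shell verbs routinely invoke system DLLs by name, which is why the allowlist exists; the exit-code annotation matters in triage because an `sc config` that returned 5 changed nothing, whereas the same command from an elevated cmd.exe would have.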
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2180 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2180.28700\install1.bat | — | — | —
2180 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2180.28700\install2.bat | — | — | —
2180 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2180.28700\ipnet.dll | — | — | —
2180 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2180.28700\ipnet.ini | — | — | —
2180 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2180.28700\NTWDBLIB.dll | — | — | —
352 | explorer.exe | C:\Users\admin\Desktop\install1.bat | text | FBC2E00DD4ACD426C67B01236437928A | 2C958CD3838FCAE410785ACB0ACF5A542D281524B7820D719BB22AD7D9FCDC7C
352 | explorer.exe | C:\Users\admin\Desktop\ipnet.ini | text | F51786A22AFD16CBBC3FE642431DC6D0 | 1C00D54DD215D614E8C9CE41433BD88FCF8374757FA995D2D88AA9048020B290
352 | explorer.exe | C:\Users\admin\Desktop\install2.bat | text | AE67E59F1162677996B6F572C5B1A093 | E4226645BAD95F20DF55EF32193D72C9DAFCF060C3360FD4E50B5C08A986A353
352 | explorer.exe | C:\Users\admin\Desktop\ipnet.dll | executable | 3EB415F905E896EF1D43D8AAC74D0039 | 670002BCEAF387608A27827A95854B0A33ECAD5C83255F03B98BFE18FE5E9768
352 | explorer.exe | C:\Users\admin\Desktop\NTWDBLIB.dll | executable | E69500F133B4F02D7EAD478AF8E7E29D | 909D70F6D91957B20A8ED09BCD881FB1416D23B63083C03840EDC8C80D256A15
Process | Message |
---|---|
rundll32.exe | [DLL_PROCESS_ATTACH] |
rundll32.exe | [ServiceMain] |
rundll32.exe | [sub_10001000] |
rundll32.exe | [sub_100024D4] |
rundll32.exe | C:\Windows\system32\ipnet.ini |
rundll32.exe | [ThreadFunc] |
rundll32.exe | USER-PC |
rundll32.exe | [GetFTPAccountInfo_10001712] |
rundll32.exe | C:\Windows\system32\ipnet.ini |
rundll32.exe | 111 |