| Field | Value |
|---|---|
| File name: | 3.rar |
| Full analysis: | https://app.any.run/tasks/d188293b-8cff-4cb4-bcf4-b6e8a4707d02 |
| Verdict: | Malicious activity |
| Analysis date: | December 02, 2023, 21:06:27 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 3C2D3ACCA0A6F4AA1DBDDB3F9F56672D |
| SHA1: | 78D668626AE46490976AA9A806C6FF13E8AA7D17 |
| SHA256: | 125C4B80F91917F505CFECE73AE6F73B1300CF0A0C11B455BDC078B091C5CD1A |
| SSDEEP: | 98304:ZYFGwzKocBggxk0MZwwkZVt++gsBlBP5FZ0k/pLU3bgLMmGAfYP0sp2KE/1pkOVW:6Xx2uQScYgwscEuxDAfnh4Whc |

| Extension | Description |
|---|---|
| .rar | RAR compressed archive (v5.0) (61.5) |
| .rar | RAR compressed archive (gen) (38.4) |

| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 120 | /c echo "api-ms-win-core-fibers-l1-1-0.dll" | C:\Windows\System32\cmd.exe | — | forfiles.exe | admin | Microsoft Corporation | HIGH | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 128 | "CertEnrollCtrl.exe" | C:\Windows\System32\CertEnrollCtrl.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Certificate Enrollment Control | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 148 | "efsui.exe" | C:\Windows\System32\efsui.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | EFS UI Application | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 240 | "dpapimig.exe" | C:\Windows\System32\dpapimig.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | DPAPI Key Migration Wizard | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 276 | "attrib.exe" | C:\Windows\System32\attrib.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Attribute Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 280 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" | C:\Windows\System32\mmc.exe | — | eventvwr.exe | admin | Microsoft Corporation | HIGH | Microsoft Management Console | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 292 | cmd /c start "" "cacls.exe" | C:\Windows\System32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 296 | "calc.exe" | C:\Windows\System32\calc.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Windows Calculator | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 528 | cmd /c start "" "bootcfg.exe" | C:\Windows\System32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 528 | "Dism.exe" | C:\Windows\System32\Dism.exe | | cmd.exe | admin | Microsoft Corporation | HIGH | Dism Image Servicing Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |

| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 564 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E | write | LanguageList | en-US |
| 564 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip |
| 564 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| 564 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\phacker.zip |
| 564 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| 564 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| 564 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| 564 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
| 4088 | AdapterTroubleshooter.exe | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | write | Name | Explorer.EXE |
| 2896 | aitagent.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\AIT | write | LastReadEntryTime | F482CD25F0B1D301 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 564 | WinRAR.exe | C:\Users\admin\Desktop\4b543325cf0e11dee26d58cc1ac38cf5.exe | executable | 4B543325CF0E11DEE26D58CC1AC38CF5 | E9EF5889CBC575FABAE55849EEBC9EFE2C14D9532C6CAFB02AAF78CC5DEE3CA0 |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\289c1a8a890a567f4f70235ced85f763.exe | executable | 289C1A8A890A567F4F70235CED85F763 | 4444FC67A93232E1B4F3C9B755AC3B9D0D2D7D0EB86D46F7D7B67EC8DF2D9771 |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\127277c0097cef5ce18f0002a2456f84.exe | executable | 127277C0097CEF5CE18F0002A2456F84 | E0E43B3AAAACEA4C53B4723C5A9704C7B9C0EA88A45DA58622B0EA85A5A5CDF8 |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\26a318ba688442470eb1f247da7d76c1.exe | executable | 26A318BA688442470EB1F247DA7D76C1 | D11E6B68E509EC7D7D70CF326BDA76768865687B2753E10EBD44C82EB4BAE9DE |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\12e89420d487205e997bbd25011d45fa.exe | executable | 12E89420D487205E997BBD25011D45FA | 6724CE5B748F1C7CE548FC001CDBDC22AC18C81BC631A8CD7C6BD3F60C0A33A3 |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\6a609d65263f2c95ab44b534255b53c9.exe | executable | 6A609D65263F2C95AB44B534255B53C9 | 20DEF0B3ABB9FCE81424CEB394A1E184EF9C504F96B85A4D32637AA5CA069AAA |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\33fe4259a21b93c20ef6a920b6311b8f.exe | executable | 33FE4259A21B93C20EF6A920B6311B8F | 3984F62C9C5E3AF60DF7278B321057FCF131B6B30887B4802F4A536277B44589 |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\3a5a024582f9c0a6a08e5ff3b3e1ea7e.exe | executable | 3A5A024582F9C0A6A08E5FF3B3E1EA7E | 2A0275EF3173C01D4802E0ADFEDED1CA2A67C63D53B3EA60EF82D3D558C614B7 |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\b7732333c67d9155ebe9c3a11f966143.exe | executable | B7732333C67D9155EBE9C3A11F966143 | 99025DE2DE0CB3B8D407F23EF31B4E0851EE12F0893EFDFC8E02057DDAB954B8 |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\545211f79941424f26866b9f00ad361b.exe | executable | 545211F79941424F26866B9F00AD361B | 235A898FFCD14C165495DEC3B265492F17D09527FE55C6B0072B25727C6A2BAB |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| 2292 | 127277c0097cef5ce18f0002a2456f84.exe | 34.41.229.245:80 | pywolwnvd.biz | GOOGLE-CLOUD-PLATFORM | US | unknown |
| 3884 | dplaysvr.exe | 192.168.100.2:1900 | — | — | — | whitelisted |
| 828 | svchost.exe | 239.255.255.250:3702 | — | — | — | whitelisted |

| Domain | IP | Reputation |
|---|---|---|
| pywolwnvd.biz | | unknown |
| dns.msftncsi.com | | shared |

| PID | Process | Class | Message |
|---|---|---|---|
| 1080 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |

| Process | Message |
|---|---|
| cleanmgr.exe | PID=3784 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore |
| cleanmgr.exe | PID=3784 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect |
| cleanmgr.exe | PID=3784 Getting Provider OSServices - CDISMProviderStore::GetProvider |
| cleanmgr.exe | PID=3784 Failed to get an OSServices provider. Must be running in local store. Falling back to checking alongside the log provider for wdscore.dll. - CDISMLogger::FindWdsCore(hr:0x80004005) |
| cleanmgr.exe | PID=3784 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect |
| cleanmgr.exe | PID=3784 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider |
| cleanmgr.exe | PID=3784 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider |
| cleanmgr.exe | PID=3784 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005) |
| cleanmgr.exe | PID=3784 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider |
| Dism.exe | PID=528 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore |