| File name: | 3.rar |
| Full analysis: | https://app.any.run/tasks/d188293b-8cff-4cb4-bcf4-b6e8a4707d02 |
| Verdict: | Malicious activity |
| Analysis date: | December 02, 2023, 21:06:27 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 3C2D3ACCA0A6F4AA1DBDDB3F9F56672D |
| SHA1: | 78D668626AE46490976AA9A806C6FF13E8AA7D17 |
| SHA256: | 125C4B80F91917F505CFECE73AE6F73B1300CF0A0C11B455BDC078B091C5CD1A |
| SSDEEP: | 98304:ZYFGwzKocBggxk0MZwwkZVt++gsBlBP5FZ0k/pLU3bgLMmGAfYP0sp2KE/1pkOVW:6Xx2uQScYgwscEuxDAfnh4Whc |
| Extension | Detected type (score) |
|---|---|
| .rar | RAR compressed archive (v5.0) (61.5) |
| .rar | RAR compressed archive (gen) (38.4) |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 120 | /c echo "api-ms-win-core-fibers-l1-1-0.dll" | C:\Windows\System32\cmd.exe | — | forfiles.exe | admin | Microsoft Corporation | HIGH | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 128 | "CertEnrollCtrl.exe" | C:\Windows\System32\CertEnrollCtrl.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Certificate Enrollment Control | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 148 | "efsui.exe" | C:\Windows\System32\efsui.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | EFS UI Application | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 240 | "dpapimig.exe" | C:\Windows\System32\dpapimig.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | DPAPI Key Migration Wizard | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 276 | "attrib.exe" | C:\Windows\System32\attrib.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Attribute Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 280 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" | C:\Windows\System32\mmc.exe | — | eventvwr.exe | admin | Microsoft Corporation | HIGH | Microsoft Management Console | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 292 | cmd /c start "" "cacls.exe" | C:\Windows\System32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 296 | "calc.exe" | C:\Windows\System32\calc.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Windows Calculator | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 528 | cmd /c start "" "bootcfg.exe" | C:\Windows\System32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 528 | "Dism.exe" | C:\Windows\System32\Dism.exe | | cmd.exe | admin | Microsoft Corporation | HIGH | Dism Image Servicing Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 564 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E | write | LanguageList | en-US |
| 564 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip |
| 564 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| 564 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\phacker.zip |
| 564 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| 564 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| 564 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| 564 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
| 4088 | AdapterTroubleshooter.exe | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | write | Name | Explorer.EXE |
| 2896 | aitagent.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\AIT | write | LastReadEntryTime | F482CD25F0B1D301 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 564 | WinRAR.exe | C:\Users\admin\Desktop\3bd034caf22f9d14a7d984c31f36cb67.exe | executable | 3BD034CAF22F9D14A7D984C31F36CB67 | 017BC03A3F41D807F6A2FB437DEA72E82F27D4EEC077E48D63EA3984CB55DCB8 |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\a8b8df17c34f05be56406fcde37666eb.exe | executable | A8B8DF17C34F05BE56406FCDE37666EB | 587AF8510E8148E03E4B63EE8C80A1E8F9B96ABA3F9FD229E88AFC1B6C6BE358 |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\59a943ed50c22f23b6b4342f1e66c8c6.exe | executable | 59A943ED50C22F23B6B4342F1E66C8C6 | 5F69663DDD3C274B74A7DF5E474C9F4933BCBD6A9DE14B8A1F09916031DFA64F |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\545211f79941424f26866b9f00ad361b.exe | executable | 545211F79941424F26866B9F00AD361B | 235A898FFCD14C165495DEC3B265492F17D09527FE55C6B0072B25727C6A2BAB |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\8191224f863e0d5287aafa7a08cdcdb3.exe | executable | 8191224F863E0D5287AAFA7A08CDCDB3 | 512E198C86A1DF61FF512EFDD25106A557B9A3EB0DA264F9BC247C487F6678E1 |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\33fe4259a21b93c20ef6a920b6311b8f.exe | executable | 33FE4259A21B93C20EF6A920B6311B8F | 3984F62C9C5E3AF60DF7278B321057FCF131B6B30887B4802F4A536277B44589 |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\2278600280b0490ebf08c98c0e27e46c.exe | executable | 2278600280B0490EBF08C98C0E27E46C | 5CA39702956C612AA62BE11B28E0073576D17AC5569157A1D1291543ABCE4B4C |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\4a184b64b838a4833419c76951f7eda4.exe | executable | 4A184B64B838A4833419C76951F7EDA4 | 0977FAEDBC532514CBBC5DBAF1B077364555378C7094B3BB1A91095C58870775 |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\127277c0097cef5ce18f0002a2456f84.exe | executable | 127277C0097CEF5CE18F0002A2456F84 | E0E43B3AAAACEA4C53B4723C5A9704C7B9C0EA88A45DA58622B0EA85A5A5CDF8 |
| 564 | WinRAR.exe | C:\Users\admin\Desktop\b7732333c67d9155ebe9c3a11f966143.exe | executable | B7732333C67D9155EBE9C3A11F966143 | 99025DE2DE0CB3B8D407F23EF31B4E0851EE12F0893EFDFC8E02057DDAB954B8 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| 2292 | 127277c0097cef5ce18f0002a2456f84.exe | 34.41.229.245:80 | pywolwnvd.biz | GOOGLE-CLOUD-PLATFORM | US | unknown |
| 3884 | dplaysvr.exe | 192.168.100.2:1900 | — | — | — | whitelisted |
| 828 | svchost.exe | 239.255.255.250:3702 | — | — | — | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| pywolwnvd.biz | | unknown |
| dns.msftncsi.com | | shared |
| PID | Process | Class | Message |
|---|---|---|---|
| 1080 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
| Process | Message |
|---|---|
| cleanmgr.exe | PID=3784 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore |
| cleanmgr.exe | PID=3784 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect |
| cleanmgr.exe | PID=3784 Getting Provider OSServices - CDISMProviderStore::GetProvider |
| cleanmgr.exe | PID=3784 Failed to get an OSServices provider. Must be running in local store. Falling back to checking alongside the log provider for wdscore.dll. - CDISMLogger::FindWdsCore(hr:0x80004005) |
| cleanmgr.exe | PID=3784 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect |
| cleanmgr.exe | PID=3784 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider |
| cleanmgr.exe | PID=3784 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider |
| cleanmgr.exe | PID=3784 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005) |
| cleanmgr.exe | PID=3784 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider |
| Dism.exe | PID=528 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore |