File name: о заказе пароль 11.rar

Full analysis: https://app.any.run/tasks/c7bfa294-4213-494f-8529-68876c9fed9a
Verdict: Malicious activity
Analysis date: June 19, 2019, 14:23:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir
Indicators:
MIME: application/x-rar
File info: RAR archive data, flags: EncryptedBlockHeader
MD5: 1257822B6D3813F981348D07536DE65B
SHA1: 57CBF15E45C5B649B6616519D1930E57E9B0B9CB
SHA256: 133C66B369A3A93F041D6D7FD5C651371CD425552B1E575B58B17A853EC050A6
SSDEEP: 24:H4FNNHFeUvc+6JNJVzXg6+8XaIVkPnWltuLfFwm3v4kz70Kzg/uP4AWqiEDM5Arl:CNNlNvwM63qIGnWl4LdpzJw1AWqBD4+l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes settings of System certificates
      • WScript.exe (PID: 1028)
      • WScript.exe (PID: 3240)
  • SUSPICIOUS
    • Creates files in the user directory
      • WScript.exe (PID: 3240)
    • Executes scripts
      • WinRAR.exe (PID: 3144)
    • Adds / modifies Windows certificates
      • WScript.exe (PID: 3240)
      • WScript.exe (PID: 1028)
  • INFO
    • No info indicators.
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
No data.
All screenshots are available in the full report
Total processes: 34
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start → winrar.exe → wscript.exe, wscript.exe (per-process details are in the full report)

Process information

PID 3144
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\о заказе пароль 11.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 3240
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb3144.27445\Подробности заказа.js"
  Path: C:\Windows\System32\WScript.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385

PID 1028
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb3144.27686\Подробности заказа.js"
  Path: C:\Windows\System32\WScript.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385
Total events: 588
Read events: 511
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 1

Dropped files

PID 3144 (WinRAR.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb3144.27445\Подробности заказа.js
  Type: text
  MD5: CD81ADE22D721306D8C91484B15FD262
  SHA256: A8FB3CA7A313CD4EBBE6C8A72C81D804E9E055C3D6612E710EC806FF6804B3DC

PID 3144 (WinRAR.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb3144.27686\Подробности заказа.js
  Type: text
  MD5: CD81ADE22D721306D8C91484B15FD262
  SHA256: A8FB3CA7A313CD4EBBE6C8A72C81D804E9E055C3D6612E710EC806FF6804B3DC

PID 3240 (WScript.exe)
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
  Type: dat
  MD5: D7A950FEFD60DBAA01DF2D85FEFB3862
  SHA256: 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 4
DNS requests: 5
Threats: 0

HTTP requests

PID 3240 (WScript.exe)
  Method: GET
  HTTP Code: 404
  IP: 109.234.165.77:80
  URL: http://mboavision.rodevdesign.com/.well-known/acme-challenge/1c.jpg
  CN: FR
  Type: html
  Size: 350 b
  Reputation: malicious

PID 1028 (WScript.exe)
  Method: GET
  HTTP Code: 404
  IP: 109.234.165.77:80
  URL: http://mboavision.rodevdesign.com/.well-known/acme-challenge/1c.jpg
  CN: FR
  Type: html
  Size: 350 b
  Reputation: malicious

Connections

PID 3240 (WScript.exe)
  IP: 109.234.165.77:80
  Domain: mboavision.rodevdesign.com
  ASN: o2switch SARL
  CN: FR
  Reputation: suspicious

PID 3240 (WScript.exe)
  IP: 62.173.145.104:443
  Domain: easyplay.io
  ASN: JSC Internet-Cosmos
  CN: RU
  Reputation: malicious

PID 1028 (WScript.exe)
  IP: 109.234.165.77:80
  Domain: mboavision.rodevdesign.com
  ASN: o2switch SARL
  CN: FR
  Reputation: suspicious

PID 1028 (WScript.exe)
  IP: 62.173.145.104:443
  Domain: easyplay.io
  ASN: JSC Internet-Cosmos
  CN: RU
  Reputation: malicious

DNS requests

Domain: easyplay.io
  • IP: 62.173.145.104
  • Reputation: malicious

Domain: mboavision.rodevdesign.com
  • IP: 109.234.165.77
  • Reputation: malicious

Threats

No threats detected
No debug info