analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

locker_x86.rar

Full analysis: https://app.any.run/tasks/f9bfcd79-2c14-402f-8e75-88a1c3300506
Verdict: Malicious activity
Analysis date: June 27, 2022, 06:19:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

DA7FEB66C95A1E6A97D58A0B296999C4

SHA1:

7897B6025609E916CD38AD3E6453C9BD824D05F8

SHA256:

1392CAAA6D82780AA8E771F2F8CCA8B33BF87EBBFA66FA65762F27C8360E43A7

SSDEEP:

384:Lya2wNEbcAyBjMxGR6kWBsPhbHGAOXBPQIZrtahQ5QGOgM3:LBC/ypwGYBsJsBQEwdxgG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 2688)
    • Application was dropped or rewritten from another process

      • locker_x86.exe (PID: 3752)
      • locker_x86.exe (PID: 2676)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 2688)
    • Checks supported languages

      • WinRAR.exe (PID: 2688)
      • locker_x86.exe (PID: 3752)
      • cmd.exe (PID: 1400)
      • locker_x86.exe (PID: 2676)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2688)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2688)
  • INFO

    • Manual execution by user

      • cmd.exe (PID: 1400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: locker_x86.exe
PackingMethod: Normal
ModifyDate: 2022:06:27 10:18:05
OperatingSystem: Win32
UncompressedSize: 44544
CompressedSize: 17171
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
0
Suspicious processes
4

Behavior graph

Click at the process to see the details
start winrar.exe cmd.exe no specs locker_x86.exe no specs locker_x86.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2688"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\locker_x86.rar"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
1400"cmd.exe" /s /k pushd "C:\Users\admin\Desktop"C:\Windows\system32\cmd.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225547
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3752locker_x86.exe dsds lockC:\Users\admin\Desktop\locker_x86.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2676locker_x86.exe fabianwosar lockerC:\Users\admin\Desktop\locker_x86.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225786
Total events
858
Read events
837
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
2676locker_x86.exeC:\Users\admin\Desktop\googleupon.png.lockertext
MD5:8398D65150CD549897D2AB3281845124
SHA256:C6E1A13E28AC286F3E656B2CBBEB2192508C9F352F6D62ED3A9AE7F773EE1809
2676locker_x86.exeC:\Users\admin\Desktop\securegift.rtf.lockertext
MD5:5BD79436B1D8C9AB44859F2F4FC652A8
SHA256:731B26E58E132F980D5C56AD4EDDE41F52EE36C39EA549F77D912CEFD8BC6DC4
2676locker_x86.exeC:\Users\admin\Desktop\wayscentral.png.lockertext
MD5:D65D98C65435B85CF85BB016D725D234
SHA256:F972DB446BF20FD80FB355DA197AC35A3D95DA340E1078E44E9EE9136FE362D5
2676locker_x86.exeC:\Users\admin\Desktop\cheapengineering.rtf.lockertext
MD5:2B881BC9BDE1897024BD8AD802CA459E
SHA256:D51BFD1D24A857E00E14C3570043A017B963FD2F22F4DB48F7649B18A18E1582
2676locker_x86.exeC:\Users\admin\Desktop\locker_x86.rar.lockertext
MD5:BEDD60A528C127025EC15E0440BCD230
SHA256:BD17EDFDA5780BDFBB42C0BBCBE978204F3AD7907F10B66E933BE75F69B26E6F
2676locker_x86.exeC:\Users\admin\Desktop\starsemail.rtf.lockertext
MD5:24AE12794C0D2B73BC9A27C1CF02930C
SHA256:989C2F91738850133AEB0DF710C687474C322DE5380039BA79970EA732CD71DF
2676locker_x86.exeC:\Users\admin\Desktop\locker_x86.exe.lockertext
MD5:195D451D61F2772C6EE6A4BCD3B927B8
SHA256:06F369E25B4322F3BD7CA8228DA46F6F6F5CA63B624970B87F9E1BAD5B510798
2676locker_x86.exeC:\Users\admin\Desktop\benefitwindows.jpg.lockertext
MD5:898E262A6323155B2E9B0522F573E2AE
SHA256:BBD375550494784BE300E05020CABDDF168D6DBC9D2F515809DA5527E803D03D
2676locker_x86.exeC:\Users\admin\Desktop\wednesdayinternational.rtf.lockertext
MD5:3697D78CA98B49AAD57803118F365879
SHA256:2EADB76D7B15D2B205B59465AF3DB4D5AD2550EC8E89ED6BC47BF423C1A104C0
2676locker_x86.exeC:\Users\admin\Desktop\networklaws.rtf.lockertext
MD5:C7B928243C8E8D0129BEB5EFC50DE2A4
SHA256:1CDFB661B1FA3280FAA51AE61E86EADAE745F22D3B342CFCE60D9BF10258197E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info