File name: Сверить данные 18.02.rar
Full analysis: https://app.any.run/tasks/6d206875-19a8-40c7-b093-f4cc61ed116d
Verdict: Malicious activity
Analysis date: February 18, 2019, 10:55:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 60C64C137C86733054F082652D127EFC
SHA1: 04F15220A7372D937E05D439A919A76CF85C399D
SHA256: 15D764FD0EACA3E43BADA0ABB858131D53DC7504A5DFF0A9B85E726CA773C99D
SSDEEP: 6144:Wb/Fg01XYflKxGU7cZ/z4kVzhPG8ha0PpLObAsjwHaxOI0g:Wb/m01KlKxyZ/EkVzZRha4LRN/In

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • WinRAR.exe (PID: 2988)
      • rundll32.exe (PID: 3924)
      • Сверить данные 18.02.exe (PID: 2856)
      • explorer.exe (PID: 116)
      • Сверить данные 18.02.exe (PID: 2300)
      • Сверить данные 18.02.exe (PID: 2216)
    • Application was dropped or rewritten from another process

      • Сверить данные 18.02.exe (PID: 2856)
      • Сверить данные 18.02.exe (PID: 2216)
      • Сверить данные 18.02.exe (PID: 2300)
    • Loads the Task Scheduler COM API

      • Сверить данные 18.02.exe (PID: 2856)
  • SUSPICIOUS

    • Creates files in the program directory

      • Сверить данные 18.02.exe (PID: 2856)
    • Executable content was dropped or overwritten

      • Сверить данные 18.02.exe (PID: 2856)
      • Сверить данные 18.02.exe (PID: 2216)
      • WinRAR.exe (PID: 2988)
      • Сверить данные 18.02.exe (PID: 2300)
    • Connects to unusual port

      • rundll32.exe (PID: 3924)
  • INFO

    No info indicators.
No Malware configuration.

TRiD
  • .rar | RAR compressed archive (v5.0) (61.5)
  • .rar | RAR compressed archive (gen) (38.4)
Total processes: 37
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 1

Behavior graph

[Interactive process graph not reproduced. Edges are labelled "start" and "drop and start"; nodes: winrar.exe, сверить данные 18.02.exe (three instances), rundll32.exe, explorer.exe (no specs).]

Process information

PID 2988
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Сверить данные 18.02.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2856
  CMD: "C:\Users\admin\Desktop\Сверить данные 18.02.exe"
  Path: C:\Users\admin\Desktop\Сверить данные 18.02.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3924
  CMD: rundll32.exe "C:\ProgramData\2401bf603c90\2702bc633f93.dat",DllGetClassObject root
  Path: C:\Windows\system32\rundll32.exe
  Parent process: taskeng.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows host process (Rundll32)
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 116
  CMD: C:\Windows\Explorer.EXE
  Path: C:\Windows\explorer.exe
  Parent process: (not listed)
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Explorer
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2216
  CMD: "C:\Users\admin\Desktop\Сверить данные 18.02.exe"
  Path: C:\Users\admin\Desktop\Сверить данные 18.02.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2300
  CMD: "C:\Users\admin\Desktop\Сверить данные 18.02.exe"
  Path: C:\Users\admin\Desktop\Сверить данные 18.02.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
Total events: 3 115
Read events: 3 086
Write events: 29
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(2988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
(2988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
(2988) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | write | LanguageList | en-US
(2988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\Сверить данные 18.02.rar
(2988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(116) explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList | write | a | WinRAR.exe
(2988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(2988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
(2988) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(116) explorer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList | write | MRUList | a
Executable files: 6
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 2988, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa2988.34739\Сверить данные 18.02.exe
  Type, MD5, SHA256: not recorded

PID 3924, rundll32.exe
  File: C:\Users\admin\AppData\Local\Temp\CCFB.tmp
  Type, MD5, SHA256: not recorded

PID 3924, rundll32.exe
  File: C:\Users\admin\AppData\Local\Temp\kmjicopknmaboalk
  Type, MD5, SHA256: not recorded

PID 3924, rundll32.exe
  File: C:\Users\admin\Desktop\Сверить данные 18.02.exe
  Type, MD5, SHA256: not recorded

PID 3924, rundll32.exe
  File: C:\Users\admin\Desktop\mgnjabkgifpikgoo
  Type, MD5, SHA256: not recorded

PID 2856, Сверить данные 18.02.exe
  File: C:\Users\admin\AppData\Local\Temp\CCFB.tmp
  Type: executable
  MD5: 637299B765F5790DCA95B1BF5092948C
  SHA256: 923E318BBB07309ED12BADBDAB53CDE98F3D2BFDE70EC27AF425319A9884C2C3

PID 2856, Сверить данные 18.02.exe
  File: C:\ProgramData\2401bf603c90\2702bc633f93.dat
  Type: executable
  MD5: 637299B765F5790DCA95B1BF5092948C
  SHA256: 923E318BBB07309ED12BADBDAB53CDE98F3D2BFDE70EC27AF425319A9884C2C3

PID 2300, Сверить данные 18.02.exe
  File: C:\Users\admin\AppData\Local\Temp\328B.tmp
  Type: executable
  MD5: 637299B765F5790DCA95B1BF5092948C
  SHA256: 923E318BBB07309ED12BADBDAB53CDE98F3D2BFDE70EC27AF425319A9884C2C3

PID 116, explorer.exe
  File: C:\Users\admin\Desktop\Сверить данные 18.02.exe
  Type: executable
  MD5: 76C4249BAF2F212AF01E077EFB48E0D4
  SHA256: 594246B1D38DB4949CB126C9049ABFDA6103C6CC1DD7BF0C0CAC4435842ABA95

PID 2216, Сверить данные 18.02.exe
  File: C:\Users\admin\AppData\Local\Temp\1260.tmp
  Type: executable
  MD5: 637299B765F5790DCA95B1BF5092948C
  SHA256: 923E318BBB07309ED12BADBDAB53CDE98F3D2BFDE70EC27AF425319A9884C2C3
HTTP(S) requests: 1
TCP/UDP connections: 6
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3924 | rundll32.exe | GET | 200 | 178.62.9.171:80 | http://myip.ru/index_small.php | GB | html | 319 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3924 | rundll32.exe | 178.62.9.171:80 | myip.ru | Digital Ocean, Inc. | GB | malicious
3924 | rundll32.exe | 37.187.118.34:9001 | (none) | OVH SAS | FR | suspicious
3924 | rundll32.exe | 85.25.159.253:47044 | (none) | Host Europe GmbH | DE | suspicious
3924 | rundll32.exe | 172.105.198.191:9100 | (none) | (not listed) | US | suspicious
3924 | rundll32.exe | 104.236.46.10:9001 | (none) | Digital Ocean, Inc. | US | suspicious

DNS requests

Domain | IP | Reputation
myip.ru | 178.62.9.171 | unknown

Threats

PID | Process | Class | Message
3924 | rundll32.exe | Potential Corporate Privacy Violation | ET POLICY myip.ru IP lookup
3924 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 633
3924 | rundll32.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic
3924 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 180
3924 | rundll32.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic
3924 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 439
3924 | rundll32.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic
3924 | rundll32.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 89
3924 | rundll32.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic
No debug info