| Field | Value |
|---|---|
| File name | RemoveWAT.rar |
| Full analysis | https://app.any.run/tasks/8d10563d-6778-477c-a256-7fcf9a559425 |
| Verdict | Malicious activity |
| Analysis date | July 12, 2020, 16:30:23 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/x-rar |
| File info | RAR archive data, v4, os: Win32 |
| MD5 | CF99BEC65BE72BEA0D03D08B4B14A1F6 |
| SHA1 | BDB51F0D3DC9CEC90F6F4AABF5F1A2D71AD2953F |
| SHA256 | 170C725FE2B38199EA6A316386FD874E32C6930E40CCA6D4E9CF3F57ECF97AC6 |
| SSDEEP | 98304:bw23yxOcCHuRsIpYjWBBBVyKTjavrMJ6tEAD:ZEzejAz/j7kEw |
| Extension | Detected type | Match (%) |
|---|---|---|
| .rar | RAR compressed archive (v-4.x) | 58.3 |
| .rar | RAR compressed archive (gen) | 41.6 |
| Archive entry | Value |
|---|---|
| ArchivedFileName | RemoveWAT.exe |
| PackingMethod | Normal |
| ModifyDate | 2013:04:10 22:09:05 |
| OperatingSystem | Win32 |
| UncompressedSize | 6664704 |
| CompressedSize | 3937114 |
| PID | Command line | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2256 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RemoveWAT.rar" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe |
| 2192 | "C:\Users\admin\Desktop\RemoveWAT.exe" | C:\Users\admin\Desktop\RemoveWAT.exe | — | explorer.exe |
| 904 | "C:\Users\admin\Desktop\RemoveWAT.exe" | C:\Users\admin\Desktop\RemoveWAT.exe | | explorer.exe |
| 4084 | "C:\Windows\System32\taskkill.exe" /f /im explorer.exe | C:\Windows\System32\taskkill.exe | — | RemoveWAT.exe |
| 1756 | "C:\Windows\system32\wusa.exe" "C:\Windows\wat.MSU" /quiet | C:\Windows\system32\wusa.exe | — | RemoveWAT.exe |
| 1144 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
| 3416 | "C:\Windows\System32\cmd.exe" /c taskkill /f /im WatAdminSvc.exe & taskkill /f /im WatUX.exe | C:\Windows\System32\cmd.exe | — | RemoveWAT.exe |
| 2612 | taskkill /f /im WatAdminSvc.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
| 3308 | taskkill /f /im WatUX.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
| 3968 | "C:\Windows\System32\cmd.exe" /c takeown /f "C:\Windows\System32\Wat\WatAdminSvc.exe" & icacls "C:\Windows\System32\Wat\WatAdminSvc.exe" /reset & icacls "C:\Windows\System32\Wat\WatAdminSvc.exe" /deny *S-1-1-0:(X) | C:\Windows\System32\cmd.exe | — | RemoveWAT.exe |

Process details for the rows above:

| PID | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 2256 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0 |
| 2192 | admin | Hazar & Co. | MEDIUM | RemoveWAT | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | 2.2.6.0 |
| 904 | admin | Hazar & Co. | HIGH | RemoveWAT | | 2.2.6.0 |
| 4084 | admin | Microsoft Corporation | HIGH | Terminates Processes | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1756 | admin | Microsoft Corporation | HIGH | Windows Update Standalone Installer | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1144 | SYSTEM | Microsoft Corporation | SYSTEM | Microsoft® Volume Shadow Copy Service | | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3416 | admin | Microsoft Corporation | HIGH | Windows Command Processor | 128 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2612 | admin | Microsoft Corporation | HIGH | Terminates Processes | 128 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3308 | admin | Microsoft Corporation | HIGH | Terminates Processes | 128 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3968 | admin | Microsoft Corporation | HIGH | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1756 | wusa.exe | C:\fd463ae46d285d6e2f45940546f3\$dpx$.tmp\2e8815f03a6b894faa149db07cee4892.tmp | — | — | — |
| 1756 | wusa.exe | C:\fd463ae46d285d6e2f45940546f3\$dpx$.tmp\a396e9d82fba75478943aaf1730a4603.tmp | — | — | — |
| 1756 | wusa.exe | C:\fd463ae46d285d6e2f45940546f3\$dpx$.tmp\ebd4de63fd6bed4ebd38421173b0bbbc.tmp | — | — | — |
| 1756 | wusa.exe | C:\fd463ae46d285d6e2f45940546f3\$dpx$.tmp\041c9aa9aa7bc14b9454cf7224538dd6.tmp | — | — | — |
| 1144 | vssvc.exe | C: | — | — | — |
| 1756 | wusa.exe | C:\Windows\Logs\DPX\setuperr.log | — | — | — |
| 1756 | wusa.exe | C:\fd463ae46d285d6e2f45940546f3\WSUSSCAN.cab | compressed | 63B344025100243B997D5E2756A11F7A | 9B3FC7CAC1E02935F5D59D96D76844780DCCAE81CCC275FB0847A81E5BDB8594 |
| 1756 | wusa.exe | C:\fd463ae46d285d6e2f45940546f3\Windows6.1-KB971033-x86-pkgProperties.txt | text | 2A935916F7EA88AA5EE735B1775C228E | D71B35046C13D0638ADBC20F5D9835E5E363AE685E23CECC3A47E66C79510337 |
| 2256 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2256.28037\RemoveWAT.exe | executable | BFACF78644CA41FD6D4B23976E7574A1 | 94A1A26F61B015C2CED2FD50BDBA4070B6C9AEC7D2938FBF7EB9E99960D3B7A9 |
| 904 | RemoveWAT.exe | C:\Windows\wat.MSU | msu | 2B2CB791AA5C80018454DE799D178541 | AD8E8C2DE3784438D584E612B8ED787AC8F905429AAB7E23958D64DAAA89109D |