| File name: | Pack.7z |
| Full analysis: | https://app.any.run/tasks/84a868ea-e8f3-436b-abe9-82b0226aac5d |
| Verdict: | Malicious activity |
| Threats: | The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes. |
| Analysis date: | November 12, 2023, 16:15:03 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | 7DE41ED6B74A9EBC44AFD585253EB426 |
| SHA1: | 08F20420DCE57CB7B6B49D1B0396D7633C517E3D |
| SHA256: | 17A63753F90FD599E78F8B1C7DBD88294153431B34906A3EDFA200F250CF0E35 |
| SSDEEP: | 49152:Xqc/LCUmhJc65+crfFBfPsmVFr+DE3rv9t1vOhKaatQxKVatnKMdo8S36IW/LpGU:p/+PEOdBFHFv9XfaaSQMt0R6IWjpG1Sj |
MALICIOUS
Connects to the CnC server
- MSBuild.exe (PID: 6848)
ARECHCLIENT2 has been detected (SURICATA)
- MSBuild.exe (PID: 6848)
Actions looks like stealing of personal data
- MSBuild.exe (PID: 6848)
SUSPICIOUS
Starts CMD.EXE for commands execution
- atkexComSvc.exe (PID: 6692)
Searches for installed software
- MSBuild.exe (PID: 6848)
Connects to unusual port
- MSBuild.exe (PID: 6848)
INFO
Reads the computer name
- atkexComSvc.exe (PID: 6692)
- MSBuild.exe (PID: 6848)
Checks supported languages
- atkexComSvc.exe (PID: 6692)
- MSBuild.exe (PID: 6848)
Manual execution by a user
- atkexComSvc.exe (PID: 6692)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 1496)
Create files in a temporary directory
- atkexComSvc.exe (PID: 6692)
- MSBuild.exe (PID: 6848)
Reads the machine GUID from the registry
- MSBuild.exe (PID: 6848)
Reads Environment values
- MSBuild.exe (PID: 6848)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
|---|---|---|
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
Total processes
144
Monitored processes
5
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1496 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Pack.7z" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 6692 | "C:\Users\admin\Desktop\Pack\atkexComSvc.exe" | C:\Users\admin\Desktop\Pack\atkexComSvc.exe | — | explorer.exe | |||||||||||
User: admin Company: ASUSTeK Computer Inc. Integrity Level: MEDIUM Description: ASUS Com Service Exit code: 1 Version: 1.0.0.1 Modules
| |||||||||||||||
| 6712 | C:\WINDOWS\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | — | atkexComSvc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.746 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6720 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6848 | C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MSBuild.exe Exit code: 0 Version: 4.8.4084.0 built by: NET48REL1 Modules
| |||||||||||||||
Total events
2 385
Read events
2 366
Write events
19
Delete events
0
Modification events
| (PID) Process: | (1496) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\General |
| Operation: | write | Name: | VerInfo |
Value: 003C050012F8FE6A437AD701 | |||
| (PID) Process: | (1496) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\SpybotAntiBeaconPortable-safer-networking.org_3.7.0.paf.zip | |||
| (PID) Process: | (1496) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\MicrosoftEdgePolicyTemplates.cab | |||
| (PID) Process: | (1496) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\MicrosoftEdgePolicyTemplates.zip | |||
| (PID) Process: | (1496) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1496) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1496) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1496) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (1496) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000 | |||
| (PID) Process: | (1496) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\General |
| Operation: | write | Name: | LastFolder |
Value: C:\Users\admin\Desktop | |||
Executable files
4
Suspicious files
6
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6712 | cmd.exe | C:\Users\admin\AppData\Local\Temp\cxfudpmxdaor | — | |
MD5:— | SHA256:— | |||
| 1496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1496.19692\Pack\AsIO.dll | executable | |
MD5:3E2C867B129165ACDB3A457E131B90BC | SHA256:E1BB63CCAC541B38266228ACD3D77A141EFC468A69C3F821BFCC06330CE86815 | |||
| 6848 | MSBuild.exe | C:\Users\admin\AppData\Local\Temp\tmp4309.tmp | binary | |
MD5:AF5558D39B30A23F896479B424695E02 | SHA256:EB78FFA937A3B647E9D1B905C149F5AE02E8BEB3F9DE29F8F541413DF9EF4F5E | |||
| 6712 | cmd.exe | C:\Users\admin\AppData\Local\Temp\oqmvy | binary | |
MD5:AC0A66B7F1668444A037194D2758C620 | SHA256:D17441BE5D9AD31F7FBD98C00E03E086D41944D788F9D14713EFD0ED9C19C063 | |||
| 6848 | MSBuild.exe | C:\Users\admin\AppData\Local\Temp\tmp431A.tmp | binary | |
MD5:AF5558D39B30A23F896479B424695E02 | SHA256:EB78FFA937A3B647E9D1B905C149F5AE02E8BEB3F9DE29F8F541413DF9EF4F5E | |||
| 1496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1496.19692\Pack\atkexComSvc.exe | executable | |
MD5:485008B43F0EDCEBA0E0D3CA04BC1C1A | SHA256:12C22BA646232D5D5087D0300D5CFD46FED424F26143A02DC866F1BFCEAB3C10 | |||
| 1496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1496.19692\Pack\ASUS_WMI.dll | executable | |
MD5:487276C560DB5AD5016799188F79D71F | SHA256:F20774620A07C41F846C4017C1DC7F99AFD1758D58EBBC9DFC0C1AC536524D2C | |||
| 1496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1496.19692\Pack\ATKEX.dll | executable | |
MD5:E68562F63265E1A70881446B4B9DC455 | SHA256:C8B16F1C6883A23021DA37D9116A757F971FE919D64EF8F9DBA17A7D8DD39ADB | |||
| 6692 | atkexComSvc.exe | C:\Users\admin\AppData\Local\Temp\3120451d | binary | |
MD5:1C0FDB92F727AFF0653F992AD537ED93 | SHA256:F7B3407B42C8D9C4EC6C994899045586686490283F513EA3BDDF02EBBEDFF4B0 | |||
| 1496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1496.19692\Pack\dramaturge.txt | image | |
MD5:2FCA9BF5E6C21FF750BF5750B0BDD845 | SHA256:9492842FBFD93E470F151C5AE3DF23562BCBD45E34429E7D256236121618637A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
50
DNS requests
16
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6992 | svchost.exe | HEAD | 200 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1700121708&P2=404&P3=2&P4=GJlb4dihM9fQ%2buB5HN3M7rLbl5qnBNMCtVOrksuCdXvuG8P860bkweBJSe79l5v%2fN6nUmM7VsqHo%2bUrZNo%2bF3Q%3d%3d | unknown | — | — | — |
2668 | SIHClient.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | binary | 418 b | — |
6164 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | unknown | binary | 471 b | — |
1356 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | — |
6992 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1700121708&P2=404&P3=2&P4=GJlb4dihM9fQ%2buB5HN3M7rLbl5qnBNMCtVOrksuCdXvuG8P860bkweBJSe79l5v%2fN6nUmM7VsqHo%2bUrZNo%2bF3Q%3d%3d | unknown | binary | 3.81 Kb | — |
2668 | SIHClient.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | binary | 409 b | — |
6992 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1700121708&P2=404&P3=2&P4=GJlb4dihM9fQ%2buB5HN3M7rLbl5qnBNMCtVOrksuCdXvuG8P860bkweBJSe79l5v%2fN6nUmM7VsqHo%2bUrZNo%2bF3Q%3d%3d | unknown | binary | 1.61 Kb | — |
6992 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1700121708&P2=404&P3=2&P4=GJlb4dihM9fQ%2buB5HN3M7rLbl5qnBNMCtVOrksuCdXvuG8P860bkweBJSe79l5v%2fN6nUmM7VsqHo%2bUrZNo%2bF3Q%3d%3d | unknown | binary | 1.09 Kb | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
2836 | msedge.exe | 239.255.255.250:1900 | — | — | — | unknown |
2836 | msedge.exe | 224.0.0.251:5353 | — | — | — | unknown |
1356 | svchost.exe | 40.126.31.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
1356 | svchost.exe | 192.229.221.95:80 | — | EDGECAST | US | unknown |
3792 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
3868 | svchost.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
5548 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
6164 | backgroundTaskHost.exe | 20.199.58.43:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
login.live.com |
| unknown |
settings-win.data.microsoft.com |
| unknown |
arc.msn.com |
| unknown |
slscr.update.microsoft.com |
| unknown |
www.microsoft.com |
| unknown |
fe3cr.delivery.mp.microsoft.com |
| unknown |
go.microsoft.com |
| unknown |
edge.microsoft.com |
| unknown |
msedge.b.tlu.dl.delivery.mp.microsoft.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Malware Command and Control Activity Detected | ET MALWARE Arechclient2 Backdoor CnC Init |