File name:

Piriform.Recuva.Professional.v1.53.1087-SeuPirate.7z

Full analysis: https://app.any.run/tasks/1f953b75-ba3f-4115-a0ce-d9ce063f5433
Verdict: Malicious activity
Analysis date: July 02, 2024, 22:54:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

126A1AD85F4FC88799D07A565AEA9330

SHA1:

C2F6B3A1574733E8695C4C648FECAD94A8107584

SHA256:

1C20B75C72F04F17069AB6474624FFBE9C71DE013EC4DB7D0737A36DA610BEC2

SSDEEP:

98304:4tvzcjKt0T9xpexAAv/XQo9DBq8NU0BGTVPVll+enfzUdSwrxzTpuH+lkEfRP8P9:/qBLPVBW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3532)
      • rcsetup153.exe (PID: 2348)
      • rcsetup153.exe (PID: 932)
    • Steals credentials from Web Browsers

      • rcsetup153.exe (PID: 932)
    • Actions looks like stealing of personal data

      • rcsetup153.exe (PID: 932)
    • Registers / Runs the DLL via REGSVR32.EXE

      • rcsetup153.exe (PID: 932)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • rcsetup153.exe (PID: 2348)
      • rcsetup153.exe (PID: 932)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3532)
      • rcsetup153.exe (PID: 932)
      • recuva.exe (PID: 4044)
    • Starts application with an unusual extension

      • rcsetup153.exe (PID: 2348)
      • rcsetup153.exe (PID: 932)
    • Reads Internet Explorer settings

      • rcsetup153.exe (PID: 2348)
      • rcsetup153.exe (PID: 932)
      • recuva.exe (PID: 4044)
    • Executable content was dropped or overwritten

      • rcsetup153.exe (PID: 2348)
      • rcsetup153.exe (PID: 932)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • rcsetup153.exe (PID: 2348)
      • rcsetup153.exe (PID: 932)
    • Reads settings of System Certificates

      • rcsetup153.exe (PID: 2348)
      • rcsetup153.exe (PID: 932)
      • recuva.exe (PID: 4044)
    • Start notepad (likely ransomware note)

      • WinRAR.exe (PID: 3532)
    • Searches for installed software

      • rcsetup153.exe (PID: 932)
      • rcsetup153.exe (PID: 2348)
    • Reads browser cookies

      • rcsetup153.exe (PID: 932)
    • Checks Windows Trust Settings

      • rcsetup153.exe (PID: 932)
      • recuva.exe (PID: 4044)
    • Creates a software uninstall entry

      • rcsetup153.exe (PID: 932)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1072)
    • Reads the Internet Settings

      • recuva.exe (PID: 4044)
      • rcsetup153.exe (PID: 932)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2328)
    • Process requests binary or script from the Internet

      • rcsetup153.exe (PID: 932)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3532)
    • Reads Environment values

      • rcsetup153.exe (PID: 2348)
      • rcsetup153.exe (PID: 932)
    • Reads the software policy settings

      • rcsetup153.exe (PID: 2348)
      • recuva.exe (PID: 4044)
      • rcsetup153.exe (PID: 932)
    • Checks supported languages

      • ns356.tmp (PID: 3124)
      • rcsetup153.exe (PID: 932)
      • ns1AC6.tmp (PID: 3068)
      • ns586C.tmp (PID: 3844)
      • rcsetup153.exe (PID: 2348)
      • recuva.exe (PID: 3312)
      • recuva.exe (PID: 4044)
    • Reads the machine GUID from the registry

      • rcsetup153.exe (PID: 2348)
      • rcsetup153.exe (PID: 932)
      • recuva.exe (PID: 4044)
    • Reads the computer name

      • rcsetup153.exe (PID: 932)
      • rcsetup153.exe (PID: 2348)
      • recuva.exe (PID: 4044)
      • recuva.exe (PID: 3312)
    • Create files in a temporary directory

      • rcsetup153.exe (PID: 932)
      • rcsetup153.exe (PID: 2348)
    • Reads product name

      • rcsetup153.exe (PID: 932)
      • rcsetup153.exe (PID: 2348)
    • Creates files or folders in the user directory

      • rcsetup153.exe (PID: 932)
    • Checks proxy server information

      • rcsetup153.exe (PID: 932)
      • recuva.exe (PID: 4044)
    • Creates files in the program directory

      • rcsetup153.exe (PID: 932)
      • recuva.exe (PID: 4044)
    • Reads CPU info

      • recuva.exe (PID: 4044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
All screenshots are available in the full report
Total processes
65
Monitored processes
16
Malicious processes
4
Suspicious processes
0

Behavior graph

  • start
  • winrar.exe
  • rcsetup153.exe (no specs)
  • rcsetup153.exe
  • ns356.tmp (no specs)
  • ping.exe (no specs)
  • rcsetup153.exe (no specs)
  • notepad.exe (no specs)
  • rcsetup153.exe
  • ns1ac6.tmp (no specs)
  • ping.exe (no specs)
  • ns586c.tmp (no specs)
  • ping.exe (no specs)
  • regsvr32.exe (no specs)
  • recuva.exe (no specs)
  • recuva.exe
  • vssvc.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
932
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3532.22156\rcsetup153.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa3532.22156\rcsetup153.exe
Parent process:
WinRAR.exe
User:
admin
Company:
Piriform Ltd
Integrity Level:
HIGH
Description:
Recuva Installer
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3532.22156\rcsetup153.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID:
1072
CMD:
regsvr32.exe /I "C:\Program Files\Recuva\RecuvaShell.dll" /s
Path:
C:\Windows\System32\regsvr32.exe
Parent process:
rcsetup153.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
1808
CMD:
ping -n 1 -w 5000 www.piriform.com
Path:
C:\Windows\System32\PING.EXE
Parent process:
ns586C.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID:
2012
CMD:
ping -n 1 -w 1000 www.piriform.com
Path:
C:\Windows\System32\PING.EXE
Parent process:
ns1AC6.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID:
2328
CMD:
C:\Windows\system32\vssvc.exe
Path:
C:\Windows\System32\VSSVC.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
2348
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3532.21531\rcsetup153.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa3532.21531\rcsetup153.exe
Parent process:
WinRAR.exe
User:
admin
Company:
Piriform Ltd
Integrity Level:
HIGH
Description:
Recuva Installer
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3532.21531\rcsetup153.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID:
2732
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3532.21531\rcsetup153.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa3532.21531\rcsetup153.exe
Parent process:
WinRAR.exe
User:
admin
Company:
Piriform Ltd
Integrity Level:
MEDIUM
Description:
Recuva Installer
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3532.21531\rcsetup153.exe
c:\windows\system32\ntdll.dll
PID:
2864
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3532.22156\rcsetup153.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa3532.22156\rcsetup153.exe
Parent process:
WinRAR.exe
User:
admin
Company:
Piriform Ltd
Integrity Level:
MEDIUM
Description:
Recuva Installer
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3532.22156\rcsetup153.exe
c:\windows\system32\ntdll.dll
PID:
2900
CMD:
ping -n 1 -w 1000 www.piriform.com
Path:
C:\Windows\System32\PING.EXE
Parent process:
ns356.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID:
3068
CMD:
"C:\Users\admin\AppData\Local\Temp\nsn171B.tmp\ns1AC6.tmp" ping -n 1 -w 1000 www.piriform.com
Path:
C:\Users\admin\AppData\Local\Temp\nsn171B.tmp\ns1AC6.tmp
Parent process:
rcsetup153.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nsn171b.tmp\ns1ac6.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
21 683
Read events
21 442
Write events
215
Delete events
26

Modification events

(PID) Process: (3532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3532) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Piriform.Recuva.Professional.v1.53.1087-SeuPirate.7z

(PID) Process: (3532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3532) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
161
Suspicious files
8
Text files
11
Unknown types
4

Dropped files

PID
Process
Filename
Type
PID: 2348
Process: rcsetup153.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsjFED1.tmp\ui\res\Montserrat-Regular.otf
Type: otf
MD5:27E50FFD6A14CBC8221C9DBD3B5208DC
SHA256:40FC1142200A5C1C18F80B6915257083C528C7F7FD2B00A552AEEBC42898D428
PID: 3532
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3532.21531\rcsetup153.exe
Type: executable
MD5:264474AE9B9FD039AC0C113F88F7BD2D
SHA256:75155568D64E958D8003F9FBB36839FC9A53BFAB3B51A8A1106A78E5BE98B2E9
PID: 3532
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3532.21531\Install Notes.txt
Type: text
MD5:5BFD02FD05FB43F4E8D036E34913B818
SHA256:B7CC4DD117CF834D09974257BE54776A4BF9FE9E713BC18C48514738A6BBBD97
PID: 3532
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3532.21531\Lic. File\recuva.dat
Type: binary
MD5:5B7084354FB28EC3CF45AF803356EF2D
SHA256:5E86174EC5718A07F5D902E26EF82690E1B42CA63A923F24FAF9988BA3CCFF05
PID: 2348
Process: rcsetup153.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsjFED1.tmp\ui\res\Recuva_Logo_72px.png
Type: image
MD5:6A2E01749E591A1CE8216DAED41B8721
SHA256:F72782600989EFF0AA13FF7C63875538C9042C32B77862475C899514F61C9290
PID: 2348
Process: rcsetup153.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsjFED1.tmp\ui\res\lang-1031.dll
Type: executable
MD5:9AACC044FD82F2FFD928403E86F70C35
SHA256:6FD3123FD744501963F2A62882980191A1536821A9337743B675E09AD305C204
PID: 2348
Process: rcsetup153.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsjFED1.tmp\ui\res\PF_logo.png
Type: image
MD5:079CCA30760CCA3C01863B6B96E87848
SHA256:8DD37D3721E25C32C5BF878B6DBA9E61D04B7CE8AEC45BDF703A41BC41802DFA
PID: 2348
Process: rcsetup153.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsjFED1.tmp\ui\res\lang-1053.dll
Type: executable
MD5:C3342340A06835137C924243D6413F22
SHA256:78A0EF63231D367794C70F6F92F9E8B662BFD40D00FF483DEE134C893975B0C6
PID: 2348
Process: rcsetup153.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsjFED1.tmp\ui\res\lang-1049.dll
Type: executable
MD5:7708720586A057A4431C499848471FEA
SHA256:D04B6A6FD264A308A706AA2A6915CC5A48BA51FA96A53DB3687E93B4EACE58D1
PID: 2348
Process: rcsetup153.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsjFED1.tmp\g\gtapi_signed.dll
Type: executable
MD5:61BC40D1FAD9E0FAA9A07219B90BA0E4
SHA256:89E157A4F61D7D18180CB7F901C0095DA3B7A5CC5A9FD58D710099E5F0EE505A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
18
DNS requests
10
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
932
rcsetup153.exe
GET
302
23.45.96.145:80
http://service.piriform.com/installcheck.aspx?p=2&v=1.53.1087&vx=&l=1033&b=1&o=6.1W3&g=0&i=1&a=0&c=0&d=0&e=0&n=rcsetup153.exe&id=003
unknown
unknown
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1372
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
932
rcsetup153.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
unknown
unknown
4044
recuva.exe
GET
302
23.45.96.145:80
http://www.piriform.com/auto?p=rc&v=1.53.1087&l=1033&a=0
unknown
unknown
4044
recuva.exe
GET
301
23.206.209.82:80
http://www.ccleaner.com/auto?p=rc&v=1.53.1087&l=1033&a=0
unknown
unknown
1060
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?60bcd71e49d094b3
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1060
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2348
rcsetup153.exe
23.45.96.145:443
www.piriform.com
AKAMAI-AS
DE
unknown
932
rcsetup153.exe
23.45.96.145:443
www.piriform.com
AKAMAI-AS
DE
unknown
1372
svchost.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown
1372
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
932
rcsetup153.exe
23.45.96.145:80
www.piriform.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
www.piriform.com
  • 23.45.96.145
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
service.piriform.com
  • 23.45.96.145
whitelisted
license.piriform.com
  • 23.45.96.145
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.ccleaner.com
  • 23.206.209.82
whitelisted

Threats

PID
Process
Class
Message
4044
recuva.exe
Misc activity
ET POLICY Recuva File Recovery Software - Observed User-Agent
4044
recuva.exe
Misc activity
ET POLICY Recuva File Recovery Software - Observed User-Agent
No debug info