analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PRIORITY046.iso

Full analysis: https://app.any.run/tasks/01a5abb3-7e2c-4af7-93c5-085695d845b0
Verdict: Malicious activity
Analysis date: January 17, 2020, 17:19:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: data
MD5:

5335B07834F567776263E73E03204CBF

SHA1:

765422CA5BDC1E9FC2775F3A2A426DED3B41AFAC

SHA256:

1D6B545EECEE6917EB29A9B7BF6F840BA2BDEC584E318A875B3A8F410B0F6D6A

SSDEEP:

24576:+NcBtkZXds9dbjqUL6cIl/DmbxL6xpAqYYTBZsssOEa3+oxfGzVDGm:ZekxL6rUxGxa+9Zs+zuuKdG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • D780978.scr (PID: 2968)
      • Mvqixew.exe (PID: 2612)

    • Changes the autorun value in the registry

      • Mvqixew.exe (PID: 2612)

    • Uses SVCHOST.EXE for hidden code execution

      • Mvqixew.exe (PID: 2612)

    • Uses Task Scheduler to run other applications

      • Mvqixew.exe (PID: 2612)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • Mvqixew.exe (PID: 2612)

    • Executable content was dropped or overwritten

      • D780978.scr (PID: 2968)
      • Mvqixew.exe (PID: 2612)
      • WinRAR.exe (PID: 1328)
      • cmd.exe (PID: 2492)

    • Starts application with an unusual extension

      • WinRAR.exe (PID: 1328)

    • Creates files in the Windows directory

      • cmd.exe (PID: 2492)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.atn | Photoshop Action (37.5)
.gmc | Game Music Creator Music (8.4)
.abr | Adobe PhotoShop Brush (7.5)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start winrar.exe d780978.scr mvqixew.exe cmd.exe tapiunattend.exe no specs schtasks.exe no specs sxstrace.exe no specs svchost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1328"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PRIORITY046.iso"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2968"C:\Users\admin\AppData\Local\Temp\Rar$DIa1328.11337\D780978.scr" /SC:\Users\admin\AppData\Local\Temp\Rar$DIa1328.11337\D780978.scr
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2612"C:\Users\admin\AppData\Local\Temp\Mvqic\Mvqixew.exe" C:\Users\admin\AppData\Local\Temp\Mvqic\Mvqixew.exe
D780978.scr
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2492cmd /c ""C:\Users\Public\Runex.bat" "C:\Windows\system32\cmd.exe
Mvqixew.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
216
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2388"C:\Windows\System32\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exeMvqixew.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Windows(TM) Telephony Unattend Action
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1904"C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exeMvqixew.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
324"C:\Windows\System32\sxstrace.exe"C:\Windows\System32\sxstrace.exeMvqixew.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Sxs Tracing Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2140"C:\Windows\System32\svchost.exe"C:\Windows\System32\svchost.exeMvqixew.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
838
Read events
813
Write events
0
Delete events
0

Modification events

No data
Executable files
9
Suspicious files
0
Text files
6
Unknown types
1

Dropped files

PID
Process
Filename
Type
2612Mvqixew.exeC:\Users\admin\AppData\Local\Mvqi\Mvqiimage
MD5:A28698D50C76DBAB0F7A681C65E26F23
SHA256:D9568928C44C0AD1F9A3A535AB0788FE9579382F63650FF848FC371D45D929F0
2968D780978.scrC:\Users\admin\AppData\Local\Temp\Mvqic\Mvqixew.exeexecutable
MD5:A79A308F79AB48FD5D98A050BF90D660
SHA256:B6B51BB65FB7B29115BBDA1AD2050FF0E0625AC0BF5DCF427ACF7B8F9C1A0048
1328WinRAR.exeC:\Users\admin\AppData\Local\Temp\D780978.screxecutable
MD5:46AD4C027AA691EBABE4459C5603E88D
SHA256:5607D38DA8FA43703945F27D8069F5262172A9A75F2F620A5EB8714E72190344
2612Mvqixew.exeC:\Users\admin\AppData\Local\Mvqi\Mvqioet.vbstext
MD5:9EE39BF2EA9758A2BBD46B78C2EEABF7
SHA256:04BB37529AD80771DB4ABD6DFDC195853FCB2D521855AD2C5CCEE360BDBC0625
2968D780978.scrC:\Users\admin\AppData\Local\Temp\Mvqic\Mvqiimage
MD5:A28698D50C76DBAB0F7A681C65E26F23
SHA256:D9568928C44C0AD1F9A3A535AB0788FE9579382F63650FF848FC371D45D929F0
1328WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa1328.11337\D780978.screxecutable
MD5:46AD4C027AA691EBABE4459C5603E88D
SHA256:5607D38DA8FA43703945F27D8069F5262172A9A75F2F620A5EB8714E72190344
2612Mvqixew.exeC:\Users\admin\AppData\Local\Mvqi\Mvqi_setko.htahtml
MD5:8B3D84B21460B4B760B7D554EBAD7237
SHA256:2FF90E88F2AEE2A61D37D88145153306891C0241902645A6EBF80FFBF1086A65
2612Mvqixew.exeC:\Users\Public\Clean.battext
MD5:7610BE4B8ECB523913B600F088F23DE6
SHA256:98ECA4F680E49E01FEF14FFEEF33E2F1A3BECB18E208F6E23E70B9F30BE66CDC
2492cmd.exeC:\Windows \System32\SSPICLI.dllexecutable
MD5:F7AECE04E3B3EA028EFE24508A95F7C8
SHA256:64C812B78B0085EB9D04B66E5872BDBACDC230B0C29A0BD13B71190F3E610DD0
2968D780978.scrC:\Users\admin\AppData\Local\Temp\Mvqic.lnklnk
MD5:3F3CA4DE6F6093B00A1AA8F00E37223D
SHA256:9279EEFD1FEFFBE0AA99C4C2E6A5417AD15EFA2C809BC01F6C0159B3FA642FB9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
PRIORITY046.iso