File name: Win32.Bootkit.Lkf.rar
Full analysis: https://app.any.run/tasks/2d4b5831-1abe-4d43-a43c-f335002c68f7
Verdict: Malicious activity
Analysis date: January 14, 2022, 22:13:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: D33B2978F7F889DBF082CA25A35C1397
SHA1: E928A8A00AA7928C89D1344DE9E7A3ED101B012F
SHA256: 1F86982E8A7B4A58D5FD57278BC198D6B39E04CA95282BFFABA11C24EB89CBDA
SSDEEP: 12288:Ej8udgCq9BEL+11eFTlBI1kzk42XEWzqQV+N6iLshO6aXS8OX:nuWCq9Bn1OI1k16VzqQYMhO6aXHa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as-is for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • nc.exe (PID: 3120)
      • WinFlash.exe (PID: 2752)
  • SUSPICIOUS
    • Reads the computer name
      • WinRAR.exe (PID: 2164)
      • WinFlash.exe (PID: 2752)
    • Checks supported languages
      • WinRAR.exe (PID: 2164)
      • nc.exe (PID: 3120)
      • WinFlash.exe (PID: 2752)
    • Executes application which crashes
      • WinRAR.exe (PID: 2164)
    • Drops a file that was compiled in debug mode
      • WinRAR.exe (PID: 2164)
    • Drops a file with too old compile date
      • WinRAR.exe (PID: 2164)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 2164)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2164)
    • Reads default file associations for system extensions
      • WinRAR.exe (PID: 2164)
      • WinFlash.exe (PID: 2752)
  • INFO
    • Checks supported languages
      • ntvdm.exe (PID: 2332)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 39
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 1

Behavior graph (interactive in the full report). Nodes: winrar.exe, nc.exe (no specs), ntvdm.exe (no specs), winflash.exe (no specs). Edge labels: drop and start, drop and start, start.

Process information

PID: 2164
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Win32.Bootkit.Lkf.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 3120
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\????\nc.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\????\nc.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT)

PID: 2332
CMD: "C:\Windows\system32\ntvdm.exe" -i1
Path: C:\Windows\system32\ntvdm.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: NTVDM.EXE
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2752
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\????\WinFlash\WinFlash.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.8034\LkfBiosRootkit\????\WinFlash\WinFlash.exe
Parent process: WinRAR.exe
User: admin
Company: Phoenix Technologies Ltd.
Integrity Level: MEDIUM
Description: WinFlash MFC ????
Exit code: 0
Version: 1.74
Total events: 2 612
Read events: 2 559
Write events: 52
Delete events: 1

Modification events

(PID) Process: (2164) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

(PID) Process: (2164) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

(PID) Process: (2164) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2164) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2164) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2164) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Win32.Bootkit.Lkf.rar

(PID) Process: (2164) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2164) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2164) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2164) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Executable files: 21
Suspicious files: 0
Text files: 23
Unknown types: 0

Dropped files

PID: 2164 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\Source\romtools.exe
MD5: 567B5D7F12481CE7F1DFF2D52EB6FFD7
SHA256: 315BB1E2EC52F333DC018FA5BCE58E4FE7D116001704976F81292EE976A06B9C

PID: 2164 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\Source\romtools.exe
MD5: 567B5D7F12481CE7F1DFF2D52EB6FFD7
SHA256: 315BB1E2EC52F333DC018FA5BCE58E4FE7D116001704976F81292EE976A06B9C

PID: 2164 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\????.txt
MD5: 567A30AE576FF45E5B98DD5CDB3A7E9F
SHA256: B3A415503032AB7B14C36BB07DAB52FCFB1FF4A5325F5EB37B819E8B0606FA93

PID: 2164 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\????\nc.exe
MD5: F3110E27F8CCF98121129339C612F493
SHA256: 21E7FC81C94D79BBEA6BBED73FBA2E4CE0BA14574B29EFED8C54C3FFB370CF60

PID: 2164 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\????\??.txt
MD5: B126410267F9B837DD776EE8A3CA0226
SHA256: 8AAD585BDB0B1D74C0C1F08042D6B72B4A61D6D0ABA61C07276EEFBAF2B5E48D

PID: 2164 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\Source\??.bat
MD5: D9D8CA1F6D2E7235FF6891770CA879CD
SHA256: 21282096AC83CD667D08DBEA96A01E5B47FD9C13E9EDF8D84BD0DDA20863FA77

PID: 2164 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\Source\ML.EXE
MD5: 0A05C3EAE7888A2F01330862EEEA7EFD
SHA256: 94595B9CCC09DBCAF6B877AA11A35576F78DE2AB0EB39546ABFDE430B79DCE2F

PID: 2164 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\Source\link.exe
MD5: 706E1856D28B963911306168C4744844
SHA256: 2B5236E3F6198A5C4CEBEC02178786CDCEA423F9B6B9823D538A1838E65F045C

PID: 2164 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7153\LkfBiosRootkit\Source\cmd.bat
MD5: 45E0EDACA8702E6E90D1D98CF3647D5F
SHA256: 7371F071A9A4E653A5AFD134BCE9C735EF74B0421D6988958E5C6D8A34FEAA3B

PID: 2164 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2164.7630\LkfBiosRootkit\????\??.txt
MD5: B126410267F9B837DD776EE8A3CA0226
SHA256: 8AAD585BDB0B1D74C0C1F08042D6B72B4A61D6D0ABA61C07276EEFBAF2B5E48D
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests
Connections: No data
DNS requests: No data
Threats: No threats detected
Debug info: No debug info