File name: 208cdaeb25eb64fcb985c1d14d6ed693a0b2bfa7821ec3ec494f7c0c32eda8a0
Full analysis: https://app.any.run/tasks/d9f63539-e7ff-4550-bbeb-f98d07e30d09
Verdict: Malicious activity
Analysis date: March 21, 2019, 15:23:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 76289F02A0B31143D87D5E35839FB24A
SHA1: 46DA3A895DDD61507ECD3E8FA03EF212CE17E5E1
SHA256: 208CDAEB25EB64FCB985C1D14D6ED693A0B2BFA7821EC3EC494F7C0C32EDA8A0
SSDEEP: 3072:cd52pb77M230VwZtW2Y0N3y/FAsqbtC+O0UdTrqrjKzJ6:cdC7gNR2w/tSot1xq86

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • Thu moi tham du hoi nghi tai toan quoc. Cong hoa xa hoi chu nghia Viet Nam. Doc lap tu do hanh phuc.exe (PID: 2120)
      • SearchProtocolHost.exe (PID: 3588)
      • explorer.exe (PID: 1696)
    • Application was dropped or rewritten from another process

      • Thu moi tham du hoi nghi tai toan quoc. Cong hoa xa hoi chu nghia Viet Nam. Doc lap tu do hanh phuc.exe (PID: 2120)
      • persis32.exe (PID: 2824)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 1960)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2348)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • explorer.exe (PID: 1696)
    • Starts Microsoft Office Application

      • Thu moi tham du hoi nghi tai toan quoc. Cong hoa xa hoi chu nghia Viet Nam. Doc lap tu do hanh phuc.exe (PID: 2120)
    • Executable content was dropped or overwritten

      • Thu moi tham du hoi nghi tai toan quoc. Cong hoa xa hoi chu nghia Viet Nam. Doc lap tu do hanh phuc.exe (PID: 2120)
      • persis32.exe (PID: 2824)
      • WinRAR.exe (PID: 516)
    • Creates files in the user directory

      • explorer.exe (PID: 1696)
    • Creates files in the program directory

      • Thu moi tham du hoi nghi tai toan quoc. Cong hoa xa hoi chu nghia Viet Nam. Doc lap tu do hanh phuc.exe (PID: 2120)
    • Starts CMD.EXE for commands execution

      • Thu moi tham du hoi nghi tai toan quoc. Cong hoa xa hoi chu nghia Viet Nam. Doc lap tu do hanh phuc.exe (PID: 2120)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1576)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 1576)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: Thu moi 2019\Thu moi tham du hoi nghi tai toan quoc. Cong hoa xa hoi chu nghia Viet Nam. Doc lap tu do hanh phuc.exe
PackingMethod: Normal
ModifyDate: 2018:03:29 02:47:06
OperatingSystem: Win32
UncompressedSize: 347432
CompressedSize: 117253
No data.
Total processes: 41
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph, in the order shown (labels as given in the report): winrar.exe; searchprotocolhost.exe (no specs); thu moi tham du hoi nghi tai toan quoc. cong hoa xa hoi chu nghia viet nam. doc lap tu do hanh phuc.exe; winword.exe (no specs); cmd.exe (no specs); persis32.exe; cmd.exe (no specs); schtasks.exe (no specs); explorer.exe (no specs)

Process information

PID: 516
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\208cdaeb25eb64fcb985c1d14d6ed693a0b2bfa7821ec3ec494f7c0c32eda8a0.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3588
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 2120
CMD: "C:\Users\admin\Desktop\Thu moi 2019\Thu moi tham du hoi nghi tai toan quoc. Cong hoa xa hoi chu nghia Viet Nam. Doc lap tu do hanh phuc.exe"
Path: C:\Users\admin\Desktop\Thu moi 2019\Thu moi tham du hoi nghi tai toan quoc. Cong hoa xa hoi chu nghia Viet Nam. Doc lap tu do hanh phuc.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Office Word
Version: 12.0.4518.1014

PID: 1576
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Document.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: Thu moi tham du hoi nghi tai toan quoc. Cong hoa xa hoi chu nghia Viet Nam. Doc lap tu do hanh phuc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 2708
CMD: C:\Windows\system32\cmd.exe /C c:\programdata\word\persis32.exe c:\programdata\word\word.exe
Path: C:\Windows\system32\cmd.exe
Parent process: Thu moi tham du hoi nghi tai toan quoc. Cong hoa xa hoi chu nghia Viet Nam. Doc lap tu do hanh phuc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 15
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2824
CMD: c:\programdata\word\persis32.exe c:\programdata\word\word.exe
Path: c:\programdata\word\persis32.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 15

PID: 1960
CMD: C:\Windows\system32\cmd.exe /C schtasks /create /sc MINUTE /tn "timesyn" /tr "c:\programdata\word\word.exe" /mo 60 /F
Path: C:\Windows\system32\cmd.exe
Parent process: Thu moi tham du hoi nghi tai toan quoc. Cong hoa xa hoi chu nghia Viet Nam. Doc lap tu do hanh phuc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2348
CMD: schtasks /create /sc MINUTE /tn "timesyn" /tr "c:\programdata\word\word.exe" /mo 60 /F
Path: C:\Windows\system32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1696
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
Parent process:
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 4 486
Read events: 3 751
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 6
Suspicious files: 2
Text files: 2
Unknown types: 6

Dropped files

PID: 1696
Process: explorer.exe
Filename: C:\Users\admin\Desktop\Thu moi 2019
Type:
MD5:
SHA256:

PID: 1576
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRD633.tmp.cvr
Type:
MD5:
SHA256:

PID: 1576
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C7F6F715-1279-45A6-B69C-4705DBF42FA8}.tmp
Type:
MD5:
SHA256:

PID: 1576
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0B7154F0-3C05-4E5A-A29D-C5984DF81B43}.tmp
Type:
MD5:
SHA256:

PID: 1696
Process: explorer.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-ms
Type: automaticdestinations-ms
MD5: E21DD88F520325A805D680B9E4BF111C
SHA256: FA1FB9E3FD463D820DB29A80AC4C011BB61F1D5765D4C85B75BB574F81B063C1

PID: 2824
Process: persis32.exe
Filename: C:\Users\admin\AppData\Local\Error\ErrorLog.txt
Type: text
MD5: 6969DC0C42AF030FA25676BC132417C2
SHA256: F22C2401A32D13F950ED003A69D82B10497F7E114DC58ADC333596013523F774

PID: 1576
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$cument.doc
Type: pgc
MD5: DC27B60C9A14C98CD28B88213A7037E7
SHA256: 667F5026CEA74F165418F8701BDFD6B26BB16D6D6508A6E013CB8E837B07FA16

PID: 1696
Process: explorer.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\208cdaeb25eb64fcb985c1d14d6ed693a0b2bfa7821ec3ec494f7c0c32eda8a0.rar.lnk
Type: lnk
MD5: DDFF8BEE779A9989AE16DCF2D48F7E35
SHA256: 6B0F5C2E80E93033D585210ADBE78212BDB8349CABD72D9E6015F6FA2563EF73

PID: 2824
Process: persis32.exe
Filename: C:\Users\admin\AppData\Local\Error\Error.png
Type: executable
MD5: B4041B514C7B415EC0C71EA6DAEE0B90
SHA256: B8562E98AA902C137D285FDD97068BF69F0E8B4357D2AE71690853154A5546DB

PID: 1576
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 125CA83F35E2B2E411EF88D1CEB9BCB1
SHA256: 92F2401FDCE6F8CAFCB378ABA4C61C518D0A3A87B2D45F9EF73873C2DD744D2F
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 2120
Process: Thu moi tham du hoi nghi tai toan quoc. Cong hoa xa hoi chu nghia Viet Nam. Doc lap tu do hanh phuc.exe
IP: 66.85.157.73:443
Domain: trust.zapto.org
ASN: SECURED SERVERS LLC
CN: US
Reputation: unknown

DNS requests

Domain: trust.zapto.org
IP: 66.85.157.73
Reputation: unknown

Threats

PID: 2120
Process: Thu moi tham du hoi nghi tai toan quoc. Cong hoa xa hoi chu nghia Viet Nam. Doc lap tu do hanh phuc.exe
Class: Generic Protocol Command Decode
Message: SURICATA STREAM excessive retransmissions
No debug info