File name: Patch.zip

Full analysis: https://app.any.run/tasks/d6ece6e8-9c1d-44de-872b-b6f3b5c47cd8
Verdict: Malicious activity
Analysis date: May 13, 2024, 09:41:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: D4A5B3808DB594C90DF43A3273FB4E7E
SHA1: E5A5CDCCFDDF24D996615DF9F37EB6542B0F288F
SHA256: 26E4FD0399AC0B4C7E316098FC9C40D56C0CDBAF6E7739672AE2F4BA2C802184
SSDEEP: 3072:Krtvj7IHXm+rqatDCdgO2ml5gXbXKVxwARgBco1o/2Amo7PBSdg:WvvAXm+GaA4Y5gLXKIARKoOboVSdg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • nitro.pro.14.5.x.enterprise.(x64)-patch.exe (PID: 328)
      • WinRAR.exe (PID: 3972)
      • nitro.pro.14.5.x.enterprise.(x86)-patch.exe (PID: 1944)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • nitro.pro.14.5.x.enterprise.(x86)-patch.exe (PID: 1944)
      • nitro.pro.14.5.x.enterprise.(x64)-patch.exe (PID: 328)
    • Creates a file in the system drive root

      • nitro.pro.14.5.x.enterprise.(x86)-patch.exe (PID: 1944)
  • INFO

    • Creates files in a temporary directory

      • nitro.pro.14.5.x.enterprise.(x64)-patch.exe (PID: 328)
      • nitro.pro.14.5.x.enterprise.(x86)-patch.exe (PID: 1944)
    • Checks supported languages

      • nitro.pro.14.5.x.enterprise.(x64)-patch.exe (PID: 328)
      • nitro.pro.14.5.x.enterprise.(x86)-patch.exe (PID: 1944)
    • Reads the computer name

      • nitro.pro.14.5.x.enterprise.(x64)-patch.exe (PID: 328)
      • nitro.pro.14.5.x.enterprise.(x86)-patch.exe (PID: 1944)
    • Manual execution by a user

      • nitro.pro.14.5.x.enterprise.(x64)-patch.exe (PID: 1024)
      • nitro.pro.14.5.x.enterprise.(x64)-patch.exe (PID: 328)
      • nitro.pro.14.5.x.enterprise.(x86)-patch.exe (PID: 1236)
      • nitro.pro.14.5.x.enterprise.(x86)-patch.exe (PID: 1944)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3972)
    • Reads the machine GUID from the registry

      • nitro.pro.14.5.x.enterprise.(x64)-patch.exe (PID: 328)
      • nitro.pro.14.5.x.enterprise.(x86)-patch.exe (PID: 1944)
No malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2023:07:14 15:56:32
ZipCRC: 0x90954249
ZipCompressedSize: 59476
ZipUncompressedSize: 62976
ZipFileName: nitro.pro.14.5.x.enterprise.(x64)-patch.exe
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Processes shown in the graph (from start):
  • winrar.exe
  • nitro.pro.14.5.x.enterprise.(x64)-patch.exe (no specs)
  • nitro.pro.14.5.x.enterprise.(x64)-patch.exe
  • nitro.pro.14.5.x.enterprise.(x86)-patch.exe (no specs)
  • nitro.pro.14.5.x.enterprise.(x86)-patch.exe

Process information

PID: 328
CMD: "C:\Users\admin\Desktop\nitro.pro.14.5.x.enterprise.(x64)-patch.exe"
Path: C:\Users\admin\Desktop\nitro.pro.14.5.x.enterprise.(x64)-patch.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\nitro.pro.14.5.x.enterprise.(x64)-patch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\dup2patcher.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 1024
CMD: "C:\Users\admin\Desktop\nitro.pro.14.5.x.enterprise.(x64)-patch.exe"
Path: C:\Users\admin\Desktop\nitro.pro.14.5.x.enterprise.(x64)-patch.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch failed, and the same binary was then run elevated as PID 328)
Modules (images):
c:\users\admin\desktop\nitro.pro.14.5.x.enterprise.(x64)-patch.exe
c:\windows\system32\ntdll.dll

PID: 1236
CMD: "C:\Users\admin\Desktop\nitro.pro.14.5.x.enterprise.(x86)-patch.exe"
Path: C:\Users\admin\Desktop\nitro.pro.14.5.x.enterprise.(x86)-patch.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch failed, and the same binary was then run elevated as PID 1944)
Modules (images):
c:\users\admin\desktop\nitro.pro.14.5.x.enterprise.(x86)-patch.exe
c:\windows\system32\ntdll.dll

PID: 1944
CMD: "C:\Users\admin\Desktop\nitro.pro.14.5.x.enterprise.(x86)-patch.exe"
Path: C:\Users\admin\Desktop\nitro.pro.14.5.x.enterprise.(x86)-patch.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\nitro.pro.14.5.x.enterprise.(x86)-patch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\dup2patcher.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 3972
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Patch.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 24 194
Read events: 23 807
Write events: 369
Delete events: 18

Modification events

PID 3972 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
PID 3972 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
PID 3972 (WinRAR.exe) | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
PID 3972 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\phacker.zip
PID 3972 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
PID 3972 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
PID 3972 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\Patch.zip
PID 3972 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 3972 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 3972 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Executable files: 4
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 3972 (WinRAR.exe) | File: C:\Users\admin\Desktop\nitro.pro.14.5.x.enterprise.(x64)-patch.exe | Type: executable
  MD5: F7007C250CFF3DFEEEA4467E0CF916CB
  SHA256: 107D1F6CAB03E59229CA6951CC1FA29B3900115A2805A5A599B24CC48E7BA7AF
PID 328 (nitro.pro.14.5.x.enterprise.(x64)-patch.exe) | File: C:\Users\admin\AppData\Local\Temp\dup2patcher.dll | Type: executable
  MD5: CFFAA69BA5217DA64920923306BF5BC6
  SHA256: 36487BA01F7303F58B92FC6C11AC1EAE662B1FCA08B69EB9E663642F9B4E1705
PID 1944 (nitro.pro.14.5.x.enterprise.(x86)-patch.exe) | File: C:\Users\admin\AppData\Local\Temp\dup2patcher.dll | Type: executable
  MD5: 6A9E74E6ACFAE8C586EC71A47BA81AB9
  SHA256: 8BFB39F6BAB1992F9AC838CF17319C4B77360596313B06618F9B17F79610B06F
PID 3972 (WinRAR.exe) | File: C:\Users\admin\Desktop\nitro.pro.14.5.x.enterprise.(x86)-patch.exe | Type: executable
  MD5: 20CB76A75FAD711A4FBEF56DFEFA0B61
  SHA256: 521C4AE3603CFC6BE33B66EFAE343B6380A7D4BA41044071A46C67687EFD5BA2
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 4 (System) | IP: 192.168.100.255:138 | Reputation: whitelisted
PID 4 (System) | IP: 192.168.100.255:137 | Reputation: whitelisted
PID 1088 (svchost.exe) | IP: 224.0.0.252:5355 | Reputation: unknown
(Domain, ASN and CN columns are empty for all listed connections.)

DNS requests

No data

Threats

No threats detected
No debug info