File name: Roro.Release.zip

Full analysis: https://app.any.run/tasks/aade89ab-1231-4025-a3ce-0e6cb7b18ac4
Verdict: Malicious activity
Analysis date: August 13, 2019, 17:30:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 96BBB5CD833AEEA76526F50FDC5C0218
SHA1: 33C290C4C1B5B2A8664FA70DD85CE710CA85BAF0
SHA256: 270BB225F7C7EA0506DF1CDFB0BAEFB9DA13354F97460456967F6110EE8DF770
SSDEEP: 98304:VHjpSsiCGLiFN0SaQ+l6PM5OFAu3SVP/V7XJbDJplz+aUcr/AtQ:VDpiC0gtHPMsStFJbt76aUcs+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Roro.exe (PID: 3584)
      • Roro.exe (PID: 3804)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 2680)
      • Roro.exe (PID: 3584)
      • Roro.exe (PID: 3804)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2072)
  • INFO
    • Manual execution by user
      • Roro.exe (PID: 3804)
      • Roro.exe (PID: 3584)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Roro.exe
ZipUncompressedSize: 12288
ZipCompressedSize: 5176
ZipCRC: 0x0cde7c2c
ZipModifyDate: 2018:05:29 04:00:27
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
Total processes: 36
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph: winrar.exe, searchprotocolhost.exe (no specs), roro.exe (no specs), roro.exe (no specs)

Process information

PID: 2072
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Roro.Release.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: none
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2680
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe13_ Global\UsGthrCtrlFltPipeMssGthrPipe13 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Indicators: none
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 3584
CMD: "C:\Users\admin\Desktop\Roro.exe"
Path: C:\Users\admin\Desktop\Roro.exe
Indicators: none
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Roro
Exit code: 0
Version: 1.0.0.0

PID: 3804
CMD: "C:\Users\admin\Desktop\Roro.exe"
Path: C:\Users\admin\Desktop\Roro.exe
Indicators: none
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Roro
Exit code: 0
Version: 1.0.0.0
Total events: 990
Read events: 944
Write events: 45
Delete events: 1

Modification events

(PID) Process: (2072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

(PID) Process: (2072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

(PID) Process: (2072) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Roro.Release.zip

(PID) Process: (2072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 0
Value: C:\Users\admin\Desktop

(PID) Process: (3584) Roro.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0
Executable files: 10
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 2072 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\Roro.Activities.dll
MD5: 49911AC614FDF22262CE4E23D6AFB87E
SHA256: CEF6437952AC57E55D4A545C94334B2D8071FCD432B06621D79A1E5EA8C766F7

PID: 2072 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\Roro.Activities.SharePoint.dll
MD5: 88DFF814F400987DCE0A5F6DF71B0479
SHA256: AEEF8D0FA07B2E77A74FA76E06F7434EBF1881EE8991E21C3FC31BBB6382F2C1

PID: 2072 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\Roro.Activities.Files.dll
MD5: 2D8F2BE439EEF00A5214C0A71B37FB85
SHA256: 3AF11603B347EE2294F834D45E77115A55DB455DB8D6F8402D2A975D815971E2

PID: 2072 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\Roro.Activities.Outlook.dll
MD5: 7C5A8147E84B7DFF804E968228F45331
SHA256: D4187A1A4011A1084D93F5D61CC94EAB2455B2043083C31F7AF3295E189C1113

PID: 2072 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\Roro.Activities.Cognitive.dll
MD5: B7FC452CC8578A6C80C15A664ABA0E56
SHA256: 2CB5C76252FF26382727F7B23C6E67D38293D97711A5D339FAD0CAA32A1944B1

PID: 2072 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\Roro.Activities.Apps.dll
MD5: A0C820EFEED34D7B67F31C49BDC3C782
SHA256: C5FC4B52B63A411DD8143642CDE11E74BFD6E8578820F9A4103075F9D41B9CD6

PID: 2072 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\Roro.Activities.Excel.dll
MD5: AD194D9841B50776FFBE1E9966772166
SHA256: 281175F619EA96B57007C0CEA6BC300AC947E8EEEFC2765650B5A9C7B863F443

PID: 2072 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\Roro.exe
MD5: BEC87E0A67520E718B5785C4B964A5CB
SHA256: 74A5B3D6B3654E99B2036BD367B8C05D00C77E21BEF137F4B79B2E9AADC9C479

PID: 2072 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\Desktop\LICENSE
MD5: FE99202DBF497FCE817EF60C4D3AD346
SHA256: 9E067058A6E2BFC882BBE3A40FC7E0E59B3FE3264F34A96DFF497C81A3C5A2B0

PID: 2072 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\Microsoft.SharePoint.Client.dll
MD5: 5BE04CE64C752D98D66BBE25F54E26C9
SHA256: F40C4D176F541EB6C1187252747A07634596FE7892C8A9740A1DAE8C123BAA3C
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info