File name: 1919451179989524203815663507076221655987993950541226219603864.tgz
Full analysis: https://app.any.run/tasks/96e66c11-fe78-42e1-8c71-248c15a0a089
Verdict: Malicious activity
Analysis date: October 04, 2022, 20:55:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: A99F49888E1F11DCC28433A74F662EEA
SHA1: D93AD8F049D0461D47A95975D6B3D251E3DE6C96
SHA256: 2784876DF9372689EC7B8EF76ABE78F3BC1B9CC6BE3657318CAD346C681D4490
SSDEEP: 3072:xLQft8XmpfEt1wjSbTbihBF7buQ37nZuxanL27YTHESNuKw2V6u9BNMY:xsfGD5zihBTbcAL27YjRwK6sNMY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • WinRAR.exe (PID: 3044)
      • 1919451179989524203815663507076221655987993950541226219603864.exe (PID: 3800)
    • Application was dropped or rewritten from another process
      • 1919451179989524203815663507076221655987993950541226219603864.exe (PID: 2604)
      • 1919451179989524203815663507076221655987993950541226219603864.exe (PID: 3800)
    • Loads dropped or rewritten executable
      • 1919451179989524203815663507076221655987993950541226219603864.exe (PID: 3800)
  • SUSPICIOUS
    • Reads the computer name
      • WinRAR.exe (PID: 3044)
      • 1919451179989524203815663507076221655987993950541226219603864.exe (PID: 3800)
      • 1919451179989524203815663507076221655987993950541226219603864.exe (PID: 2604)
    • Checks supported languages
      • 1919451179989524203815663507076221655987993950541226219603864.exe (PID: 3800)
      • WinRAR.exe (PID: 3044)
      • 1919451179989524203815663507076221655987993950541226219603864.exe (PID: 2604)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 3044)
      • 1919451179989524203815663507076221655987993950541226219603864.exe (PID: 3800)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3044)
      • 1919451179989524203815663507076221655987993950541226219603864.exe (PID: 3800)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 37
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Nodes: winrar.exe, 1919451179989524203815663507076221655987993950541226219603864.exe, 1919451179989524203815663507076221655987993950541226219603864.exe
Edge labels: drop and start, drop and start, start

Process information

PID: 3044
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1919451179989524203815663507076221655987993950541226219603864.tgz.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 3800
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3044.12311\1919451179989524203815663507076221655987993950541226219603864.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3044.12311\1919451179989524203815663507076221655987993950541226219603864.exe
Parent process: WinRAR.exe
User: admin
Company: Bundedes
Integrity Level: MEDIUM
Description: Coalyards Olenellidian

PID: 2604
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3044.13247\1919451179989524203815663507076221655987993950541226219603864.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3044.13247\1919451179989524203815663507076221655987993950541226219603864.exe
Parent process: WinRAR.exe
User: admin
Company: Bundedes
Integrity Level: MEDIUM
Description: Coalyards Olenellidian
Exit code: 3221225725
Total events: 7 382
Read events: 7 364
Write events: 18
Delete events: 0

Modification events

(PID) Process: (3044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3044) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (3044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\1919451179989524203815663507076221655987993950541226219603864.tgz.rar

(PID) Process: (3044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3044) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files: 3
Suspicious files: 1
Text files: 5
Unknown types: 0

Dropped files

PID: 3800
Process: 1919451179989524203815663507076221655987993950541226219603864.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Skaktposens\plaprende\Edb\Recognosce\Cancion\ArtDeco_brown_5.bmp
Type: image
MD5: 3C7CC468A86B752025F90B9EF685F544
SHA256: A371136AECA79D1B2CF0D080401B2D47CFFA85465088165B6D812C6E11EAF0B7

PID: 3800
Process: 1919451179989524203815663507076221655987993950541226219603864.exe
Filename: C:\Users\admin\Documents\Paaskrifternes.ini
Type: text
MD5: 40BD3ADBCA2286457EC18969C19365A1
SHA256: 1FABFD0D19397D5BB9FB75DB475F5F38AE3694D766184FE8C12740F28EDBE522

PID: 3044
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3044.12311\1919451179989524203815663507076221655987993950541226219603864.exe
Type: executable
MD5: C196A9B402DDA0B7AE123228065BDE55
SHA256: 01E6C6D762A076E4AC8660020D74DC6B0F2B02D84EE2D0F32AF30A544D34AC26

PID: 3044
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3044.13247\1919451179989524203815663507076221655987993950541226219603864.exe
Type: executable
MD5: C196A9B402DDA0B7AE123228065BDE55
SHA256: 01E6C6D762A076E4AC8660020D74DC6B0F2B02D84EE2D0F32AF30A544D34AC26

PID: 3800
Process: 1919451179989524203815663507076221655987993950541226219603864.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Skaktposens\plaprende\Edb\Ule\Misdepart\Gastroenterostomies.Cua
Type: binary
MD5: 9071364866B7D04F10153B4EDE6CE39C
SHA256: D7E09FDD479481B0620C7D0E7111780A7DB452F08EBAED0297BC4F4103A550F1

PID: 3800
Process: 1919451179989524203815663507076221655987993950541226219603864.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Skaktposens\plaprende\Edb\Flaadeofficerernes\surreverence.Van
Type: text
MD5: 7BB5573ECF50315E121800E98BE3798F
SHA256: 77A93FFC560918986539DA039D5A227F48904710DECF1DFD647E29F761EE42C2

PID: 3800
Process: 1919451179989524203815663507076221655987993950541226219603864.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsr67E6.tmp\System.dll
Type: executable
MD5: 17ED1C86BD67E78ADE4712BE48A7D2BD
SHA256: BD046E6497B304E4EA4AB102CAB2B1F94CE09BDE0EEBBA4C59942A732679E4EB

PID: 3800
Process: 1919451179989524203815663507076221655987993950541226219603864.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Skaktposens\plaprende\Edb\Flaadeofficerernes\weather-few-clouds-symbolic.svg
Type: image
MD5: 3AF5AFFF134750B10F9B491591A8F7A2
SHA256: E5EC423B37F0BF203CEB9B8E3DA6A7F1F3491A15C732B3CA58E38C0503FC14DA

PID: 3800
Process: 1919451179989524203815663507076221655987993950541226219603864.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Skaktposens\plaprende\Edb\Flaadeofficerernes\network-wireless-signal-weak-symbolic.symbolic.png
Type: image
MD5: 7A40E03256D60C255FDDE6F773C03344
SHA256: 4E771A48955E294B17A13C339DFF4154A67CE84A7C52BCCF6FE56EEAEEC392DC
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 1600
Process: WerFault.exe
IP: 20.189.173.20:443
Domain: watson.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: suspicious

DNS requests

Domain: watson.microsoft.com
IP: 20.189.173.20
Reputation: whitelisted

Threats

No threats detected
No debug info