File name: Stf64.rar

Full analysis: https://app.any.run/tasks/10c481f0-7193-40ee-8799-b0f862ab09cc
Verdict: Malicious activity
Analysis date: February 22, 2020, 02:42:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 187649348720074F3250F9421147F221
SHA1: 4D9328593A30896E32EAD8E08FE5BBBC0242193C
SHA256: 2A0CD6ACF88E0AB539CFB7324CEF294612ACBDFAA6738825648F6C4EDAC5A00D
SSDEEP: 196608:3s7ATYajR0zGu43cmDlfA+epN/7nNf4qc733ucGc/qCL5e3b9JjwgQhCV+:cVajwHBslfzgN2qi33zip3Dwz1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Setup.exe (PID: 968)
      • Setup.exe (PID: 2720)
      • Setup.exe (PID: 4056)
      • irsetup.exe (PID: 3484)
      • Setup.exe (PID: 2108)
      • irsetup.exe (PID: 2380)
      • GetMachineSID.exe (PID: 2796)
      • GetMachineSID.exe (PID: 3616)
    • Loads dropped or rewritten executable

      • irsetup.exe (PID: 3484)
      • irsetup.exe (PID: 2380)
    • Connects to CnC server

      • irsetup.exe (PID: 2380)
      • irsetup.exe (PID: 3484)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Setup.exe (PID: 2720)
      • irsetup.exe (PID: 3484)
      • Setup.exe (PID: 2108)
      • irsetup.exe (PID: 2380)
    • Uses REG.EXE to modify Windows registry

      • irsetup.exe (PID: 3484)
      • irsetup.exe (PID: 2380)
    • Reads Internet Cache Settings

      • irsetup.exe (PID: 3484)
      • irsetup.exe (PID: 2380)
  • INFO

    • Manual execution by user

      • Setup.exe (PID: 2720)
      • Setup.exe (PID: 968)
      • Setup.exe (PID: 4056)
      • Setup.exe (PID: 2108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD:
.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF (ZIP):
CompressedSize: 12014266
UncompressedSize: 12709888
OperatingSystem: Win32
ModifyDate: 2018:06:13 21:35:01
PackingMethod: Normal
ArchivedFileName: Setup.exe
No data.
All screenshots are available in the full report
Total processes: 53
Monitored processes: 11
Malicious processes: 4
Suspicious processes: 0

Behavior graph (interactive graph not reproduced; nodes in order): winrar.exe, setup.exe, setup.exe, setup.exe, irsetup.exe, setup.exe, getmachinesid.exe, irsetup.exe, reg.exe, getmachinesid.exe, reg.exe

Process information

PID: 3804
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Stf64.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 968
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Setup Application
Exit code: 3221226540
Version: 9.5.1.0

PID: 2720
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Setup Application
Version: 9.5.1.0

PID: 4056
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Setup Application
Exit code: 3221226540
Version: 9.5.1.0

PID: 3484
CMD: "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1954746 "__IRAFN:C:\Users\admin\Desktop\Setup.exe" "__IRCT:3" "__IRTSS:12702823" "__IRSID:S-1-5-21-1302019708-1500728564-335382590-1000"
Path: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Parent process: Setup.exe
User: admin
Company: Indigo Rose Corporation
Integrity Level: HIGH
Description: Setup Application
Version: 9.5.1.0

PID: 2108
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Setup Application
Version: 9.5.1.0

PID: 2796
CMD: "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
Path: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
Parent process: irsetup.exe
User: admin
Company: Stardock Software, Inc
Integrity Level: HIGH
Description: Installer Helper
Exit code: 0
Version: 1.0.0.1

PID: 2380
CMD: "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" __IRAOFF:1954746 "__IRAFN:C:\Users\admin\Desktop\Setup.exe" "__IRCT:3" "__IRTSS:12702823" "__IRSID:S-1-5-21-1302019708-1500728564-335382590-1000"
Path: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Parent process: Setup.exe
User: admin
Company: Indigo Rose Corporation
Integrity Level: HIGH
Description: Setup Application
Version: 9.5.1.0

PID: 3272
CMD: "C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\admin\AppData\Local\Temp\registry_export.txt /y
Path: C:\Windows\system32\reg.exe
Parent process: irsetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3616
CMD: "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_1\GetMachineSID.exe" C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_1\GetMachineSID.tmp
Path: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_1\GetMachineSID.exe
Parent process: irsetup.exe
User: admin
Company: Stardock Software, Inc
Integrity Level: HIGH
Description: Installer Helper
Exit code: 0
Version: 1.0.0.1
Total events: 1 848
Read events: 1 808
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 10
Suspicious files: 0
Text files: 24
Unknown types: 0

Dropped files

PID: 3804 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3804.40763\Setup.exe
MD5:
SHA256:

PID: 3804 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3804.41147\Patch.exe
MD5:
SHA256:

PID: 3484 | Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat
MD5:
SHA256:

PID: 2380 | Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat
MD5:
SHA256:

PID: 3484 | Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\Stardock Fences 3 Setup Log.txt
Type: text
MD5: E6872EAE4E8C7A22848ED3B3C40CDB0D
SHA256: 60412AACDF4AD39A9A116968A9DAF666E2DFF633ABF77ECD2ED7BFFA2E00FA30

PID: 3484 | Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
Type: executable
MD5: 55BBF335F75F2A2FE0A5DAF603964D41
SHA256: 723ADAE0E69127A6BFBC65C5EF552A351264205EA5E2BC3B80E505FEAA5D0E43

PID: 3484 | Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG
Type: image
MD5: 3220A6AEFB4FC719CC8849F060859169
SHA256: 988CF422CBF400D41C48FBE491B425A827A1B70691F483679C1DF02FB9352765

PID: 3484 | Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\sdWebResults.xml
Type: text
MD5: 6E720E34570B9A35DE764D26A34EAF0B
SHA256: DA8EBCF517B241323C479DEED228B3D5FC974986BBA4FDE7501349D011E04E1D

PID: 2380 | Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\Stardock Fences 3 Setup Log.txt
Type: text
MD5: 07DB46616EBF745B7AE79636EEC679D6
SHA256: 7D4C752450D660E2B592D79D8398CC7248EE61E42B9510F0845036A41AF21074

PID: 2720 | Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Type: executable
MD5: E6E3893FB246EA2DE73A810A6ED56BBD
SHA256: AAD69BB56FCF5914086AE69ED32D85B421F1DF20977269F951ACE13F562B32B3
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2380 | irsetup.exe | POST | 200 | 66.79.209.82:80 | http://install.api.stardock.net/installer/Initialize/?format=xml | US | text | 735 b | whitelisted
3484 | irsetup.exe | POST | 200 | 66.79.209.82:80 | http://install.api.stardock.net/installer/Initialize/?format=xml | US | text | 735 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2380 | irsetup.exe | 66.79.209.82:80 | install.api.stardock.net | Telnet Worldwide, Inc. | US | malicious
3484 | irsetup.exe | 66.79.209.82:80 | install.api.stardock.net | Telnet Worldwide, Inc. | US | malicious

DNS requests

Domain | IP | Reputation
install.api.stardock.net | 66.79.209.82 | whitelisted

Threats

PID | Process | Class | Message
3484 | irsetup.exe | Misc activity | ADWARE [PTsecurity] Setup Factory Installer Checkin
2380 | irsetup.exe | Misc activity | ADWARE [PTsecurity] Setup Factory Installer Checkin
2 ETPRO signatures available at the full report
No debug info