| File name: | дллельки.7z |
| Full analysis: | https://app.any.run/tasks/c376462f-bdf8-48e3-be0d-84f24f9ccb58 |
| Verdict: | Malicious activity |
| Analysis date: | February 16, 2024, 15:10:34 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | 564F4605A2AE0F9D319CE571CCBA07EF |
| SHA1: | D006FA9FC3B530A763631CA4F10B6584673F6BA6 |
| SHA256: | 2CA2A42ACA31F2814CF397AD92CA3B2947F17E9D76B757F7779960C76CB19146 |
| SSDEEP: | 98304:xn6cghXPLpLfkHGyylDFju1Qt5VUoukxIqpb/CN+XsW0k1CpH6RA4yKUq/UIBYYG:xiLp5N1+h5vsOc7GAGi8lJ |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 2160)
Registers / Runs the DLL via REGSVR32.EXE
- cmd.exe (PID: 3936)
SUSPICIOUS
Reads the Internet Settings
- taskmgr.exe (PID: 2364)
Application launched itself
- taskmgr.exe (PID: 2364)
Uses TASKKILL.EXE to kill process
- cmd.exe (PID: 3936)
INFO
Reads the computer name
- wmpnscfg.exe (PID: 2572)
- wmpnscfg.exe (PID: 3616)
- wmpnscfg.exe (PID: 2468)
Manual execution by a user
- cmd.exe (PID: 3936)
- wmpnscfg.exe (PID: 2572)
- taskmgr.exe (PID: 2364)
- wmpnscfg.exe (PID: 3616)
- wmpnscfg.exe (PID: 2468)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 2160)
Checks supported languages
- wmpnscfg.exe (PID: 2572)
- wmpnscfg.exe (PID: 3616)
- wmpnscfg.exe (PID: 2468)
Reads security settings of Internet Explorer
- taskmgr.exe (PID: 2364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
|---|---|---|
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
Total processes
64
Monitored processes
11
Malicious processes
0
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 116 | regsvr32 err0r437.dll | C:\Windows\System32\regsvr32.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 4 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1768 | "C:\Windows\system32\taskmgr.exe" /1 | C:\Windows\System32\taskmgr.exe | taskmgr.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Task Manager Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1780 | taskkill /f /im svchost.exe | C:\Windows\System32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2160 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\дллельки.7z" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2208 | regsvr32 error437.dll | C:\Windows\System32\regsvr32.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2364 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\System32\taskmgr.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2468 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2572 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3444 | taskkill /f /f im svchost.exe | C:\Windows\System32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3616 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 392
Read events
4 370
Write events
22
Delete events
0
Modification events
| (PID) Process: | (2160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (2160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (2160) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (2160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (2160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\дллельки.7z | |||
| (PID) Process: | (2160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2160) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
12
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2160.24187\дллельки\error437.dll | compressed | |
MD5:0E56D2278987B470B85A51A3276696AE | SHA256:D06E2A76B51D015B815BA3D88F3217BF1FE879E05F564D5F8AA34C5BC6F9664D | |||
| 2160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2160.24187\дллельки\jinput-dx8_64.dll | executable | |
MD5:9A123D6F947BEDCA2F01C9F6A006083C | SHA256:A8C49BE05A3C4615ABC77AC77729086D6928C999AC10E3FCD686D03A94DE76DE | |||
| 2160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2160.24187\дллельки\consoleLib-x64.dll | executable | |
MD5:9FD4366231018993914EC6546E3E6083 | SHA256:D7CD5122B1AE19A8B95EC9E5DB5C3055E3936A546BC22C4F1C7911C3629AB021 | |||
| 2160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2160.24187\дллельки\OpenAL32.dll | executable | |
MD5:7E457D00B89DF9588B869E7C4064B2E4 | SHA256:F30F952A8052103F0ABD601DED36F054824F49FF45AA48B99B6B5E5F90B2BC29 | |||
| 2160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2160.24187\дллельки\jinput-wintab.dll | executable | |
MD5:FE9D38049703EB52ABADB634109CF1FB | SHA256:57F4333F590766A29105E1457FEFD4592728E555D7127353CA611620127E8B7C | |||
| 2160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2160.24187\дллельки\lwjgl.dll | executable | |
MD5:F4A31218FCB01A9A8946F4F315E91AA8 | SHA256:CD99D747587038B9488A9B183E30B3004E5C2CB4DFAB02B11C6B6C3AF2FFC391 | |||
| 2160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2160.24187\дллельки\OpenAL64.dll | executable | |
MD5:1C090735A531D60AC22719F9EA0248D1 | SHA256:EC153256A00F451514E7284E3A8A1949889BC49C93BFB1F16814075D9B7B9A3A | |||
| 2160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2160.24187\дллельки\lwjgl64.dll | executable | |
MD5:3FCF8B1BD4C9066FF815D887A4192456 | SHA256:19DDC120C3F382CEBC249DA69F7CEC7D71F7A665054F8D6F5C6F5BDE6CFD2297 | |||
| 2160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2160.24187\дллельки\err0r437.dll | executable | |
MD5:2DADF66B87B8A417595D1194D0FDFA66 | SHA256:8109BDB849F4707F0F1F1A439C8D032F7AC220347F93726E08E393C55C007382 | |||
| 2160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2160.24187\дллельки\jinput-dx8.dll | executable | |
MD5:DC6A0BD257B5EC616A49F0AE64CF02BE | SHA256:C772FD2952E66FEB7179798F70B12730599295BE8486BA8399059C3BB8C28A89 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |