File name: check.zip
Full analysis: https://app.any.run/tasks/4a62a3cb-8299-4888-9c08-a0cd6f0f0f9c
Verdict: Malicious activity
Analysis date: May 23, 2024, 08:18:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: E0FBBA684EEA89D8CB6CCC22AAF45C93
SHA1: E3F55705E1D67D1C92F6965BFC61250C1F1C56D5
SHA256: 3126FBC05A792D589E790D77FF41F691795FB848CFDB0989D596A4DFBC3EBC9A
SSDEEP: 1536:KDGi7D06KR5dJFUloZ10ZiKcbYjEGQz9ILqI6HdHRlfmjMKoLgbTIS6:sGycXpH0ZiK0S7Q5f5HdxAAKoL2o
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3964)
      • PSetup.exe (PID: 1680)
      • drvinst.exe (PID: 2316)
    • Creates a writable file in the system directory

      • drvinst.exe (PID: 2316)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 3964)
      • PSetup.exe (PID: 1680)
      • drvinst.exe (PID: 2316)
    • Executable content was dropped or overwritten

      • PSetup.exe (PID: 1680)
      • drvinst.exe (PID: 2316)
    • Creates files in the driver directory

      • drvinst.exe (PID: 2316)
    • Checks Windows Trust Settings

      • drvinst.exe (PID: 2316)
  • INFO

    • Manual execution by a user

      • PSetup.exe (PID: 1680)
      • PSetup.exe (PID: 2108)
      • PSetup.exe (PID: 2124)
      • PSetup.exe (PID: 2080)
      • PSetup.exe (PID: 2356)
      • PSetup.exe (PID: 2480)
      • PSetup.exe (PID: 1696)
      • PSetup.exe (PID: 1988)
      • PSetup.exe (PID: 2680)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3964)
    • Reads the computer name

      • PSetup.exe (PID: 1680)
      • drvinst.exe (PID: 2316)
      • PSetup.exe (PID: 1988)
      • PSetup.exe (PID: 2124)
      • PSetup.exe (PID: 2480)
      • PSetup.exe (PID: 1696)
      • PSetup.exe (PID: 2680)
    • Checks supported languages

      • PSetup.exe (PID: 1680)
      • drvinst.exe (PID: 2316)
      • PSetup.exe (PID: 1988)
      • PSetup.exe (PID: 1696)
      • PSetup.exe (PID: 2124)
      • PSetup.exe (PID: 2480)
      • PSetup.exe (PID: 2680)
    • Reads the machine GUID from the registry

      • PSetup.exe (PID: 1680)
      • drvinst.exe (PID: 2316)
      • PSetup.exe (PID: 1988)
      • PSetup.exe (PID: 2124)
      • PSetup.exe (PID: 2480)
      • PSetup.exe (PID: 2680)
      • PSetup.exe (PID: 1696)
    • Create files in a temporary directory

      • PSetup.exe (PID: 1680)
    • Reads the software policy settings

      • drvinst.exe (PID: 2316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:05:23 10:00:54
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: WCHUSBNIC/
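The EXIF block above is ExifTool's reading of the first local file header in the archive (which is why it shows only the WCHUSBNIC/ directory entry, with CRC 0 and no sizes). The following is an added example, not part of the ANY.RUN report or of the vendor's package: it walks every local file header of a ZIP, decodes the same fields ExifTool printed, and labels members that form a driver package (.inf/.cat/.sys/.exe) or an autorun payload. The archive it parses is constructed in `build_sample()` with the member names from the dropped-file list and dummy contents; the real contents of check.zip are not on this page.

```python
"""Walk a ZIP archive's local file headers and report the fields ExifTool showed
for check.zip (required version, bit flag, compression method, modification
time, CRC, sizes, file name), classifying members that make up a Windows
driver package or an autorun payload. The sample archive is constructed here."""
import io
import struct
import zipfile
from datetime import datetime

LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")   # 30-byte local file header
LOCAL_SIG = b"PK\x03\x04"
COMPRESSION = {0: "None", 8: "Deflate", 12: "BZIP2", 14: "LZMA"}
DRIVER_PACKAGE_EXT = (".sys", ".inf", ".cat", ".exe")


def dos_datetime(dos_time, dos_date):
    """Decode the MS-DOS packed time/date used in ZIP headers (2-second resolution)."""
    return datetime(1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
                    dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def classify(name):
    """Label a member by what it would be used for once extracted."""
    base = name.lower().rsplit("/", 1)[-1]
    if name.endswith("/"):
        return "directory"
    if base == "autorun.inf":
        return "autorun"
    if base.endswith(DRIVER_PACKAGE_EXT):
        return "driver-package"
    return "other"


def read_local_headers(blob):
    """Return one record per member, built from its raw local file header.

    Offsets come from the central directory (via zipfile), so members written
    with a data descriptor (bit 3 set, sizes stored after the data) still work.
    The first local header is what a front-to-back reader such as ExifTool
    reports, which is why the report shows only the WCHUSBNIC/ entry.
    """
    records = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            (sig, version, flags, method, mtime, mdate, crc, csize, usize,
             name_len, _extra_len) = LOCAL_HEADER.unpack(blob[off:off + LOCAL_HEADER.size])
            if sig != LOCAL_SIG:
                raise ValueError(f"no local file header at offset {off}")
            raw_name = blob[off + LOCAL_HEADER.size:off + LOCAL_HEADER.size + name_len]
            name = raw_name.decode("utf-8" if flags & 0x800 else "cp437")
            records.append({
                "name": name,
                "required_version": f"{version // 10}.{version % 10}",
                "bit_flag": flags,
                "compression": COMPRESSION.get(method, f"unknown({method})"),
                "modified": dos_datetime(mtime, mdate),
                "crc": crc,
                "compressed_size": csize,
                "uncompressed_size": usize,
                "kind": classify(name),
            })
    return records


def summarize(blob):
    """Condense the member list into what a triage note needs."""
    recs = read_local_headers(blob)
    return {
        "members": len(recs),
        "first_member": recs[0]["name"],
        "methods": sorted({r["compression"] for r in recs}),
        "driver_package": sorted(r["name"] for r in recs if r["kind"] == "driver-package"),
        "autorun": [r["name"] for r in recs if r["kind"] == "autorun"],
    }


def build_sample():
    """Constructed stand-in for check.zip: the member names from the report's
    dropped-file list, stored uncompressed as the original was, with dummy
    contents (the real file contents are not on the page)."""
    members = [
        ("WCHUSBNIC/", b""),
        ("WCHUSBNIC/WCHUSBNIC.INF", b"[Version]\r\nSignature=\"$Windows NT$\"\r\n"),
        ("WCHUSBNIC/WCHUSBNIC.CAT", b"not-a-real-catalog"),
        ("WCHUSBNIC/WCHUSBNIC.sys", b"MZ" + b"\x00" * 62),
        ("WCHUSBNIC/WCHUSBNICA64.sys", b"MZ" + b"\x00" * 62),
        ("WCHUSBNIC/PSetup.exe", b"MZ" + b"\x00" * 62),
        ("AUTORUN.INF", b"[autorun]\r\n"),
        ("logo.ico", b"\x00\x00\x01\x00"),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members:
            zi = zipfile.ZipInfo(name, date_time=(2024, 5, 23, 10, 0, 54))
            zi.extract_version = zi.create_version = 10   # "at least v1.0 to extract"
            zf.writestr(zi, data)
    return buf.getvalue()


if __name__ == "__main__":
    for r in read_local_headers(build_sample()):
        print(f"{r['name']:<28} v{r['required_version']} {r['compression']:<8} "
              f"crc=0x{r['crc']:08X} {r['modified']:%Y:%m:%d %H:%M:%S} {r['kind']}")
    print(summarize(build_sample()))
```

Run it against the real archive by replacing `build_sample()` with the bytes of check.zip; a stored (method 0) archive whose members include a .sys, an .inf, a .cat and an AUTORUN.INF is the shape of a driver installer, which is what the rest of this report then shows executing.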
No data.
All screenshots are available in the full report
Total processes
60
Monitored processes
11
Malicious processes
3
Suspicious processes
0

Behavior graph

Launch order as shown in the interactive graph ("no specs" marks a process with no signature hits):
start, winrar.exe, psetup.exe (no specs), psetup.exe, drvinst.exe, psetup.exe, psetup.exe, psetup.exe (no specs), psetup.exe, psetup.exe (no specs), psetup.exe, psetup.exe

Process information

PID: 1680
CMD: "C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe"
Path: C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe
Parent process: explorer.exe
User:
admin
Company:
http://wch.cn
Integrity Level:
HIGH
Description:
EXE for wch usb2.0 nic driver install
Exit code:
0
Version:
1.20
Modules
Images
c:\users\admin\desktop\wchusbnic\psetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1696
CMD: "C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe"
Path: C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe
Parent process: explorer.exe
User:
admin
Company:
http://wch.cn
Integrity Level:
HIGH
Description:
EXE for wch usb2.0 nic driver install
Exit code:
0
Version:
1.20
Modules
Images
c:\users\admin\desktop\wchusbnic\psetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1988
CMD: "C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe"
Path: C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe
Parent process: explorer.exe
User:
admin
Company:
http://wch.cn
Integrity Level:
HIGH
Description:
EXE for wch usb2.0 nic driver install
Exit code:
0
Version:
1.20
Modules
Images
c:\users\admin\desktop\wchusbnic\psetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2080
CMD: "C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe"
Path: C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe
Parent process: explorer.exe
User:
admin
Company:
http://wch.cn
Integrity Level:
MEDIUM
Description:
EXE for wch usb2.0 nic driver install
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch did not run because the installer requires elevation; only ntdll.dll was mapped)
Version:
1.20
Modules
Images
c:\users\admin\desktop\wchusbnic\psetup.exe
c:\windows\system32\ntdll.dll
PID: 2108
CMD: "C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe"
Path: C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe
Parent process: explorer.exe
User:
admin
Company:
http://wch.cn
Integrity Level:
MEDIUM
Description:
EXE for wch usb2.0 nic driver install
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch did not run because the installer requires elevation; only ntdll.dll was mapped)
Version:
1.20
Modules
Images
c:\users\admin\desktop\wchusbnic\psetup.exe
c:\windows\system32\ntdll.dll
PID: 2124
CMD: "C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe"
Path: C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe
Parent process: explorer.exe
User:
admin
Company:
http://wch.cn
Integrity Level:
HIGH
Description:
EXE for wch usb2.0 nic driver install
Exit code:
0
Version:
1.20
Modules
Images
c:\users\admin\desktop\wchusbnic\psetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2316
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{5f812e68-c64b-7386-9159-db739c85b521}\WCHUSBNIC.INF" "0" "648667f2b" "00000064" "WinSta0\Default" "000002B8" "208" "C:\Users\admin\Desktop\WCHUSBNIC"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2356
CMD: "C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe"
Path: C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe
Parent process: explorer.exe
User:
admin
Company:
http://wch.cn
Integrity Level:
MEDIUM
Description:
EXE for wch usb2.0 nic driver install
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch did not run because the installer requires elevation; only ntdll.dll was mapped)
Version:
1.20
Modules
Images
c:\users\admin\desktop\wchusbnic\psetup.exe
c:\windows\system32\ntdll.dll
PID: 2480
CMD: "C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe"
Path: C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe
Parent process: explorer.exe
User:
admin
Company:
http://wch.cn
Integrity Level:
HIGH
Description:
EXE for wch usb2.0 nic driver install
Exit code:
0
Version:
1.20
Modules
Images
c:\users\admin\desktop\wchusbnic\psetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2680
CMD: "C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe"
Path: C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe
Parent process: explorer.exe
User:
admin
Company:
http://wch.cn
Integrity Level:
HIGH
Description:
EXE for wch usb2.0 nic driver install
Exit code:
0
Version:
1.20
Modules
Images
c:\users\admin\desktop\wchusbnic\psetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
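The process table above is the whole story of this sample: nine launches of PSetup.exe from the user's Desktop, three of them at medium integrity that exit with 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) and six at high integrity that exit 0, plus one DrvInst.exe run as SYSTEM under svchost.exe that installs an INF staged in the user's Temp directory. The script below is an added triage example, not code from ANY.RUN or from the vendor: it decodes the exit codes, collapses the repeated launches, extracts the INF and source directory from the DrvInst.exe command line, and ties the SYSTEM-level install back to the elevated user launches. The process records are constructed from the table on this page; the meaning of DrvInst.exe's positional arguments is not documented here, so the INF is found by extension and the source directory is taken as the last argument, which is an assumption that holds for this sample only.

```python
"""Triage the process tree from the report: decode NTSTATUS exit codes, collapse
repeated launches, and pull the INF and source directory out of the DrvInst.exe
command line. Records are constructed from the page's Process information."""
import re
from collections import Counter

# Only the two NTSTATUS values that occur in this report.
NTSTATUS = {0x00000000: "STATUS_SUCCESS", 0xC000042C: "STATUS_ELEVATION_REQUIRED"}

DRVINST_CMD = (
    'DrvInst.exe "4" "0" '
    '"C:\\Users\\admin\\AppData\\Local\\Temp\\{5f812e68-c64b-7386-9159-db739c85b521}\\WCHUSBNIC.INF" '
    '"0" "648667f2b" "00000064" "WinSta0\\Default" "000002B8" "208" '
    '"C:\\Users\\admin\\Desktop\\WCHUSBNIC"'
)
PSETUP_CMD = '"C:\\Users\\admin\\Desktop\\WCHUSBNIC\\PSetup.exe"'


def proc(pid, image, parent, user, integrity, exit_code, cmd):
    return {"pid": pid, "image": image, "parent": parent, "user": user,
            "integrity": integrity, "exit": exit_code, "cmd": cmd}


PROCESSES = [  # constructed from the report's Process information table
    proc(1680, "PSetup.exe", "explorer.exe", "admin", "HIGH", 0, PSETUP_CMD),
    proc(1696, "PSetup.exe", "explorer.exe", "admin", "HIGH", 0, PSETUP_CMD),
    proc(1988, "PSetup.exe", "explorer.exe", "admin", "HIGH", 0, PSETUP_CMD),
    proc(2080, "PSetup.exe", "explorer.exe", "admin", "MEDIUM", 3221226540, PSETUP_CMD),
    proc(2108, "PSetup.exe", "explorer.exe", "admin", "MEDIUM", 3221226540, PSETUP_CMD),
    proc(2124, "PSetup.exe", "explorer.exe", "admin", "HIGH", 0, PSETUP_CMD),
    proc(2316, "drvinst.exe", "svchost.exe", "SYSTEM", "SYSTEM", 0, DRVINST_CMD),
    proc(2356, "PSetup.exe", "explorer.exe", "admin", "MEDIUM", 3221226540, PSETUP_CMD),
    proc(2480, "PSetup.exe", "explorer.exe", "admin", "HIGH", 0, PSETUP_CMD),
    proc(2680, "PSetup.exe", "explorer.exe", "admin", "HIGH", 0, PSETUP_CMD),
]


def decode_exit(code):
    """Render an exit code as NTSTATUS hex plus its symbolic name when known.
    Sandboxes print the unsigned decimal (3221226540); as hex it is 0xC000042C."""
    code &= 0xFFFFFFFF
    return f"0x{code:08X} ({NTSTATUS.get(code, 'unknown')})"


def launch_summary(procs):
    """Collapse repeated launches of one image by (integrity level, decoded exit)."""
    return Counter((p["image"], p["integrity"], decode_exit(p["exit"])) for p in procs)


def quoted_args(cmd):
    """Split a Windows command line into its double-quoted arguments."""
    return re.findall(r'"([^"]*)"', cmd)


def driver_installs(procs):
    """Describe each DrvInst.exe run: which INF it was given, from where, and whether
    the INF lives outside the directories Windows itself keeps drivers in."""
    trusted = ("c:\\windows\\inf\\", "c:\\windows\\system32\\driverstore\\")
    out = []
    for p in procs:
        if p["image"].lower() != "drvinst.exe":
            continue
        args = quoted_args(p["cmd"])
        inf = next((a for a in args if a.lower().endswith(".inf")), None)
        out.append({
            "pid": p["pid"], "parent": p["parent"], "user": p["user"],
            "inf": inf,
            "source_dir": args[-1] if args else None,  # last argument in this sample
            "inf_outside_trusted_dirs": bool(inf) and not inf.lower().startswith(trusted),
            "inf_under_user_profile": bool(inf) and "\\users\\" in inf.lower(),
        })
    return out


def user_installers(procs, install):
    """PIDs of elevated (HIGH integrity) processes launched from the install's source directory."""
    src = (install["source_dir"] or "").lower()
    return sorted(p["pid"] for p in procs
                  if p["integrity"] == "HIGH" and p["cmd"].lower().startswith(f'"{src}\\'))


if __name__ == "__main__":
    for (image, integrity, status), n in sorted(launch_summary(PROCESSES).items()):
        print(f"{n:2d} x {image:<12} integrity={integrity:<7} exit={status}")
    for d in driver_installs(PROCESSES):
        print(d)
        print("elevated launches from source dir:", user_installers(PROCESSES, d))
```

Two caveats when turning this into a detection. An INF under %TEMP%\{GUID} is where SetupAPI stages a vendor INF during any third-party driver install, so "INF outside the driver store" identifies a third-party driver package coming from a user-writable location; it does not by itself separate a hardware vendor's installer from a malicious one. What separates them is whether WCHUSBNIC.CAT actually carries a valid signature over the dropped .sys files, which this report records only as drvinst.exe having "Checks Windows Trust Settings".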
Total events
7 382
Read events
7 252
Write events
127
Delete events
3

Modification events

(PID 3964) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
  Operation: write  Name: ShellExtBMP  Value: (empty)
(PID 3964) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
  Operation: write  Name: ShellExtIcon  Value: (empty)
(PID 3964) WinRAR.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
  Operation: write  Name: LanguageList  Value: en-US
(PID 3964) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write  Name: 3  Value: C:\Users\admin\Desktop\phacker.zip
(PID 3964) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write  Name: 2  Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID 3964) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write  Name: 1  Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID 3964) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write  Name: 0  Value: C:\Users\admin\AppData\Local\Temp\check.zip
(PID 3964) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write  Name: name  Value: 120
(PID 3964) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write  Name: size  Value: 80
(PID 3964) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write  Name: type  Value: 120

All registry writes are WinRAR housekeeping. WinRAR rewrites its whole ArcHistory list when it closes, so only entry 0 (Temp\check.zip) is the analysed sample; entries 1 to 3 are archives opened in the sandbox image before this task and none of them appears among the dropped files.
Executable files
10
Suspicious files
21
Text files
4
Unknown types
1

Dropped files

PID 3964  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\WCHUSBNIC\WCHUSBNIC.INF  (binary)
  MD5: B506F7B13BE59ECDD489E59AFC467DD1
  SHA256: 8D2716B7F429001B476488082FDC6C7494C92CAC34257CF52C23EEA7AC7940A7
PID 3964  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\logo.ico  (image)
  MD5: 23739D31617F33FDBA5D318604E32E77
  SHA256: CE1AFE6D45297DAED1A2534D952F787F7A07BF1EE7A21941DFA3B01D246724CB
PID 3964  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\WCHUSBNIC\WCHUSBNIC.CAT  (cat)
  MD5: BAA38C6865468B64C62A6E7895C19431
  SHA256: F7CFC7807B8654078E13B185A37AF347CE985BBD174B60EDC660E2EE92A70DB9
PID 3964  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\WCHUSBNIC\WCHUSBNIC.sys  (executable)
  MD5: F477E0A81505756AA996B98D3562DFEC
  SHA256: 62B29092F5264B88952FD49860EB007B8536B4952AEB8CE0B1971AC7544379E6
PID 3964  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\AUTORUN.INF  (inf)
  MD5: 4C3C84813739C085ED3AC0930A3385CF
  SHA256: ADBA7FBD9D042C4E9AE41CED188E748CD1EA258841E2440B524A6E795602DDD2
PID 3964  WinRAR.exe  C:\Users\admin\Desktop\WCHUSBNIC\PSetup.exe  (executable)
  MD5: BC0B5F20A2DD4E96084D7604CDB6AEC5
  SHA256: A290256623A01ED19F5B05F45017E3CADAC2E246476F86AC08BD61D8FCC4FB2D
PID 3964  WinRAR.exe  C:\Users\admin\Desktop\WCHUSBNIC\WCHUSBNIC.sys  (executable)
  MD5: F477E0A81505756AA996B98D3562DFEC
  SHA256: 62B29092F5264B88952FD49860EB007B8536B4952AEB8CE0B1971AC7544379E6
PID 3964  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\WCHUSBNIC\PSetup.exe  (executable)
  MD5: BC0B5F20A2DD4E96084D7604CDB6AEC5
  SHA256: A290256623A01ED19F5B05F45017E3CADAC2E246476F86AC08BD61D8FCC4FB2D
PID 3964  WinRAR.exe  C:\Users\admin\Desktop\WCHUSBNIC\WCHUSBNIC.CAT  (cat)
  MD5: BAA38C6865468B64C62A6E7895C19431
  SHA256: F7CFC7807B8654078E13B185A37AF347CE985BBD174B60EDC660E2EE92A70DB9
PID 3964  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\WCHUSBNIC\WCHUSBNICA64.sys  (executable)
  MD5: 5AA6752F165DE06CE67A2193A19A9039
  SHA256: 2011301F46899F911ABEBCC484CE121EF48555752ADC77669414C17162F6C6D2

The ten rows are seven unique files: PSetup.exe, WCHUSBNIC.sys and WCHUSBNIC.CAT each appear twice (once under %TEMP%\WCHUSBNIC, once under Desktop\WCHUSBNIC) with identical hashes. Every file is written by WinRAR during extraction, not by the installer. The package is a driver set (INF, two .sys driver binaries, a .cat catalog) plus an AUTORUN.INF and an icon; since drivers are catalog-signed, the .sys files carry no embedded Authenticode signature and the catalog WCHUSBNIC.CAT is the file to verify.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID   Process      IP:port               Domain   ASN   CN   Reputation
4     System       192.168.100.255:138   -        -     -    unknown
4     System       192.168.100.255:137   -        -     -    unknown
1088  svchost.exe  224.0.0.252:5355      -        -     -    unknown

All three connections are local-network background traffic from Windows itself: NetBIOS datagram (UDP 138) and name-service (UDP 137) broadcasts from the System process, and an LLMNR multicast (224.0.0.252, UDP 5355) from svchost.exe. None of them comes from PSetup.exe or DrvInst.exe, and the sample made no DNS or HTTP requests.

DNS requests

No data

Threats

No threats detected
No debug info