Malware analysis Advanced Rar Repair.exe Malicious activity

Add for printing

File name:	Advanced Rar Repair.exe
Full analysis:	https://app.any.run/tasks/45c1f27b-31cb-4ccb-9f1f-88d541a052a7
Verdict:	Malicious activity
Analysis date:	June 04, 2018, 22:57:28
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	installer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	DB9D4FD30E586AA00833CFB393E06A74
SHA1:	2704641E92C00AFA5E8AE06D57361B5BC317BA95
SHA256:	31B08D1F10D48863A2809D3BF5825618FFE30FF56800EA2318101818CED9170F
SSDEEP:	12288:xtoJaSfasxYdaI6PnRtouwuLDdrD9IEnT+ZQa6OUnf7ZrvZuR1s5gTztmGA:xuapsAUf7FdrD9ZnqZNuf7NI1s5YBA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: on
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:

Software preset

Internet Explorer 8.0.7601.17514 undefined
7-Zip 16.04 (16.04)
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 26 ActiveX (26.0.0.137)
CCleaner (5.35)
FileZilla Client 3.31.0 (3.31.0)
Google Chrome (61.0.3163.100)
Google Update Helper (1.3.33.5)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Home and Business 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2005 Redistributable (8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.12.25810 (14.12.25810.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.12.25810 (14.12.25810)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.12.25810 (14.12.25810)
Mozilla Firefox 55.0.3 (x86 en-US) (55.0.3)
Mozilla Maintenance Service (55.0.3)
Notepad++ (32-bit x86) (7.5.4)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
VLC media player (2.2.6)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition
WinMan WinIP Package TopLevel

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - Advanced Rar Repair.exe (PID: 4028)
- Application was dropped or rewritten from another process
  - GLJB9E9.tmp (PID: 2408)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Advanced Rar Repair.exe (PID: 4028)
- Removes files from Windows directory
  - Advanced Rar Repair.exe (PID: 4028)
- Creates files in the Windows directory
  - Advanced Rar Repair.exe (PID: 4028)
- Starts application with an unusual extension
  - Advanced Rar Repair.exe (PID: 4028)
- Creates COM task schedule object
  - GLJB9E9.tmp (PID: 2408)
- Creates files in the program directory
  - Advanced Rar Repair.exe (PID: 4028)
- Creates a software uninstall entry
  - Advanced Rar Repair.exe (PID: 4028)
INFO
- Dropped object may contain URL's
  - Advanced Rar Repair.exe (PID: 4028)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Wise Installer executable (96.9)
.dll	\|	Win32 Dynamic Link Library (generic) (1.3)
.exe	\|	Win32 Executable (generic) (0.9)
.exe	\|	Generic Win/DOS Executable (0.4)
.exe	\|	DOS Executable Generic (0.4)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2000:04:25 16:37:12+02:00
PEType:	PE32
LinkerVersion:	6
CodeSize:	8704
InitializedDataSize:	5632
UninitializedDataSize:	-
EntryPoint:	0x21af
OSVersion:	4
ImageVersion:	4
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows 16-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	noname
FileDescription:	Advanced RAR Repair v1.2 Installation
FileVersion:	-
LegalCopyright:	noname

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2408

"C:\Users\admin\AppData\Local\Temp\GLJB9E9.tmp" C:\Program Files\ARAR\ARARSHL.dll

C:\Users\admin\AppData\Local\Temp\GLJB9E9.tmp

—

Advanced Rar Repair.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\gljb9e9.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

2988

"C:\Users\admin\AppData\Local\Temp\Advanced Rar Repair.exe"

C:\Users\admin\AppData\Local\Temp\Advanced Rar Repair.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\advanced rar repair.exe
c:\systemroot\system32\ntdll.dll

4028

"C:\Users\admin\AppData\Local\Temp\Advanced Rar Repair.exe"

C:\Users\admin\AppData\Local\Temp\Advanced Rar Repair.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\advanced rar repair.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

Add for printing

Total events

186

Read events

162

Write events

Delete events

Modification events


(PID) Process:	(4028) Advanced Rar Repair.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Advanced RAR Repair v1.2
Operation:	write	Name:	DisplayName
Value: Advanced RAR Repair v1.2
(PID) Process:	(4028) Advanced Rar Repair.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Advanced RAR Repair v1.2
Operation:	write	Name:	UninstallString
Value: C:\PROGRA~1\ARAR\UNWISE.EXE C:\PROGRA~1\ARAR\INSTALL.LOG
(PID) Process:	(2408) GLJB9E9.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\7-Zip.rar\shellex\ContextMenuHandlers\ARAR
Operation:	write	Name:
Value: {51A64D28-F937-4045-A420-065CEFBD8A76}
(PID) Process:	(2408) GLJB9E9.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Operation:	write	Name:	{51A64D28-F937-4045-A420-065CEFBD8A76}
Value: ARAR Context Menu Shell Extension
(PID) Process:	(2408) GLJB9E9.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ShellExt.ARARCtxMenu.1
Operation:	write	Name:
Value: ARARCtxMenu Class
(PID) Process:	(2408) GLJB9E9.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ShellExt.ARARCtxMenu.1\CLSID
Operation:	write	Name:
Value: {51A64D28-F937-4045-A420-065CEFBD8A76}
(PID) Process:	(2408) GLJB9E9.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ShellExt.ARARCtxMenu
Operation:	write	Name:
Value: ARARCtxMenu Class
(PID) Process:	(2408) GLJB9E9.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ShellExt.ARARCtxMenu\CLSID
Operation:	write	Name:
Value: {51A64D28-F937-4045-A420-065CEFBD8A76}
(PID) Process:	(2408) GLJB9E9.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ShellExt.ARARCtxMenu\CurVer
Operation:	write	Name:
Value: ShellExt.ARARCtxMenu.1
(PID) Process:	(2408) GLJB9E9.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51A64D28-F937-4045-A420-065CEFBD8A76}
Operation:	write	Name:
Value: ARARCtxMenu Class

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4028	Advanced Rar Repair.exe	C:\Users\admin\AppData\Local\Temp\~GLH0000.TMP		—
		MD5:—	SHA256:—
4028	Advanced Rar Repair.exe	C:\Program Files\ARAR\~GLH0001.TMP		—
		MD5:—	SHA256:—
4028	Advanced Rar Repair.exe	C:\Program Files\ARAR\~GLH0002.TMP		—
		MD5:—	SHA256:—
4028	Advanced Rar Repair.exe	C:\Program Files\ARAR\~GLH0003.TMP		—
		MD5:—	SHA256:—
4028	Advanced Rar Repair.exe	C:\Program Files\ARAR\temp.000		—
		MD5:—	SHA256:—
4028	Advanced Rar Repair.exe	C:\PROGRA~1\ARAR\~GLH0004.TMP		—
		MD5:—	SHA256:—
4028	Advanced Rar Repair.exe	C:\Program Files\ARAR\~GLH0005.TMP		—
		MD5:—	SHA256:—
4028	Advanced Rar Repair.exe	C:\PROGRA~1\ARAR\~GLH0006.TMP		—
		MD5:—	SHA256:—
4028	Advanced Rar Repair.exe	C:\Program Files\ARAR\~GLH0007.TMP		—
		MD5:—	SHA256:—
4028	Advanced Rar Repair.exe	C:\Program Files\ARAR\~GLH0008.TMP		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

Advanced Rar Repair.exe

DB9D4FD30E586AA00833CFB393E06A74

2704641E92C00AFA5E8AE06D57361B5BC317BA95

31B08D1F10D48863A2809D3BF5825618FFE30FF56800EA2318101818CED9170F

12288:xtoJaSfasxYdaI6PnRtouwuLDdrD9IEnT+ZQa6OUnf7ZrvZuR1s5gTztmGA:xuapsAUf7FdrD9ZnqZNuf7NI1s5YBA

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

SUSPICIOUS

Executable content was dropped or overwritten

Removes files from Windows directory

Creates files in the Windows directory

Starts application with an unusual extension

Creates COM task schedule object

Creates files in the program directory

Creates a software uninstall entry

INFO

Dropped object may contain URL's

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings