Malware analysis Crack.rar Malicious activity | ANY.RUN

Add for printing

File name:	Crack.rar
Full analysis:	https://app.any.run/tasks/73d172b6-935e-46a8-a191-de23164a6d1b
Verdict:	Malicious activity
Analysis date:	August 16, 2018, 16:05:55
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v4, os: Win32, flags: Locked
MD5:	153F2C4215531BC80E7141913ABDE172
SHA1:	7D7628BA0ED705F0EEC09D36A9C21A7D07C7F0C2
SHA256:	32BF0593DA42136D71C60F53EF2EB95ACC2F799263475F4BBBF67AA7C282BBAB
SSDEEP:	49152:qeygreBGo+WSJONPp3HkZaA40Wi6foc47c83zAt/eVvSN8cC7gchJghbaedtIfA1:qkreBcfSuEAgNocYMUhcCkG60q1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
FileZilla Client 3.31.0 (3.31.0)
Google Chrome (61.0.3163.91)
Google Update Helper (1.3.33.5)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Home and Business 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 (12.0.40660.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 (12.0.40660)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 (12.0.40660)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
Mozilla Firefox 55.0.3 (x86 en-US) (55.0.3)
Mozilla Maintenance Service (55.0.3)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Steam (2.10.91.91)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - amtemu.v0.9-painter.exe (PID: 2148)
  - amtemu.v0.9-painter.exe (PID: 3748)
  - Keygen_XF-adobecc2015.exe (PID: 956)
  - adobe.snr.patch-painter.exe (PID: 1680)
  - adobe.snr.patch-painter.exe (PID: 580)
- Loads dropped or rewritten executable
  - amtemu.v0.9-painter.exe (PID: 2148)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3360)
  - amtemu.v0.9-painter.exe (PID: 2148)
INFO
- Dropped object may contain URL's
  - WinRAR.exe (PID: 3360)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v-4.x) (58.3)
.rar	\|	RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize:	605852
UncompressedSize:	631808
OperatingSystem:	Win32
ModifyDate:	2016:02:09 09:22:04
PackingMethod:	Best Compression
ArchivedFileName:	Crack\Adobe CC 2015 Universal Patcher 1.5\adobe.snr.patch-painter.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

580

"C:\Users\admin\Desktop\Crack\Adobe CC 2015 Universal Patcher 1.5\adobe.snr.patch-painter.exe"

C:\Users\admin\Desktop\Crack\Adobe CC 2015 Universal Patcher 1.5\adobe.snr.patch-painter.exe

explorer.exe

User:

admin

Company:

PainteR

Integrity Level:

HIGH

Description:

Universal Adobe Patcher

Exit code:

Version:

1.5.0.0

Modules

Images
c:\users\admin\desktop\crack\adobe cc 2015 universal patcher 1.5\adobe.snr.patch-painter.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll

956

"C:\Users\admin\Desktop\Crack\Adobe CC 2015.5 XFORCE Activation\Keygen_XF-adobecc2015.exe"

C:\Users\admin\Desktop\Crack\Adobe CC 2015.5 XFORCE Activation\Keygen_XF-adobecc2015.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\crack\adobe cc 2015.5 xforce activation\keygen_xf-adobecc2015.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winmm.dll

1680

"C:\Users\admin\Desktop\Crack\Adobe CC 2015 Universal Patcher 1.5\adobe.snr.patch-painter.exe"

C:\Users\admin\Desktop\Crack\Adobe CC 2015 Universal Patcher 1.5\adobe.snr.patch-painter.exe

—

explorer.exe

User:

admin

Company:

PainteR

Integrity Level:

MEDIUM

Description:

Universal Adobe Patcher

Exit code:

3221226540

Version:

1.5.0.0

Modules

Images
c:\users\admin\desktop\crack\adobe cc 2015 universal patcher 1.5\adobe.snr.patch-painter.exe
c:\systemroot\system32\ntdll.dll

2148

"C:\Users\admin\Desktop\Crack\AMT Emulator v0.9 by PainteR\amtemu.v0.9-painter.exe"

C:\Users\admin\Desktop\Crack\AMT Emulator v0.9 by PainteR\amtemu.v0.9-painter.exe

explorer.exe

User:

admin

Company:

PainteR

Integrity Level:

HIGH

Description:

ProxyEmu

Exit code:

Version:

0.9.0.0

Modules

Images
c:\users\admin\desktop\crack\amt emulator v0.9 by painter\amtemu.v0.9-painter.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

3360

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Crack.rar"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

3748

"C:\Users\admin\Desktop\Crack\AMT Emulator v0.9 by PainteR\amtemu.v0.9-painter.exe"

C:\Users\admin\Desktop\Crack\AMT Emulator v0.9 by PainteR\amtemu.v0.9-painter.exe

—

explorer.exe

User:

admin

Company:

PainteR

Integrity Level:

MEDIUM

Description:

ProxyEmu

Exit code:

3221226540

Version:

0.9.0.0

Modules

Images
c:\users\admin\desktop\crack\amt emulator v0.9 by painter\amtemu.v0.9-painter.exe
c:\systemroot\system32\ntdll.dll

Add for printing

Total events

1 468

Read events

1 382

Write events

Delete events

Modification events


(PID) Process:	(3360) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3360) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3360) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\59\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3360) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Crack.rar
(PID) Process:	(3360) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3360) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3360) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3360) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3360) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop
(PID) Process:	(3360) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2C0000002C000000EC03000021020000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3360	WinRAR.exe	C:\Users\admin\Desktop\Crack\AMT Emulator v0.9 by PainteR\changelog.txt		text
		MD5:—	SHA256:—
3360	WinRAR.exe	C:\Users\admin\Desktop\Crack\AMT Emulator v0.9 by PainteR\file_id.diz		text
		MD5:—	SHA256:—
3360	WinRAR.exe	C:\Users\admin\Desktop\Crack\Adobe CC 2015 Universal Patcher 1.5\How Use Patch Not Listed Adobe Product In Patch.png		image
		MD5:3CADB21B44C5F8B6A999B714A22E85A3	SHA256:EB695210B07F0C92B79FDE2901E8A69EDEB43FDA296E336F5CDB5FD8A7E855DD
3360	WinRAR.exe	C:\Users\admin\Desktop\Crack\Adobe CC 2015 Universal Patcher 1.5\adobe.snr.patch-painter.exe		executable
		MD5:0D9B7ABE952D6C1DC24750BF47969132	SHA256:9EC96E0FACF95D1A08D4761AFF436DAC8318ABD008C7284A4A22347069E8284D
3360	WinRAR.exe	C:\Users\admin\Desktop\Crack\Adobe CC 2015.5 XFORCE Activation\How To Use Keygen.txt		text
		MD5:838378A47EF1A272ECE0B8E3D3BB6159	SHA256:73CD69136BCF4AB8336C303A4492F9044ABC811747B210967B27CB4BC892FD24
3360	WinRAR.exe	C:\Users\admin\Desktop\Crack\Adobe CC 2015 Universal Patcher 1.5\SadeemAPK.com.URL		text
		MD5:146F5C01B4A4989BC2CBED9D9C322BB2	SHA256:FC5B36947E7151704AE339614D4AD15A2BBA155F883D0A6F8AB3F3AD0818BD0D
3360	WinRAR.exe	C:\Users\admin\Desktop\Crack\Adobe CC 2015.5 XFORCE Activation\SadeemPC.com - Download Latest Software Free.URL		text
		MD5:2599DAF1CB8128BC8B09969C4AC51091	SHA256:8924634DC43332D8289BEE28389A7B0F96D085BC5CD6C945D90D6099FDEBCDD3
3360	WinRAR.exe	C:\Users\admin\Desktop\Crack\Adobe CC 2015.5 XFORCE Activation\CC2016_Offline_Activation Method With Screenshots.pdf		pdf
		MD5:285897308A633CA88826A01A03DA43D7	SHA256:254F67DD6796850FE855624E56EED792B93317658F4E3DC7085694DC2A75791E
3360	WinRAR.exe	C:\Users\admin\Desktop\Crack\Adobe CC 2015.5 XFORCE Activation\disable_activation.cmd		text
		MD5:18B92AB0F40B83DB461A064995F58E7E	SHA256:817D26B5C664BD6514203335BEA528DF42879473EC7CFC495D3D3E03054CA861
3360	WinRAR.exe	C:\Users\admin\Desktop\Crack\Adobe CC 2015.5 XFORCE Activation\Keygen_XF-adobecc2015.exe		executable
		MD5:8C03FBBEF9DB991BB02AB35BF0D2718E	SHA256:C5D9C52583EEFD03728BA877BAF21725F9E2DA4435E9433B87DC82B77B695EDD

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

Crack.rar

153F2C4215531BC80E7141913ABDE172

7D7628BA0ED705F0EEC09D36A9C21A7D07C7F0C2

32BF0593DA42136D71C60F53EF2EB95ACC2F799263475F4BBBF67AA7C282BBAB

49152:qeygreBGo+WSJONPp3HkZaA40Wi6foc47c83zAt/eVvSN8cC7gchJghbaedtIfA1:qkreBcfSuEAgNocYMUhcCkG60q1

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

SUSPICIOUS

Executable content was dropped or overwritten

INFO

Dropped object may contain URL's

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings