General Info

File name

Exe2Aut v0.11.rar

Full analysis
https://app.any.run/tasks/0575611b-2b69-4a5f-8c0c-db8974ec66e4
Verdict
Malicious activity
Analysis date
10/9/2019, 18:44:47
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v4, os: Win32
MD5

48ee8905c196a20de313c656580589d6

SHA1

2b466fba87876e3a71a843151dbffa0d0558746d

SHA256

32c6c7a3e93faeb74ad56230ea7a037bdbc2fe11e231d8078bfe5039ea18b4e2

SSDEEP

24576:yw9z7xcTLRSfgr/EJ90TI7Mvwnvg7d6BX41t5ppMnL3GGPPga1D3m/6BPOAPO2YI:b9z7xcPRetJ99gwv+1tM2GPPfS/l0BN7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads dropped or rewritten executable
  • Exe2Aut.exe (PID: 2128)
  • New AutoIt v3 Script.exe (PID: 2320)
Application was dropped or rewritten from another process
  • GcafeX.exe (PID: 3020)
  • GcafeX.exe (PID: 2848)
  • Exe2Aut.exe (PID: 2128)
  • New AutoIt v3 Script.exe (PID: 2320)
  • GcafeX.exe (PID: 3608)
  • Exe2Aut.exe (PID: 3444)
Application launched itself
  • Exe2Aut.exe (PID: 3444)
Executable content was dropped or overwritten
  • Exe2Aut.exe (PID: 3444)
  • WinRAR.exe (PID: 2792)
Manual execution by user
  • Exe2Aut.exe (PID: 3444)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
.rar
|   RAR compressed archive (v-4.x) (58.3%)
.rar
|   RAR compressed archive (gen) (41.6%)
EXIF
ZIP
CompressedSize:
42406
UncompressedSize:
50176
OperatingSystem:
Win32
ModifyDate:
2016:04:24 18:44:03
PackingMethod:
Normal
ArchivedFileName:
Exe2Aut v0.11\Exe2Aut.exe

Processes

Total processes
41
Monitored processes
7
Malicious processes
1
Suspicious processes
1

Behavior graph

start winrar.exe exe2aut.exe gcafex.exe no specs new autoit v3 script.exe no specs gcafex.exe no specs exe2aut.exe no specs gcafex.exe no specs
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
2792
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Exe2Aut v0.11.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
3444
CMD
"C:\Users\admin\Desktop\Exe2Aut v0.11\Exe2Aut.exe"
Path
C:\Users\admin\Desktop\Exe2Aut v0.11\Exe2Aut.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\exe2aut v0.11\exe2aut.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\winmm.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\apphelp.dll

PID
3608
CMD
"C:\Users\admin\Desktop\Exe2Aut v0.11\GcafeX.exe"
Path
C:\Users\admin\Desktop\Exe2Aut v0.11\GcafeX.exe
Indicators
No indicators
Parent process
Exe2Aut.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
TranNghiaIT
Description
TranNghiaIT
Version
3.3.14.5
Modules
Image
c:\users\admin\desktop\exe2aut v0.11\gcafex.exe
c:\systemroot\system32\ntdll.dll

PID
2320
CMD
"C:\Users\admin\Desktop\Exe2Aut v0.11\New AutoIt v3 Script.exe"
Path
C:\Users\admin\Desktop\Exe2Aut v0.11\New AutoIt v3 Script.exe
Indicators
No indicators
Parent process
Exe2Aut.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\exe2aut v0.11\new autoit v3 script.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\c36c.tmp
c:\windows\system32\cryptbase.dll

PID
2848
CMD
"C:\Users\admin\Desktop\Exe2Aut v0.11\GcafeX.exe"
Path
C:\Users\admin\Desktop\Exe2Aut v0.11\GcafeX.exe
Indicators
No indicators
Parent process
Exe2Aut.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
TranNghiaIT
Description
TranNghiaIT
Version
3.3.14.5
Modules
Image
c:\users\admin\desktop\exe2aut v0.11\gcafex.exe
c:\systemroot\system32\ntdll.dll

PID
2128
CMD
"C:\Users\admin\Desktop\Exe2Aut v0.11\Exe2Aut.exe"
Path
C:\Users\admin\Desktop\Exe2Aut v0.11\Exe2Aut.exe
Indicators
No indicators
Parent process
Exe2Aut.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\exe2aut v0.11\exe2aut.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\winmm.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\18c1.tmp

PID
3020
CMD
"C:\Users\admin\Desktop\Exe2Aut v0.11\GcafeX.exe"
Path
C:\Users\admin\Desktop\Exe2Aut v0.11\GcafeX.exe
Indicators
No indicators
Parent process
Exe2Aut.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
TranNghiaIT
Description
TranNghiaIT
Version
3.3.14.5
Modules
Image
c:\users\admin\desktop\exe2aut v0.11\gcafex.exe
c:\systemroot\system32\ntdll.dll

Registry activity

Total events
438
Read events
428
Write events
10
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2792
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2792
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2792
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
2792
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Exe2Aut v0.11.rar
2792
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2792
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2792
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2792
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2792
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
0
C:\Users\admin\Desktop

Files activity

Executable files
4
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3444
Exe2Aut.exe
C:\Users\admin\AppData\Local\Temp\C36C.tmp
executable
MD5: 96615b040fa3aa64bbdb039dbd86ab8d
SHA256: c262d252637dc617f5cf939dbfea44b64a5acca1d7406ba300178af37cc63523
2792
WinRAR.exe
C:\Users\admin\Desktop\Exe2Aut v0.11\New AutoIt v3 Script.exe
executable
MD5: efc5e95ecdb21660b9ff183b457fb09b
SHA256: 4b336ff68fca637038b7eb58774c1605dcabfaccec3d88a40818790ecb1d649e
2792
WinRAR.exe
C:\Users\admin\Desktop\Exe2Aut v0.11\GcafeX.exe
executable
MD5: 6f7bfd401e956b690358bf409d56e2ea
SHA256: 5e774b2fdeb2ba071983bb53e71ddab3845fa7561813d3a7e87b64c30bb9d27b
2792
WinRAR.exe
C:\Users\admin\Desktop\Exe2Aut v0.11\Exe2Aut.exe
executable
MD5: 26a4a6170418b7b1c4a069f18df7d384
SHA256: 1b7794dc1d8373355781adb401d8139c0f1634bdc59338a5ac15c88fde9c2eaa
3444
Exe2Aut.exe
C:\Users\admin\AppData\Local\Temp\18C1.tmp
––
MD5: ––
SHA256: ––
3444
Exe2Aut.exe
C:\Users\admin\Desktop\Exe2Aut v0.11\New AutoIt v3 Script_.au3
text
MD5: e26140686492380b9feabc4513d73b96
SHA256: 16d01a59c3291320b209bbdaaee9c7c0baa4399f9bcc64555c8b4f133cf59cc9
2320
New AutoIt v3 Script.exe
C:\Users\admin\Desktop\Exe2Aut v0.11\New AutoIt v3 Script_.au3
binary
MD5: 3cd0fd321eab8ee196936fd8acae3a46
SHA256: 046df5be6b6e8e388f82b90f8ada3316ad25ad1b8cd78496fbd958b1a3d55203
2792
WinRAR.exe
C:\Users\admin\Desktop\Exe2Aut v0.11\ReadMe.txt
text
MD5: 0f637bddfb7d9c81c4f5f7917bdf7701
SHA256: ac16c55a11f6c070aa3891071f37545ac0b07f71c963166dceb3df1d7ebf65e1

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.