Sample name: d473b802-eb5f-11e7-8ccc-5944bc969a40

Full analysis: https://app.any.run/tasks/fe1aa1e3-045a-49e6-811b-3619dbb764f5
Verdict: Malicious activity
Analysis date: October 05, 2022, 05:19:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: C26A2C5F6154225E8D83C4000306F162
SHA1: 67C586CEDBF0852AA52268311841CBAC5C96FDF8
SHA256: 35A9481DDBED5177431A9EA4BD09468FE987797D7B1231D64942D17EB54EC269
SSDEEP: 49152:cPEbpqUPr0OMPjmNgyV24OXxr2/NV0CA7QUmu4LnB:cPEbpPPrC4gWFOBr4Wfg
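The sample is a ZIP archive, and the dropped-files section further down lists the hashes of the two executables WinRAR extracted from it. The following script (an added example for this report, not ANY.RUN code) hashes an archive and each of its members in memory, without extracting anything to disk, and matches the results against the report's MD5/SHA256 values. The `build_sample_zip` helper only builds a constructed stand-in archive for offline runs; it does not reproduce the real sample. SSDEEP matching is left out because it needs the third-party `ssdeep` package.

```python
"""Hash a ZIP sample and its members in memory and match them against
the IOC hashes from the report above (added example, standard library only)."""
import hashlib
import io
import zipfile

# Hashes transcribed from the report: the submitted archive plus the two
# executables WinRAR extracted from it (dropped-files section).
REPORT_IOCS = {
    "md5": {
        "c26a2c5f6154225e8d83c4000306f162",  # submitted archive
        "03fb8e478f4ba100d37a136231fa2f78",  # RDPConf.exe
        "8f82226b2f24d470c02f6664f67f23f7",  # RDPCheck.exe
    },
    "sha256": {
        "35a9481ddbed5177431a9ea4bd09468fe987797d7b1231d64942d17eb54ec269",
        "3c0e5d6863b03283afda9bd188501757d47dc57fc4bba2bdbb0d9baa34487fe0",
        "5603338a1f8dbb46efb8e0869db3491d5db92f362711d6680f91ecc5d18bfadf",
    },
}


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string, lower-case hex like the report."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def _hits(d: dict, iocs: dict) -> list:
    """Names of the hash algorithms whose value appears in the IOC set."""
    return [alg for alg in iocs if d.get(alg) in iocs[alg]]


def scan_zip(blob: bytes, iocs: dict = REPORT_IOCS, max_member: int = 64 * 1024 * 1024) -> list:
    """One finding per object (the archive itself, then each member).

    Members are read into memory only, never written to disk, and a size cap
    stops a zip bomb from exhausting memory while we hash it.
    """
    findings = []
    d = digests(blob)
    findings.append({"name": "<archive>", **d, "hit": _hits(d, iocs)})
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > max_member:
                findings.append({"name": info.filename, "skipped": "too large"})
                continue
            data = zf.read(info)
            d = digests(data)
            findings.append({
                "name": info.filename,
                **d,
                "hit": _hits(d, iocs),
                "is_pe": data[:2] == b"MZ",  # PE files start with the MZ header
            })
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Constructed stand-in archive for offline runs (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()   # a real archive to check
    else:
        blob = build_sample_zip({"RDPConf.exe": b"MZ\x90\x00fake", "readme.txt": b"x"})
    for finding in scan_zip(blob):
        print(finding)
```

Run it with the path to a suspect archive as the only argument; with no argument it scans the constructed stand-in. A member that hashes to one of the report's values is reported with `hit` naming the matching algorithm, and `is_pe` tells you which members are Windows executables regardless of their extension.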

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • RDPCheck.exe (PID: 348)
      • RDPCheck.exe (PID: 3204)
      • RDPConf.exe (PID: 3504)
      • RDPConf.exe (PID: 752)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD (file-type guesses, score in %)

.xpi | Mozilla Firefox browser extension (66.6%)
.zip | ZIP compressed archive (33.3%)
All screenshots are available in the full report
Total processes: 57
Monitored processes: 11
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process nodes in start order; "no specs" means no indicators were recorded for that node)

start -> rundll32.exe (no specs) -> explorer.exe (no specs) -> rundll32.exe (no specs) -> winrar.exe (no specs) -> rdpconf.exe (no specs) -> rdpconf.exe -> drvinst.exe (no specs) -> rundll32.exe (no specs) -> explorer.exe (no specs) -> rdpcheck.exe (no specs) -> rdpcheck.exe

Process information

PID 2576
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL "C:\Users\admin\AppData\Roaming\d473b802-eb5f-11e7-8ccc-5944bc969a40.xpi"
Path: C:\Windows\system32\rundll32.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2284
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 576
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\main.cpl ,1
Path: C:\Windows\system32\rundll32.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2496
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Roaming\d473b802-eb5f-11e7-8ccc-5944bc969a40.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID 752
CMD: "C:\Users\admin\Desktop\RDPConf.exe"
Path: C:\Users\admin\Desktop\RDPConf.exe
Parent process: Explorer.EXE
User: admin
Company: Stas'M Corp.
Integrity Level: MEDIUM
Description: RDP Configuration Program
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the binary needs administrator rights and was not elevated)
Version: 1.4.0.0

PID 3504
CMD: "C:\Users\admin\Desktop\RDPConf.exe"
Path: C:\Users\admin\Desktop\RDPConf.exe
Parent process: Explorer.EXE
User: admin
Company: Stas'M Corp.
Integrity Level: HIGH (the same image re-launched elevated after PID 752 failed with STATUS_ELEVATION_REQUIRED, consistent with a UAC prompt being accepted)
Description: RDP Configuration Program
Exit code: 0
Version: 1.4.0.0

PID 552
CMD: DrvInst.exe "1" "200" "UMB\UMB\1&841921d&0&TERMINPUT_BUS" "" "" "6e3bed883" "00000000" "00000564" "000003EC"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3832
CMD: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2948
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 3221225547 (0xC000004B, STATUS_THREAD_IS_TERMINATING)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3204
CMD: "C:\Users\admin\AppData\Roaming\RDPCheck.exe"
Path: C:\Users\admin\AppData\Roaming\RDPCheck.exe
Parent process: Explorer.EXE
User: admin
Company: Stas'M Corp.
Integrity Level: MEDIUM
Description: Local RDP Checker
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 2.2.0.0
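The process table above carries three signals worth extracting automatically: the large decimal exit codes are NTSTATUS values (3221226540 is 0xC000042C, STATUS_ELEVATION_REQUIRED), two of the flagged binaries run from user-writable locations (Desktop and AppData\Roaming, which is what the "dropped or rewritten from another process" signature is keyed on), and RDPConf.exe appears twice with the second instance at HIGH integrity after the first failed unelevated. The script below is an added example for this report, not ANY.RUN's own logic; it replays the report's process records (transcribed into `PROCESSES`) through those three checks. The path heuristic and the small NTSTATUS table are my own choices.

```python
"""Triage the process records from the report: decode NTSTATUS exit codes,
flag images executed from user-writable paths, and spot the same image
re-launched at a higher integrity level (added example, not ANY.RUN code)."""
import re
from collections import defaultdict

# Subset of ntstatus.h values that occur in this report.
NTSTATUS_NAMES = {
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
    0xC000004B: "STATUS_THREAD_IS_TERMINATING",
}
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}

# Heuristic (my own): a standard user can write here, so an EXE running from
# one of these directories was dropped or extracted rather than installed.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads)\\", re.I)

# (pid, image path, parent, integrity, exit code), transcribed from the report.
PROCESSES = [
    (2576, r"C:\Windows\system32\rundll32.exe", "Explorer.EXE", "MEDIUM", 0),
    (2284, r"C:\Windows\explorer.exe", "Explorer.EXE", "MEDIUM", 1),
    (576, r"C:\Windows\system32\rundll32.exe", "Explorer.EXE", "MEDIUM", 0),
    (2496, r"C:\Program Files\WinRAR\WinRAR.exe", "Explorer.EXE", "MEDIUM", 0),
    (752, r"C:\Users\admin\Desktop\RDPConf.exe", "Explorer.EXE", "MEDIUM", 3221226540),
    (3504, r"C:\Users\admin\Desktop\RDPConf.exe", "Explorer.EXE", "HIGH", 0),
    (552, r"C:\Windows\system32\DrvInst.exe", "svchost.exe", "SYSTEM", 0),
    (3832, r"C:\Windows\System32\rundll32.exe", "svchost.exe", "MEDIUM", 0),
    (2948, r"C:\Windows\explorer.exe", "Explorer.EXE", "MEDIUM", 3221225547),
    (3204, r"C:\Users\admin\AppData\Roaming\RDPCheck.exe", "Explorer.EXE", "MEDIUM", 3221226540),
]


def decode_exit(code: int) -> str:
    """Exit codes at or above 0xC0000000 are NTSTATUS errors; show hex + name."""
    if code < 0xC0000000:
        return str(code)
    return f"0x{code:08X} ({NTSTATUS_NAMES.get(code, 'unknown NTSTATUS')})"


def triage(procs=PROCESSES) -> dict:
    """Return findings keyed by check name; PIDs are kept in report order."""
    findings = defaultdict(list)
    highest_seen = {}  # lower-cased image path -> highest integrity so far
    for pid, image, _parent, integrity, code in procs:
        if USER_WRITABLE.search(image):
            findings["user_writable_exec"].append(pid)
        if code == 0xC000042C:
            findings["elevation_required"].append(pid)
        key = image.lower()
        prev = highest_seen.get(key)
        if prev is not None and INTEGRITY_RANK[integrity] > INTEGRITY_RANK[prev]:
            # Same image seen again, now at a higher integrity level.
            findings["integrity_escalation"].append((image, prev, integrity, pid))
        highest_seen[key] = max(prev or "LOW", integrity, key=INTEGRITY_RANK.get)
    return dict(findings)


if __name__ == "__main__":
    for pid, image, parent, integrity, code in PROCESSES:
        print(f"{pid:>5} {integrity:<7} {decode_exit(code):<45} {image}")
    for check, hits in triage().items():
        print(f"{check}: {hits}")
```

Run on the report's records this flags PIDs 752, 3504 and 3204 as executing from user-writable paths, 752 and 3204 as having exited with STATUS_ELEVATION_REQUIRED, and RDPConf.exe as going from MEDIUM to HIGH between its two launches. The same checks apply unchanged to Sysmon event ID 1 or EDR process-creation records if you map their fields onto the tuple layout.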
Total events: 5 738
Read events: 5 652
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID 552, DrvInst.exe -> C:\Windows\INF\setupapi.ev3 (binary)
MD5: B3A5D9AC6211BAF643A7C6417B8A1AD3
SHA256: BDBB32228A51C3352F71B6F721A81332E5C2DE17AA8329FBE39745C411E958CF

PID 552, DrvInst.exe -> C:\Windows\INF\setupapi.ev1 (binary)
MD5: D767C84394E9CF0B5FE7606B37A23417
SHA256: 465F7BFEAC337750E28F594B0DD8290B9BBE5D13CF911C6488FDAD1EEF8F8A55

PID 552, DrvInst.exe -> C:\Windows\INF\setupapi.ev2 (binary)
MD5: D3B21242559895DA8B46A1FB81A225E6
SHA256: F2EEF4E2614413D5E709C6D4C2EBEAB13F7942E0C994591AFA581A9D74B75687

PID 2496, WinRAR.exe -> C:\Users\admin\AppData\Local\Temp\Rar$DRa2496.35339\RDPConf.exe (executable)
MD5: 03FB8E478F4BA100D37A136231FA2F78
SHA256: 3C0E5D6863B03283AFDA9BD188501757D47DC57FC4BBA2BDBB0D9BAA34487FE0

PID 2496, WinRAR.exe -> C:\Users\admin\AppData\Local\Temp\Rar$DRa2496.35339\RDPCheck.exe (executable)
MD5: 8F82226B2F24D470C02F6664F67F23F7
SHA256: 5603338A1F8DBB46EFB8E0869DB3491D5DB92F362711D6680F91ECC5D18BFADF

PID 348, RDPCheck.exe -> C:\Users\admin\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache22.bmc (binary)
MD5: AD7697FD09E1D1E865915D67C6538AFD
SHA256: 4913CB02C1D1754379792F009E9EE376EA9BE487E46C44AE0A00DE74564A2662

Note: the two executables are the archive's contents, written to WinRAR's temporary extraction directory before being run from the Desktop and AppData\Roaming. The bcache22.bmc file is the Remote Desktop client's bitmap cache, so RDPCheck.exe (PID 348, flagged above but absent from the process list) opened an RDP session to the local machine during the run.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info