| File name: | 3de17dfcfe6e2cfaaf2bff3f2eb6d1e31151fd126985f6c5a5a14242396379ce |
| Full analysis: | https://app.any.run/tasks/1f28b7b8-59d7-4177-b91f-8e1953e986bc |
| Verdict: | Malicious activity |
| Threats: | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
| Analysis date: | July 23, 2019, 23:46:48 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/octet-stream |
| File info: | ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid |
| MD5: | 10609B0C4ADD0CB7F40B51F14FC190B9 |
| SHA1: | 1C198E318658790097F03F515560B4AE7C449C26 |
| SHA256: | 3DE17DFCFE6E2CFAAF2BFF3F2EB6D1E31151FD126985F6C5A5A14242396379CE |
| SSDEEP: | 49152:wCVTj677cSDF/YiDv9aRQmFiovja49CVTj677cSDF/YiDv9aRQmFiovja4RkJJo1:lV677ceBclFiovuV677ceBclFiovzkJq |
MALICIOUS
Writes to a start menu file
- WinRAR.exe (PID: 4016)
Application was dropped or rewritten from another process
- Memsys32.exe (PID: 2664)
REVCODE was detected
- Memsys32.exe (PID: 2664)
Changes the autorun value in the registry
- Memsys32.exe (PID: 2664)
SUSPICIOUS
Creates files in the user directory
- WinRAR.exe (PID: 4016)
- Memsys32.exe (PID: 2664)
Executed via COM
- DllHost.exe (PID: 2936)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 4016)
Reads the machine GUID from the registry
- Memsys32.exe (PID: 2664)
Connects to server without host name
- Memsys32.exe (PID: 2664)
INFO
Manual execution by user
- WinRAR.exe (PID: 4016)
- WINWORD.EXE (PID: 3472)
- Memsys32.exe (PID: 2664)
Creates files in the user directory
- WINWORD.EXE (PID: 3472)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .ace | | | ACE compressed archive (100) |
|---|
Total processes
80
Monitored processes
5
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2264 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\3de17dfcfe6e2cfaaf2bff3f2eb6d1e31151fd126985f6c5a5a14242396379ce.ace" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
| 2664 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Memsys32.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Memsys32.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2936 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3472 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\edu(0119).doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 4016 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\3de17dfcfe6e2cfaaf2bff3f2eb6d1e31151fd126985f6c5a5a14242396379ce.ace" C:\Users\admin\Desktop\ | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
Total events
1 415
Read events
1 151
Write events
253
Delete events
11
Modification events
| (PID) Process: | (2264) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (2264) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (2264) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2264) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\3de17dfcfe6e2cfaaf2bff3f2eb6d1e31151fd126985f6c5a5a14242396379ce.ace | |||
| (PID) Process: | (2264) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2264) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2264) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2264) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2264) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 |
| Operation: | write | Name: | Count |
Value: 0 | |||
| (PID) Process: | (2264) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 |
| Operation: | write | Name: | Name |
Value: 542D4B42647265644B76737A7E794B5372647C6378674B24737226207371747172217225747176767125757171247125727521732672242626222671732625212E2F22712174227622762623252325242E2124202E7472397674721717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171700 | |||
Executable files
1
Suspicious files
2
Text files
3
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3472 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3FD5.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3472 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF5801C8B4B1568EA3.TMP | — | |
MD5:— | SHA256:— | |||
| 3472 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF5BE3144C53E27AE3.TMP | — | |
MD5:— | SHA256:— | |||
| 3472 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF3D47CE07708FF74A.TMP | — | |
MD5:— | SHA256:— | |||
| 3472 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{994901F8-EF5E-4C8E-B29A-A456579F9387}.tmp | — | |
MD5:— | SHA256:— | |||
| 3472 | WINWORD.EXE | C:\Users\admin\Desktop\~$u(0119).doc | pgc | |
MD5:— | SHA256:— | |||
| 3472 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:— | SHA256:— | |||
| 4016 | WinRAR.exe | C:\Users\admin\Desktop\edu(0119).jpg | image | |
MD5:— | SHA256:— | |||
| 4016 | WinRAR.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Memsys32.exe | executable | |
MD5:— | SHA256:— | |||
| 4016 | WinRAR.exe | C:\Users\admin\Desktop\edu(0119).doc | document | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
29
DNS requests
3
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2664 | Memsys32.exe | POST | 200 | 213.188.152.96:443 | https://213.188.152.96/recv4.php | CZ | text | 6 b | malicious |
2664 | Memsys32.exe | POST | 200 | 213.188.152.96:443 | https://213.188.152.96/recv4.php | CZ | binary | 1 b | malicious |
2664 | Memsys32.exe | POST | 200 | 213.188.152.96:443 | https://213.188.152.96/recv4.php | CZ | binary | 1 b | malicious |
2664 | Memsys32.exe | POST | 200 | 213.188.152.96:443 | https://213.188.152.96/recv4.php | CZ | binary | 1 b | malicious |
2664 | Memsys32.exe | POST | 200 | 213.188.152.96:443 | https://213.188.152.96/recv4.php | CZ | binary | 1 b | malicious |
2664 | Memsys32.exe | POST | 200 | 213.188.152.96:443 | https://213.188.152.96/recv4.php | CZ | binary | 1 b | malicious |
2664 | Memsys32.exe | POST | 200 | 213.188.152.96:443 | https://213.188.152.96/recv4.php | CZ | binary | 1 b | malicious |
2664 | Memsys32.exe | POST | 200 | 213.188.152.96:443 | https://213.188.152.96/recv4.php | CZ | binary | 1 b | malicious |
2664 | Memsys32.exe | POST | 200 | 213.188.152.96:443 | https://213.188.152.96/recv4.php | CZ | binary | 1 b | malicious |
2664 | Memsys32.exe | POST | 200 | 213.188.152.96:443 | https://213.188.152.96/recv4.php | CZ | binary | 1 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2664 | Memsys32.exe | 151.106.7.221:53 | sdns.se | — | US | unknown |
2664 | Memsys32.exe | 213.188.152.96:443 | 71f19cec8fce0b5d6698a18e623fbd83.com | ACTIVE 24 | CZ | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
rookie3824.wm01.to |
| malicious |
sdns.se |
| malicious |
71f19cec8fce0b5d6698a18e623fbd83.com |
| malicious |