File name:

phonerescue-ios-en-setup.rar

Full analysis: https://app.any.run/tasks/01ed9492-2709-4234-b3f7-2bda8d2cab62
Verdict: Malicious activity
Analysis date: February 21, 2024, 18:08:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

0B834504634A2A7E274D55A141CB0CEA

SHA1:

0440F2414FEF5B6447857F04DEA144E3DC75F4E3

SHA256:

3E65A01B2AA04600F9BA9B0132539EA3BC6074A9E1BC4989E0BF935CE103543D

SSDEEP:

196608:gInJ6RGzmO2UT0Kly+YzWXlHviwcj0/0sy4HB7rCL8:RJ1zl2U9hEWXlHvrcwHy0B7r7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • phonerescue-ios-en-setup.exe (PID: 2340)
      • WinRAR.exe (PID: 3864)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • The process creates files with name similar to system file names

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • The process drops C-runtime libraries

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • Process drops legitimate windows executable

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • Executable content was dropped or overwritten

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • Reads security settings of Internet Explorer

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • Reads the Internet Settings

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • Starts CMD.EXE for commands execution

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • Drops 7-zip archiver for unpacking

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • Checks Windows Trust Settings

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • Reads settings of System Certificates

      • phonerescue-ios-en-setup.exe (PID: 2340)
  • INFO

    • Reads the computer name

      • phonerescue-ios-en-setup.exe (PID: 2340)
      • curl.exe (PID: 1692)
      • curl.exe (PID: 4044)
    • Checks supported languages

      • phonerescue-ios-en-setup.exe (PID: 2340)
      • curl.exe (PID: 1692)
      • curl.exe (PID: 4044)
    • Manual execution by a user

      • phonerescue-ios-en-setup.exe (PID: 2340)
      • phonerescue-ios-en-setup.exe (PID: 2852)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3864)
    • Create files in a temporary directory

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • Reads CPU info

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • Creates files in the program directory

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • Reads the machine GUID from the registry

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • Checks proxy server information

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • Reads the software policy settings

      • phonerescue-ios-en-setup.exe (PID: 2340)
    • Creates files or folders in the user directory

      • phonerescue-ios-en-setup.exe (PID: 2340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No malware configuration was extracted.

Reading the triggers: the MALICIOUS verdict rests on a single generic heuristic, "drops the executable file immediately after the start", which fires for WinRAR unpacking the archive just as it does for the installer. The SUSPICIOUS entries (System.dll written to a Temp\nsXXXX.tmp directory, uninstall.exe, names similar to system files, a bundled 7-Zip unpacker, dropped C runtime libraries, reads of Internet Explorer and certificate settings) are the normal footprint of an NSIS-built installer, and the OCSP and CTL downloads listed under HTTP requests are the Authenticode checks that go with them. The entries worth a closer look are the two netsh calls that add Windows Firewall allow rules for a third-party download component and the two curl calls that post telemetry, both detailed under Process information.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
All screenshots are available in the full report
Total processes
53
Monitored processes
9
Malicious processes
1
Suspicious processes
0

Behavior graph

Process tree, reconstructed from the Parent process column below ("no specs" marks processes the sandbox did not expand):

explorer.exe
  WinRAR.exe (3864): opens phonerescue-ios-en-setup.rar and extracts the installer to the Desktop
  phonerescue-ios-en-setup.exe (2852, medium integrity, no specs): exits with 0xC000042C (STATUS_ELEVATION_REQUIRED), only ntdll.dll mapped
  phonerescue-ios-en-setup.exe (2340, high integrity): the elevated re-launch that performs the install
    cmd.exe (2120, no specs) -> curl.exe (1692): GA4 "Launch App" telemetry event
    cmd.exe (4000, no specs) -> curl.exe (4044): GA4 "Start Download" telemetry event
    netsh.exe (1740, no specs): firewall allow rule "thunder", dir=out, for MiniThunderPlatform.exe
    netsh.exe (2064, no specs): firewall allow rule "thunder", dir=in, for MiniThunderPlatform.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1692
CMD: curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"pri-Windows\",\"user_id\":\"C4BA3647\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"4.2.0.2\",\"soft_os_version\":\"Windows_32\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-4D72KK46T8&api_secret=jW79niyjSe6fsz5T2J2_hw"
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
0
Version:
8.5.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
PID: 1740
CMD: netsh advfirewall firewall add rule name="thunder" dir=out program="C:\Program Files\iMobie\PhoneRescue\xldownload\download\MiniThunderPlatform.exe" action=allow
Path: C:\Windows\System32\netsh.exe
Parent process: phonerescue-ios-en-setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 2064
CMD: netsh advfirewall firewall add rule name="thunder" dir=in program="C:\Program Files\iMobie\PhoneRescue\xldownload\download\MiniThunderPlatform.exe" action=allow
Path: C:\Windows\System32\netsh.exe
Parent process: phonerescue-ios-en-setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 2120
CMD: "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"pri-Windows\",\"user_id\":\"C4BA3647\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"4.2.0.2\",\"soft_os_version\":\"Windows_32\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-4D72KK46T8&api_secret=jW79niyjSe6fsz5T2J2_hw""
Path: C:\Windows\System32\cmd.exe
Parent process: phonerescue-ios-en-setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2340
CMD: "C:\Users\admin\Desktop\phonerescue-ios-en-setup.exe"
Path: C:\Users\admin\Desktop\phonerescue-ios-en-setup.exe
Parent process: explorer.exe
User:
admin
Company:
iMobie Inc.
Integrity Level:
HIGH
Description:
PhoneRescue
Exit code:
0
Version:
4.2.0
Modules
Images
c:\users\admin\desktop\phonerescue-ios-en-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2852
CMD: "C:\Users\admin\Desktop\phonerescue-ios-en-setup.exe"
Path: C:\Users\admin\Desktop\phonerescue-ios-en-setup.exe
Parent process: explorer.exe
User:
admin
Company:
iMobie Inc.
Integrity Level:
MEDIUM
Description:
PhoneRescue
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch was refused and the installer was re-run elevated as PID 2340)
Version:
4.2.0
Modules
Images
c:\users\admin\desktop\phonerescue-ios-en-setup.exe
c:\windows\system32\ntdll.dll
PID: 3864
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\phonerescue-ios-en-setup.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 4000
CMD: "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"pri-Windows\",\"user_id\":\"C4BA3647\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Start Download\",\"el\":\"1\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"4.2.0.2\",\"soft_os_version\":\"Windows_32\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-4D72KK46T8&api_secret=jW79niyjSe6fsz5T2J2_hw""
Path: C:\Windows\System32\cmd.exe
Parent process: phonerescue-ios-en-setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 4044
CMD: curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"pri-Windows\",\"user_id\":\"C4BA3647\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Start Download\",\"el\":\"1\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"4.2.0.2\",\"soft_os_version\":\"Windows_32\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-4D72KK46T8&api_secret=jW79niyjSe6fsz5T2J2_hw"
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
0
Version:
8.5.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
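Two things in the command lines above deserve automated triage rather than a manual read: the netsh calls open the Windows Firewall, inbound and outbound, for a program under C:\Program Files\iMobie\PhoneRescue\xldownload\download\, and the curl calls embed a Google Analytics 4 Measurement Protocol api_secret (and a per-install user_id) in a command line that every process-creation log on the host records; anyone holding that secret can post events into the same GA property. The script below is an added example written for this page, not ANY.RUN or iMobie code. Its input is constructed: Sysmon EventID 1-style records whose field names are this example's assumption, with the command lines for PIDs 1740 and 4044 copied from the report (the 4044 JSON body abbreviated) plus one control record. It parses `netsh advfirewall firewall add rule` arguments, flags allow rules for programs outside the Windows directories, flags curl spawned by cmd.exe, and extracts credential-looking query parameters from any URL on the command line. The legacy `netsh firewall add allowedprogram` syntax is not handled.

```python
"""Triage of process-creation command lines from the Process information section (added example)."""
import ntpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (Sysmon EventID 1-like; field names are assumed for this example).
EVENTS = [
    {"pid": 1740, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Users\admin\Desktop\phonerescue-ios-en-setup.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="thunder" dir=out '
                r'program="C:\Program Files\iMobie\PhoneRescue\xldownload\download\MiniThunderPlatform.exe" action=allow'},
    {"pid": 4044, "image": r"C:\Windows\System32\curl.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'curl -X POST -H "Content-Type: application/json" '
                '-d "{\\"client_id\\":\\"pri-Windows\\",\\"user_id\\":\\"C4BA3647\\"}" '
                '"https://www.google-analytics.com/mp/collect?measurement_id=G-4D72KK46T8&api_secret=jW79niyjSe6fsz5T2J2_hw"'},
    # Constructed control case: a block rule for a third-party binary must not be flagged.
    {"pid": 5555, "image": r"C:\Windows\System32\netsh.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="ctl" dir=out program="C:\Users\admin\Desktop\tool.exe" action=block'},
]

NETSH_ADD_RULE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?P<args>.*)", re.I)
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')        # key="quoted value" or key=bare
URL = re.compile(r"""https?://[^\s"']+""")
SECRET_NAME = re.compile(r"secret|token|passw|pwd|api_?key|auth", re.I)
# Programs under these prefixes belong to Windows; an allow rule for anything else is third-party.
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_netsh_rule(cmdline: str):
    """Return the key=value arguments of a `netsh advfirewall firewall add rule` call, else None."""
    m = NETSH_ADD_RULE.search(cmdline)
    if not m:
        return None
    return {k.lower(): bare or quoted for k, quoted, bare in KEY_VALUE.findall(m.group("args"))}


def secrets_in_urls(cmdline: str):
    """Yield (host, parameter, value) for query parameters whose name looks like a credential."""
    for url in URL.findall(cmdline):
        parts = urlsplit(url)
        for name, values in parse_qs(parts.query).items():
            if SECRET_NAME.search(name):
                yield parts.hostname, name, values[0]


def triage(event: dict) -> list:
    """Return a list of finding dicts for one process-creation record."""
    findings = []
    cmd = event["cmdline"]
    rule = parse_netsh_rule(cmd)
    if rule and rule.get("action", "").lower() == "allow" and "program" in rule:
        if not rule["program"].lower().startswith(WINDOWS_DIRS):
            findings.append({"type": "firewall_allow_third_party", "pid": event["pid"],
                             "name": rule.get("name"), "dir": rule.get("dir"), "program": rule["program"]})
    image, parent = (ntpath.basename(event[k]).lower() for k in ("image", "parent_image"))
    if image == "curl.exe" and parent == "cmd.exe":
        findings.append({"type": "curl_via_cmd", "pid": event["pid"], "urls": URL.findall(cmd)})
    for host, name, value in secrets_in_urls(cmd):
        findings.append({"type": "secret_in_cmdline", "pid": event["pid"],
                         "host": host, "param": name, "value": value})
    return findings


if __name__ == "__main__":
    for ev in EVENTS:
        for finding in triage(ev):
            print(finding)
```

Run as-is it prints one firewall finding for PID 1740 and two findings for PID 4044 (curl spawned by cmd.exe, and the api_secret with its host and value); the control record produces nothing because its action is block. In a real pipeline the same three functions run over Sysmon or EDR process events; the path-prefix check is deliberately crude and should be paired with the rule name and the parent process, since here the parent is the installer itself.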
Total events
10 682
Read events
10 493
Write events
177
Delete events
12

Modification events

Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write    Name: ShellExtBMP
Value: (empty)

Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write    Name: ShellExtIcon
Value: (empty)

Process: (3864) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write    Name: LanguageList
Value: en-US

Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write    Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write    Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write    Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write    Name: 0
Value: C:\Users\admin\Desktop\phonerescue-ios-en-setup.rar

Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write    Name: name
Value: 120

Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write    Name: size
Value: 80

Process: (3864) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write    Name: type
Value: 120

All registry writes come from WinRAR's own housekeeping; the sample itself wrote nothing persistent to the registry in this run. ArcHistory entries 1 to 3 are archives opened earlier on this sandbox image, not files the sample dropped. The curl-8.5.0_1-win32-mingw.zip entry is why a curl.exe 8.5.0 exists in C:\Windows\System32 here: Windows 7 does not ship curl, so on a stock Windows 7 host the two telemetry commands would fail at cmd.exe with no network activity at all.
Executable files
25
Suspicious files
4
Text files
14
Unknown types
1

Dropped files

PID
Process
Filename
Type
2340 phonerescue-ios-en-setup.exe
C:\Users\admin\AppData\Local\Temp\nsq1C6D.tmp\ico.ico (image)
MD5: B9D1F49842629613F86FF6F8119C6CE5
SHA256: 45EF697BEAF9F9F23C43214643EF62FBA579CF6C19126A29E04DC4AE2C364EC2

2340 phonerescue-ios-en-setup.exe
C:\Program Files\iMobie\PhoneRescue\DuiLib.lib
MD5:
SHA256:

2340 phonerescue-ios-en-setup.exe
C:\Users\admin\AppData\Local\Temp\nsq1C6D.tmp\modern-install.ico (image)
MD5: 56D4641D5A0829AFD59D0AF1B83AD60B
SHA256: BA2517A63C2A18C1859EC52A4B6C2861795022C1E02A1E8E22D022BC10EC731F

2340 phonerescue-ios-en-setup.exe
C:\Users\admin\AppData\Local\Temp\nsq1C6D.tmp\uninstall.exe (executable)
MD5: 3DE5BDBCDD98BF66753C43CC4C3A7AAB
SHA256: 31204C093AB5908E3320FF509535211DEB229F1B1635332167AD1F2311687CEE

2340 phonerescue-ios-en-setup.exe
C:\Users\admin\AppData\Local\Temp\nsq1C6D.tmp\Setup.ico (image, identical to modern-install.ico)
MD5: 56D4641D5A0829AFD59D0AF1B83AD60B
SHA256: BA2517A63C2A18C1859EC52A4B6C2861795022C1E02A1E8E22D022BC10EC731F

2340 phonerescue-ios-en-setup.exe
C:\Users\admin\AppData\Local\Temp\nsq1C6D.tmp\xl.7z (compressed)
MD5: F872FF185F953A62C814E64AFDF3D296
SHA256: 47B8C0AD0A8980FD985E0C0A111B5768730099E8B48CE4E1D0D1C6D6B3CE2D6F

2340 phonerescue-ios-en-setup.exe
C:\Users\admin\AppData\Local\Temp\nsq1C6D.tmp\uninstall.ini (text)
MD5: 7F3F59FC2C1ECDB7E5B3FA152F221668
SHA256: 2EB4DA2FD165B9387590E24FC5A2B2A1E1674D545E7864D9132C7B08168E20EC

2340 phonerescue-ios-en-setup.exe
C:\Users\admin\AppData\Local\Temp\nsq1C6D.tmp\BgWorker.dll (executable)
MD5: 33EC04738007E665059CF40BC0F0C22B
SHA256: 50F735AB8F3473423E6873D628150BBC0777BE7B4F6405247CDDF22BB00FB6BE

2340 phonerescue-ios-en-setup.exe
C:\Users\admin\AppData\Local\Temp\nsq1C6D.tmp\GoogleTracingLib.dll (executable)
MD5: D8FCA35FF95FE00A7174177181F8BD13
SHA256: AD873F1E51E6D033E5507235EC735957256EBEEB0D3F22AA0B57BB4BD0846E4C

2340 phonerescue-ios-en-setup.exe
C:\Program Files\iMobie\PhoneRescue\xl.7z (compressed, same archive as the Temp copy; the xldownload directory named in the firewall rules is unpacked from it)
MD5: F872FF185F953A62C814E64AFDF3D296
SHA256: 47B8C0AD0A8980FD985E0C0A111B5768730099E8B48CE4E1D0D1C6D6B3CE2D6F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
10
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2340
phonerescue-ios-en-setup.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
unknown
binary
1.47 Kb
unknown
2340
phonerescue-ios-en-setup.exe
GET
304
184.24.77.180:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?782ac2fdb72cf1b4
unknown
unknown
1080
svchost.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?89bca2e7018c82c0
unknown
compressed
65.2 Kb
unknown
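The OCSP request above is the installer's Authenticode check on one of the signed binaries it dropped, and the GET URL carries the full DER-encoded OCSPRequest, so it says exactly which certificate was checked: the SHA-1 hash of the issuer's name, the SHA-1 hash of the issuer's public key (which for most CAs equals the Subject Key Identifier of the issuing intermediate) and the certificate serial number. The decoder below is an added example written for this page, not ANY.RUN, DigiCert or iMobie code; it uses only the standard library, walks the RFC 6960 structure with a minimal DER reader, and returns one record per CertID. It makes no claim about which DigiCert intermediate the key hash belongs to; match it against the SKI of the candidate CA certificates yourself.

```python
"""Decode the OCSP GET request the installer sent to ocsp.digicert.com (added example)."""
import base64
from urllib.parse import unquote

# URL copied from the HTTP requests table above.
OCSP_URL = ("http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU"
            "5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D")

HASH_ALGS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
SEQUENCE, OCTET_STRING, INTEGER, OID = 0x30, 0x04, 0x02, 0x06


def der_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, position after it). Definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Split the contents of a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw: bytes) -> str:
    """Decode base-128 OID contents into dotted form (first byte packs the first two arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_cert_id(cert_id: bytes) -> dict:
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }"""
    alg, name_hash, key_hash, serial = der_children(cert_id)
    assert alg[0] == SEQUENCE and name_hash[0] == key_hash[0] == OCTET_STRING and serial[0] == INTEGER
    oid = decode_oid(der_children(alg[1])[0][1])
    return {"hash_oid": oid, "hash_alg": HASH_ALGS.get(oid, "unknown"),
            "issuer_name_hash": name_hash[1].hex(), "issuer_key_hash": key_hash[1].hex(),
            "serial_hex": serial[1].hex()}


def parse_ocsp_get(url: str) -> list:
    """Decode the base64 OCSPRequest in an RFC 6960 GET URL; return one dict per CertID."""
    der = base64.b64decode(unquote(url.rsplit("/", 1)[1]))
    tag, ocsp_request, end = der_tlv(der, 0)
    assert tag == SEQUENCE and end == len(der), "not a single DER SEQUENCE"
    tbs = der_children(ocsp_request)[0][1]          # tbsRequest; optionalSignature is ignored
    # tbsRequest may start with [0] version and [1] requestorName; requestList is its first SEQUENCE
    request_list = next(v for t, v in der_children(tbs) if t == SEQUENCE)
    return [parse_cert_id(der_children(req)[0][1]) for _, req in der_children(request_list)]


if __name__ == "__main__":
    for cert_id in parse_ocsp_get(OCSP_URL):
        print(cert_id)
```

For this URL the request carries a single CertID hashed with SHA-1, issuer name hash c12f4576ed1559ecb05dba89bf9d8078e523d413, issuer key hash e59d5930824758ccacfa085436867b3ab5044df0 and serial 0a3787645e5fb48c224efd1bed140c3c. The same decoder works on any OCSP GET seen in proxy logs, which is a cheap way to learn which signing certificates a host's installers are validating without having the binaries.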

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
1692
curl.exe
142.250.186.78:443
www.google-analytics.com
GOOGLE
US
whitelisted
4044
curl.exe
142.250.186.78:443
www.google-analytics.com
GOOGLE
US
whitelisted
2340
phonerescue-ios-en-setup.exe
104.26.12.111:443
imobie-resource.com
CLOUDFLARENET
US
unknown
2340
phonerescue-ios-en-setup.exe
184.24.77.180:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
2340
phonerescue-ios-en-setup.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1080
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted

DNS requests

Domain
IP
Reputation
www.google-analytics.com
  • 142.250.186.78
whitelisted
imobie-resource.com
  • 104.26.12.111
  • 172.67.68.126
  • 104.26.13.111
unknown
ctldl.windowsupdate.com
  • 184.24.77.180
  • 184.24.77.174
  • 184.24.77.199
  • 184.24.77.207
  • 184.24.77.195
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

No threats detected