File name: Project Devotion.rar

Full analysis: https://app.any.run/tasks/cffb5540-9aee-4bae-b178-eb02957db2d5
Verdict: Malicious activity
Analysis date: April 07, 2021, 12:38:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: EB7F4BC04853A30F1F9FBBBEF694A2D5
SHA1: 38B6DB0286F8C93FDBA9266C40C13CC4A4115BC6
SHA256: 431BEF6A710EE247D29F8255DCC32ACF2D349D5E596F502B5A31EF768E89CA0E
SSDEEP: 6144:XCE5kv2/BGP3enpAgXfqcR9sqcb2tzQvoMx1bfeLX:X3ui0P3UpBXZMqcSuoW1b4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Avoid.exe (PID: 2540)
      • Hydra.exe (PID: 956)
      • Mapper.exe (PID: 2756)
      • Mapper.exe (PID: 2480)
      • Mapper.exe (PID: 888)
      • Smap.exe (PID: 2560)
      • Smap.exe (PID: 3876)
      • Smap.exe (PID: 3784)
      • Ransomware2.0.exe (PID: 3688)
    • Task Manager has been disabled (taskmgr)

      • Mapper.exe (PID: 888)
      • Ransomware2.0.exe (PID: 3688)
    • Changes settings of System certificates

      • Smap.exe (PID: 3784)
    • Changes the login/logoff helper path in the registry

      • Ransomware2.0.exe (PID: 3688)
      • Mapper.exe (PID: 888)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3280)
      • Smap.exe (PID: 3784)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3984)
    • Application launched itself

      • cmd.exe (PID: 3984)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 3280)
      • Smap.exe (PID: 3784)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3984)
    • Drops a file with too old compile date

      • WinRAR.exe (PID: 3280)
      • Smap.exe (PID: 3784)
    • Changes the desktop background image

      • Mapper.exe (PID: 888)
      • Ransomware2.0.exe (PID: 3688)
    • Creates a directory in Program Files

      • Smap.exe (PID: 3784)
    • Adds / modifies Windows certificates

      • Smap.exe (PID: 3784)
    • Creates files in the program directory

      • Smap.exe (PID: 3784)
  • INFO

    • Manual execution by user

      • cmd.exe (PID: 3984)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 57
Monitored processes: 13
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Legend: start; drop and start. Nodes (in graph order): winrar.exe, cmd.exe (no specs), chcp.com (no specs), cmd.exe (no specs), hydra.exe (no specs), avoid.exe (no specs), mapper.exe (no specs), mapper.exe (no specs), mapper.exe, smap.exe (no specs), smap.exe (no specs), smap.exe, ransomware2.0.exe

Process information

PID: 888
CMD: "C:\Users\admin\Desktop\Project Devotion\Mapper.exe"
Path: C:\Users\admin\Desktop\Project Devotion\Mapper.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Description: Rasomware2.0
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\project devotion\mapper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 956
CMD: Hydra.exe
Path: C:\Users\admin\Desktop\Project Devotion\Hydra.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Hydra
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\project devotion\hydra.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 1016
CMD: C:\Windows\system32\cmd.exe /K Driver.bat
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2480
CMD: "C:\Users\admin\Desktop\Project Devotion\Mapper.exe"
Path: C:\Users\admin\Desktop\Project Devotion\Mapper.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Description: Rasomware2.0
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\project devotion\mapper.exe
c:\systemroot\system32\ntdll.dll

PID: 2540
CMD: Avoid.exe
Path: C:\Users\admin\Desktop\Project Devotion\Avoid.exe
Parent process: cmd.exe
User: admin
Company: RJL Software, Inc.
Integrity Level: MEDIUM
Description: Start Button avoids the mouse cursor.
Exit code: 0
Version: 1.0.1.0
Modules (images):
c:\users\admin\desktop\project devotion\avoid.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 2560
CMD: Smap.exe
Path: C:\Users\admin\Desktop\Project Devotion\Smap.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Description: launcher2.0
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\project devotion\smap.exe
c:\systemroot\system32\ntdll.dll

PID: 2756
CMD: Mapper.exe
Path: C:\Users\admin\Desktop\Project Devotion\Mapper.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Description: Rasomware2.0
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\project devotion\mapper.exe
c:\systemroot\system32\ntdll.dll

PID: 3168
CMD: chcp 65001
Path: C:\Windows\system32\chcp.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Change CodePage Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\chcp.com
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3280
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Project Devotion.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll

PID: 3688
CMD: "C:\Program Files\System32\Ransomware2.0.exe"
Path: C:\Program Files\System32\Ransomware2.0.exe
Parent process: Smap.exe
User: admin
Integrity Level: HIGH
Description: Rasomware2.0
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\program files\system32\ransomware2.0.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 693
Read events: 623
Write events: 70
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(3280) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
(3280) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
(3280) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E | write | LanguageList | en-US
(3280) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E | write | @C:\Windows\system32\NetworkExplorer.dll,-1 | Network
(3280) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\Project Devotion.rar
(3280) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(3280) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(3280) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
(3280) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(3280) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ArcName | write | 0 | C:\Users\admin\AppData\Local\Temp\Project Devotion.rar
Executable files: 11
Suspicious files: 22
Text files: 7
Unknown types: 2

Dropped files

PID | Process | Filename | Type
3280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\__rar_3280.43725 | n/a
3280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3280.43540\Project Devotion\Driver.bat | text
3280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3280.43540\Project Devotion\Mapper.exe | executable
3280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3280.43540\Project Devotion\Project Devotion.bat | text
3280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Project Devotion.bak3280.43729 | compressed
3280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3280.43929\Project Devotion\Project Devotion.bat | text
3280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Project Devotion.rar | compressed
3280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3280.43929\Project Devotion\Driver.bat | text
3280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3280.43929\Project Devotion\Mapper.exe | executable
3280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3280.43540\Project Devotion\Smap.exe | executable
  MD5: AA6A0C57B4286B6F9EE2CEC4FFF9689E
  SHA256: A0C094B0FCDFDCDD048A9EA563819BF8C16D6C9D528E8A6CFEF2B0E3D27960F3

Hashes are listed in this excerpt only for the dropped Smap.exe.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3784 | Smap.exe | 185.199.109.133:443 | raw.githubusercontent.com | GitHub, Inc. | NL | malicious
3784 | Smap.exe | 140.82.121.3:443 | github.com | n/a | US | suspicious

DNS requests

Domain | IP | Reputation
github.com | 140.82.121.3 | malicious
raw.githubusercontent.com | 185.199.109.133, 185.199.110.133, 185.199.111.133, 185.199.108.133 | shared

Threats

No threats detected
No debug info