analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

1ae0e1b2.7z

Full analysis: https://app.any.run/tasks/21c4ba2e-5a37-4fa0-b800-3ad02a00eaee
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: May 21, 2022, 04:29:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.3
MD5:

611C8EA48409FB5CCF61B51A52B2A710

SHA1:

945CD52E3E081A3B056F5A2C979171ADA3A9F6C2

SHA256:

43982280B3325A77317E74E0D1BBA3B92AF4E7689DB3CFCCAF188B6402F89B6A

SSDEEP:

1536:EWJbNsboAi4kbziDR+Rqix080zG3w2SIA9:EUqoh4Oi9+P080CU9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 1976)
      • Explorer.EXE (PID: 764)
      • svchost.exe (PID: 2152)

    • Application was dropped or rewritten from another process

      • 1ae0e1b2.exe (PID: 2492)
      • 1ae0e1b2.exe (PID: 3068)

    • Uses SVCHOST.EXE for hidden code execution

      • Explorer.EXE (PID: 764)

    • Runs injected code in another process

      • explorer.exe (PID: 2088)

    • Application was injected by another process

      • Explorer.EXE (PID: 764)

    • Changes the login/logoff helper path in the registry

      • svchost.exe (PID: 2152)

    • Connects to CnC server

      • svchost.exe (PID: 2152)

  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 1976)
      • 1ae0e1b2.exe (PID: 2492)
      • 1ae0e1b2.exe (PID: 3068)

    • Reads the computer name

      • WinRAR.exe (PID: 1976)

    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 1976)
      • Explorer.EXE (PID: 764)
      • svchost.exe (PID: 2152)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1976)
      • svchost.exe (PID: 2152)

    • Application launched itself

      • 1ae0e1b2.exe (PID: 2492)

    • Creates files in the user directory

      • svchost.exe (PID: 2152)

  • INFO

    • Manual execution by user

      • 1ae0e1b2.exe (PID: 2492)
      • svchost.exe (PID: 2152)

    • Checks supported languages

      • explorer.exe (PID: 2088)
      • svchost.exe (PID: 2152)

    • Reads the computer name

      • svchost.exe (PID: 2152)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (gen) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
6
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start inject winrar.exe 1ae0e1b2.exe no specs 1ae0e1b2.exe no specs explorer.exe no specs explorer.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1976"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1ae0e1b2.7z"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
2492"C:\Users\admin\Desktop\1ae0e1b2.exe" C:\Users\admin\Desktop\1ae0e1b2.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3068"c:\users\admin\desktop\1ae0e1b2.exe"c:\users\admin\desktop\1ae0e1b2.exe1ae0e1b2.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2088"C:\Windows\explorer.exe"C:\Windows\explorer.exe1ae0e1b2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
764C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2152"C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
3 344
Read events
3 282
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2152svchost.exeC:\Users\admin\AppData\Roaming\msconfig.datexecutable
MD5:2B3A787186DE556C77BAD6914DB44E0C
SHA256:28748DF1F59A083426B3477292FE9A9B06B661BCA9D8B9E3DC037A78F6D11087
1976WinRAR.exeC:\Users\admin\Desktop\1ae0e1b2.datexecutable
MD5:2B3A787186DE556C77BAD6914DB44E0C
SHA256:28748DF1F59A083426B3477292FE9A9B06B661BCA9D8B9E3DC037A78F6D11087
764Explorer.EXEC:\Users\admin\Desktop\1ae0e1b2.exeexecutable
MD5:2B3A787186DE556C77BAD6914DB44E0C
SHA256:28748DF1F59A083426B3477292FE9A9B06B661BCA9D8B9E3DC037A78F6D11087
2152svchost.exeC:\Users\admin\AppData\Roaming\msconfig.inibinary
MD5:9D8D888BB7B09FA4A054AD6DF5C6A6F9
SHA256:CA5D4975E6FC36BD0B1B978AA09E380CE847009C071BB1B42FDBD1900AD1297C
2152svchost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\555657555D8E3EA423FBB9670940B8544DC9B530DD0F550A1C1B[1].htmhtml
MD5:08BE1963E545078937503C2D90F15992
SHA256:EB7102C280B3C92E8FE27821424DB082416A317B3C16C5DBBB6D2043948CD207
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2152
svchost.exe
GET
200
23.202.231.167:80
http://hhrbn.ru/555657555D8E3EA423FBB9670940B8544DC9B530DD0F550A1C1B
US
html
412 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2152
svchost.exe
23.202.231.167:80
hhrbn.ru
Akamai Technologies, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
hhrbn.ru
  • 23.202.231.167
  • 23.217.138.108
malicious

Threats

PID
Process
Class
Message
2152
svchost.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Our_Agent)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
1ae0e1b2.7z