Malware analysis PDF%20785%20547.rar Malicious activity

Add for printing

download:	PDF%20785%20547.rar
Full analysis:	https://app.any.run/tasks/b8335b10-c53e-4eac-8beb-f4e0f63a98cc
Verdict:	Malicious activity
Threats:	Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	March 21, 2019, 09:52:06
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	trojan
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v4, os: Win32
MD5:	213077162689A7B89CD7DA26710BB0C8
SHA1:	4DA2B8E343982F8007DA4590FB21177F2B1FB55B
SHA256:	49168BDE5ACAE92DC0CFE0F4085BA6662EB6AAE8880A966162B233B43527479F
SSDEEP:	24576:qR6SHwAiEaetkd5h0wIJg3jMzIhsuxtgCxnIUPhzvWIGILfwUA:qRzvaes5Z3jmIhqCxnIPqA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - TeamViewer.exe (PID: 2676)
  - PDF.pdf.scr (PID: 2912)
  - TeamViewer.exe (PID: 2408)
- Loads dropped or rewritten executable
  - TeamViewer.exe (PID: 2676)
  - TeamViewer.exe (PID: 2408)
- Connects to CnC server
  - TeamViewer.exe (PID: 2408)
- Changes the autorun value in the registry
  - TeamViewer.exe (PID: 2408)
SUSPICIOUS
- Executable content was dropped or overwritten
  - PDF.pdf.scr (PID: 2912)
  - WinRAR.exe (PID: 3072)
- Connects to unusual port
  - TeamViewer.exe (PID: 2408)
INFO
- Dropped object may contain Bitcoin addresses
  - PDF.pdf.scr (PID: 2912)
- Application launched itself
  - RdrCEF.exe (PID: 3628)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v-4.x) (58.3)
.rar	\|	RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName:	PDF.pdf.scr
PackingMethod:	Best Compression
ModifyDate:	2019:03:11 12:36:20
OperatingSystem:	Win32
UncompressedSize:	1759168
CompressedSize:	1476706

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3072	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\9c0d2bf1-f1a5-4134-bc3c-6c639668721e.rar"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
2912	"C:\Users\admin\Desktop\PDF.pdf.scr" /S	C:\Users\admin\Desktop\PDF.pdf.scr		explorer.exe
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 3.0.1.9002
4076	"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\HZ$D.373.015\invoice.pdf"	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	—	PDF.pdf.scr
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Exit code: 1 Version: 15.23.20070.215641
3220	"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\HZ$D.373.015\invoice.pdf"	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	—	AcroRd32.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Exit code: 1 Version: 15.23.20070.215641
3628	"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	—	AcroRd32.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Exit code: 3221225547 Version: 15.23.20053.211670
2876	"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3628.0.439022354\1790914040" --allow-no-sandbox-job /prefetch:673131151	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	—	RdrCEF.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 0 Version: 15.23.20053.211670
2972	"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3628.1.1140068338\1436833943" --allow-no-sandbox-job /prefetch:673131151	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	—	RdrCEF.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 0 Version: 15.23.20053.211670
2676	"C:\Users\admin\AppData\Local\Temp\HZ$D.373.015\TeamViewer.exe" r	C:\Users\admin\AppData\Local\Temp\HZ$D.373.015\TeamViewer.exe	—	PDF.pdf.scr
User: admin Integrity Level: MEDIUM Exit code: 0
2408	C:\Users\admin\AppData\Local\Temp\HZ$D.373.015\TeamViewer.exe	C:\Users\admin\AppData\Local\Temp\HZ$D.373.015\TeamViewer.exe		TeamViewer.exe
User: admin Integrity Level: MEDIUM
3424	"C:\Windows\system32\taskmgr.exe" /4	C:\Windows\system32\taskmgr.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

956

Read events

814

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3220	AcroRd32.exe	C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal		—
		MD5:—	SHA256:—
3220	AcroRd32.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.3220		—
		MD5:—	SHA256:—
3220	AcroRd32.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.3220		—
		MD5:—	SHA256:—
3220	AcroRd32.exe	C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages		sqlite
		MD5:0B8BDBB076B08E5036ED7E9D59564860	SHA256:60E1FE70C2C455F22D9BE3E19CAB4FF36C4D12D92B5058EE5CE71A8C8373E3EB
2912	PDF.pdf.scr	C:\Users\admin\AppData\Local\Temp\HZ$D.373.015\invoice.pdf		pdf
		MD5:5DDD79C00702769AD37C0B55A65100A7	SHA256:05AC18D1D48B31A5ED7D481A962566437AC0FDFA48C86DA628C37D3C65EE12D5
2912	PDF.pdf.scr	C:\Users\admin\AppData\Local\Temp\HZ$D.373.015\tv.dll		executable
		MD5:822589DF8E2B08818E731B7356B6C10C	SHA256:DAD6204F8795A77CD163431800F3ACCC28F581F3C00210496631F628E3DB7ECF
2912	PDF.pdf.scr	C:\Users\admin\AppData\Local\Temp\HZ$D.373.015\tv.ini		text
		MD5:9219E22809A1DFF78AAC5FFF7C80933C	SHA256:770450245EDC7EBA822B9E947B81ECB3C772E7A39CAE24AFA5C1173B841CFE70
2912	PDF.pdf.scr	C:\Users\admin\AppData\Local\Temp\HZ$D.373.015\Teamviewer_Resource_en.dll		executable
		MD5:295CD05E2690B1427AA84E7C5853F8D1	SHA256:9AC1C4D00A5A17EE8CBE6088E7D0C14760BF9B03AE27AC33EDCFAA51CF4DC2EF
2912	PDF.pdf.scr	C:\Users\admin\AppData\Local\Temp\HZ$D.373.015\TeamViewer.ini		text
		MD5:DB7C9F22AD98757E37D2F361DAAB1877	SHA256:45B14995FEAD488ED1E6AE870F971EBD4ECE15426E75C6818050AE9EA7FFC6CC
3072	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3072.46079\PDF.pdf.scr		executable
		MD5:E16025C837A697DA4B4E44D8CF3CDD51	SHA256:8163D20920D38F484402EE62D0BA941294DB63A420D4B1FE246490E1DA2D41B9

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2408	TeamViewer.exe	POST	200	209.99.16.15:80	http://liveupdate.online/command.php	US	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2408	TeamViewer.exe	209.99.16.15:80	liveupdate.online	PDR	US	suspicious
2408	TeamViewer.exe	213.227.168.189:5938	ping3.dyngate.com	ANEXIA Internetdienstleistungs GmbH	AT	suspicious
2408	TeamViewer.exe	185.188.32.2:5938	master10.teamviewer.com	TeamViewer GmbH	DE	suspicious
2408	TeamViewer.exe	178.255.154.133:5938	—	ANEXIA Internetdienstleistungs GmbH	CZ	suspicious

DNS requests

Domain	IP	Reputation
ping3.dyngate.com	213.227.168.189 188.172.219.157 188.172.246.189 213.227.162.125 188.172.198.157	suspicious
master10.teamviewer.com	185.188.32.2	shared
liveupdate.online	209.99.16.15	malicious

Threats

PID	Process	Class	Message
2408	TeamViewer.exe	Potential Corporate Privacy Violation	POLICY [PTsecurity] TeamViewer connection
2408	TeamViewer.exe	Potential Corporate Privacy Violation	POLICY [PTsecurity] TeamViewer connection
2408	TeamViewer.exe	Potential Corporate Privacy Violation	SUSPICIOUS [PTsecurity] RMS.RAT.UserAgent

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

PDF%20785%20547.rar

213077162689A7B89CD7DA26710BB0C8

4DA2B8E343982F8007DA4590FB21177F2B1FB55B

49168BDE5ACAE92DC0CFE0F4085BA6662EB6AAE8880A966162B233B43527479F

24576:qR6SHwAiEaetkd5h0wIJg3jMzIhsuxtgCxnIUPhzvWIGILfwUA:qRzvaes5Z3jmIhqCxnIPqA

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Connects to CnC server

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Connects to unusual port

INFO

Dropped object may contain Bitcoin addresses

Application launched itself

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings