File name: Документы 15е апреля.gz (Russian: "Documents 15th April")

Full analysis: https://app.any.run/tasks/8e75ed3c-b81a-4fad-b46b-2b418f03426d
Verdict: Malicious activity
Analysis date: April 15, 2019, 09:14:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5 (the .gz extension does not match the content; the sandbox opened the file as Документы 15е апреля.gz.rar, see the process information below)
MD5: CA734A85D3B9E6FB19C9074E7A301089
SHA1: 7BFD71CC5BE2736A17B964B9260268751D1FE329
SHA256: 50B8C34F3F7DAEF4333A776B53B0D47220B30BFFB2DC3905A630B87DA582C715
SSDEEP: 6144:CCaoo/AqV3oM6eDB6RB4Nm+2uEO+ffhnkwkwyyU:CCDDqloABCx+9Enf5nk8yj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Документы 15е апреля.exe (PID: 2788)
    • Loads dropped or rewritten executable
      • rundll32.exe (PID: 3608)
      • rundll32.exe (PID: 3988)
      • WinRAR.exe (PID: 2924)
    • Changes the autorun value in the registry
      • Документы 15е апреля.exe (PID: 2788)
    • Loads the Task Scheduler COM API
      • rundll32.exe (PID: 3608)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2924)
      • Документы 15е апреля.exe (PID: 2788)
      • rundll32.exe (PID: 3608)
    • Uses RUNDLL32.EXE to load library
      • Документы 15е апреля.exe (PID: 2788)
    • Creates files in the program directory
      • rundll32.exe (PID: 3608)
    • Connects to server without host name
      • rundll32.exe (PID: 3988)
  • INFO
    No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
All screenshots are available in the full report
Total processes: 35
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 2

Behavior graph

WinRAR.exe -(drop and start)-> Документы 15е апреля.exe -(start)-> rundll32.exe (PID 3608, 467.dll); rundll32.exe (PID 3988, 2702bc633f93.dat) is started separately by taskeng.exe (see the process information below).

Process information

PID 2924: WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Документы 15е апреля.gz.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2788: Документы 15е апреля.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2924.20530\Документы 15е апреля.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2924.20530\Документы 15е апреля.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft Corporation (version-info string in Russian: Корпорация Майкрософт)
  Integrity Level: MEDIUM
  Description: Win32 Cabinet Self-Extractor (version-info string in Russian: Самоизвлечение CAB-файлов Win32)
  Exit code: 0
  Version: 6.00.2900.5512 (xpsp.080413-2105)
  Note: this version info is that of the Windows IExpress self-extractor stub (wextract.exe), which unpacks to %TEMP%\IXP000.TMP; the IXP000.TMP path of the dropped 467.dll below matches. The executable was launched directly from WinRAR's temporary extraction directory (Rar$EXa2924.20530), i.e. the user opened the archived file from the WinRAR window.

PID 3608: rundll32.exe
  CMD: rundll32.exe 467.dll,DllGetClassObject root 000000000000 Post Install program: <None>
  Path: C:\Windows\system32\rundll32.exe
  Parent process: Документы 15е апреля.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Note: the module is given as a bare relative name, so it is resolved through the loader search path from the self-extractor's working directory, and the entry point is the COM export DllGetClassObject rather than an export with the rundll32 calling convention.

PID 3988: rundll32.exe
  CMD: rundll32.exe "C:\ProgramData\2401bf603c90\2702bc633f93.dat",DllGetClassObject root
  Path: C:\Windows\system32\rundll32.exe
  Parent process: taskeng.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows host process (Rundll32)
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Note: the parent taskeng.exe is the Windows 7 Task Scheduler engine, so this instance was started by a scheduled task, consistent with PID 3608 loading the Task Scheduler COM API. It loads the copy placed in C:\ProgramData under a .dat extension (same hash as 467.dll, see dropped files) and is the only process with network activity.
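The chain in the process table above (an executable launched from WinRAR's extraction directory, rundll32 invoked with a COM export on a bare module name, then a second rundll32 started by taskeng.exe loading a .dat from C:\ProgramData) is the kind of pattern a process-creation log can catch on its own, without the sandbox verdict. The following Python is an added example written for this page; it is not ANY.RUN code and not part of the report. It parses rundll32 command lines and scores events that are constructed here from the report's process table, plus one made-up benign control-panel launch (PID 1200). The COMMON_SYSTEM_DLLS allowlist, the user-writable directory list and the scheduler-host list are assumptions for the example and should be tuned against your own baseline.

```python
"""Triage of process-creation events for the rundll32 / scheduled-task pattern
in the report above. The events are constructed from the report's process table
(not read from any sandbox API); the control-panel launch (PID 1200) is a
made-up benign control."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # basename of the executed image
    cmdline: str
    parent_image: str   # basename of the parent image


# Directories a standard user can write to; Windows components that rundll32
# legitimately hosts are not loaded from here. (Assumed list for the example.)
USER_WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
# Bare system DLL names rundll32 is routinely invoked with (assumed allowlist,
# extend from your own baseline); a relative module name outside this set is
# resolved through the loader search path, which includes the caller's
# working directory.
COMMON_SYSTEM_DLLS = {"shell32.dll", "user32.dll", "printui.dll", "keymgr.dll"}
# Processes that start a scheduled task's action (Windows 7: taskeng.exe;
# Windows 8 and later: the svchost.exe instance hosting the Schedule service).
SCHEDULER_HOSTS = ("taskeng.exe", "svchost.exe")
# COM exports whose prototypes do not match the arguments rundll32 passes;
# invoking them through rundll32 only works if the DLL ignores its arguments.
COM_EXPORTS = ("dllgetclassobject", "dllregisterserver", "dllunregisterserver")
# WinRAR extracts to %TEMP%\Rar$EX<pid>.<n> before launching an archived file.
WINRAR_TMP_RE = re.compile(r"\\rar\$ex[a-z0-9]*\.\d+\\", re.IGNORECASE)


def parse_rundll32(cmdline):
    """Split 'rundll32.exe <module>,<export> [args]' into (module, export, args).
    The module may be quoted; an unquoted module ends at the first comma or
    space. Returns None if the line is not a rundll32 invocation."""
    m = re.match(r'\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', cmdline, re.IGNORECASE)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end == -1:
            return None                         # unterminated quote
        module, rest = rest[1:end], rest[end + 1:]
    else:
        cut = min((i for i in (rest.find(","), rest.find(" ")) if i != -1), default=len(rest))
        module, rest = rest[:cut], rest[cut:]
    if not rest.startswith(","):
        return module, None, rest.strip()       # no export named
    export, _, args = rest[1:].strip().partition(" ")
    return module, export, args.strip()


def assess(ev):
    """Return the list of findings for one process-creation event."""
    findings = []
    if WINRAR_TMP_RE.search(ev.cmdline):
        findings.append("executable launched from a WinRAR extraction directory")
    if ev.image.lower() != "rundll32.exe":
        return findings
    parsed = parse_rundll32(ev.cmdline)
    if parsed is None:
        return findings
    module, export, _args = parsed
    low = module.lower()
    ext = ntpath.splitext(low)[1]
    if not ntpath.isabs(module) and low not in COMMON_SYSTEM_DLLS:
        findings.append(f"relative module name {module!r} resolved via the loader search path")
    if ext != ".dll":
        findings.append(f"module with non-DLL extension {ext!r}")
    if any(d in low for d in USER_WRITABLE_DIRS):
        findings.append("module located in a user-writable directory")
    if export and export.lower() in COM_EXPORTS:
        findings.append(f"COM export {export} used as a rundll32 entry point")
    if ev.parent_image.lower() in SCHEDULER_HOSTS:
        findings.append(f"started by Task Scheduler host {ev.parent_image}")
    return findings


def triage(events):
    """Map each PID to its findings; an empty list means nothing stood out."""
    return {ev.pid: assess(ev) for ev in events}


# Constructed from the report's process table; PID 1200 is an invented benign control.
SAMPLE_EVENTS = [
    ProcEvent(2924, "WinRAR.exe", r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Документы 15е апреля.gz.rar"', "explorer.exe"),
    ProcEvent(2788, "Документы 15е апреля.exe", r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa2924.20530\Документы 15е апреля.exe"', "WinRAR.exe"),
    ProcEvent(3608, "rundll32.exe", r"rundll32.exe 467.dll,DllGetClassObject root 000000000000 Post Install program: <None>", "Документы 15е апреля.exe"),
    ProcEvent(3988, "rundll32.exe", r'rundll32.exe "C:\ProgramData\2401bf603c90\2702bc633f93.dat",DllGetClassObject root', "taskeng.exe"),
    ProcEvent(1200, "rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL", "explorer.exe"),
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        print(pid, findings or "-")
```

Each finding is a heuristic, not a verdict; what makes PID 3988 stand out is the combination (Task Scheduler parent, non-DLL extension, user-writable directory, COM export), and a rule that alerts on any single one of them will be noisy.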
Total events: 463
Read events: 446
Write events: 17
Delete events: 0

Modification events

PID 2924 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
PID 2924 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
PID 2924 (WinRAR.exe) | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
PID 2924 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\Документы 15е апреля.gz.rar
PID 2924 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 2924 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 2924 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
PID 2924 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
PID 2924 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 0
PID 2924 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 1

All of the registry writes shown here are WinRAR's own housekeeping (archive history, column widths, zone map). The autorun value that PID 2788 is flagged for changing is not among the events in this excerpt; the full report has to be consulted for that key and value.
Executable files: 3
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 3608 (rundll32.exe): C:\ProgramData\2401bf603c90\2702bc633f93.dat (executable)
  MD5: A33B3C4565CC61ECC2771A0105A8B8B6
  SHA256: 33CBA9145F53DC22C8F5CEE83C692B671FA088099BB5E592BC4F5A4543A4742E
PID 2788 (Документы 15е апреля.exe): C:\Users\admin\AppData\Local\Temp\IXP000.TMP\467.dll (executable)
  MD5: A33B3C4565CC61ECC2771A0105A8B8B6
  SHA256: 33CBA9145F53DC22C8F5CEE83C692B671FA088099BB5E592BC4F5A4543A4742E
PID 2924 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$EXa2924.20530\Документы 15е апреля.exe (executable)
  MD5: B4847906E21457D8CF1CC78C819833A9
  SHA256: 3AEF332D23FE5FF97B5E8DD47EAA2A02F97B8444D5F7DE839543BBD6F70008C8

467.dll and 2702bc633f93.dat have identical hashes: rundll32.exe (PID 3608) copied the DLL it was loaded from into C:\ProgramData under a random-looking directory and file name with a .dat extension, and that copy is what the task-scheduled rundll32.exe (PID 3988) loads. For hunting, the SHA256 33CBA914... identifies the payload regardless of which of the two paths it sits at.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

PID 3988 (rundll32.exe) | POST http://185.203.119.104/index.php | HTTP code: 200 | IP: 185.203.119.104:80 | CN: BG | Type: binary | Size: 9 b | Reputation: unknown

Connections

PID 3988 (rundll32.exe) | 52.36.204.116:443 | Domain: namecoin.cyphrs.com | ASN: Amazon.com, Inc. | CN: US | Reputation: unknown
PID 3988 (rundll32.exe) | 188.165.200.156:53 | Domain: (none) | ASN: OVH SAS | CN: FR | Reputation: malicious
PID 3988 (rundll32.exe) | 185.203.119.104:80 | Domain: (none) | ASN: BelCloud Hosting Corporation | CN: BG | Reputation: unknown

DNS requests

namecoin.cyphrs.com -> 52.36.204.116 (reputation: unknown)

Threats

PID 3988 (rundll32.exe) | Class: Potentially Bad Traffic | Message: ET CURRENT_EVENTS DNS Query Domain .bit
1 ETPRO signature is available in the full report.

The .bit query itself does not appear under DNS requests, which lists only the resolution of namecoin.cyphrs.com. .bit is a Namecoin name that ordinary resolvers cannot answer, which is why the sample contacts a Namecoin gateway (judging by the host name) over 443 and a host of its own on port 53 (188.165.200.156, the connection flagged malicious); that port-53 connection is the likely carrier of the .bit lookup. On a corporate network, DNS to any destination other than the configured resolvers is the simplest signal for this behaviour.
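The `ET CURRENT_EVENTS DNS Query Domain .bit` alert fires on a query for a TLD that exists only in an alternative root, and the connections table shows the other half of the pattern: DNS sent to a host that is not the local resolver. The following Python is an added example written for this page; it is not the Emerging Threats rule and not part of the report. It parses the question section of a raw DNS query, flags alternative-root TLDs (Namecoin .bit, Emercoin, Tor .onion) and flags queries sent to a resolver the host is not configured with, rejecting truncated packets instead of misreading them. The packets are built inside the block; the page does not name the .bit domain that was queried, so `example.bit` is a placeholder, 10.0.0.53 is an assumed corporate resolver, and 188.165.200.156 is the port-53 host from the connections list.

```python
"""Parse the question section of a raw DNS query and flag lookups that only an
alternative-root resolver can answer, plus DNS sent to a resolver other than
the ones the host is configured with. The packets are built here for the
example; nothing is captured from the sandbox."""
import struct

# TLDs served by blockchain/Tor naming systems and absent from the ICANN root.
ALT_ROOT_TLDS = {"bit", "emc", "coin", "lib", "bazar", "onion"}


def build_dns_query(qname, qtype=1, txid=0x1337):
    """Build a standard recursive query (constructed test input, not a capture)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    return header + name + struct.pack(">HH", qtype, 1)        # class IN


def parse_qname(buf, offset):
    """Decode a label sequence starting at offset; returns (name, next offset).
    Raises ValueError on truncation or on a compression pointer, which never
    belongs in a query's question section."""
    labels = []
    while True:
        if offset >= len(buf):
            raise ValueError("truncated name")
        n = buf[offset]
        offset += 1
        if n == 0:
            return ".".join(labels), offset
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        if offset + n > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[offset:offset + n].decode("ascii", "replace"))
        offset += n


def inspect_dns_query(payload, dst_ip, expected_resolvers):
    """Return alert strings for one UDP payload sent to dst_ip on port 53."""
    _txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000:
        return []                                   # a response, not a query
    alerts = []
    offset = 12                                     # fixed DNS header length
    for _ in range(qdcount):
        qname, offset = parse_qname(payload, offset)
        if offset + 4 > len(payload):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack(">HH", payload[offset:offset + 4])
        offset += 4
        tld = qname.rsplit(".", 1)[-1].lower()
        if tld in ALT_ROOT_TLDS:
            alerts.append(f"query for alternative-root TLD .{tld}: {qname} (type {qtype})")
    if dst_ip not in expected_resolvers:
        alerts.append(f"DNS query sent to unexpected resolver {dst_ip}")
    return alerts


def is_malformed(payload):
    """True if the payload cannot be parsed as a DNS query (truncated or garbage)."""
    try:
        inspect_dns_query(payload, "0.0.0.0", {"0.0.0.0"})
        return False
    except (ValueError, struct.error):
        return True


if __name__ == "__main__":
    # Assumed corporate resolver; example.bit is a placeholder for the real name.
    resolvers = {"10.0.0.53"}
    print(inspect_dns_query(build_dns_query("example.bit"), "188.165.200.156", resolvers))
    print(inspect_dns_query(build_dns_query("namecoin.cyphrs.com"), "10.0.0.53", resolvers))
```

The resolver check is the more robust of the two: a sample can switch from .bit to another naming scheme, but any malware that carries its own DNS server still has to send port-53 traffic somewhere other than the resolvers the host was given.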
No debug info