File name:

13331398017.zip

Full analysis: https://app.any.run/tasks/859583fe-56c9-47d0-92de-1efbcf585267
Verdict: Malicious activity
Analysis date: December 02, 2023, 10:56:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

2CE49A0A7850DE6EAFD9BF085163D443

SHA1:

76A098C34028D10ADCA7850F7E34024AA76D2ABB

SHA256:

524612F578B514BE8643D30687FDF123FABEA24476C2D9BB05D277D96D30457A

SSDEEP:

98304:vv4wW9kHAwPJeaceaCVUT7HuW6UiC1LFKE/eni5Lw7LvdixH29CNkqh842qKRTwC:DP8HTo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • The DLL Hijacking

      • _Main.exe (PID: 3680)
      • _Main.exe (PID: 2292)
      • _Main.exe (PID: 3652)
      • _Main.exe (PID: 3996)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3784)
      • WinRAR.exe (PID: 4040)
      • WinRAR.exe (PID: 3452)

    • The process checks if it is being run in the virtual environment

      • _Main.exe (PID: 3680)
      • _Main.exe (PID: 3652)
      • _Main.exe (PID: 2292)
      • _Main.exe (PID: 3996)

  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 1584)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 1584)
      • WinRAR.exe (PID: 3784)
      • _Main.exe (PID: 2292)
      • _Main.exe (PID: 3680)
      • WinRAR.exe (PID: 3452)
      • WinRAR.exe (PID: 4040)
      • _Main.exe (PID: 3652)

    • Checks supported languages

      • wmpnscfg.exe (PID: 1584)
      • _Main.exe (PID: 2292)
      • _Main.exe (PID: 3680)
      • _Main.exe (PID: 3652)
      • _Main.exe (PID: 3996)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3784)
      • WinRAR.exe (PID: 4040)
      • WinRAR.exe (PID: 3452)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 1980:00:00 00:00:00
ZipCRC: 0x4b9f230b
ZipCompressedSize: 2135427
ZipUncompressedSize: 2134755
ZipFileName: 53d29a63230302bf1ff9f06fbc11b36068ecd024c758bcabaf4f363732432126
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
9
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs wmpnscfg.exe no specs winrar.exe no specs _main.exe no specs _main.exe winrar.exe no specs _main.exe no specs winrar.exe no specs _main.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1584"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2144"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\13331398017.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2292"C:\Users\admin\Desktop\_Main.exe" C:\Users\admin\Desktop\_Main.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
OLE/COM Object Viewer
Exit code:
0
Version:
6.0.6001.17131 (longhorn_rtm.080108-2300)
Modules
Images
c:\users\admin\desktop\_main.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3452"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\File_Part1.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3652"C:\Users\admin\Desktop\File_Part1\_Main.exe" C:\Users\admin\Desktop\File_Part1\_Main.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
OLE/COM Object Viewer
Exit code:
0
Version:
6.0.6001.17131 (longhorn_rtm.080108-2300)
Modules
Images
c:\users\admin\desktop\file_part1\_main.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3680"C:\Users\admin\Desktop\_Main.exe" C:\Users\admin\Desktop\_Main.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
OLE/COM Object Viewer
Exit code:
0
Version:
6.0.6001.17131 (longhorn_rtm.080108-2300)
Modules
Images
c:\users\admin\desktop\_main.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3784"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\File_Part1.rar" C:\Users\admin\Desktop\C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3996"C:\Users\admin\AppData\Local\Temp\Rar$EXa3452.15514\_Main.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3452.15514\_Main.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
OLE/COM Object Viewer
Exit code:
0
Version:
6.0.6001.17131 (longhorn_rtm.080108-2300)
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3452.15514\_main.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
4040"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\File_Part1.rar" "?\"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
2 423
Read events
2 387
Write events
36
Delete events
0

Modification events

(PID) Process:(2144) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2144) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(2144) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(2144) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(2144) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2144) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2144) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2144) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3784) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3784) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
Executable files
6
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3452WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3452.15514\_Main.exeexecutable
MD5:DF33C821C06835A1349CBE3B0C65F24C
SHA256:0263663C5375289FA2550D0CFF3553DFC160A767E718A9C38EFC0DA3D7A4B626
3784WinRAR.exeC:\Users\admin\Desktop\_Main.exeexecutable
MD5:DF33C821C06835A1349CBE3B0C65F24C
SHA256:0263663C5375289FA2550D0CFF3553DFC160A767E718A9C38EFC0DA3D7A4B626
3452WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3452.15514\aclui.dllexecutable
MD5:FD8F5BE0D115B88CDD9F8C8799638171
SHA256:81B7D097AA98827558A2465BE70FCDFED5820E65E5FA8FE160F876125A45A035
2144WinRAR.exeC:\Users\admin\Desktop\53d29a63230302bf1ff9f06fbc11b36068ecd024c758bcabaf4f363732432126compressed
MD5:9684140AC0809CE21F08E456A62C4AF8
SHA256:53D29A63230302BF1FF9F06FBC11B36068ECD024C758BCABAF4F363732432126
3784WinRAR.exeC:\Users\admin\Desktop\aclui.dllexecutable
MD5:FD8F5BE0D115B88CDD9F8C8799638171
SHA256:81B7D097AA98827558A2465BE70FCDFED5820E65E5FA8FE160F876125A45A035
4040WinRAR.exeC:\Users\admin\Desktop\File_Part1\aclui.dllexecutable
MD5:FD8F5BE0D115B88CDD9F8C8799638171
SHA256:81B7D097AA98827558A2465BE70FCDFED5820E65E5FA8FE160F876125A45A035
4040WinRAR.exeC:\Users\admin\Desktop\File_Part1\_Main.exeexecutable
MD5:DF33C821C06835A1349CBE3B0C65F24C
SHA256:0263663C5375289FA2550D0CFF3553DFC160A767E718A9C38EFC0DA3D7A4B626
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
868
svchost.exe
23.32.184.135:80
armmf.adobe.com
AKAMAI-AS
BR
unknown

DNS requests

Domain
IP
Reputation
armmf.adobe.com
  • 23.32.184.135
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
13331398017.zip