File name: 03_magic8ball.7z
Full analysis: https://app.any.run/tasks/bc549d22-0fa4-4495-9820-031b0e1fd865
Verdict: Malicious activity
Analysis date: October 05, 2022, 06:48:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 1A2E8F0ACB29A5895889093F34576C32
SHA1: B2C9700DF5B57B91B045AD8A0FF7F7EA5F638C84
SHA256: 59C799396D92368CCA9AEE449020B41AA50FE9E9613422E56AF4F6397E888003
SSDEEP: 49152:y5kSAkvKxQ3SBPH9fvAy/1DTTwBDFwiT5MDCcs8BY9d:fSZvKqCfxvAydDQBhwiTWvid

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • Magic8Ball.exe (PID: 2856)
    • Application was dropped or rewritten from another process
      • Magic8Ball.exe (PID: 2856)
  • SUSPICIOUS
    • Reads the machine GUID from the registry
      • WinRAR.exe (PID: 3228)
  • INFO
    • Checks supported languages
      • WinRAR.exe (PID: 3228)
      • Magic8Ball.exe (PID: 2856)
    • Reads the computer name
      • Magic8Ball.exe (PID: 2856)
      • WinRAR.exe (PID: 3228)
    • Process checks LSA protection
      • WinRAR.exe (PID: 3228)
    • Manual execution by user
      • Magic8Ball.exe (PID: 2856)
    • Creates files in the user directory
      • WinRAR.exe (PID: 3228)
    • Creates a file in a temporary directory
      • WinRAR.exe (PID: 3228)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
Total processes: 34
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start → winrar.exe (no specs), magic8ball.exe (no specs)

Process information

PID: 3228
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\03_magic8ball.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: (none)
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 2856
CMD: "C:\Users\admin\AppData\Local\Temp\03_magic8ball\Magic8Ball.exe"
Path: C:\Users\admin\AppData\Local\Temp\03_magic8ball\Magic8Ball.exe
Indicators: (none)
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Total events: 1 231
Read events: 1 217
Write events: 14
Delete events: 0

Modification events

Process: (3228) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write | Name: ShellExtBMP | Value: (empty)

Process: (3228) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write | Name: ShellExtIcon | Value: (empty)

Process: (3228) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write | Name: LanguageList | Value: en-US

Process: (3228) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write | Name: ShowPassword | Value: 0

Process: (3228) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: (3228) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (3228) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\03_magic8ball.7z

Process: (3228) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name | Value: 120

Process: (3228) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size | Value: 80

Process: (3228) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: type | Value: 120
Executable files: 9
Suspicious files: 0
Text files: 3
Unknown types: 3

Dropped files

PID: 3228 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\03_magic8ball\assets\OFL.txt | Type: text
MD5: 053F21BB22E6D0BEE98B6610EC19D521
SHA256: 02F254589F3CC0E6B751FAA152144B632041392B36DCE0986DC1ABF9D58AC21F

PID: 3228 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\03_magic8ball\assets\ball_paint.png | Type: image
MD5: AAE7A06BA5AA91E0D18D05C1D6FC835A
SHA256: 068F466D176B389CEE73FA8B5DB2E6412002FF5F39C9A3A2B10307603B0747D4

PID: 3228 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\03_magic8ball\SDL2_ttf.dll | Type: executable
MD5: AD98B18C72EF580E3C12454BFCDB79E5
SHA256: 31A92F01504CF7F21D1A89E400841E1A9DC94397236733FCACEAF65BB57A4B8D

PID: 3228 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\03_magic8ball\SDL2.dll | Type: executable
MD5: A399B08B541A11C56D88F32881231F4F
SHA256: D78456C65B1E8BAD7E17CE96EBF9DE30BCD6C40EE753A069EE12B1521375D3E5

PID: 3228 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\03_magic8ball\Magic8Ball.exe | Type: executable
MD5: 3C2D4EA7B946596096BF039D0043A07B
SHA256: 2FCEAD898D8F900715C9201F246D040EB9686B8F732E683518E8EF92D26DFA89

PID: 3228 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\03_magic8ball\assets\DroidSans.ttf | Type: ttf
MD5: 9D83FB20700A3A7C45DC9ACD64AB121E
SHA256: 4E2371BC0E4CF6983342E150412F140DA79D674C9BE0B56458401F581072ECD3

PID: 3228 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\03_magic8ball\libtiff-5.dll | Type: executable
MD5: 9A1CB436AD5E3CD0442DF1B99FDC041A
SHA256: 879C188F4D199384E1D752A3F07F6EFCF5F2DCA139605B19513642C16CB8F8E2

PID: 3228 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\03_magic8ball\libpng16-16.dll | Type: executable
MD5: C156897A9C8616877D199CAB89FCD42B
SHA256: 71DBD2B080DF373B24B869900B96036FA3DD5B0295F5B074E8B27052D73C2794

PID: 3228 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\03_magic8ball\assets\NotoSans_Regular.ttf | Type: pi2
MD5: AC08E269B7F479624B266C0EA20013B4
SHA256: 4C8D67001D3C2977E5D6BF0A4F8ADD80CD564BD1DF60B7569FD23751E7DDA02A

PID: 3228 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\03_magic8ball\libjpeg-9.dll | Type: executable
MD5: 18BCC235D2A04409AEADFAF01F0CBED1
SHA256: D445EFDD297E85576BAD1E0FB8CEBFD4868004C4544F87A2E958A9ECAD48BD0C
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info