File name: 03_magic8ball.7z

Full analysis: https://app.any.run/tasks/bc549d22-0fa4-4495-9820-031b0e1fd865
Verdict: Malicious activity
Analysis date: October 05, 2022, 06:48:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 1A2E8F0ACB29A5895889093F34576C32
SHA1: B2C9700DF5B57B91B045AD8A0FF7F7EA5F638C84
SHA256: 59C799396D92368CCA9AEE449020B41AA50FE9E9613422E56AF4F6397E888003
SSDEEP: 49152:y5kSAkvKxQ3SBPH9fvAy/1DTTwBDFwiT5MDCcs8BY9d:fSZvKqCfxvAydDQBhwiTWvid

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Magic8Ball.exe (PID: 2856)
    • Loads dropped or rewritten executable

      • Magic8Ball.exe (PID: 2856)
  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 3228)
  • INFO

    • Checks supported languages

      • WinRAR.exe (PID: 3228)
      • Magic8Ball.exe (PID: 2856)
    • Creates files in the user directory

      • WinRAR.exe (PID: 3228)
    • Reads the computer name

      • WinRAR.exe (PID: 3228)
      • Magic8Ball.exe (PID: 2856)
    • Process checks LSA protection

      • WinRAR.exe (PID: 3228)
    • Manual execution by user

      • Magic8Ball.exe (PID: 2856)
    • Creates a file in a temporary directory

      • WinRAR.exe (PID: 3228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

No data.
All screenshots are available in the full report
Total processes: 34
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start -> winrar.exe (no specs)
start -> magic8ball.exe (no specs)

Process information

PID: 2856
CMD: "C:\Users\admin\AppData\Local\Temp\03_magic8ball\Magic8Ball.exe"
Path: C:\Users\admin\AppData\Local\Temp\03_magic8ball\Magic8Ball.exe
Indicators:
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\appdata\local\temp\03_magic8ball\magic8ball.exe
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\users\admin\appdata\local\temp\03_magic8ball\sdl2.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\gdi32.dll

PID: 3228
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\03_magic8ball.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators:
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll
Total events: 1 231
Read events: 1 217
Write events: 14
Delete events: 0

Modification events

(PID 3228) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
  Operation: write | Name: ShellExtBMP | Value:

(PID 3228) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
  Operation: write | Name: ShellExtIcon | Value:

(PID 3228) WinRAR.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
  Operation: write | Name: LanguageList | Value: en-US

(PID 3228) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
  Operation: write | Name: ShowPassword | Value: 0

(PID 3228) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID 3228) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID 3228) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\03_magic8ball.7z

(PID 3228) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write | Name: name | Value: 120

(PID 3228) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write | Name: size | Value: 80

(PID 3228) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write | Name: type | Value: 120
Executable files: 9
Suspicious files: 0
Text files: 3
Unknown types: 3

Dropped files

PID 3228 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\03_magic8ball\Magic8Ball.exe | executable
  MD5:
  SHA256:

PID 3228 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\03_magic8ball\SDL2_ttf.dll | executable
  MD5:
  SHA256:

PID 3228 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\03_magic8ball\assets\ball_paint.png | image
  MD5:
  SHA256:

PID 3228 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\03_magic8ball\assets\OpenSans_regular.ttf | ttf
  MD5: 58B1F440729D267697BDDCDDB994BCE9
  SHA256: 4C4241959DDB26F3931A9BD611886CFB614250DFC64FF30BD3EE891BC15B6113

PID 3228 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\03_magic8ball\assets\NotoSans_Regular.ttf | pi2
  MD5: AC08E269B7F479624B266C0EA20013B4
  SHA256: 4C8D67001D3C2977E5D6BF0A4F8ADD80CD564BD1DF60B7569FD23751E7DDA02A

PID 3228 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\03_magic8ball\assets\LICENSE.txt | text
  MD5: D273D63619C9AEAF15CDAF76422C4F87
  SHA256: 3DDF9BE5C28FE27DAD143A5DC76EEA25222AD1DD68934A047064E56ED2FA40C5

PID 3228 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\03_magic8ball\assets\OFL.txt | text
  MD5: 053F21BB22E6D0BEE98B6610EC19D521
  SHA256: 02F254589F3CC0E6B751FAA152144B632041392B36DCE0986DC1ABF9D58AC21F

PID 3228 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\03_magic8ball\libpng16-16.dll | executable
  MD5: C156897A9C8616877D199CAB89FCD42B
  SHA256: 71DBD2B080DF373B24B869900B96036FA3DD5B0295F5B074E8B27052D73C2794

PID 3228 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\03_magic8ball\libjpeg-9.dll | executable
  MD5: 18BCC235D2A04409AEADFAF01F0CBED1
  SHA256: D445EFDD297E85576BAD1E0FB8CEBFD4868004C4544F87A2E958A9ECAD48BD0C

PID 3228 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\03_magic8ball\SDL2_image.dll | executable
  MD5: 129C15C173A927513D2FAC86E424F616
  SHA256: 7DDCEB00FFF15B05EF03ADBD1AB6D1514CAC6DD4646376A0A94F2248C66F6DB7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info