Program did not start
General Info
- File name
-
超强样本.7z
- Verdict
- Malicious activity
- Analysis date
- 7/18/2019, 09:15:34
- OS:
- Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
- Indicators:
- MIME:
- application/x-7z-compressed
- File info:
- 7-zip archive data, version 0.4
- MD5
-
1d619f4f3236229f93e34fd2a6bc1c2d
- SHA1
-
a0aa2fbdc1c411497d8f106d697e0884b8a3ea08
- SHA256
-
5b646a74886239c8016d3e6aa819c10a4bd16de6fd7c8589525571b0e164dab4
- SSDEEP
-
49152:mH0i6NzUlDoIJpgP9rR578KIcAuJfl9DTo0W6a4b9:oygpCh72udjD001hp
Software environment set and analysis options
Launch configuration
- Task duration
- 60 seconds
- Additional time used
- none
- Fakenet option
- off
- Heavy Evaision option
- off
- MITM proxy
- off
- Route via Tor
- on
- Network geolocation
- off
- Privacy
- Public submission
- Autoconfirmation of UAC
- on
Software preset
- Internet Explorer 8.0.7601.17514
- Adobe Acrobat Reader DC MUI (15.023.20070)
- Adobe Flash Player 26 ActiveX (26.0.0.131)
- Adobe Flash Player 26 NPAPI (26.0.0.131)
- Adobe Flash Player 26 PPAPI (26.0.0.131)
- Adobe Refresh Manager (1.8.0)
- CCleaner (5.35)
- FileZilla Client 3.36.0 (3.36.0)
- Google Chrome (75.0.3770.100)
- Google Update Helper (1.3.34.7)
- Java 8 Update 92 (8.0.920.14)
- Java Auto Updater (2.8.92.14)
- Microsoft .NET Framework 4.7.2 (4.7.03062)
- Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Professional 2010 (14.0.6029.1000)
- Microsoft Office Proof (English) 2010 (14.0.6029.1000)
- Microsoft Office Proof (French) 2010 (14.0.6029.1000)
- Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
- Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
- Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Single Image 2010 (14.0.6029.1000)
- Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
- Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
- Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
- Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
- Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
- Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
- Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
- Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
- Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
- Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
- Notepad++ (32-bit x86) (7.5.1)
- Opera 12.15 (12.15.1748)
- Skype version 8.29 (8.29)
- Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
- VLC media player (2.2.6)
- WinRAR 5.60 (32-bit) (5.60.0)
Hotfixes
- Client LanguagePack Package
- Client Refresh LanguagePack Package
- CodecPack Basic Package
- Foundation Package
- IE Troubleshooters Package
- InternetExplorer Optional Package
- KB2534111
- KB2999226
- KB4019990
- KB976902
- LocalPack AU Package
- LocalPack CA Package
- LocalPack GB Package
- LocalPack US Package
- LocalPack ZA Package
- ProfessionalEdition
- UltimateEdition
Behavior activities
| MALICIOUS | SUSPICIOUS | INFO |
|---|---|---|
Application was dropped or rewritten from another process
|
No suspicious indicators. |
Manual execution by user
|
Static information
TRiD
.7z
|
7-Zip compressed archive (v0.4) (57.1%)
.7z
|
7-Zip compressed archive (gen) (42.8%)
Screenshots
Processes
Total processes
39
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
–
+
Specs description
Integrity level
elevation
Task сontains an error
or was rebooted
Process has crashed
Task contains several
apps running
Executable file was
dropped
Debug information is
available
Process was injected
Network attacks were
detected
Application downloaded
the executable file
Actions similar to
stealing personal data
Behavior similar to
exploiting the vulnerability
Inspected object has
sucpicious PE structure
File is detected by
antivirus software
CPU overrun
RAM overrun
Process starts the
services
Process was added to
the startup
Behavior similar to
spam
Low-level access to
the HDD
Probably Tor was used
System was rebooted
Connects to the
network
Known threat
Process information
Click at the process to see the details.
- PID
- 3080
- CMD
- "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\超强样本.7z"
- Path
- C:\Program Files\WinRAR\WinRAR.exe
- Indicators
- No indicators
- Parent process
- ––
- User
- admin
- Integrity Level
- MEDIUM
- Exit code
- 0
- Version:
- Company
- Alexander Roshal
- Description
- WinRAR archiver
- Version
- 5.60.0
Modules
| Image |
|---|
| c:\program files\winrar\winrar.exe |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\kernelbase.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\user32.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\lpk.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\comdlg32.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
| c:\windows\system32\shell32.dll |
| c:\windows\system32\advapi32.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\system32\ole32.dll |
| c:\windows\system32\oleaut32.dll |
| c:\windows\system32\powrprof.dll |
| c:\windows\system32\setupapi.dll |
| c:\windows\system32\cfgmgr32.dll |
| c:\windows\system32\devobj.dll |
| c:\windows\system32\uxtheme.dll |
| c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll |
| c:\windows\system32\msimg32.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\msctf.dll |
| c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll |
| c:\windows\system32\cryptbase.dll |
| c:\windows\system32\clbcatq.dll |
| c:\windows\system32\propsys.dll |
| c:\windows\system32\ntmarta.dll |
| c:\windows\system32\wldap32.dll |
| c:\windows\system32\riched20.dll |
| c:\program files\common files\microsoft shared\ink\tiptsf.dll |
| c:\windows\system32\windowscodecs.dll |
| c:\windows\system32\apphelp.dll |
| c:\windows\system32\ehstorshell.dll |
| c:\windows\system32\cscui.dll |
| c:\windows\system32\cscdll.dll |
| c:\windows\system32\cscapi.dll |
| c:\windows\system32\ntshrui.dll |
| c:\windows\system32\srvcli.dll |
| c:\windows\system32\slc.dll |
| c:\windows\system32\imageres.dll |
| c:\windows\system32\mpr.dll |
| c:\windows\system32\drprov.dll |
| c:\windows\system32\winsta.dll |
| c:\windows\system32\ntlanman.dll |
| c:\windows\system32\davclnt.dll |
| c:\windows\system32\davhlpr.dll |
| c:\windows\system32\wkscli.dll |
| c:\windows\system32\netutils.dll |
| c:\windows\system32\wpdshext.dll |
| c:\windows\system32\winmm.dll |
| c:\windows\system32\portabledeviceapi.dll |
| c:\windows\system32\wintrust.dll |
| c:\windows\system32\crypt32.dll |
| c:\windows\system32\msasn1.dll |
| c:\windows\system32\audiodev.dll |
| c:\windows\system32\wmvcore.dll |
| c:\windows\system32\wmasf.dll |
| c:\windows\system32\ehstorapi.dll |
| c:\windows\system32\shdocvw.dll |
| c:\windows\system32\secur32.dll |
| c:\windows\system32\sspicli.dll |
| c:\windows\system32\samcli.dll |
| c:\windows\system32\samlib.dll |
| c:\windows\system32\profapi.dll |
| c:\program files\winrar\7zxa.dll |
| c:\windows\system32\cryptsp.dll |
| c:\windows\system32\rsaenh.dll |
| c:\windows\system32\rpcrtremote.dll |
| c:\windows\system32\explorerframe.dll |
| c:\windows\system32\duser.dll |
| c:\windows\system32\dui70.dll |
- PID
- 2288
- CMD
- "C:\Users\admin\Desktop\y.exe"
- Path
- C:\Users\admin\Desktop\y.exe
- Indicators
- No indicators
- Parent process
- ––
- User
- admin
- Integrity Level
- MEDIUM
- Exit code
- 3221226540
- Version:
- Company
- Description
- 易语言程序
- Version
- 1.0.0.0
- PID
- 2492
- CMD
- "C:\Users\admin\Desktop\y.exe"
- Path
- C:\Users\admin\Desktop\y.exe
- Indicators
- Parent process
- ––
- User
- admin
- Integrity Level
- HIGH
- Exit code
- 0
- Version:
- Company
- Description
- 易语言程序
- Version
- 1.0.0.0
Modules
| Image |
|---|
| c:\users\admin\desktop\y.exe |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\kernelbase.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\user32.dll |
| c:\windows\system32\lpk.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\msctf.dll |
| c:\windows\system32\advapi32.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\system32\winmm.dll |
| c:\windows\system32\rasapi32.dll |
| c:\windows\system32\rasman.dll |
| c:\windows\system32\ws2_32.dll |
| c:\windows\system32\nsi.dll |
| c:\windows\system32\msimg32.dll |
| c:\windows\system32\winspool.drv |
| c:\windows\system32\shell32.dll |
| c:\windows\system32\ole32.dll |
| c:\windows\system32\oleaut32.dll |
| c:\windows\system32\wininet.dll |
| c:\windows\system32\urlmon.dll |
| c:\windows\system32\crypt32.dll |
| c:\windows\system32\msasn1.dll |
| c:\windows\system32\iertutil.dll |
| c:\windows\system32\comdlg32.dll |
| c:\windows\system32\cryptbase.dll |
| c:\windows\system32\uxtheme.dll |
| c:\windows\system32\mswsock.dll |
| c:\windows\system32\wshtcpip.dll |
| c:\windows\system32\nlaapi.dll |
| c:\windows\system32\napinsp.dll |
| c:\windows\system32\pnrpnsp.dll |
| c:\windows\system32\dnsapi.dll |
| c:\windows\system32\winrnr.dll |
| c:\windows\system32\iphlpapi.dll |
| c:\windows\system32\winnsi.dll |
| c:\windows\system32\fwpuclnt.dll |
| c:\windows\system32\rasadhlp.dll |
| c:\windows\system32\sspicli.dll |
| c:\windows\system32\profapi.dll |
| c:\windows\system32\ntmarta.dll |
| c:\windows\system32\wldap32.dll |
| c:\windows\system32\rtutils.dll |
| c:\windows\system32\sensapi.dll |
| c:\windows\system32\version.dll |
| c:\windows\system32\wship6.dll |
| c:\windows\system32\clbcatq.dll |
Registry activity
Total events
366
Read events
328
Write events
38
Delete events
0
Modification events
PID
Process
Operation
Key
Name
Value
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3080
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\Desktop\超强样本.7z
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
0
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\Desktop
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C800000000000000000000000000A40102000000000039000000B40200000000000001000000
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C800000000000000000000000000A801020000000000160000002A0000000000000002000000
3080
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C800000000000000000000000000940112000000000016000000640000000000000003000000
2492
y.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\y_RASAPI32
EnableFileTracing
0
2492
y.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\y_RASAPI32
EnableConsoleTracing
0
2492
y.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\y_RASAPI32
FileTracingMask
4294901760
2492
y.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\y_RASAPI32
ConsoleTracingMask
4294901760
2492
y.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\y_RASAPI32
MaxFileSize
1048576
2492
y.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\y_RASAPI32
FileDirectory
%windir%\tracing
2492
y.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\y_RASMANCS
EnableFileTracing
0
2492
y.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\y_RASMANCS
EnableConsoleTracing
0
2492
y.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\y_RASMANCS
FileTracingMask
4294901760
2492
y.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\y_RASMANCS
ConsoleTracingMask
4294901760
2492
y.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\y_RASMANCS
MaxFileSize
1048576
2492
y.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\y_RASMANCS
FileDirectory
%windir%\tracing
2492
y.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2492
y.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000077000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2492
y.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2492
y.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
Files activity
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0
Network activity
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
7
Threats
1
Debug output strings
| Process | Message |
|---|---|
| y.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2010 Oreans Technologies --- ------------------------------------------------ |