File name: MS USB Display.zip

Full analysis: https://app.any.run/tasks/ee95a1a0-3cfa-44d4-8000-22ae239625c7
Verdict: Malicious activity
Analysis date: May 02, 2024, 14:44:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 9B57B5195633822FE544754C754F3296
SHA1: 705C158C735FC8581DF96E94CD2996995654152A
SHA256: 5D2F2B2270B70700F2107BF966D9D06EC2867A7594AA85BFC85FEE1640F27067
SSDEEP: 98304:59O61IPz9jpyWgQYfU8kfq8eoKMRP4CrT2Kw5oZx8YQqbSlT2X0EZouhqfbMOn4g:5Kz3goCP78LQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3980)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3980)
    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 3980)
  • INFO

    • Checks supported languages

      • WinUsbDisplay.exe (PID: 820)
      • WinUsbDisplay.exe (PID: 2304)
    • Reads the computer name

      • WinUsbDisplay.exe (PID: 820)
    • Manual execution by a user

      • WinUsbDisplay.exe (PID: 820)
      • WinUsbDisplay.exe (PID: 2304)
      • taskmgr.exe (PID: 1764)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:12:02 08:43:52
ZipCRC: 0xb59041e9
ZipCompressedSize: 272
ZipUncompressedSize: 353
ZipFileName: MS USB Display/config.ini
No data.
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

start: winrar.exe; winusbdisplay.exe (no specs); winusbdisplay.exe (no specs); taskmgr.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 820
CMD: "C:\Users\admin\Desktop\MS USB Display\WinUsbDisplay.exe"
Path: C:\Users\admin\Desktop\MS USB Display\WinUsbDisplay.exe
Parent process: explorer.exe
User:
admin
Company:
MS
Integrity Level:
MEDIUM
Description:
Windows USB Display
Exit code:
1
Version:
1.0.0.7
Modules
Images
c:\users\admin\desktop\ms usb display\winusbdisplay.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winmm.dll
PID: 1764
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\System32\taskmgr.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2304
CMD: "C:\Users\admin\Desktop\MS USB Display\WinUsbDisplay.exe"
Path: C:\Users\admin\Desktop\MS USB Display\WinUsbDisplay.exe
Parent process: explorer.exe
User:
admin
Company:
MS
Integrity Level:
MEDIUM
Description:
Windows USB Display
Exit code:
4294967295
Version:
1.0.0.7
Modules
Images
c:\users\admin\desktop\ms usb display\winusbdisplay.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winmm.dll
PID: 3980
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\MS USB Display.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
4 128
Read events
4 113
Write events
15
Delete events
0

Modification events

Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (3980) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\MS USB Display.zip

Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
32
Suspicious files
4
Text files
4
Unknown types
11

Dropped files

PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\MS USB Display\logpath.Bat | Type: text
MD5: F9E5204741AC0FFEC1662139FD77C62F
SHA256: 33A17C00E1AD43CA60D0146F3ED783108D64FCA426CD3F97D97A60FB2B1E57DF

PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\MS USB Display\config.ini | Type: text
MD5: AB5BD4D46AA4F19ED52961F81635AD76
SHA256: A1C6CEDAB9EC5850C98D5FED2CB0A2253FBBCCA7B8C5974F57F34FBDE4DC3C3F

PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\MS USB Display\libusb0.dll | Type: executable
MD5: A969E398CC9319DD9BD9EEDCAE288DA7
SHA256: 3165D5E9212E9C4F009A594F67BD9E6D899B026CE1E3B0D6EBB994F423D6B1D1

PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\MS USB Display\logo.ico | Type: image
MD5: 2098EF97358FBBDFAE0206BBCB4E2234
SHA256: DE96747834EF6ED07618AA7EB89F643444F3BA01140EED263468C08A0B7BF8FE

PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\MS USB Display\Feedback Note.txt | Type: text
MD5: 7F4207EA1304993E8533B7A58F3A51B0
SHA256: EE8078A7D68D5F9B702C1F5E322D67227A6512E75247D9E950D497E753C62565

PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\MS USB Display\libyuv.dll | Type: executable
MD5: 1954CD248E65C7C5C2D3D93DD7F91604
SHA256: 761EC2283460F3E641F9C815A015698B3EB77090808768A4BF3C17439CCD0018

PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\MS USB Display\libVMonitor.dll | Type: executable
MD5: 10BB929E9FD8B028738B46F4D3EA741E
SHA256: 8817EAF691058E091E3A240547B74C3E396DAFF1312F66971274C1D30C55BDE1

PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\MS USB Display\unins000.exe | Type: executable
MD5: DEF2E0EFA04057381F04119980D6D4E4
SHA256: 3E9EE9509BB992CFE08EF8605B2F10F0B633D8B26BF6D2DCC2C5D2C94F37A3D4

PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\MS USB Display\displayproxy\x64\DisplayProxyUmd32.dll | Type: executable
MD5: 160036A7249B9C509CD5852A27F4DE34
SHA256: D16382DD9E7334C8B518C164AB6CA7AA9F5E31D482A995F7548DDB345A0AB181

PID: 3980 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\MS USB Display\displayproxy\x86\DisplayProxyUmd.dll | Type: executable
MD5: 6768220C7151A3538529D3B589B51809
SHA256: 63DAAEBE01CD4C7F80CFA82C4BD7FEE3EB86FC5F98EA1DB86B240E46DF125740
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info