| File name: | StartIsBack2.9.20win10.rar |
| Full analysis: | https://app.any.run/tasks/e40c4978-cf5d-4c36-afd8-13d02dfc265a |
| Verdict: | Malicious activity |
| Analysis date: | March 18, 2025, 10:30:12 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 7C3405BE29158495707A8678E422E2AB |
| SHA1: | FA49E7DE1992217003D32CEA9C864E640F73DA08 |
| SHA256: | 5ED08F901E113E12EAD0D81624352744252513B0E985BE8C65DAC4665A380E84 |
| SSDEEP: | 49152:cAFzzFWyanwOwF3NXgxzobz6h1MqTd2werai5sup3J2SFuyiFq/mXPJNpiA6JTam:ccFHawz3+ygdTd23rvlp3bUoUJNpiDVH |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 1228)
SUSPICIOUS
Executable content was dropped or overwritten
- StartIsBack 2.9.20.exe (PID: 5892)
Reads security settings of Internet Explorer
- StartIsBack 2.9.20.exe (PID: 5892)
- WinRAR.exe (PID: 1228)
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 1228)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 1228)
There is functionality for taking screenshot (YARA)
- StartIsBackCfg.exe (PID: 1532)
INFO
The sample compiled with russian language support
- StartIsBack 2.9.20.exe (PID: 5892)
Manual execution by a user
- StartIsBack 2.9.20.exe (PID: 5892)
The sample compiled with english language support
- StartIsBack 2.9.20.exe (PID: 5892)
- WinRAR.exe (PID: 1228)
Process checks computer location settings
- StartIsBack 2.9.20.exe (PID: 5892)
Reads the computer name
- StartIsBack 2.9.20.exe (PID: 5892)
- StartIsBackCfg.exe (PID: 1532)
- MpCmdRun.exe (PID: 456)
Create files in a temporary directory
- StartIsBack 2.9.20.exe (PID: 5892)
- MpCmdRun.exe (PID: 456)
Checks supported languages
- StartIsBackCfg.exe (PID: 1532)
- StartIsBack 2.9.20.exe (PID: 5892)
- MpCmdRun.exe (PID: 456)
Compiled with Borland Delphi (YARA)
- StartIsBackCfg.exe (PID: 1532)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1228)
Reads the software policy settings
- slui.exe (PID: 5392)
Checks proxy server information
- slui.exe (PID: 5392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
EXIF
ZIP
| FileVersion: | RAR v5 |
|---|---|
| CompressedSize: | 1518064 |
| UncompressedSize: | 1549856 |
| OperatingSystem: | Win32 |
| ArchivedFileName: | StartIsBack 2.9.20/StartIsBack 2.9.20.exe |
Total processes
125
Monitored processes
7
Malicious processes
0
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 456 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR1228.16427" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 4.18.1909.6 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1228 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\StartIsBack2.9.20win10.rar | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 1532 | "C:\Users\admin\AppData\Local\Temp\SIBSFX.081F6704\StartIsBackCfg.exe" /install | C:\Users\admin\AppData\Local\Temp\SIBSFX.081F6704\StartIsBackCfg.exe | — | StartIsBack 2.9.20.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: StartIsBack configuration Version: 5.9.20.3594 Modules
| |||||||||||||||
| 5072 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR1228.16427\Rar$Scan33420.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5392 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5892 | "C:\Users\admin\Desktop\StartIsBack 2.9.20.exe" | C:\Users\admin\Desktop\StartIsBack 2.9.20.exe | explorer.exe | ||||||||||||
User: admin Company: www.startisback.com Integrity Level: MEDIUM Description: StartIsBack++ setup SFX Version: 1.0.0 Modules
| |||||||||||||||
| 6668 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
5 336
Read events
5 325
Write events
11
Delete events
0
Modification events
| (PID) Process: | (1228) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (1228) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (1228) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (1228) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\StartIsBack2.9.20win10.rar | |||
| (PID) Process: | (1228) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1228) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1228) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1228) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (1228) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList |
| Operation: | write | Name: | ArcSort |
Value: 32 | |||
| (PID) Process: | (1228) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList |
| Operation: | write | Name: | ArcSort |
Value: 0 | |||
Executable files
12
Suspicious files
1
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5892 | StartIsBack 2.9.20.exe | C:\Users\admin\AppData\Local\Temp\SIBSFX.081F6704\Orbs\StartIsBack_Ei8htOrb_v2_by_PainteR.bmp | image | |
MD5:641328C75E6B117545211DB22DAFCAA0 | SHA256:76A72C9AD77843B58223DD588483AC1265A31C15AAEB47EE66D1925DE787644B | |||
| 5892 | StartIsBack 2.9.20.exe | C:\Users\admin\AppData\Local\Temp\SIBSFX.081F6704\Orbs\Shamrock.orb | executable | |
MD5:EF55E07E1A2E47BB2BB749046CD150B2 | SHA256:1A8DAC51758C66A1BB03FBC227B5EDB52EF7379FA3603B62EB3307005D06C9B5 | |||
| 5892 | StartIsBack 2.9.20.exe | C:\Users\admin\AppData\Local\Temp\SIBSFX.081F6704\Orbs\Windows 7.orb | executable | |
MD5:85328E698E8A74852B4061A683915DC8 | SHA256:E5B74E9E7BD6758A0154B11462AE3328EDD143190865198104D8BD53B9AF7275 | |||
| 5892 | StartIsBack 2.9.20.exe | C:\Users\admin\AppData\Local\Temp\SIBSFX.081F6704\Styles\Plain10.msstyles | executable | |
MD5:A69385279536210958FB9C86CAB229D6 | SHA256:3955FC60D3B7C4A1BADD831FDE82269261407CF9D459C65B429E8ABC769ADEED | |||
| 5892 | StartIsBack 2.9.20.exe | C:\Users\admin\AppData\Local\Temp\SIBSFX.081F6704\Styles\Plain8.msstyles | executable | |
MD5:509FD060516D1971DA8D0C2173748358 | SHA256:43C7016D950248F52F9512C9E7393C38D61A3BA2235E5FB6DEED83564D8E9442 | |||
| 5892 | StartIsBack 2.9.20.exe | C:\Users\admin\AppData\Local\Temp\SIBSFX.081F6704\Styles\Windows 7.msstyles | executable | |
MD5:B6A2892C151CCD59D0B4C4C1777DAAC5 | SHA256:0C6E681A8091BA888E58473CCEEAE590C88A405BB30DCB344F940ACF27290CE8 | |||
| 5892 | StartIsBack 2.9.20.exe | C:\Users\admin\AppData\Local\Temp\SIBSFX.081F6704\StartIsBack64.dll | executable | |
MD5:1A8A24F517784EA606F42CD104EA55F8 | SHA256:458BFA42D621A2F28CF61241637503D970D3D9B7AF9E592D9930A1B6636B3F3A | |||
| 5892 | StartIsBack 2.9.20.exe | C:\Users\admin\AppData\Local\Temp\SIBSFX.081F6704\StartIsBackARM64.dll | executable | |
MD5:2C1FC71A32CF6B93968E6065EADD2EF0 | SHA256:FB3388ED3BF472E7600E7664BB25D019F8FE79D819B69E0AB4E57C36F4627CF1 | |||
| 5892 | StartIsBack 2.9.20.exe | C:\Users\admin\AppData\Local\Temp\SIBSFX.081F6704\StartIsBack32.dll | executable | |
MD5:075826B376A9D9EC86DA0D7A8FC812AB | SHA256:8C2A79ECCE2FB5780ED6A4726B338707864E55B4223FD9920AF45262A6C602B1 | |||
| 5892 | StartIsBack 2.9.20.exe | C:\Users\admin\AppData\Local\Temp\SIBSFX.081F6704\StartIsBackCfg.exe | executable | |
MD5:D7A319AD8F2493C97B09B3F8C878A76B | SHA256:5F69D9E29CDFDFFA73C9B24BB401C4284BEE06BD715B70CFDC124530E6650701 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
19
DNS requests
4
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
976 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5392 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |