File name: PPURCHASE-ORDER-MMDW.tar.lz

Full analysis: https://app.any.run/tasks/20d783e9-abd0-4819-a324-89fa0e4965cf
Verdict: Malicious activity
Analysis date: January 25, 2022, 04:07:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-lzip
File info: lzip compressed data, version: 1
MD5: DF0D4D66659BDD8708017140D7217ABD
SHA1: FF391D76F6A9B848BB863DB94AA6C5FF48CDD03A
SHA256: 6D7C04210975253E7708E8408087C986711BDE270B60BE50E2AD53AEB3D8010F
SSDEEP: 12288:4I+9xz171Q3QzICKXw9QSpx509NXj75TKVQf9gIi4n3oRCbcBiCsn+2z4KD07mmw:J4xrM0LWSpDGNzVeVdiYmcjs7Rcw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PPURCHASE ORDER-MMDW.exe (PID: 1144)
      • PPURCHASE ORDER-MMDW.exe (PID: 3196)
      • PPURCHASE ORDER-MMDW.exe (PID: 676)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 3148)
      • dw20.exe (PID: 2868)
      • dw20.exe (PID: 560)
      • dw20.exe (PID: 3284)
    • Checks supported languages

      • WinRAR.exe (PID: 3148)
      • dw20.exe (PID: 2868)
      • PPURCHASE ORDER-MMDW.exe (PID: 1144)
      • PPURCHASE ORDER-MMDW.exe (PID: 3196)
      • dw20.exe (PID: 560)
      • PPURCHASE ORDER-MMDW.exe (PID: 676)
      • dw20.exe (PID: 3284)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3148)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3148)
    • Reads Environment values

      • dw20.exe (PID: 560)
      • dw20.exe (PID: 3284)
  • INFO

    • Manual execution by user

      • PPURCHASE ORDER-MMDW.exe (PID: 676)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.lz | LZIP compressed archive (100)
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 4

Behavior graph

(Interactive graph available in the full report.) As extracted, the graph shows winrar.exe with "drop and start" edges to ppurchase order-mmdw.exe instances, a "start" edge to a third ppurchase order-mmdw.exe instance, and each ppurchase order-mmdw.exe node leading to a dw20.exe node; one node carries the label "no specs".

Process information

PID 3148 (Parent process: Explorer.EXE)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PPURCHASE-ORDER-MMDW.tar.lz"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.91.0

PID 1144 (Parent process: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.29800\PPURCHASE ORDER-MMDW.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.29800\PPURCHASE ORDER-MMDW.exe
  User: admin
  Company: Microsoft
  Integrity Level: MEDIUM
  Description: CSMDown
  Exit code: 3762507597
  Version: 1.0.0.0

PID 2868 (Parent process: PPURCHASE ORDER-MMDW.exe)
  CMD: dw20.exe -x -s 420
  Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft .NET Error Reporting Shim
  Exit code: 0
  Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400)

PID 3196 (Parent process: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.31355\PPURCHASE ORDER-MMDW.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.31355\PPURCHASE ORDER-MMDW.exe
  User: admin
  Company: Microsoft
  Integrity Level: MEDIUM
  Description: CSMDown
  Exit code: 3762507597
  Version: 1.0.0.0

PID 560 (Parent process: PPURCHASE ORDER-MMDW.exe)
  CMD: dw20.exe -x -s 420
  Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft .NET Error Reporting Shim
  Exit code: 0
  Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400)

PID 676 (Parent process: Explorer.EXE)
  CMD: "C:\Users\admin\Desktop\PPURCHASE ORDER-MMDW.exe"
  Path: C:\Users\admin\Desktop\PPURCHASE ORDER-MMDW.exe
  User: admin
  Company: Microsoft
  Integrity Level: MEDIUM
  Description: CSMDown
  Exit code: 3762507597
  Version: 1.0.0.0

PID 3284 (Parent process: PPURCHASE ORDER-MMDW.exe)
  CMD: dw20.exe -x -s 408
  Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft .NET Error Reporting Shim
  Exit code: 0
  Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400)
Total events: 2 218
Read events: 2 195
Write events: 23
Delete events: 0

Modification events

(PID) Process: (3148) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value:
(PID) Process: (3148) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value:
(PID) Process: (3148) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID) Process: (3148) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process: (3148) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process: (3148) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\PPURCHASE-ORDER-MMDW.tar.lz
(PID) Process: (3148) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (3148) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (3148) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (3148) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Executable files: 4
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID 2868, dw20.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_ppurchase order-_bd257857f0a46cba95a91ae8497187dbedf78f_0b2038e1\Report.wer
  MD5:
  SHA256:

PID 560, dw20.exe
  Filename: C:\Users\admin\AppData\Local\Temp\WER5DDF.tmp.hdmp
  MD5:
  SHA256:

PID 560, dw20.exe
  Filename: C:\Users\admin\AppData\Local\Temp\WER6B1E.tmp.mdmp
  MD5:
  SHA256:

PID 560, dw20.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_ppurchase order-_bd257857f0a46cba95a91ae8497187dbedf78f_cab_02246b99\WER5DDF.tmp.hdmp
  MD5:
  SHA256:

PID 560, dw20.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_ppurchase order-_bd257857f0a46cba95a91ae8497187dbedf78f_cab_02246b99\WER6B1E.tmp.mdmp
  MD5:
  SHA256:

PID 560, dw20.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_ppurchase order-_bd257857f0a46cba95a91ae8497187dbedf78f_cab_02246b99\Report.wer
  MD5:
  SHA256:

PID 3284, dw20.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_ppurchase order-_bd257857f0a46cba95a91ae8497187dbedf78f_0cc1192f\Report.wer
  MD5:
  SHA256:

PID 3148, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.31355\PPURCHASE ORDER-MMDW.exe
  Type: executable
  MD5: BF25C97E5D33C4458FBA29D4445C61E6
  SHA256: B4F317E79D77BB45E5DB5167268956D4527CBFBF458D46C8F08ED297CCB9F917

PID 3148, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.29800\PPURCHASE ORDER-MMDW.exe
  Type: executable
  MD5: BF25C97E5D33C4458FBA29D4445C61E6
  SHA256: B4F317E79D77BB45E5DB5167268956D4527CBFBF458D46C8F08ED297CCB9F917

PID 3148, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\PPURCHASE-ORDER-MMDW\PPURCHASE ORDER-MMDW.exe
  Type: executable
  MD5: BF25C97E5D33C4458FBA29D4445C61E6
  SHA256: B4F317E79D77BB45E5DB5167268956D4527CBFBF458D46C8F08ED297CCB9F917
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
560 | dw20.exe | 20.189.173.22:443 | watson.microsoft.com | Microsoft Corporation | US | suspicious
3284 | dw20.exe | 104.208.16.93:443 | watson.microsoft.com | Microsoft Corporation | US | suspicious

DNS requests

Domain | IP | Reputation
watson.microsoft.com | 20.189.173.22, 104.208.16.93 | whitelisted

Threats

No threats detected
No debug info