| File name: | Запит.rar |
| Full analysis: | https://app.any.run/tasks/f69501cf-f1ce-45c7-b9f4-9ee6912252e0 |
| Verdict: | Malicious activity |
| Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
| Analysis date: | January 09, 2024, 13:59:01 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 782A42EA9749013B1A65E99D506FE932 |
| SHA1: | 4C356B3672EAF5ADC44E2A6A75747588506BC0AB |
| SHA256: | 6DDEB2664B954665E4D38120A11FE4EC5E1FD5DF9C1E0A24B75ADC19A176F76B |
| SSDEEP: | 49152:OHfdq+jLmx4xwg/y/nmSU14HKRzF9DiuBVAWEU3bWCZtZ3OjIr0trQFlc/gbBSiY:iVpfO4Xq/nmSI4KRzFp5BNpLZeIr2/OU |
MALICIOUS
Uses Task Scheduler to run other applications
- cmd.exe (PID: 3060)
Create files in the Startup directory
- cmd.exe (PID: 2544)
SUSPICIOUS
Reads the Internet Settings
- Запит документів.pdf.exe (PID: 1424)
- Beginners.pif (PID: 2532)
- wscript.exe (PID: 2868)
Starts CMD.EXE for commands execution
- Запит документів.pdf.exe (PID: 1424)
- cmd.exe (PID: 2688)
- cmd.exe (PID: 2452)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 2688)
Get information on the list of running processes
- cmd.exe (PID: 2688)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 2688)
Starts application with an unusual extension
- cmd.exe (PID: 2688)
- wscript.exe (PID: 2868)
Runs shell command (SCRIPT)
- wscript.exe (PID: 2868)
INFO
Manual execution by a user
- Запит документів.pdf.exe (PID: 1424)
- WinRAR.exe (PID: 2444)
- WinRAR.exe (PID: 1544)
- cmd.exe (PID: 2544)
- cmd.exe (PID: 3060)
Application launched itself
- cmd.exe (PID: 2452)
- cmd.exe (PID: 2688)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 2444)
- cmd.exe (PID: 2536)
- Beginners.pif (PID: 2532)
- Запит документів.pdf.exe (PID: 1424)
The executable file from the user directory is run by the CMD process
- Beginners.pif (PID: 2532)
Reads the computer name
- Запит документів.pdf.exe (PID: 1424)
- Beginners.pif (PID: 2532)
Reads mouse settings
- Beginners.pif (PID: 2532)
- PixelCraft.pif (PID: 3200)
Checks supported languages
- Beginners.pif (PID: 2532)
- PixelCraft.pif (PID: 3200)
- Запит документів.pdf.exe (PID: 1424)
Creates files or folders in the user directory
- Beginners.pif (PID: 2532)
Drops the AutoIt3 executable file
- Beginners.pif (PID: 2532)
- cmd.exe (PID: 2536)
Reads Environment values
- Beginners.pif (PID: 2532)
Reads the machine GUID from the registry
- Beginners.pif (PID: 2532)
Checks proxy server information
- Beginners.pif (PID: 2532)
REMCOS has been detected (SURICATA)
- Beginners.pif (PID: 2532)
The process executes via Task Scheduler
- wscript.exe (PID: 2868)
Create files in a temporary directory
- Запит документів.pdf.exe (PID: 1424)
Connects to unusual port
- Beginners.pif (PID: 2532)
Reads product name
- Beginners.pif (PID: 2532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
66
Monitored processes
20
Malicious processes
1
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 908 | cmd /c copy /b Punch + Springer + Xi 3539\x | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1196 | cmd /c mkdir 3539 | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1424 | "C:\Users\admin\Desktop\Запит\Запит документів.pdf.exe" | C:\Users\admin\Desktop\Запит\Запит документів.pdf.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1544 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Documents\Запит\Запит.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 1860 | tasklist | C:\Windows\System32\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1992 | findstr /I "wrsa.exe" | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2044 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Запит.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2444 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Запит\Запит документів.part1.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2452 | "C:\Windows\System32\cmd.exe" /k cmd < Ob & exit | C:\Windows\System32\cmd.exe | — | Запит документів.pdf.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2520 | ping -n 5 localhost | C:\Windows\System32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 654
Read events
4 565
Write events
89
Delete events
0
Modification events
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (1544) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
4
Suspicious files
10
Text files
9
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1544 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1544.26689\Запит\Запит документів.part2.rar | compressed | |
MD5:99224A1A5CD93F482C4522ED4E729888 | SHA256:DBD0797BC22A0F84B00773DE7F818171DD95C8C47161FE3EBE91DCD75628C557 | |||
| 1424 | Запит документів.pdf.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Springer | text | |
MD5:31C9F09383DF4942519766DF33072AD6 | SHA256:F53C00742DC131F7FF92EC69FD8F40DE4D53C3F65BF20835D9B0245E443D89E4 | |||
| 2532 | Beginners.pif | C:\Users\admin\AppData\Local\DesignPixel Innovations\i | text | |
MD5:E0CA593D38A400A4B3BE0369D9987FDD | SHA256:1E9A6B2C081BA96B26A8B204BB92D5C41C738353863E07F4D2BA9DF93D6FE64E | |||
| 1424 | Запит документів.pdf.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Princess | binary | |
MD5:D34AC59C2EB257FF9A04E424B53126E6 | SHA256:6D3E063ABDBCF659CD3A29124956C19DADFD5F8DB5D24C9098A760FBF4B033F7 | |||
| 1544 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1544.26689\Запит\Код доступу - 7358975.txt | text | |
MD5:CF6009CB4990CBB84F5940682CE219F7 | SHA256:19BB6E5ADAE685F0CADA2E162336B594272B3FAABD45473B8E53800ECB047892 | |||
| 1424 | Запит документів.pdf.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Exceptional | executable | |
MD5:8A0B5A0CB6BD130B35253F17701B18A5 | SHA256:34035CCBEB5445AB0FE053CDAA7C9CBE456197763B19B5731D9A24BC574E173A | |||
| 2532 | Beginners.pif | C:\Users\admin\AppData\Local\DesignPixel Innovations\PixelCraft.pif | executable | |
MD5:848164D084384C49937F99D5B894253E | SHA256:F58D3A4B2F3F7F10815C24586FAE91964EEED830369E7E0701B43895B0CEFBD3 | |||
| 2536 | cmd.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\3539\Beginners.pif | executable | |
MD5:848164D084384C49937F99D5B894253E | SHA256:F58D3A4B2F3F7F10815C24586FAE91964EEED830369E7E0701B43895B0CEFBD3 | |||
| 908 | cmd.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\3539\x | text | |
MD5:E0CA593D38A400A4B3BE0369D9987FDD | SHA256:1E9A6B2C081BA96B26A8B204BB92D5C41C738353863E07F4D2BA9DF93D6FE64E | |||
| 1424 | Запит документів.pdf.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Xi | text | |
MD5:9099B22EB9896CBB9DBC2A9BE93F3810 | SHA256:045D7597AEA15FB8447EB8BDFC58596F6A2FB980998BC5156BAC0D263E5A5DA3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
7
DNS requests
3
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2532 | Beginners.pif | GET | 200 | 178.237.33.50:80 | http://geoplugin.net/json.gp | unknown | binary | 955 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2532 | Beginners.pif | 77.105.132.70:2404 | — | Plus Telecom LLC | RU | unknown |
2532 | Beginners.pif | 178.237.33.50:80 | geoplugin.net | Schuberg Philis B.V. | NL | malicious |
2532 | Beginners.pif | 77.105.132.70:5651 | — | Plus Telecom LLC | RU | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
gHgcksiaPezXgQNKDRBi.gHgcksiaPezXgQNKDRBi |
| unknown |
geoplugin.net |
| malicious |
dns.msftncsi.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2532 | Beginners.pif | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x TLS Connection |
2532 | Beginners.pif | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS JA3 Hash |
1 ETPRO signatures available at the full report