analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

legal_paypal.tar

Full analysis: https://app.any.run/tasks/70457721-f251-4715-827f-9252c9efecf5
Verdict: Malicious activity
Analysis date: July 18, 2019, 11:42:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-tar
File info: POSIX tar archive (GNU)
MD5:

609CDC2ADDADFED562F8AE035C9FFF35

SHA1:

0FA5F97683685CA59590D6D298CC44D730D271C2

SHA256:

6FFC43D5C14AA08E2503CAD6F975258D9881CE50D253CC6635F217A4D18555B5

SSDEEP:

6144:UBAkFcirrrrY+RuBb7xIcCxbHNVV2ZvpKiuGz0SJJPB4Pk4KhsMDiWf:UBAORuB3xIcC3VV2ZvZ0xk4K6MD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • legal.exe (PID: 3520)

    • Loads the Task Scheduler COM API

      • MsiExec.exe (PID: 312)
      • MsiExec.exe (PID: 3788)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • AcroRd32.exe (PID: 2548)
      • AdobeARM.exe (PID: 1960)
      • AcroRd32.exe (PID: 3140)
      • msiexec.exe (PID: 3120)

    • Creates files in the program directory

      • AdobeARM.exe (PID: 1960)

    • Creates files in the user directory

      • notepad++.exe (PID: 3740)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 3784)

    • Reads Internet Cache Settings

      • AcroRd32.exe (PID: 3844)

    • Reads settings of System Certificates

      • AcroRd32.exe (PID: 3844)
      • msiexec.exe (PID: 3120)

    • Application launched itself

      • RdrCEF.exe (PID: 3512)
      • AcroRd32.exe (PID: 3280)
      • msiexec.exe (PID: 3120)
      • RdrCEF.exe (PID: 3068)

    • Manual execution by user

      • AcroRd32.exe (PID: 3280)
      • legal.exe (PID: 3520)
      • notepad++.exe (PID: 3740)

    • Creates files in the user directory

      • AcroRd32.exe (PID: 3844)
      • AcroRd32.exe (PID: 3764)

    • Creates files in the program directory

      • msiexec.exe (PID: 3120)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 3120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.tar | TAR - Tape ARchive (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
21
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs acrord32.exe acrord32.exe rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs adobearm.exe reader_sl.exe no specs acrord32.exe no specs acrord32.exe no specs legal.exe notepad++.exe gup.exe acrord32.exe no specs acrord32.exe rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3784"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\legal_paypal.tar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3844"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3784.16591\legal_paypal.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
WinRAR.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
2548"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\Rar$DIa3784.16591\legal_paypal.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
AcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
3512"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Exit code:
3221225547
Version:
15.23.20053.211670
1532"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3512.0.90562465\2114048118" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
15.23.20053.211670
2488"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3512.1.658466009\1966665134" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
15.23.20053.211670
1960"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:15.0 /MODE:3C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
AcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Reader and Acrobat Manager
Version:
1.824.27.2646
2816"C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe" C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exeAdobeARM.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat SpeedLauncher
Exit code:
0
Version:
15.23.20053.211670
3280"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\Desktop\legal.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeexplorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
3284"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\Desktop\legal.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
Total events
2 330
Read events
1 911
Write events
393
Delete events
26

Modification events

(PID) Process:(3784) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3784) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3784) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3784) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\legal_paypal.tar
(PID) Process:(3784) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3784) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3784) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3784) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2548) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\ExitSection
Operation:writeName:bLastExitNormal
Value:
0
(PID) Process:(3844) AcroRd32.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
Executable files
5
Suspicious files
15
Text files
38
Unknown types
20

Dropped files

PID
Process
Filename
Type
2548AcroRd32.exeC:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
MD5:
SHA256:
2548AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rukryqa_1w47bib_1ys.tmp
MD5:
SHA256:
2548AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Ry36rnl_1w47bia_1ys.tmp
MD5:
SHA256:
2548AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1eo5gpu_1w47bi9_1ys.tmp
MD5:
SHA256:
2548AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R15oyupb_1w47bi8_1ys.tmp
MD5:
SHA256:
2548AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1l4d09v_1w47bic_1ys.tmp
MD5:
SHA256:
1960AdobeARM.exeC:\Users\admin\AppData\Local\Temp\TmpE848.tmp
MD5:
SHA256:
1960AdobeARM.exeC:\Users\admin\AppData\Local\Temp\TmpE869.tmp
MD5:
SHA256:
2548AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\UserCache.binbinary
MD5:88DCF68FAA71D88D6FA903B07E1877B7
SHA256:AEDFFF6A63A29FB216D673FAB1C9E00FB4AF5305C01CC40313C5C5B405D21677
2548AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
8
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3844
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip
unknown
whitelisted
3844
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip
unknown
whitelisted
3844
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip
unknown
whitelisted
3844
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip
unknown
whitelisted
3844
AcroRd32.exe
GET
304
2.16.186.32:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip
unknown
whitelisted
GET
200
2.21.242.197:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
NL
der
1.36 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3844
AcroRd32.exe
2.16.186.32:80
acroipm2.adobe.com
Akamai International B.V.
whitelisted
2.18.233.74:443
armmf.adobe.com
Akamai International B.V.
whitelisted
3756
gup.exe
37.59.28.236:443
notepad-plus-plus.org
OVH SAS
FR
whitelisted
104.111.214.232:443
ardownload2.adobe.com
Akamai International B.V.
NL
whitelisted
3844
AcroRd32.exe
2.18.233.74:443
armmf.adobe.com
Akamai International B.V.
whitelisted
2.21.242.197:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
acroipm2.adobe.com
  • 2.16.186.32
  • 2.16.186.33
whitelisted
armmf.adobe.com
  • 2.18.233.74
whitelisted
ardownload2.adobe.com
  • 104.111.214.232
whitelisted
notepad-plus-plus.org
  • 37.59.28.236
whitelisted
isrg.trustid.ocsp.identrust.com
  • 2.21.242.197
  • 2.21.242.187
whitelisted

Threats

No threats detected
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
legal_paypal.tar