File name: daprovare (1).rar
Full analysis: https://app.any.run/tasks/bbfa49e9-06d5-4965-97d8-cefd8a723bd0
Verdict: Malicious activity
Analysis date: November 16, 2019, 20:46:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 3B4503CEA21FDC60BC8F76EFBABBB8E5
SHA1: 6B474A089366B8EA4765B8ED0A33C5977E31F0EF
SHA256: 7017DD101CDD2C7CBB5F6AEE8D2F52DDFE443B42272505396D20DDA9256B8B07
SSDEEP: 196608:xHt3JIaIjWaRcOqATB9CFms5rhOSHkkdwA+tpOGtxwJjl1R4:TaewcOqkBoprb3dwAM0G3wNi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • X2.exe (PID: 3316)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3460)
      • X2.exe (PID: 3316)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2968)
  • INFO
    • Manual execution by user
      • X2.exe (PID: 3316)
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 2968)
No Malware configuration.

TRiD:
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 37
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process nodes): start, winrar.exe, searchprotocolhost.exe (no specs), x2.exe (no specs)

Process information

PID: 2968
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\daprovare (1).rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3460
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 3316
CMD: "C:\Users\admin\Desktop\Files\LR\X2.exe"
Path: C:\Users\admin\Desktop\Files\LR\X2.exe
Parent process: explorer.exe
User: admin
Company: <X2 ARQC>
Integrity Level: MEDIUM
Description: <X2>
Version: 2.1.0.1
Total events: 787
Read events: 764
Write events: 23
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
2968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
2968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
2968 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E | write | LanguageList | en-US
2968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\daprovare (1).rar
2968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
2968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
2968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
2968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
2968 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | write | 0 | C:\Users\admin\Desktop
3460 | SearchProtocolHost.exe | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\12B\52C64B7E | write | LanguageList | en-US
Executable files: 7
Suspicious files: 5
Text files: 1
Unknown types: 3

Dropped files

PID | Process | Filename | Type
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\LR\X2.pdb |
  MD5:
  SHA256:
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\bins-ok.pdf | pdf
  MD5: 0439B26F57A09DC46ECF934E0D7AD268
  SHA256: 555BB305048744399528D65C00902FB429AF06F84403A8EB8B3B9FD2DC61F8F7
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\LR\Bin.db | sqlite
  MD5: E6C370D46734506107BB4858B8CCE6D8
  SHA256: EB38EFAE4F1E8B9739597DFDAA48C8BF4B4E4C2251C113C63A64B24A71E3A513
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\Cardpeek currency.pdf | pdf
  MD5: 85CD66E15297BD83618EB610E2C51EDC
  SHA256: 13F04DFDD19C23CC0CD53FDB870D0B960C0E16FEB828CE4C6685A6F6574A2EF9
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\cardpeek-0.8.1-win32-setup.exe | executable
  MD5: E294732C5941459F9837EEE662798E13
  SHA256: 2A522699BF4D1C3730BCBC1E071882389E2E3DAF3551D6492B351D98A05FC7D1
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\LR\X2.exe | executable
  MD5: 7D70650F98B77655EC5920B38E717121
  SHA256: 9AB475A639779B6BF2E55FF77BA9C368346B00BC9AB0E982E5EAC3A53AB10CE2
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\Dump shops.txt | text
  MD5: E673B6D2655FDA22B6AAA93E73A4A065
  SHA256: AA3F826577EA44A371D1EE8580597BBD02F4FE94D877CEF883D6794ABBA318F7
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\LR\cardtemp.dat | binary
  MD5: F1D3FF8443297732862DF21DC4E57262
  SHA256: DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\LR\X2.lib | obj
  MD5: C96884A9FD7E6305A5F4972222AAFD1A
  SHA256: 1600B8928CEA94572789182E8A97F5BBF545DC1281B698F4DDCDA8A98516070B
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\LR\GlobalPlatform.dll | executable
  MD5: 4696B9FAE32C96D487DAA887D830261B
  SHA256: D516E641E63F4195C374ECEDBEE074C345AF178D703FA0761C990141E056B992
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests

Connections: No data
DNS requests: No data
Threats: No threats detected
No debug info