Malware analysis HQTYK.rar Malicious activity | ANY.RUN

Add for printing

File name:	HQTYK.rar
Full analysis:	https://app.any.run/tasks/6daeb029-8092-4ab4-9837-47fa61d6b7da
Verdict:	Malicious activity
Analysis date:	January 23, 2019, 08:51:07
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v4, os: Win32
MD5:	EC3AFF3566A5E5332EEC8BF93F6D6A6C
SHA1:	C153ADB4644D45FE10E856C0E77F23EBB634788C
SHA256:	7426711453DAE875DAECF8A2E3F21373CB85EEACD4EBD4114260812A6BC22219
SSDEEP:	3072:plmal9jtbg3Beh6VW7AX5EjcGD/pgHt3fXyb0UcHsuxWdjLel43lMT4MNhSGmSoP:BBKjY7+KjdDeHtvXyfZshiGM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - Server.exe (PID: 4064)
- Loads dropped or rewritten executable
  - Server.exe (PID: 4064)
  - SearchProtocolHost.exe (PID: 1520)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2972)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v-4.x) (58.3)
.rar	\|	RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName:	HQTYK\c1.dll
PackingMethod:	Normal
ModifyDate:	2008:09:20 16:41:29
OperatingSystem:	Win32
UncompressedSize:	110592
CompressedSize:	51306

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

32

Monitored processes

3

Malicious processes

2

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2972	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\HQTYK.rar"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
1520	"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"	C:\Windows\System32\SearchProtocolHost.exe	—	SearchIndexer.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7600.16385 (win7_rtm.090713-1255)
4064	"C:\Users\admin\Desktop\HQTYK\Server.exe"	C:\Users\admin\Desktop\HQTYK\Server.exe		explorer.exe
User: admin Company: Startsoft Integrity Level: MEDIUM Description: FlashControl Server Version: 3, 1, 0, 0

Add for printing

Total events

786

Read events

765

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

9

Suspicious files

1

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
2972	WinRAR.exe	C:\Users\admin\Desktop\HQTYK\s1.dll		executable
		MD5:3456424B3B3BFE09B0DE9CB966F2A28A	SHA256:91F0BFF6FF2C8EBD5F97F3BE972D3EA6950EAFACCDB1E90F9C15BDD939C68152
2972	WinRAR.exe	C:\Users\admin\Desktop\HQTYK\Client.exe		executable
		MD5:12FBDEF44A31B0209317A6312638B7C7	SHA256:F81CE54ED9657C850BD1933063D0E33843C7480084D29901056A3C337969CB81
2972	WinRAR.exe	C:\Users\admin\Desktop\HQTYK\sc.dll		executable
		MD5:6BCC75365C3494FDD87C920B89A9B322	SHA256:48E2D2EC725AC72B0541E56606FEC1A012AE428AAA079B8D90B72086413F5A76
2972	WinRAR.exe	C:\Users\admin\Desktop\HQTYK\server.dat		binary
		MD5:5E28BA7BF5140F80AB6521709721AEBD	SHA256:DA1A68D263619E955587FFEFF70DE3694BE0DBF1E05A09861900EB90BE9A46BC
2972	WinRAR.exe	C:\Users\admin\Desktop\HQTYK\Server.exe		executable
		MD5:CEC467595944E97F1BDF9BC6F871F697	SHA256:10DABD7FA1C5019E00C11960DD5810E95159E3E63E1D3670366B0007F66E04C7
2972	WinRAR.exe	C:\Users\admin\Desktop\HQTYK\Setup.exe		executable
		MD5:2BA72DD1658665A254CEF1F4F7692335	SHA256:B573F85785002D2C8C44D3E105A5180E633E5916226CD99DD32EB89C15BA486D
2972	WinRAR.exe	C:\Users\admin\Desktop\HQTYK\c1.dll		executable
		MD5:D453BC9E9940B22F01EB0FE683E3E410	SHA256:C5BD0C262C1D9F066B4370A6A4CED9DD872D74E8B2823374016CC36CCC204151
2972	WinRAR.exe	C:\Users\admin\Desktop\HQTYK\QHSock.dll		executable
		MD5:C5433978C599E2C2B50C9E539C162B84	SHA256:053E75DDA007FCDE0E15D5CA42F449E287F7DBCC603510A4E9467E433D0291C9
2972	WinRAR.exe	C:\Users\admin\Desktop\HQTYK\s2.dll		executable
		MD5:3E5C3C30D374966FDEBDE646907566F8	SHA256:E328AC99FCBF1392A54CC3DF2027A6DEB3B8C04F92499110893F838F7451542B
2972	WinRAR.exe	C:\Users\admin\Desktop\HQTYK\c2.dll		executable
		MD5:84F171CDEFCE63CF15513788A0BD2A82	SHA256:57468268CE1F8645EBFAE84C26A49F28B8FE744DF5FC3AEA218D34E84AEE52AA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

0

TCP/UDP connections

0

DNS requests

0

Threats

0

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

Process	Message
Server.exe	send input thread start.
Server.exe	ListenThread start.
Server.exe	recv thread start.

General Info

HQTYK.rar

EC3AFF3566A5E5332EEC8BF93F6D6A6C

C153ADB4644D45FE10E856C0E77F23EBB634788C

7426711453DAE875DAECF8A2E3F21373CB85EEACD4EBD4114260812A6BC22219

3072:plmal9jtbg3Beh6VW7AX5EjcGD/pgHt3fXyb0UcHsuxWdjLel43lMT4MNhSGmSoP:BBKjY7+KjdDeHtvXyfZshiGM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

SUSPICIOUS

Executable content was dropped or overwritten

INFO

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings