Malware analysis Pain_Exist_3.9.rar Malicious activity

Add for printing

File name:	Pain_Exist_3.9.rar
Full analysis:	https://app.any.run/tasks/1a606752-9826-407b-901c-97cd040221e8
Verdict:	Malicious activity
Analysis date:	February 26, 2019, 22:18:42
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	05D0F7ABDA32034DA3379ABC0EFC21F7
SHA1:	FD4C70342067C10088D46D3967C88D6F90F47314
SHA256:	7AA7CB157DC989BB7C6A19A0BCA065801CC33EA2D880280EA01B4AAD3A704DA1
SSDEEP:	196608:+ZT4xisjbuBnVCmdnfodapcRLp5MxCDNzFdINxdxj2ksLjbvthkKavd5VMKm7X4Q:q4gC3mBQA2RLA4z/i6ksTnkLvV31Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - Pain Exist 3.9.exe (PID: 3248)
- Application was dropped or rewritten from another process
  - Pain Exist 3.9.exe (PID: 3248)
SUSPICIOUS
- Reads Environment values
  - Pain Exist 3.9.exe (PID: 3248)
- Reads the BIOS version
  - Pain Exist 3.9.exe (PID: 3248)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3316)
INFO
- Dropped object may contain Bitcoin addresses
  - WinRAR.exe (PID: 3316)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

348

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\taskmgr.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Task Manager

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

3248

"C:\Users\admin\AppData\Local\Temp\Rar$EXa3316.4909\Pain Exist 3.9\Pain Exist 3.9.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa3316.4909\Pain Exist 3.9\Pain Exist 3.9.exe

WinRAR.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Pain Exist 3.9

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa3316.4909\pain exist 3.9\pain exist 3.9.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

3316

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Pain_Exist_3.9.rar"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll

Add for printing

Total events

517

Read events

480

Write events

Delete events

Modification events


(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Pain_Exist_3.9.rar
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3316	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3316.4909\Pain Exist 3.9\LogIn.dll		executable
		MD5:03621CCA4EDFDA4752AB77E5D3F824B3	SHA256:332D7006B1D7815E8792371BA4CF32BE0261A36E1EDA34B38E4C92163157410B
3316	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa3316.8234\LogIn.dll		executable
		MD5:03621CCA4EDFDA4752AB77E5D3F824B3	SHA256:332D7006B1D7815E8792371BA4CF32BE0261A36E1EDA34B38E4C92163157410B
3316	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3316.4909\Pain Exist 3.9\PainModule.dll		executable
		MD5:7F6B46E3491E23870C2A88250F65A546	SHA256:EFD49E59F9299E0A838DD4AF7AA1413E1EB388AAC9487164B4C7C2FBC0368050
3316	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3316.4909\Pain Exist 3.9\Bunifu_UI_v1.5.3.dll		executable
		MD5:E0EF2817EE5A7C8CD1EB837195768BD2	SHA256:76E1D3EC95FDEF74ABAF90392DD6F4AA5E344922ABF11E572707287D467F2930
3316	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3316.4909\Pain Exist 3.9\FastColoredTextBox.dll		executable
		MD5:7D315038DA4CB77039DC315C64946E22	SHA256:777C68C5C47CF91E18583A0FA50B556B1551898A07097F296A0811943A493FA6
3316	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3316.4909\Pain Exist 3.9\MetroFramework.dll		executable
		MD5:34EA7F7D66563F724318E322FF08F4DB	SHA256:C2C12D31B4844E29DE31594FC9632A372A553631DE0A0A04C8AF91668E37CF49
3316	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3316.4909\Pain Exist 3.9\ScintillaNET.dll		executable
		MD5:9166536C31F4E725E6BEFE85E2889A4B	SHA256:AD0CC5A4D4A6AAE06EE360339C851892B74B8A275CE89C1B48185672179F3163
3316	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3316.4909\Pain Exist 3.9\Pain Exist 3.9.exe		executable
		MD5:8674EAA73AB289F2BA0ED35FB0BF4D06	SHA256:382149653B1DBD7A7C6D802B6B0E4027C794ACE8E6F3AEE991131CD93A1B7F84

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3248	Pain Exist 3.9.exe	68.65.123.241:443	roxploits.com	Namecheap, Inc.	US	suspicious

DNS requests

Domain	IP	Reputation
roxploits.com	68.65.123.241	whitelisted

Threats

No threats detected

Add for printing

Process	Message
Pain Exist 3.9.exe	%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

General Info

Pain_Exist_3.9.rar

05D0F7ABDA32034DA3379ABC0EFC21F7

FD4C70342067C10088D46D3967C88D6F90F47314

7AA7CB157DC989BB7C6A19A0BCA065801CC33EA2D880280EA01B4AAD3A704DA1

196608:+ZT4xisjbuBnVCmdnfodapcRLp5MxCDNzFdINxdxj2ksLjbvthkKavd5VMKm7X4Q:q4gC3mBQA2RLA4z/i6ksTnkLvV31Y

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

SUSPICIOUS

Reads Environment values

Reads the BIOS version

Executable content was dropped or overwritten

INFO

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings