| File name: | main.zip |
| Full analysis: | https://app.any.run/tasks/c4c26e64-b8e4-4054-a659-935eae5f090e |
| Verdict: | Malicious activity |
| Analysis date: | November 20, 2024, 18:56:40 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | B667356D0FD2F2B950FAD9D9E92E6ECF |
| SHA1: | 9B89DCD2D459F51BFDE58ED6279E2E5E86A90B0A |
| SHA256: | 7B80B47BF8544DC821175720ADC89ED99FFADBCD4252C132E688F67C3AD11E2A |
| SSDEEP: | 786432:sIXSOzEUq5tK705Bo9f/a19pFVelzQRwau+z:sIXSiuV5Boda9pFVehow2z |
MALICIOUS
No malicious indicators.SUSPICIOUS
The process checks if it is being run in the virtual environment
- WinRAR.exe (PID: 3608)
Drops a system driver (possible attempt to evade defenses)
- WinRAR.exe (PID: 3608)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 3608)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3608)
The process uses the downloaded file
- WinRAR.exe (PID: 3608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2021:09:25 21:14:06 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | VMProtect-Ultimate--main/ |
Total processes
110
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1472 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47213\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\Confused.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47213\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\Confused.exe | — | WinRAR.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Panel Exit code: 3221226540 Version: 1.0.0.0 Modules
| |||||||||||||||
| 2164 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47213\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\Confused.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47213\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\Confused.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Panel Version: 1.0.0.0 Modules
| |||||||||||||||
| 2940 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47492\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\VaporObfuscator.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47492\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\VaporObfuscator.exe | — | WinRAR.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: VaporObfuscator Version: 1.0.0.0 Modules
| |||||||||||||||
| 3608 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\main.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
Total events
1 797
Read events
1 789
Write events
8
Delete events
0
Modification events
| (PID) Process: | (3608) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (3608) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (3608) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (3608) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\main.zip | |||
| (PID) Process: | (3608) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3608) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3608) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3608) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
Executable files
43
Suspicious files
60
Text files
41
Unknown types
24
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47213\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\Confused.exe | executable | |
MD5:81C6A8CCD47647C4297AFE20FCF87EEC | SHA256:CBAA687115266698F94F10CC0F7807B5F7D5AE2B734C36306BCC7DD0163C7885 | |||
| 3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47213\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\Help\ru\_23.cfs | binary | |
MD5:42B57DDE629AB220606F4D43D57FAEDC | SHA256:E28ECE67BCAC17E2562CFA12B885B4558D0BCCF9EBBF678FC2AB05898B2D445A | |||
| 3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47213\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\Help\ru.qhc | binary | |
MD5:0ACAAA400E412FB6A4F6C2735522E201 | SHA256:8CAFE2A9A915ED01E3C3384138D574807C580B656669A51F9656E218188596F9 | |||
| 3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47213\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\Help\ru.qch | sqlite | |
MD5:BFB4841BD14E0CB3892B281C39D5F580 | SHA256:23D8DA7670F5E132241289AED576F014669AB4C6C061BF48A9EE9106EEF76A2A | |||
| 3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47213\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\Include\Pascal\VMProtectSDK.pas | text | |
MD5:EA80A4C67C8D2BF78EC4D423866159A2 | SHA256:50D529438DC63B6F5749B5B42971268ABEEA818F9785FF162EA8D17C3BE926DF | |||
| 3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47213\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\Langs\fr.lng | text | |
MD5:187E7FA4A2F429F45F339FC6FCFD224D | SHA256:BCF8B033A2FFBE657683CB2B94CC871F1D0FCDB99680BC54A7AF9BFAE751B4D7 | |||
| 3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47213\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\Langs\en.lng | text | |
MD5:084857997D9856086E67F7F1BAD11B65 | SHA256:CF6B7752AEB778A85CE5822C01CB298F47250E74DF2925311ABD890A113CD9AF | |||
| 3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47213\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\Langs\ru.lng | text | |
MD5:1DCBD2F926322A0A440A70EA42D244F4 | SHA256:B771EE3F64F218AA73566FE17B685CF8E0576E91F64327A79AB8E1E95FBA028F | |||
| 3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47213\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\Help\en\_23.cfs | binary | |
MD5:5A56255B3A4220EE8952D39825F3A9A4 | SHA256:10F696C428B625BF0993BE4E012DF770994C55F19DC9B9DA63AE35D23F374D3C | |||
| 3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3608.47213\VMProtect-Ultimate--main\VMProtect Ultimate\VMProtect Ultimate x64\Help\en\deletable | binary | |
MD5:F1D3FF8443297732862DF21DC4E57262 | SHA256:DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
17
DNS requests
7
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4932 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
— | — | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4932 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |