File name: NetSarangX.zip

Full analysis: https://app.any.run/tasks/89b4a599-d3da-44cd-a741-2916aa364e43
Verdict: Malicious activity
Analysis date: March 08, 2024, 06:55:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 4598618AEE2785B173BD10F854FBA7F8
SHA1: BC00743334FFF84126BBA899D2967D135D384CEA
SHA256: 7DB3738DA8DF4E536C053B3FFDFBFCCB12DDDDE5A9A5E82A772EB7736C0587AE
SSDEEP: 24576:sd1g/qIoQ8a80sqtFNmgMwFwam4S5N5CVZ8GVGYV:sd1g/qIoQ8a8EtFNmRwFwam4m5CVZ8GT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3288)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3288)
    • Reads the Windows owner or organization settings

      • tr_ul.exe (PID: 3652)
      • tr_ul.exe (PID: 2844)
      • tr_ul.exe (PID: 3848)
  • INFO

    • Reads the computer name

      • tr_ul.exe (PID: 3652)
      • tr_ul.exe (PID: 2844)
      • tr_ul.exe (PID: 3848)
    • Checks supported languages

      • tr_ul.exe (PID: 3652)
      • tr_ul.exe (PID: 2844)
      • tr_ul.exe (PID: 3848)
    • Create files in a temporary directory

      • tr_ul.exe (PID: 3652)
      • tr_ul.exe (PID: 2844)
      • tr_ul.exe (PID: 3848)
    • Manual execution by a user

      • tr_ul.exe (PID: 2844)
      • tr_ul.exe (PID: 3848)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3288)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2023:05:23 18:49:04
ZipCRC: 0x5d48e38a
ZipCompressedSize: 76042
ZipUncompressedSize: 76253
ZipFileName: NetSarangX/tr_ul.dat
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 4

Behavior graph

Nodes: start, winrar.exe, tr_ul.exe (no specs), tr_ul.exe (no specs), tr_ul.exe (no specs)

Process information

PID: 2844
CMD: "C:\Users\admin\Desktop\tr_ul.exe"
Path: C:\Users\admin\Desktop\tr_ul.exe
Parent process: explorer.exe
User:
admin
Company:
Indigo Rose Corporation
Integrity Level:
MEDIUM
Description:
TrueUpdate Client
Exit code:
4294967295
Version:
3.8.0.0
Modules
Images
c:\users\admin\desktop\tr_ul.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 3288
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NetSarangX.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3652
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3288.44452\NetSarangX\tr_ul.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3288.44452\NetSarangX\tr_ul.exe
Parent process: WinRAR.exe
User:
admin
Company:
Indigo Rose Corporation
Integrity Level:
MEDIUM
Description:
TrueUpdate Client
Exit code:
4294967295
Version:
3.8.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3288.44452\netsarangx\tr_ul.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 3848
CMD: "C:\Users\admin\Desktop\tr_ul.exe"
Path: C:\Users\admin\Desktop\tr_ul.exe
Parent process: explorer.exe
User:
admin
Company:
Indigo Rose Corporation
Integrity Level:
MEDIUM
Description:
TrueUpdate Client
Exit code:
4294967295
Version:
3.8.0.0
Modules
Images
c:\users\admin\desktop\tr_ul.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
Total events: 5 643
Read events: 5 621
Write events: 22
Delete events: 0

Modification events

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\NetSarangX.zip

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 2
Suspicious files: 4
Text files: 10
Unknown types: 1

Dropped files

PID | Process | Filename | Type

3288 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3288.44452\NetSarangX\tr_ul.exe | executable
  MD5: 9050AC019B4C8DDDBC5E250BB87CF9F2
  SHA256: 83D225323C8783C84D70AEE1DA5B507DDE1E717AB3233F784FBB1B749DBA11B9

3288 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3288.44452\NetSarangX\tr_ul.dat | compressed
  MD5: ED5CE3C2D78ACE16956117AB67D77C2C
  SHA256: FFFC1D2F822B8DDABA16E86DDD445B70FC5CB4D5A910D24B62F5D9C1FFAA2B22

3652 | tr_ul.exe | C:\Users\admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG2.JPG | image
  MD5: E39405E85E09F64CCDE0F59392317DD3
  SHA256: CFD9677E1C0E10B1507F520C4ECD40F68DB78154C0D4E6563403D540F3BF829F

3652 | tr_ul.exe | C:\Users\admin\AppData\Local\Temp\Xlpd 5 Update Log.txt | text
  MD5: 4AB0D30C09AE787263E297D5029A781E
  SHA256: 1821C23F16AD6333FADBB26E749F22D5B062C204AC39A7BDBEB10EAC5B4D3974

3652 | tr_ul.exe | C:\Users\admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG1.JPG | image
  MD5: E39405E85E09F64CCDE0F59392317DD3
  SHA256: CFD9677E1C0E10B1507F520C4ECD40F68DB78154C0D4E6563403D540F3BF829F

3652 | tr_ul.exe | C:\Users\admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG | binary
  MD5: 29B994BBBFA6110402D25849ACD61BAA
  SHA256: 165C99B55B3DCC4844D5066E4F3BEEA3181320D7E6C647439C0FE3035A4695FE

2844 | tr_ul.exe | C:\Users\admin\AppData\Local\Temp\_ir_tu2_temp_1\IRIMG2.JPG | image
  MD5: E39405E85E09F64CCDE0F59392317DD3
  SHA256: CFD9677E1C0E10B1507F520C4ECD40F68DB78154C0D4E6563403D540F3BF829F

2844 | tr_ul.exe | C:\Users\admin\AppData\Local\Temp\_ir_tu2_temp_1\_TUProjDT.dat | text
  MD5: 67BF1F80834081FC794C6ED1F7C2FED5
  SHA256: 54FD2361602E82DB016D6EA62FBADC3984B566399DFAAC7E0A1181E4C70B90C2

3848 | tr_ul.exe | C:\Users\admin\AppData\Local\Temp\_ir_tu2_temp_2\_TUProjDT.dat | text
  MD5: 67BF1F80834081FC794C6ED1F7C2FED5
  SHA256: 54FD2361602E82DB016D6EA62FBADC3984B566399DFAAC7E0A1181E4C70B90C2

3848 | tr_ul.exe | C:\Users\admin\AppData\Local\Temp\_ir_tu2_temp_2\IRIMG2.JPG | image
  MD5: E39405E85E09F64CCDE0F59392317DD3
  SHA256: CFD9677E1C0E10B1507F520C4ECD40F68DB78154C0D4E6563403D540F3BF829F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info