File name: install-809.rar
Full analysis: https://app.any.run/tasks/ed8a59bf-8df3-433c-a6af-fc9aa6d0e78a
Verdict: Malicious activity
Analysis date: May 21, 2022, 04:37:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 851875EB4D4EC083C25239A40AA7AF0C
SHA1: 40CC2D8CF87C43E5DE25ACC91A495BBDCB67FF2A
SHA256: 7E0287564B654063C45B93D2D2404C76505BE037F91BF0E0E86BC694B2B00F32
SSDEEP: 49152:BMhSQ8L4fDmVXOgwGfpGW3QAeCczjmfrF2taFAe3A:BMwQGVXOrUpx3QAejfmfrQt+AeQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • install-809.exe (PID: 3700)
      • install-809.exe (PID: 2800)
      • apmanager.exe (PID: 316)
      • uninstall.exe (PID: 1040)
      • uninstall.exe (PID: 2344)
      • Au_.exe (PID: 2916)
    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 824)
      • install-809.exe (PID: 2800)
      • uninstall.exe (PID: 1040)
      • Au_.exe (PID: 2916)
    • Changes the autorun value in the registry

      • install-809.exe (PID: 2800)
    • Changes the login/logoff helper path in the registry

      • install-809.exe (PID: 2800)
      • Au_.exe (PID: 2916)
    • Loads dropped or rewritten executable

      • Au_.exe (PID: 2916)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 824)
      • install-809.exe (PID: 2800)
      • apmanager.exe (PID: 316)
      • uninstall.exe (PID: 1040)
      • Au_.exe (PID: 2916)
    • Checks supported languages

      • WinRAR.exe (PID: 824)
      • install-809.exe (PID: 2800)
      • apmanager.exe (PID: 316)
      • uninstall.exe (PID: 1040)
      • Au_.exe (PID: 2916)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 824)
      • install-809.exe (PID: 2800)
      • uninstall.exe (PID: 1040)
      • Au_.exe (PID: 2916)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 824)
      • install-809.exe (PID: 2800)
      • uninstall.exe (PID: 1040)
      • Au_.exe (PID: 2916)
    • Creates a software uninstall entry

      • install-809.exe (PID: 2800)
    • Creates files in the user directory

      • install-809.exe (PID: 2800)
      • apmanager.exe (PID: 316)
    • Executed via COM

      • DllHost.exe (PID: 3496)
    • Reads Microsoft Outlook installation path

      • apmanager.exe (PID: 316)
    • Starts itself from another location

      • uninstall.exe (PID: 1040)
  • INFO

    • Manual execution by user

      • install-809.exe (PID: 3700)
      • install-809.exe (PID: 2800)
      • taskmgr.exe (PID: 2316)
      • NOTEPAD.EXE (PID: 2328)
      • uninstall.exe (PID: 2344)
      • NOTEPAD.EXE (PID: 780)
      • uninstall.exe (PID: 1040)
    • Reads the computer name

      • taskmgr.exe (PID: 2316)
      • DllHost.exe (PID: 3496)
    • Checks supported languages

      • taskmgr.exe (PID: 2316)
      • DllHost.exe (PID: 3496)
      • NOTEPAD.EXE (PID: 2328)
      • NOTEPAD.EXE (PID: 780)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: install-809.ex1
PackingMethod: Best Compression
ModifyDate: 2010:04:26 00:44:17
OperatingSystem: Win32
UncompressedSize: 1836531
CompressedSize: 1647100
No data.
Total processes: 61
Monitored processes: 11
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Processes in the graph (start, drop-and-start chain): winrar.exe, install-809.exe, install-809.exe, apmanager.exe, taskmgr.exe, PhotoViewer.dll, notepad.exe, notepad.exe, uninstall.exe, uninstall.exe, au_.exe

Process information

PID: 824
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\install-809.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Loaded images:
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3700
CMD: "C:\Users\admin\Desktop\install-809.exe"
Path: C:\Users\admin\Desktop\install-809.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Loaded images:
c:\users\admin\desktop\install-809.exe
c:\windows\system32\ntdll.dll
PID: 2800
CMD: "C:\Users\admin\Desktop\install-809.exe"
Path: C:\Users\admin\Desktop\install-809.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Exit code: 0
Loaded images:
c:\users\admin\desktop\install-809.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
PID: 316
CMD: C:\Users\admin\AppData\Roaming\APManager\apmanager.exe
Path: C:\Users\admin\AppData\Roaming\APManager\apmanager.exe
Parent process: install-809.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Loaded images:
c:\users\admin\appdata\roaming\apmanager\apmanager.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
PID: 2316
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\system32\taskmgr.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded images:
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3496
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded images:
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 780
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Roaming\APManager\settings.ini
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded images:
c:\windows\system32\notepad.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2328
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Roaming\APManager\settings.ini
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded images:
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 2344
CMD: "C:\Users\admin\AppData\Roaming\APManager\uninstall.exe"
Path: C:\Users\admin\AppData\Roaming\APManager\uninstall.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Loaded images:
c:\users\admin\appdata\roaming\apmanager\uninstall.exe
c:\windows\system32\ntdll.dll
PID: 1040
CMD: "C:\Users\admin\AppData\Roaming\APManager\uninstall.exe"
Path: C:\Users\admin\AppData\Roaming\APManager\uninstall.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Exit code: 0
Loaded images:
c:\users\admin\appdata\roaming\apmanager\uninstall.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events: 5 822
Read events: 5 754
Write events: 66
Delete events: 2

Modification events

(PID) Process: (824) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (824) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (824) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (824) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (824) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (824) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\install-809.rar

(PID) Process: (824) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (824) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (824) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (824) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files: 5
Suspicious files: 1
Text files: 13
Unknown types: 2

Dropped files

PID | Process | Filename | Type
824 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb824.48356\install-809.ex1 | binary
MD5: E5A12569714E0170CF7DD70D2CEAD94B
SHA256: C9A28D42210D4ABAD7CE6DD90829744BB9D9EF70DE58F8FCB6635C380F661DCC
2800 | install-809.exe | C:\Users\admin\AppData\Roaming\APManager\languages\Danish.lng | text
MD5: 1E8739ED929D702F6E8A9762C15249C2
SHA256: 9084FEF116AE779255B4F02558F0E702A607FCD93B94A0C82BB641024097764A
2800 | install-809.exe | C:\Users\admin\AppData\Roaming\APManager\languages\English.lng | text
MD5: 07085DE5F288A4AF975301D446B5E33B
SHA256: 5026F9AF6CE420F4C30853758D9B5E1B9F0042DED6026A925EE180AEA661E872
824 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb824.48866\install-809.ex1 | executable
MD5: 663BE6DF6004F677D3D3E223FD8B0DDB
SHA256: DA33DE94D959F9F195A95F6063ED1575653F4B839E6046F12126F019D65B5917
2800 | install-809.exe | C:\Users\admin\AppData\Roaming\APManager\wallpaper.jpg | image
MD5: 9A96E0C4848609AF12690DC9D2450DD8
SHA256: 044737DE8F5072781B926FD60814834FA4FAD375ABEC0FAF81EDF51EF706A0AC
2800 | install-809.exe | C:\Users\admin\AppData\Roaming\APManager\apmanager.exe | executable
MD5: 244FCD5F107657D07BB87EFCBEB02619
SHA256: 326DF344386B5CFBAB77544D642DF2D92BDF6D98AE2F00B6785A6E232CEAC050
2800 | install-809.exe | C:\Users\admin\AppData\Roaming\APManager\uninstall.exe | executable
MD5: B160228B65284CFFB270DF786B97E42F
SHA256: D55930758A9B074E75FAD33A195D2F8757240DDB151C48E3FDAF8E5FF9F86257
2800 | install-809.exe | C:\Users\admin\AppData\Roaming\APManager\languages\Portuguese.lng | text
MD5: 34788C48C5D67583EA2BAC179037A182
SHA256: 84152BDAFBDAAA209C2A0E8BBF400D71663C92E10C50D247490A4F6849692F68
2800 | install-809.exe | C:\Users\Administrator\Desktop\AP Manager.lnk | lnk
MD5: A2E41AA0D53C522CBF8D4658B51A905A
SHA256: 6185D3A6C92C4367E0B54B7EDCF4AE108123F20070A5027689F72080BAB6BD7B
2800 | install-809.exe | C:\Users\admin\AppData\Roaming\APManager\languages\Czech.lng | text
MD5: DDDBCE036DADAAC069230B1343F59270
SHA256: D5631B1F16E08AA03A619582B181034851454B4876573C457BA96A6D38448223
HTTP(S) requests: 6
TCP/UDP connections: 6
DNS requests: 0
Threats: 0

HTTP requests

PID | Process | Method | IP | URL | CN | Reputation
316 | apmanager.exe | GET | 91.209.238.10:80 | http://91.209.238.10/m5tools/whois.php?short | GB | unknown
316 | apmanager.exe | GET | 91.209.238.10:80 | http://91.209.238.10/m5install/809/1 | GB | unknown
316 | apmanager.exe | GET | 91.209.238.10:80 | http://91.209.238.10/m5lawsuits/page2.php?lng=English | GB | unknown
316 | apmanager.exe | GET | 91.209.238.10:80 | http://91.209.238.10/m5tools/ip.php | GB | unknown
316 | apmanager.exe | GET | 91.209.238.10:80 | http://91.209.238.10/m5lawsuits/page1.php?lng=English | GB | unknown
316 | apmanager.exe | GET | 91.209.238.10:80 | http://91.209.238.10/m5tools/whois.php?lng=English | GB | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
316 | apmanager.exe | 91.209.238.10:80 | (none) | Crown Office and Procurator Fiscal Service | GB | unknown

DNS requests

No data

Threats

No threats detected
No debug info