| File name: | 0087f1c1d77d9ba1d81939d4718a0951f680171f7e4dbcf7d144ff6a05e911a4.7z |
| Full analysis: | https://app.any.run/tasks/37588ec8-230d-4e55-b25f-5682602ff731 |
| Verdict: | Malicious activity |
| Analysis date: | September 19, 2023, 09:56:17 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | C857B4F6A7D0A96F1591AD6CBA2757CF |
| SHA1: | 489B15B890D177452D77A98FE6E8999D8BE6D07E |
| SHA256: | 7F911B242E702831FF1B58FD9DFA416EF18451DE107FCA679F3662D9E0F297B7 |
| SSDEEP: | 98304:7RsyNe4jbMZ53TSNKyFHlOOEjYolJKyWy+0kd65Wxhi/Tna:71esDKeYPKyN+kWxhiLa |
MALICIOUS
Application was dropped or rewritten from another process
- 123.exe (PID: 3676)
- 123.exe (PID: 2872)
Starts NET.EXE for service management
- cmd.exe (PID: 1196)
- net.exe (PID: 2396)
SUSPICIOUS
Starts CMD.EXE for commands execution
- 123.exe (PID: 3676)
INFO
Checks supported languages
- 123.exe (PID: 3676)
Manual execution by a user
- 123.exe (PID: 3676)
- 123.exe (PID: 2872)
Reads the computer name
- 123.exe (PID: 3676)
Creates files or folders in the user directory
- 123.exe (PID: 3676)
Reads the machine GUID from the registry
- 123.exe (PID: 3676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
|---|---|---|
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
Total processes
47
Monitored processes
7
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1196 | cmd.exe /c net stop Spooler | C:\Windows\System32\cmd.exe | — | 123.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1872 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\0087f1c1d77d9ba1d81939d4718a0951f680171f7e4dbcf7d144ff6a05e911a4.7z" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2396 | net stop Spooler | C:\Windows\System32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2716 | C:\Windows\system32\net1 stop Spooler | C:\Windows\System32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2760 | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2872 | "C:\Users\admin\Desktop\123.exe" | C:\Users\admin\Desktop\123.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
| 3676 | "C:\Users\admin\Desktop\123.exe" | C:\Users\admin\Desktop\123.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
Total events
1 031
Read events
1 022
Write events
9
Delete events
0
Modification events
| (PID) Process: | (1872) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1872) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (1872) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (1872) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (1872) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1872) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1872) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1872) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
Executable files
2
Suspicious files
158
Text files
14
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3676 | 123.exe | C:\drmsoft\rc\CIDtoUnicode\Adobe-CNS1.cidToUnicode | text | |
MD5:36A3E7C0A71DD2B73F283A94F7E7D92C | SHA256:0FE1DDB3AC644FC548B7D0375AD0CAA2869A23F1CB450EC61F406F79ADA8F043 | |||
| 3676 | 123.exe | C:\drmsoft\rc\CIDtoUnicode\Adobe-Korea1.cidToUnicode | text | |
MD5:03E2D96005E3751E62EABB48B68B35D7 | SHA256:DE295BE9D14E14C2991A02E5A07682086FB12DA1B1465C35C9F1A6E86FD9CBA6 | |||
| 3676 | 123.exe | C:\drmsoft\rc\cmap\JP\78-RKSJ-V | binary | |
MD5:49E289FBCDDE46B7B3C573D38D62427B | SHA256:F621873C0C4AD57C3FAA714B081D7649D64C09BB0F5311489F115A91D3DAC9D7 | |||
| 3676 | 123.exe | C:\drmsoft\rc\cmap\JP\78-EUC-V | binary | |
MD5:ACB90944815C247C9E7F2306252A5DB6 | SHA256:620FF42DF9E9B41EFFB84C9FE9657D1828406B54B857804E00A46F4BD5E6A6DA | |||
| 3676 | 123.exe | C:\drmsoft\rc\cmap\JP\78ms-RKSJ-V | ps | |
MD5:06C75E34244F4039EBA5471DB9622E99 | SHA256:B23C0DCE9D96EBB70304F928D636768CDB1FD75BF3E2B3ECD94776B4EF9C0B56 | |||
| 3676 | 123.exe | C:\drmsoft\rc\CIDtoUnicode\Adobe-Japan1.cidToUnicode | text | |
MD5:05FCDE38B25EE37ADBA6289895120AB7 | SHA256:E2205728C311DBCC068DD6E04515AF2B27D72D1DB7D5FD09749F99750F5A147B | |||
| 3676 | 123.exe | C:\drmsoft\rc\cmap\JP\78-EUC-H | binary | |
MD5:D34B899C75D9BFC6F12D3C261C3EB4D9 | SHA256:8E03CD82A11FE53383781D94DF59BB73B20BCF47C6B190D224F15B112C3C31AC | |||
| 3676 | 123.exe | C:\drmsoft\rc\cmap\JP\78ms-RKSJ-H | binary | |
MD5:EAD4643637942A8D95D7DFE02161B7AD | SHA256:7AE29C5DCD32BC99FC708E4737EA5126C33ED7C3C3B1603C93681A488A287F38 | |||
| 3676 | 123.exe | C:\drmsoft\rc\cmap\JP\78-RKSJ-H | binary | |
MD5:859D9E47668AE7416C7D028557057FED | SHA256:6A62380B8C171EB6B517FC19185A39D99774CA5CB836CCB645D82B71CB4DA2B5 | |||
| 3676 | 123.exe | C:\drmsoft\rc\cmap\JP\78-H | binary | |
MD5:DA6D8B8BDEB65A18B275CD9DC685EA61 | SHA256:46AE91F5A21359240256D628DA74CB522FE69044184C5370D08BB8B14292F48F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |