| Field | Value |
|---|---|
| File name | RW.rar |
| Full analysis | https://app.any.run/tasks/36f0eb5d-34f8-45a8-a148-a632e4d588c5 |
| Verdict | Malicious activity |
| Analysis date | June 19, 2019, 14:34:54 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/x-rar |
| File info | RAR archive data, v4, os: Win32 |
| MD5 | 2C65DA7DB8D78C9C024E8C8E4853530C |
| SHA1 | 230FF8449F35C12317F22B996A50BCB4083B5CFC |
| SHA256 | 7FF71E4E853DF009F93A0E174EADBFD1E419C6A86F8FEBA2289FD7625E23BC3A |
| SSDEEP | 98304:vGayOq9LV6tJLaGSarg1wAGxH042kQrYpveZbTFgRe:6n6vLaGmGxHckQrfRTqRe |
| Extension | File type | Probability (%) |
|---|---|---|
| .rar | RAR compressed archive (v-4.x) | 58.3 |
| .rar | RAR compressed archive (gen) | 41.6 |
| Archive member field | Value |
|---|---|
| ArchivedFileName | phanmem47.com--RemoveWAT.2.2.7\RemoveWAT.2.2.7.0.exe |
| PackingMethod | Normal |
| ModifyDate | 2010:09:20 13:05:28 |
| OperatingSystem | Win32 |
| UncompressedSize | 6664704 |
| CompressedSize | 3937517 |
| PID | Command line | Path | Parent process | User | Integrity | Exit code | Description (Company, Version) |
|---|---|---|---|---|---|---|---|
| 3544 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RW.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | admin | MEDIUM | 0 | WinRAR archiver (Alexander Roshal, 5.60.0) |
| 1028 | "C:\Users\admin\Desktop\phanmem47.com--RemoveWAT.2.2.7\RemoveWAT.2.2.7.0.exe" | C:\Users\admin\Desktop\phanmem47.com--RemoveWAT.2.2.7\RemoveWAT.2.2.7.0.exe | explorer.exe | admin | HIGH | | RemoveWAT (Hazar & Co., 2.2.6.0) |
| 2152 | "C:\Windows\System32\taskkill.exe" /f /im explorer.exe | C:\Windows\System32\taskkill.exe | RemoveWAT.2.2.7.0.exe | admin | HIGH | 0 | Terminates Processes (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |
| 1700 | "C:\Windows\system32\wusa.exe" "C:\Windows\wat.MSU" /quiet | C:\Windows\system32\wusa.exe | RemoveWAT.2.2.7.0.exe | admin | HIGH | 0 | Windows Update Standalone Installer (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |
| 3632 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | services.exe | SYSTEM | SYSTEM | 0 | Microsoft® Volume Shadow Copy Service (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |
| 1952 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005C4" "00000580" | C:\Windows\system32\DrvInst.exe | svchost.exe | SYSTEM | SYSTEM | 0 | Driver Installation Module (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |
| 3536 | "C:\Windows\System32\cmd.exe" /c taskkill /f /im WatAdminSvc.exe & taskkill /f /im WatUX.exe | C:\Windows\System32\cmd.exe | RemoveWAT.2.2.7.0.exe | admin | HIGH | 128 | Windows Command Processor (Microsoft Corporation, 6.1.7601.17514 (win7sp1_rtm.101119-1850)) |
| 2344 | taskkill /f /im WatAdminSvc.exe | C:\Windows\system32\taskkill.exe | cmd.exe | admin | HIGH | 128 | Terminates Processes (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |
| 1460 | taskkill /f /im WatUX.exe | C:\Windows\system32\taskkill.exe | cmd.exe | admin | HIGH | 128 | Terminates Processes (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |
| 304 | "C:\Windows\System32\cmd.exe" /c takeown /f "C:\Windows\System32\Wat\WatAdminSvc.exe" & icacls "C:\Windows\System32\Wat\WatAdminSvc.exe" /reset & icacls "C:\Windows\System32\Wat\WatAdminSvc.exe" /deny *S-1-1-0:(X) | C:\Windows\System32\cmd.exe | RemoveWAT.2.2.7.0.exe | admin | HIGH | 0 | Windows Command Processor (Microsoft Corporation, 6.1.7601.17514 (win7sp1_rtm.101119-1850)) |
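Read top to bottom, the process table is one procedure run by RemoveWAT.2.2.7.0.exe at HIGH integrity: kill explorer.exe, run wusa.exe /quiet on C:\Windows\wat.MSU (the files wusa.exe unpacks from it include Windows6.1-KB971033-x86-pkgProperties.txt, so the package is the KB971033 Windows Activation Technologies update), kill WatAdminSvc.exe and WatUX.exe, then take ownership of C:\Windows\System32\Wat\WatAdminSvc.exe, reset its ACL and deny Everyone (S-1-1-0) execute on it. Two points matter for anyone turning this into a rule. First, exit code 128 is what taskkill returns when no process matched /im, so the three 128s on the cmd.exe and taskkill rows mean those kills were attempted against WAT processes that were not running in this sandbox; a rule should fire on the attempt, not on success. Second, the decisive step is the ACL change on the service binary, which persists, whereas the kills are transient supporting evidence. The block below is an added example, not ANY.RUN's or the tool's code: a Python behavioural rule that replays the table's command lines (transcribed here as constructed records), tags each behaviour, attributes hits to the root process by walking parent names (the report shows only names, so a real telemetry pipeline should walk parent PIDs instead) and separates attempted from completed kills. Rule names, the `ProcEvent` record and the `wat_tamper`/`suspicious` labels are the example's own inventions.

```python
"""Hypothetical behavioural rule for the process chain in this report.

Added example, not ANY.RUN code. Records below are transcribed from the
process table; parents are matched by image name because that is all the
report shows (use the parent PID in a real telemetry pipeline).
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    image: str        # executable basename
    cmdline: str
    parent: str       # parent image basename, as reported
    integrity: str
    exit_code: Optional[int] = None


# Constructed sample: the launcher rows and every child of RemoveWAT.2.2.7.0.exe.
SAMPLE_EVENTS = [
    ProcEvent(3544, "WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RW.rar"',
              "explorer.exe", "MEDIUM", 0),
    ProcEvent(1028, "RemoveWAT.2.2.7.0.exe",
              r'"C:\Users\admin\Desktop\phanmem47.com--RemoveWAT.2.2.7\RemoveWAT.2.2.7.0.exe"',
              "explorer.exe", "HIGH"),
    ProcEvent(2152, "taskkill.exe",
              r'"C:\Windows\System32\taskkill.exe" /f /im explorer.exe',
              "RemoveWAT.2.2.7.0.exe", "HIGH", 0),
    ProcEvent(1700, "wusa.exe",
              r'"C:\Windows\system32\wusa.exe" "C:\Windows\wat.MSU" /quiet',
              "RemoveWAT.2.2.7.0.exe", "HIGH", 0),
    ProcEvent(3536, "cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /f /im WatAdminSvc.exe & taskkill /f /im WatUX.exe',
              "RemoveWAT.2.2.7.0.exe", "HIGH", 128),
    ProcEvent(2344, "taskkill.exe", r"taskkill /f /im WatAdminSvc.exe", "cmd.exe", "HIGH", 128),
    ProcEvent(1460, "taskkill.exe", r"taskkill /f /im WatUX.exe", "cmd.exe", "HIGH", 128),
    ProcEvent(304, "cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c takeown /f "C:\Windows\System32\Wat\WatAdminSvc.exe" & icacls "C:\Windows\System32\Wat\WatAdminSvc.exe" /reset & icacls "C:\Windows\System32\Wat\WatAdminSvc.exe" /deny *S-1-1-0:(X)',
              "RemoveWAT.2.2.7.0.exe", "HIGH", 0),
]

# One rule per observed behaviour, matched case-insensitively on the command line.
RULES = {
    "kill_explorer": re.compile(r'taskkill(?:\.exe"?)?\s.*?/im\s+explorer\.exe', re.I),
    "kill_wat_proc": re.compile(r'taskkill(?:\.exe"?)?\s.*?/im\s+Wat(?:AdminSvc|UX)\.exe', re.I),
    "wusa_quiet_windows_dir": re.compile(r'wusa\.exe"?\s+"?C:\\Windows\\[^"]*\.msu"?.*\s/quiet', re.I),
    "takeown_wat": re.compile(r'takeown\s+/f\s+"?C:\\Windows\\System32\\Wat\\', re.I),
    "deny_exec_wat": re.compile(r'icacls\s+"?C:\\Windows\\System32\\Wat\\[^"]*"?\s+/deny\s+\*S-1-1-0:\(X\)', re.I),
}

TASKKILL_NO_MATCH = 128   # taskkill's exit code when nothing matched /im
ROOT_PARENTS = {"explorer.exe", "services.exe", "svchost.exe"}
DECISIVE = {"takeown_wat", "deny_exec_wat"}   # ACL tampering on the WAT service binary


def classify(ev):
    """Names of the rules whose pattern occurs in this event's command line."""
    return [name for name, rx in RULES.items() if rx.search(ev.cmdline)]


def resolve_root(ev, by_image):
    """Walk parent names upward until a shell or service host is reached."""
    cur, seen = ev, {ev.pid}
    while cur.parent not in ROOT_PARENTS and cur.parent in by_image:
        nxt = by_image[cur.parent]
        if nxt.pid in seen:        # guard against a name cycle
            break
        seen.add(nxt.pid)
        cur = nxt
    return cur


def attribute_chains(events):
    """Group rule hits under the non-system ancestor that spawned them."""
    by_image = {}
    for ev in events:
        by_image.setdefault(ev.image, ev)
    chains = {}
    for ev in events:
        hits = classify(ev)
        if not hits:
            continue
        root = resolve_root(ev, by_image)
        info = chains.setdefault(root.image, {"pid": root.pid, "rules": set(),
                                              "kills_without_target": set()})
        info["rules"].update(hits)
        # A kill that exited 128 was attempted against a process that was not running.
        if ev.image.lower() == "taskkill.exe" and ev.exit_code == TASKKILL_NO_MATCH:
            m = re.search(r"/im\s+(\S+)", ev.cmdline, re.I)
            if m:
                info["kills_without_target"].add(m.group(1))
    return chains


def verdict(events):
    """'wat_tamper' when both ACL steps were seen under one root, else 'suspicious'."""
    return {root: ("wat_tamper" if DECISIVE <= info["rules"] else "suspicious")
            for root, info in attribute_chains(events).items()}


if __name__ == "__main__":
    for root, info in attribute_chains(SAMPLE_EVENTS).items():
        print(root, info["pid"], sorted(info["rules"]), sorted(info["kills_without_target"]))
    print(verdict(SAMPLE_EVENTS))
```

Run against the transcribed rows, the rule attributes all five behaviours to PID 1028 and reports WatAdminSvc.exe and WatUX.exe as kill targets that were not found, which is exactly what the exit codes in the table say; the verdict still comes out as tampering because the takeown/icacls pair under PID 304 completed with exit code 0.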
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1700 | wusa.exe | C:\9db1f398289f13d73ce10aaec23f\$dpx$.tmp\17957a4cc808414ebcd3069f6c664ab5.tmp | — | — | — |
| 1700 | wusa.exe | C:\9db1f398289f13d73ce10aaec23f\$dpx$.tmp\26b5c2e43a1c6846ad39bf7ed5ead212.tmp | — | — | — |
| 1700 | wusa.exe | C:\9db1f398289f13d73ce10aaec23f\$dpx$.tmp\59d824e80d1bdb44a6168c2103111335.tmp | — | — | — |
| 1700 | wusa.exe | C:\9db1f398289f13d73ce10aaec23f\$dpx$.tmp\a3278428233d2144b92e74ad2db77cba.tmp | — | — | — |
| 1952 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | D82D9CE0AB3C5AFC0E0E38D0827BFD67 | AB2AEFC34EC8391F76404CEFD924821EA2B73447D4B02D508D549F0536D7D19E |
| 1700 | wusa.exe | C:\9db1f398289f13d73ce10aaec23f\WSUSSCAN.cab | compressed | 63B344025100243B997D5E2756A11F7A | 9B3FC7CAC1E02935F5D59D96D76844780DCCAE81CCC275FB0847A81E5BDB8594 |
| 1952 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | 76DCC60F78B3DFF1AE3627619074F465 | 18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0 |
| 1952 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | 57D02ECB849B7CB0CE2648B9338292E1 | E40A4335A0A1A34499F59103B669413734508B843F26192B1E2B950958178EF5 |
| 1700 | wusa.exe | C:\9db1f398289f13d73ce10aaec23f\Windows6.1-KB971033-x86-pkgProperties.txt | text | 2A935916F7EA88AA5EE735B1775C228E | D71B35046C13D0638ADBC20F5D9835E5E363AE685E23CECC3A47E66C79510337 |
| 3544 | WinRAR.exe | C:\Users\admin\Desktop\phanmem47.com--RemoveWAT.2.2.7\RemoveWAT.2.2.7.0.exe | executable | BFACF78644CA41FD6D4B23976E7574A1 | 94A1A26F61B015C2CED2FD50BDBA4070B6C9AEC7D2938FBF7EB9E99960D3B7A9 |