Malware analysis C2R-R2V_5.7z Malicious activity | ANY.RUN

Add for printing

File name:	C2R-R2V_5.7z
Full analysis:	https://app.any.run/tasks/07eeb633-f93b-482f-aa86-5f8eb34ad1fd
Verdict:	Malicious activity
Analysis date:	October 03, 2019, 22:45:42
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	85086648BE3F3280581115BE82AB369D
SHA1:	8365F5F61B64B8269708C5463FFB2AA712B7EB9B
SHA256:	811E6F82B41E4263FC3F676C57DED8ECD1FB789C2A51B4D17273886370B6FB32
SSDEEP:	12288:uV3+4umF/ztkUjPkS8I8Gy+jnQaXeJyWYouPHc/E4xg8eZ:m3+4X/z/kS8PgjhektogyTuFZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - cscript.exe (PID: 2316)
- Application was dropped or rewritten from another process
  - CleanOSPP.exe (PID: 2116)
  - cleanospp.exe (PID: 3228)
- Loads dropped or rewritten executable
  - CleanOSPP.exe (PID: 2116)
  - cleanospp.exe (PID: 3228)
SUSPICIOUS
- Uses REG.EXE to modify Windows registry
  - cmd.exe (PID: 2744)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2920)
- Application launched itself
  - cmd.exe (PID: 2744)
- Starts CMD.EXE for commands execution
  - cmd.exe (PID: 2744)
- Starts SC.EXE for service management
  - cmd.exe (PID: 2744)
- Executes scripts
  - WScript.exe (PID: 3896)
  - WScript.exe (PID: 2448)
INFO
- Manual execution by user
  - cmd.exe (PID: 2744)
  - WScript.exe (PID: 3896)
  - WScript.exe (PID: 2448)
  - WScript.exe (PID: 3128)
  - cleanospp.exe (PID: 3228)
  - NOTEPAD.EXE (PID: 3608)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1200

sc query ClickToRunSvc

C:\Windows\system32\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1060

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2116

"C:\Users\admin\Desktop\C2R-R2V\x86\CleanOSPP.exe"

C:\Users\admin\Desktop\C2R-R2V\x86\CleanOSPP.exe

—

cscript.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\c2r-r2v\x86\cleanospp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\users\admin\desktop\c2r-r2v\x86\msvcr100.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

2240

sc query OfficeSvc

C:\Windows\system32\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1060

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2292

cscript.exe

C:\Windows\System32\cscript.exe

—

WScript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Console Based Script Host

Exit code:

Version:

5.8.7600.16385

Modules

Images
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

2316

"C:\Windows\System32\cscript.exe" "C:\Users\admin\Desktop\C2R-R2V\OffScrub_O16msi.vbs" /NoElevate UAC

C:\Windows\System32\cscript.exe

WScript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft ® Console Based Script Host

Exit code:

3221225786

Version:

5.8.7600.16385

Modules

Images
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

2448

"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\C2R-R2V\OffScrubc2r.vbs"

C:\Windows\System32\WScript.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Windows Based Script Host

Exit code:

3221225786

Version:

5.8.7600.16385

Modules

Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2744

"C:\Windows\System32\cmd.exe" /C "C:\Users\admin\Desktop\C2R-R2V\Convert-C2R.cmd"

C:\Windows\System32\cmd.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2920

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\C2R-R2V_5.7z"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll

3128

"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\C2R-R2V\x86\key.vbs"

C:\Windows\System32\WScript.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Windows Based Script Host

Exit code:

Version:

5.8.7600.16385

Modules

Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

3216

"C:\Windows\System32\cscript.exe" "C:\Users\admin\Desktop\C2R-R2V\OffScrubc2r.vbs" /NoElevate UAC

C:\Windows\System32\cscript.exe

WScript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft ® Console Based Script Host

Exit code:

3221225786

Version:

5.8.7600.16385

Modules

Images
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

Add for printing

Total events

879

Read events

843

Write events

Delete events

Modification events


(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\C2R-R2V_5.7z
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop
(PID) Process:	(3896) WScript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2316	cscript.exe	C:\Users\admin\AppData\Local\Temp\OffScrub_O16msi\USER-PC_20191003234648_ScrubLog.txt		text
		MD5:—	SHA256:—
3216	cscript.exe	C:\Users\admin\AppData\Local\Temp\OffScrubC2R\USER-PC_20191003234729_ScrubLog.txt		text
		MD5:—	SHA256:—
3216	cscript.exe	C:\Users\admin\AppData\Local\Temp\OffScrubC2R\ScrubRetValFile.txt		text
		MD5:07DDC9B29E487769E638DA3E8277818E	SHA256:44119689FD681E69B50FF356FACCD21BC3DFBA827564DC1540910E7EE4FED75E
2920	WinRAR.exe	C:\Users\admin\Desktop\C2R-R2V\x86\msvcr100.dll		executable
		MD5:BF38660A9125935658CFA3E53FDC7D65	SHA256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
2920	WinRAR.exe	C:\Users\admin\Desktop\C2R-R2V\ReadMe.txt		text
		MD5:133FAC2255E749C176DBC1C8BF34D50E	SHA256:5822348EF723FB6AE37054B8B21976DEEAB82896BBA566EE6879F13F29488111
2316	cscript.exe	C:\Users\admin\AppData\Local\Temp\OffScrub_O16msi\ScrubRetValFile.txt		text
		MD5:F3B25701FE362EC84616A93A45CE9998	SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
2920	WinRAR.exe	C:\Users\admin\Desktop\C2R-R2V\x86\key.vbs		text
		MD5:C264487F146AF23BE8B8C65E32D8A211	SHA256:CE647840ADAB3A9B403DF557CA993A42032EB57F768B5992B022839787C2D0CE
2920	WinRAR.exe	C:\Users\admin\Desktop\C2R-R2V\Convert-C2R.cmd		text
		MD5:353CDE65B538019CA139E3E790ABD8CD	SHA256:D450D67F57F2B28EDEB22044D1107E35AF8AC3CC940E79F78B59601A3718B1FB
2920	WinRAR.exe	C:\Users\admin\Desktop\C2R-R2V\x64\msvcr100.dll		executable
		MD5:DF3CA8D16BDED6A54977B30E66864D33	SHA256:1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36
2920	WinRAR.exe	C:\Users\admin\Desktop\C2R-R2V\x86\cleanospp.exe		executable
		MD5:5FD363D52D04AC200CD24F3BCC903200	SHA256:3FDEFE2AD092A9A7FE0EDF0AC4DC2DE7E5B9CE6A0804F6511C06564194966CF9

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

C2R-R2V_5.7z

85086648BE3F3280581115BE82AB369D

8365F5F61B64B8269708C5463FFB2AA712B7EB9B

811E6F82B41E4263FC3F676C57DED8ECD1FB789C2A51B4D17273886370B6FB32

12288:uV3+4umF/ztkUjPkS8I8Gy+jnQaXeJyWYouPHc/E4xg8eZ:m3+4X/z/kS8PgjhektogyTuFZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

SUSPICIOUS

Uses REG.EXE to modify Windows registry

Executable content was dropped or overwritten

Application launched itself

Starts CMD.EXE for commands execution

Starts SC.EXE for service management

Executes scripts

INFO

Manual execution by user

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings