Malware analysis C2R-R2V_5.7z No threats detected | ANY.RUN

Add for printing

File name:	C2R-R2V_5.7z
Full analysis:	https://app.any.run/tasks/83d74a64-4403-40af-816b-30dee09c9751
Verdict:	No threats detected
Analysis date:	October 03, 2019, 22:44:54
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	85086648BE3F3280581115BE82AB369D
SHA1:	8365F5F61B64B8269708C5463FFB2AA712B7EB9B
SHA256:	811E6F82B41E4263FC3F676C57DED8ECD1FB789C2A51B4D17273886370B6FB32
SSDEEP:	12288:uV3+4umF/ztkUjPkS8I8Gy+jnQaXeJyWYouPHc/E4xg8eZ:m3+4X/z/kS8PgjhektogyTuFZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2920)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

32

Monitored processes

1

Malicious processes

0

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2920

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\C2R-R2V_5.7z"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

0

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

Add for printing

Total events

448

Read events

427

Write events

21

Delete events

0

Modification events


(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\C2R-R2V_5.7z
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\C2R-R2V_5
(PID) Process:	(2920) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

Add for printing

Executable files

4

Suspicious files

0

Text files

5

Unknown types

0

Dropped files

PID	Process	Filename		Type
2920	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\C2R-R2V_5\C2R-R2V\Convert-C2R.cmd		text
		MD5:353CDE65B538019CA139E3E790ABD8CD	SHA256:D450D67F57F2B28EDEB22044D1107E35AF8AC3CC940E79F78B59601A3718B1FB
2920	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\C2R-R2V_5\C2R-R2V\ReadMe.txt		text
		MD5:133FAC2255E749C176DBC1C8BF34D50E	SHA256:5822348EF723FB6AE37054B8B21976DEEAB82896BBA566EE6879F13F29488111
2920	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\C2R-R2V_5\C2R-R2V\x86\key.vbs		text
		MD5:C264487F146AF23BE8B8C65E32D8A211	SHA256:CE647840ADAB3A9B403DF557CA993A42032EB57F768B5992B022839787C2D0CE
2920	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\C2R-R2V_5\C2R-R2V\x64\msvcr100.dll		executable
		MD5:DF3CA8D16BDED6A54977B30E66864D33	SHA256:1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36
2920	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\C2R-R2V_5\C2R-R2V\x86\cleanospp.exe		executable
		MD5:5FD363D52D04AC200CD24F3BCC903200	SHA256:3FDEFE2AD092A9A7FE0EDF0AC4DC2DE7E5B9CE6A0804F6511C06564194966CF9
2920	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\C2R-R2V_5\C2R-R2V\OffScrubc2r.vbs		text
		MD5:930DC88EDCDDE90F7449CA55AA616928	SHA256:570F82344AD7300DD4A2993AD6C3A1ABE1987F37254BFF708DBA1801BFEF392C
2920	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\C2R-R2V_5\C2R-R2V\x64\cleanospp.exe		executable
		MD5:162AB955CB2F002A73C1530AA796477F	SHA256:5CE462E5F34065FC878362BA58617FAB28C22D631B9D836DDDCF43FB1AD4DE6E
2920	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\C2R-R2V_5\C2R-R2V\OffScrub_O16msi.vbs		text
		MD5:67885A2865E9B277EA5A623B5217782C	SHA256:C5903CD58467DE9BBA3614D03D637D002C2A24C6706729E105699B1214F938D1
2920	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\C2R-R2V_5\C2R-R2V\x86\msvcr100.dll		executable
		MD5:BF38660A9125935658CFA3E53FDC7D65	SHA256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

0

TCP/UDP connections

0

DNS requests

0

Threats

0

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

C2R-R2V_5.7z

85086648BE3F3280581115BE82AB369D

8365F5F61B64B8269708C5463FFB2AA712B7EB9B

811E6F82B41E4263FC3F676C57DED8ECD1FB789C2A51B4D17273886370B6FB32

12288:uV3+4umF/ztkUjPkS8I8Gy+jnQaXeJyWYouPHc/E4xg8eZ:m3+4X/z/kS8PgjhektogyTuFZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

INFO

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings