File name: gifs-colors.rar

Full analysis: https://app.any.run/tasks/98717897-a761-46dd-9524-d235e03a89e7
Verdict: Malicious activity
Analysis date: January 10, 2025, 19:54:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
python
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: BA6C03DD0D60E51F2875A19361320E5C
SHA1: 8B9A518D358C731E2B44FCCB664A01D6B73BE9F9
SHA256: 836831DA409E8E3AC692E74D10C2B5C713C4810AAEBB4291DE5C4E7AB81E617E
SSDEEP: 98304:PiW3l6c7nKvq1+P1RNjMbxUmurfLMHJ+HyLAKleWYMEmPeiENjle+4sW8UBzi3O8:sOlh4Il+kcBhVCI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 2100)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 2100)
    • The process drops C-runtime libraries

      • XOR GRADIENT TOOL.exe (PID: 6444)
    • Process drops legitimate windows executable

      • XOR GRADIENT TOOL.exe (PID: 6444)
    • Executable content was dropped or overwritten

      • XOR GRADIENT TOOL.exe (PID: 6444)
    • Process drops python dynamic module

      • XOR GRADIENT TOOL.exe (PID: 6444)
    • Application launched itself

      • XOR GRADIENT TOOL.exe (PID: 6444)
    • Start notepad (likely ransomware note)

      • WinRAR.exe (PID: 2100)
    • Starts CMD.EXE for commands execution

      • XOR GRADIENT TOOL.exe (PID: 6516)
    • Loads Python modules

      • XOR GRADIENT TOOL.exe (PID: 6516)
  • INFO

    • Checks supported languages

      • XOR GRADIENT TOOL.exe (PID: 6516)
      • XOR GRADIENT TOOL.exe (PID: 6444)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2100)
    • Reads the computer name

      • XOR GRADIENT TOOL.exe (PID: 6444)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 2100)
    • The sample compiled with english language support

      • XOR GRADIENT TOOL.exe (PID: 6444)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 2100)
    • Create files in a temporary directory

      • XOR GRADIENT TOOL.exe (PID: 6444)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 199
UncompressedSize: 349
OperatingSystem: Win32
ArchivedFileName: Authentication Key.txt
No data.
All screenshots are available in the full report
Total processes: 133
Monitored processes: 7
Malicious processes: 0
Suspicious processes: 2

Behavior graph

Process nodes (in the order shown): start, winrar.exe, xor gradient tool.exe, conhost.exe (no specs), xor gradient tool.exe (no specs), notepad.exe (no specs), notepad.exe (no specs), cmd.exe (no specs)

Process information

PID | CMD | Path | Parent process
2100 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\gifs-colors.rar | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
6444 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2100.18138\XOR GRADIENT TOOL.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2100.18138\XOR GRADIENT TOOL.exe | WinRAR.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2100.18138\xor gradient tool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
6452 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | XOR GRADIENT TOOL.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6516 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2100.18138\XOR GRADIENT TOOL.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2100.18138\XOR GRADIENT TOOL.exe | XOR GRADIENT TOOL.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2100.18138\xor gradient tool.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
6812 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa2100.19058\Tutorial.txt | C:\Windows\System32\notepad.exe | WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
6940 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa2100.19624\Authentication Key.txt | C:\Windows\System32\notepad.exe | WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
7164 | C:\WINDOWS\system32\cmd.exe /c cls | C:\Windows\System32\cmd.exe | XOR GRADIENT TOOL.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events: 2 959
Read events: 2 949
Write events: 10
Delete events: 0

Modification events

Process: (2100) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
Process: (2100) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
Process: (2100) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
Process: (2100) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\gifs-colors.rar
Process: (2100) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
Process: (2100) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
Process: (2100) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Process: (2100) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Process: (2100) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids | Operation: write | Name: txtfile | Value:
Executable files: 13
Suspicious files: 1
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2100 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2100.18138\Tutorial.txt | text
MD5: 9963347A672E26D0D6A883D172350A83
SHA256: 9F4F1970A582A707F2532AEDD8AB94F1A83D52241F7B3CA48348039201521F35
2100 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2100.18138\Authentication Key.txt | text
MD5: D371A08E65E413E11E1CEB7D52343D5B
SHA256: 01AFA5CABCB74B9E5DD5B9D3606FAD1987FDFA630F1A9B407346F8612117A949
2100 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2100.19058\Tutorial.txt | text
MD5: 9963347A672E26D0D6A883D172350A83
SHA256: 9F4F1970A582A707F2532AEDD8AB94F1A83D52241F7B3CA48348039201521F35
6444 | XOR GRADIENT TOOL.exe | C:\Users\admin\AppData\Local\Temp\_MEI64442\libcrypto-3.dll | executable
MD5: 123AD0908C76CCBA4789C084F7A6B8D0
SHA256: 4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
6444 | XOR GRADIENT TOOL.exe | C:\Users\admin\AppData\Local\Temp\_MEI64442\_bz2.pyd | executable
MD5: CB8C06C8FA9E61E4AC5F22EEBF7F1D00
SHA256: FC3B481684B926350057E263622A2A5335B149A0498A8D65C4F37E39DD90B640
6444 | XOR GRADIENT TOOL.exe | C:\Users\admin\AppData\Local\Temp\_MEI64442\_lzma.pyd | executable
MD5: 1BA022D42024A655CF289544AE461FB8
SHA256: D080EABD015A3569813A220FD4EA74DFF34ED2A8519A10473EB37E22B1118A06
6444 | XOR GRADIENT TOOL.exe | C:\Users\admin\AppData\Local\Temp\_MEI64442\_hashlib.pyd | executable
MD5: 32D76C9ABD65A5D2671AEEDE189BC290
SHA256: 838D5C8B7C3212C8429BAF612623ABBBC20A9023EEC41E34E5461B76A285B86C
6444 | XOR GRADIENT TOOL.exe | C:\Users\admin\AppData\Local\Temp\_MEI64442\base_library.zip | compressed
MD5: A9CBD0455B46C7D14194D1F18CA8719E
SHA256: DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
2100 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2100.19624\Authentication Key.txt | text
MD5: D371A08E65E413E11E1CEB7D52343D5B
SHA256: 01AFA5CABCB74B9E5DD5B9D3606FAD1987FDFA630F1A9B407346F8612117A949
6444 | XOR GRADIENT TOOL.exe | C:\Users\admin\AppData\Local\Temp\_MEI64442\_socket.pyd | executable
MD5: FE896371430BD9551717EF12A3E7E818
SHA256: 35246B04C6C7001CA448554246445A845CE116814A29B18B617EA38752E4659B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 32
DNS requests: 20
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6180
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7044
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7044
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
3220
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
5064
SearchApp.exe
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
1176
svchost.exe
40.126.32.140:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1076
svchost.exe
2.23.242.9:443
go.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 184.30.21.171
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.140
  • 40.126.32.133
  • 40.126.32.72
  • 40.126.32.138
  • 40.126.32.74
  • 20.190.160.20
  • 40.126.32.68
  • 20.190.160.22
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted

Threats

No threats detected
No debug info