File name: Debug.7z
Full analysis: https://app.any.run/tasks/72d4b0c6-dfb4-4e6d-aec0-5039476d3583
Verdict: Malicious activity
Analysis date: June 27, 2022, 10:08:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 6D4FA8AB3B7C2D9433C92141D1897608
SHA1: 88DA8EE0C7E27DF69103B0719BDE71804A6714FB
SHA256: 83DFA333E40CAFC2C7E62FECDDC9F66A3441498C1EB5D5E36B31C469BC6E8506
SSDEEP: 98304:LuLx3GvI4FtQJIgtVAu02ZBzJE66S3AEO9J+wSAq0iujUvR4bEQP+mM2y8CIHr:sx3GvI4F2JIsAUL6wAEMAzADiuo2V+X4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • WinRAR.exe (PID: 3212)
      • Explorer.EXE (PID: 764)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3604)
      • Explorer.EXE (PID: 764)
    • Application was dropped or rewritten from another process
      • nhjj.exe (PID: 3176)
      • nhjj.exe (PID: 4024)
      • nhjj.exe (PID: 2152)
      • nhjj.exe (PID: 2804)
      • nhjj.exe (PID: 2068)
      • nhjj.exe (PID: 2360)
  • SUSPICIOUS
    • Checks supported languages
      • WinRAR.exe (PID: 3212)
      • nhjj.exe (PID: 4024)
      • nhjj.exe (PID: 2804)
      • nhjj.exe (PID: 2068)
    • Reads the computer name
      • WinRAR.exe (PID: 3212)
      • nhjj.exe (PID: 4024)
      • nhjj.exe (PID: 2804)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3212)
      • Explorer.EXE (PID: 764)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 3212)
      • Explorer.EXE (PID: 764)
    • Starts Internet Explorer
      • nhjj.exe (PID: 4024)
      • nhjj.exe (PID: 2804)
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 3380)
      • iexplore.exe (PID: 3948)
  • INFO
    • Manual execution by user
      • nhjj.exe (PID: 3176)
      • nhjj.exe (PID: 4024)
      • nhjj.exe (PID: 2152)
      • nhjj.exe (PID: 2804)
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 3212)
    • Reads the computer name
      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 3380)
      • iexplore.exe (PID: 3520)
      • iexplore.exe (PID: 3948)
    • Checks supported languages
      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 3380)
      • iexplore.exe (PID: 3520)
      • iexplore.exe (PID: 3948)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 3380)
      • iexplore.exe (PID: 3948)
    • Changes internet zones settings
      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 3520)
    • Application launched itself
      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 3520)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3380)
      • iexplore.exe (PID: 3948)
    • Reads the date of Windows installation
      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 3520)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 61
Monitored processes: 13
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Interactive graph available in the full report only. Nodes shown: winrar.exe, searchprotocolhost.exe, nhjj.exe, iexplore.exe, explorer.exe (edges labelled "start" and "drop and start").

Process information

PID: 3212
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Debug.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 3604
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

PID: 3176
CMD: "C:\Users\admin\Desktop\nhjj.exe"
Path: C:\Users\admin\Desktop\nhjj.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: nhjj
Exit code: 3221226540
Version: 1.0.0.0

PID: 4024
CMD: "C:\Users\admin\Desktop\nhjj.exe"
Path: C:\Users\admin\Desktop\nhjj.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Description: nhjj
Exit code: 2148734720
Version: 1.0.0.0

PID: 2520
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.7.2&processName=nhjj.exe&platform=0000&osver=5&isServer=0&shimver=4.0.30319.34209
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: nhjj.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3380
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2520 CREDAT:275457 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2152
CMD: "C:\Users\admin\Desktop\nhjj.exe"
Path: C:\Users\admin\Desktop\nhjj.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: nhjj
Exit code: 3221226540
Version: 1.0.0.0

PID: 2804
CMD: "C:\Users\admin\Desktop\nhjj.exe"
Path: C:\Users\admin\Desktop\nhjj.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Description: nhjj
Exit code: 2148734720
Version: 1.0.0.0

PID: 3520
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.7.2&processName=nhjj.exe&platform=0000&osver=5&isServer=0&shimver=4.0.30319.34209
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: nhjj.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3948
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3520 CREDAT:275457 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 21 811
Read events: 21 440
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 56
Suspicious files: 32
Text files: 31
Unknown types: 12

Dropped files

PID: 3212 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3212.17101\Microsoft.CodeAnalysis.CSharp.pdb
Type: binary
MD5: A98122874E2FF3CD6E6378BFE703A1E7
SHA256: 810D3B427272E97806404359EA1D20EBF10C473B72E3F2B823101DEFED7003B8

PID: 3212 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3212.17101\Microsoft.CodeAnalysis.xml
Type: xml
MD5: B82470C782EABD9D3F092EE1E3B9D110
SHA256: BC0E92D9A074985A65ED76F17D812FADCDB99A34E78BB879A4DBE3AAFAF915CE

PID: 3212 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3212.17101\Microsoft.CodeAnalysis.CSharp.xml
Type: xml
MD5: C2BFE8D888685BCD19E9AAE5B04EA61C
SHA256: 8501B3B28FB245FCF9604B67EAC1FA528717A9920172CBFA79CF3E478611EE45

PID: 3212 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3212.17101\cs\Microsoft.CodeAnalysis.CSharp.resources.dll
Type: executable
MD5: C8AAC6A5B0EBBF6098B96963758684C6
SHA256: 3E20DA06FD49B2F388198FE725878FD6F8CFA330CC34BCC7C00AFD981E6E6A4B

PID: 3212 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3212.17101\nhjj.pdb
Type: pdb
MD5: 2F9015EF6A0CFDBE0D95CE8997AB5D29
SHA256: 708AA936682CBB901DDB8D718FC7F670F486A36A4C3F4DCD869DC53F9BA2A46A

PID: 3212 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3212.17101\de\Microsoft.CodeAnalysis.CSharp.resources.dll
Type: executable
MD5: 32EB03D9F08052661973130ADDD79FB9
SHA256: 42028FB07B22CE3BFCDA10352ECFAC64E6A9B88FA488CFBAC5F2142647A995CB

PID: 3212 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3212.17101\es\Microsoft.CodeAnalysis.CSharp.resources.dll
Type: executable
MD5: 0B5EC84B7957CB8C31DF0EDE4CF5F8E7
SHA256: 518FA2EE48EB447D76D728483C2D87E415EB981B33B5452F7A928FAABB56987B

PID: 3212 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3212.17101\Microsoft.CodeAnalysis.pdb
Type: binary
MD5: 13E36F552634395ED7D3F5B21B54037C
SHA256: 3A5D2A21B207930DD9F3A3CACDB24461284828DF951FEF88B8964A553DC411DC

PID: 3212 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3212.17101\nhjj.exe.config
Type: xml
MD5: 98DBB4A9BC384DCA6B79A47886C42891
SHA256: 4E12056F6C6FF7D05F4DFD957586AEB41FE563677C57AE2FC43AFF8AA2BCF970

PID: 3212 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3212.17101\es\Microsoft.CodeAnalysis.resources.dll
Type: executable
MD5: 7980A9D365D8BFD1A644C23CF84CFCFD
SHA256: DBB5C7D7CB2898FEACE653BF3055776D0D581CF8DB0845DD306F0BB16EBE70FE
HTTP(S) requests: 2
TCP/UDP connections: 9
DNS requests: 7
Threats: 0

HTTP requests

PID: 3948 | Process: iexplore.exe
Method: GET | HTTP Code: 200
IP: 93.184.220.29:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
CN: US | Type: der | Size: 1.47 Kb | Reputation: whitelisted

PID: 3380 | Process: iexplore.exe
Method: GET | HTTP Code: 200
IP: 178.79.242.128:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?19a1f92e954799a8
CN: DE | Type: compressed | Size: 4.70 Kb | Reputation: whitelisted

Connections

PID: 3948 | Process: iexplore.exe
IP: 93.184.220.29:80 | Domain: ocsp.digicert.com
ASN: MCI Communications Services, Inc. d/b/a Verizon Business | CN: US
Reputation: whitelisted

PID: 3380 | Process: iexplore.exe
IP: 93.184.220.29:80 | Domain: ocsp.digicert.com
ASN: MCI Communications Services, Inc. d/b/a Verizon Business | CN: US
Reputation: whitelisted

PID: 3948 | Process: iexplore.exe
IP: 104.89.38.104:443 | Domain: go.microsoft.com
ASN: Akamai Technologies, Inc. | CN: NL
Reputation: malicious

PID: 3380 | Process: iexplore.exe
IP: 104.89.38.104:443 | Domain: go.microsoft.com
ASN: Akamai Technologies, Inc. | CN: NL
Reputation: malicious

PID: 3380 | Process: iexplore.exe
IP: 178.79.242.128:80 | Domain: ctldl.windowsupdate.com
ASN: Limelight Networks, Inc. | CN: DE
Reputation: malicious

IP: 192.168.100.2:53
Reputation: whitelisted

DNS requests

Domain: www.microsoft.com
Reputation: whitelisted

Domain: go.microsoft.com
IP:
  • 104.89.38.104
Reputation: whitelisted

Domain: ctldl.windowsupdate.com
IP:
  • 178.79.242.128
  • 178.79.242.0
Reputation: whitelisted

Domain: ocsp.digicert.com
IP:
  • 93.184.220.29
Reputation: whitelisted

Domain: dotnet.microsoft.com
IP:
  • 13.107.227.45
  • 13.107.219.45
Reputation: whitelisted

Threats

No threats detected
No debug info