File name: Debug.7z
Full analysis: https://app.any.run/tasks/cce75404-beb7-4e61-94fe-9ce85131176b
Verdict: Malicious activity
Analysis date: June 27, 2022, 10:09:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 6D4FA8AB3B7C2D9433C92141D1897608
SHA1: 88DA8EE0C7E27DF69103B0719BDE71804A6714FB
SHA256: 83DFA333E40CAFC2C7E62FECDDC9F66A3441498C1EB5D5E36B31C469BC6E8506
SSDEEP: 98304:LuLx3GvI4FtQJIgtVAu02ZBzJE66S3AEO9J+wSAq0iujUvR4bEQP+mM2y8CIHr:sx3GvI4F2JIsAUL6wAEMAzADiuo2V+X4
ANY.RUN is an interactive service that gives the analyst full access to the guest system. The information in this report may therefore be influenced by the analyst's own actions in the VM and is provided as is. ANY.RUN does not guarantee that the content is malicious or safe.
Signatures:
  • MALICIOUS
    • Drops executable file immediately after starts: WinRAR.exe (PID: 3740), Explorer.EXE (PID: 1172)
    • Loads dropped or rewritten executable: Explorer.EXE (PID: 1172), SearchProtocolHost.exe (PID: 2484), nhjj.exe (PIDs: 2488, 2532, 3056)
    • Application was dropped or rewritten from another process: nhjj.exe (PIDs: 2200, 2488, 568, 2532, 3228, 3056)
  • SUSPICIOUS
    • Reads the computer name: WinRAR.exe (PID: 3740), nhjj.exe (PIDs: 2488, 3056, 2532)
    • Checks supported languages: WinRAR.exe (PID: 3740), nhjj.exe (PIDs: 2488, 2532, 3056)
    • Drops a file with a compile date too recent: WinRAR.exe (PID: 3740), Explorer.EXE (PID: 1172)
    • Executable content was dropped or overwritten: WinRAR.exe (PID: 3740), Explorer.EXE (PID: 1172)
    • Reads default file associations for system extensions: Explorer.EXE (PID: 1172)
  • INFO
    • Dropped object may contain Bitcoin addresses: WinRAR.exe (PID: 3740)
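The "Drops a file with a compile date too recent" signature compares a dropped PE file's COFF TimeDateStamp with the time of the analysis. The following is an added example, not code from the ANY.RUN report or from the sample, showing how to read that field and reproduce the check offline. It assumes the analysis time in the report header is UTC, and it also reads the CLR data directory, because .NET assemblies produced by Roslyn's deterministic builds (the dropped Microsoft.CodeAnalysis.* files point at a .NET build) carry a content hash in that field rather than a real timestamp, so a "future" compile date on such an image is weak evidence on its own. The `build_test_pe` helper fabricates a minimal PE32 header purely as constructed test input.

```python
# Added example (not part of the ANY.RUN report): read a PE file's COFF
# TimeDateStamp and apply the "compile date later than analysis time" test.
import struct
from datetime import datetime, timezone

# Analysis time from the report header; treated as UTC (assumption).
ANALYSIS_TIME = datetime(2022, 6, 27, 10, 9, 53, tzinfo=timezone.utc)


def parse_pe(data: bytes) -> dict:
    """Return machine, COFF timestamp and whether the image has a CLR header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    # Data directories start at optional-header offset 96 (PE32, 0x10B) or
    # 112 (PE32+, 0x20B); entry 14 is the CLR runtime header (non-zero for .NET).
    dir_base = opt + (96 if magic == 0x10B else 112)
    clr_rva, clr_size = struct.unpack_from("<II", data, dir_base + 14 * 8)
    return {"machine": machine, "timestamp": timestamp,
            "is_dotnet": clr_rva != 0 and clr_size != 0}


def compile_time_verdict(data: bytes, analysis_time: datetime = ANALYSIS_TIME) -> dict:
    """Flag an image whose compile timestamp postdates the sandbox run.

    is_dotnet is returned alongside because deterministic Roslyn builds store a
    hash in TimeDateStamp, so a future date on a .NET image is not by itself
    evidence of tampering.
    """
    info = parse_pe(data)
    compiled = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    info["compiled_utc"] = compiled.isoformat()
    info["too_recent"] = compiled > analysis_time
    return info


def build_test_pe(timestamp: int, dotnet: bool) -> bytes:
    """Constructed minimal PE32 header for testing; not a real binary."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224                                           # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header directory
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # 1893456000 = 2030-01-01T00:00:00Z, i.e. later than the analysis date.
    print(compile_time_verdict(build_test_pe(1893456000, dotnet=True)))
```

Run it against the actual dropped files by reading them in binary mode and passing the bytes to `compile_time_verdict`; for a .NET image with `too_recent` set, check whether the build was deterministic before treating the timestamp as an indicator.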
No Malware configuration.

TRiD:
  .7z | 7-Zip compressed archive (v0.4) (57.1%)
  .7z | 7-Zip compressed archive (gen) (42.8%)
Total processes: 57
Monitored processes: 9
Malicious processes: 6
Suspicious processes: 0

Behavior graph

(Interactive graph, rendered only in the full report: one "start" edge and six "drop and start" edges linking winrar.exe, searchprotocolhost.exe (no specs), explorer.exe and the six nhjj.exe instances, three of which are marked "no specs".)

Process information

PID: 3740
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Debug.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 2484
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

PID: 1172
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2200
CMD: "C:\Users\admin\Desktop\nhjj.exe"
Path: C:\Users\admin\Desktop\nhjj.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: nhjj
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.0

PID: 2488
CMD: "C:\Users\admin\Desktop\nhjj.exe"
Path: C:\Users\admin\Desktop\nhjj.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Description: nhjj
Exit code: 3762504530 (0xE0434352, unhandled .NET/CLR exception)
Version: 1.0.0.0

PID: 568
CMD: "C:\Users\admin\Desktop\nhjj.exe"
Path: C:\Users\admin\Desktop\nhjj.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: nhjj
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.0

PID: 2532
CMD: "C:\Users\admin\Desktop\nhjj.exe"
Path: C:\Users\admin\Desktop\nhjj.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Description: nhjj
Exit code: 3762504530 (0xE0434352, unhandled .NET/CLR exception)
Version: 1.0.0.0

PID: 3228
CMD: "C:\Users\admin\Desktop\nhjj.exe"
Path: C:\Users\admin\Desktop\nhjj.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: nhjj
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.0

PID: 3056
CMD: "C:\Users\admin\Desktop\nhjj.exe"
Path: C:\Users\admin\Desktop\nhjj.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Description: nhjj
Exit code: 3762504530 (0xE0434352, unhandled .NET/CLR exception)
Version: 1.0.0.0

Note on the nhjj.exe exit codes: each of the three MEDIUM-integrity instances (PIDs 2200, 568, 3228) exited with 0xC000042C (STATUS_ELEVATION_REQUIRED) and was followed by a HIGH-integrity instance (PIDs 2488, 2532, 3056) with the same parent. That is the footprint of a binary whose manifest requests administrator rights when the interactive user accepts the UAC prompt; since this is an interactive session, the elevation reflects the analyst's clicks, not a UAC bypass. The HIGH-integrity instances all exited with 0xE0434352, the SEH exception code used for unhandled managed (.NET) exceptions, which is consistent with the Roslyn (Microsoft.CodeAnalysis.*) and nhjj.pdb artifacts in the dropped-files list and suggests the program crashed rather than completing its work.
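The exit codes in the table are decimal renderings of 32-bit NTSTATUS/SEH values, which is why the same two numbers repeat. The following added example (not code from the ANY.RUN report) decodes them and searches the process rows, transcribed from the table above, for the two patterns worth flagging in this run: a MEDIUM-integrity exit with STATUS_ELEVATION_REQUIRED followed by a HIGH-integrity run of the same image, and elevated instances that died on an unhandled .NET exception. The code-name table covers only the values on this page; the reading of the relaunch pattern as "manifest requests elevation, UAC prompt accepted" is an interpretation, not something the report states.

```python
# Added example (not part of the ANY.RUN report): decode the exit codes from
# the process table and flag the medium-to-high integrity relaunch pattern.
from collections import defaultdict

# Only the codes that appear on this page are named here.
EXIT_CODE_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
    0xE0434352: "CLR_EXCEPTION (unhandled .NET exception)",
}

# (pid, image, integrity level, parent, exit code) transcribed from the table.
# None means the report shows no exit code for that process.
PROCESSES = [
    (3740, "WinRAR.exe", "MEDIUM", "Explorer.EXE", None),
    (2484, "SearchProtocolHost.exe", "SYSTEM", "SearchIndexer.exe", 0),
    (1172, "Explorer.EXE", "MEDIUM", None, None),
    (2200, "nhjj.exe", "MEDIUM", "Explorer.EXE", 3221226540),
    (2488, "nhjj.exe", "HIGH", "Explorer.EXE", 3762504530),
    (568, "nhjj.exe", "MEDIUM", "Explorer.EXE", 3221226540),
    (2532, "nhjj.exe", "HIGH", "Explorer.EXE", 3762504530),
    (3228, "nhjj.exe", "MEDIUM", "Explorer.EXE", 3221226540),
    (3056, "nhjj.exe", "HIGH", "Explorer.EXE", 3762504530),
]

STATUS_ELEVATION_REQUIRED = 0xC000042C
CLR_EXCEPTION = 0xE0434352


def decode_exit_code(code):
    """Render a sandbox exit code (unsigned decimal) as hex, name and severity."""
    if code is None:
        return "no exit code recorded"
    code &= 0xFFFFFFFF
    name = EXIT_CODE_NAMES.get(code, "unknown")
    # NTSTATUS severity lives in the top two bits: 00 success, 01 info, 10 warning, 11 error.
    severity = ("success", "informational", "warning", "error")[code >> 30]
    return f"0x{code:08X} {name} ({severity})"


def elevation_relaunches(procs):
    """Images that exited at MEDIUM with STATUS_ELEVATION_REQUIRED and also ran at HIGH."""
    medium_fail = defaultdict(list)
    elevated = defaultdict(list)
    for pid, image, il, _parent, code in procs:
        if il == "MEDIUM" and code is not None and (code & 0xFFFFFFFF) == STATUS_ELEVATION_REQUIRED:
            medium_fail[image].append(pid)
        elif il == "HIGH":
            elevated[image].append(pid)
    return {img: {"elevation_required": pids, "elevated": elevated[img]}
            for img, pids in medium_fail.items() if elevated[img]}


def crashed_elevated(procs):
    """PIDs that ran at HIGH integrity and exited with an unhandled .NET exception."""
    return [pid for pid, _img, il, _parent, code in procs
            if il == "HIGH" and code is not None and (code & 0xFFFFFFFF) == CLR_EXCEPTION]


if __name__ == "__main__":
    for pid, image, il, _parent, code in PROCESSES:
        print(f"{pid:>5} {image:<24} {il:<7} {decode_exit_code(code)}")
    print(elevation_relaunches(PROCESSES))
    print(crashed_elevated(PROCESSES))
```

The same two functions work on any process list with image, integrity level and exit code columns, so they can be pointed at Sysmon event ID 1/5 data or another sandbox's process table to spot the same relaunch pattern.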
Total events: 22 304
Read events: 22 034
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 64
Suspicious files: 87
Text files: 75
Unknown types: 21

Dropped files (PID, process, filename, type, hashes)

PID 3740, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3740.26688\Microsoft.CodeAnalysis.CSharp.pdb (binary)
  MD5: A98122874E2FF3CD6E6378BFE703A1E7
  SHA256: 810D3B427272E97806404359EA1D20EBF10C473B72E3F2B823101DEFED7003B8
PID 3740, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3740.26688\Microsoft.CodeAnalysis.pdb (binary)
  MD5: 13E36F552634395ED7D3F5B21B54037C
  SHA256: 3A5D2A21B207930DD9F3A3CACDB24461284828DF951FEF88B8964A553DC411DC
PID 3740, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3740.26688\Microsoft.CodeAnalysis.CSharp.xml (xml)
  MD5: C2BFE8D888685BCD19E9AAE5B04EA61C
  SHA256: 8501B3B28FB245FCF9604B67EAC1FA528717A9920172CBFA79CF3E478611EE45
PID 3740, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3740.26688\Microsoft.CodeAnalysis.xml (xml)
  MD5: B82470C782EABD9D3F092EE1E3B9D110
  SHA256: BC0E92D9A074985A65ED76F17D812FADCDB99A34E78BB879A4DBE3AAFAF915CE
PID 3740, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3740.26688\nhjj.pdb (pdb)
  MD5: 2F9015EF6A0CFDBE0D95CE8997AB5D29
  SHA256: 708AA936682CBB901DDB8D718FC7F670F486A36A4C3F4DCD869DC53F9BA2A46A
PID 3740, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3740.26688\System.Reflection.Metadata.xml (xml)
  MD5: DFC3787EACDA55856359EE7403552979
  SHA256: 4F809E9285F67D2B76DF26FB84D27ED20C1CD573A8804A5B076D146D7D8D844C
PID 3740, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3740.26688\cs\Microsoft.CodeAnalysis.CSharp.resources.dll (executable)
  MD5: C8AAC6A5B0EBBF6098B96963758684C6
  SHA256: 3E20DA06FD49B2F388198FE725878FD6F8CFA330CC34BCC7C00AFD981E6E6A4B
PID 3740, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3740.26688\cs\Microsoft.CodeAnalysis.resources.dll (executable)
  MD5: 5F409411204666BC1AF78F0EE0D57D9C
  SHA256: E9E762EAC8F66D93BA644E19DA627C4132CA015FDF032E474DDE9A75CE6C12F3
PID 3740, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3740.26688\es\Microsoft.CodeAnalysis.CSharp.resources.dll (executable)
  MD5: 0B5EC84B7957CB8C31DF0EDE4CF5F8E7
  SHA256: 518FA2EE48EB447D76D728483C2D87E415EB981B33B5452F7A928FAABB56987B
PID 3740, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3740.26688\System.Buffers.xml (xml)
  MD5: 1C55860DD93297A6EA2FAD2974834C3A
  SHA256: 2EC7FB12E11F9831E40524427F6D88A3C9FFDD56CCFA81D373467B75B479A578
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests
Connections: No data
DNS requests: No data
Threats: No threats detected
No debug info