File name: Downloads.zip
Full analysis: https://app.any.run/tasks/2d4f35ac-643d-4add-8f3c-2f5eeefd5017
Verdict: Malicious activity
Analysis date: May 21, 2022, 04:46:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 68A5E7CBEC87D70CAF80DBCA64BC6BBD
SHA1: 49AF73644B517B3670B24B54DA19883E9111AA01
SHA256: 8A9AB0F9D93CA38336C6D0DC2262E89F24E0896A5E6E7B543028D3E4AFF5E7E5
SSDEEP: 24576:CjJqrCUpT3E53Myyzl0hMf1tr7Caw8M0u:CjJqrft3EZpBh211Waw30u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after start
      • WinRAR.exe (PID: 2884)
    • Application was dropped or rewritten from another process
      • Adamerax.exe (PID: 3036)
  • SUSPICIOUS
    • Checks supported languages
      • WinRAR.exe (PID: 2884)
      • Adamerax.exe (PID: 3036)
    • Reads the computer name
      • WinRAR.exe (PID: 2884)
      • Adamerax.exe (PID: 3036)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 2884)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2884)
    • Reads mouse settings
      • Adamerax.exe (PID: 3036)
  • INFO
    • Manual execution by user
      • Adamerax.exe (PID: 3036)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: Adamerax.au3
ZipUncompressedSize: 123663
ZipCompressedSize: 123663
ZipCRC: 0xd382159a
ZipModifyDate: 2022:05:21 05:41:27
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph: start -> winrar.exe -> adamerax.exe

Process information

PID: 2884
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Downloads.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 3036
CMD: "C:\Users\admin\Desktop\Adamerax.exe"
Path: C:\Users\admin\Desktop\Adamerax.exe
Parent process: Explorer.EXE
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script
Version: 3, 3, 14, 5
Total events: 2 107
Read events: 2 019
Write events: 87
Delete events: 1

Modification events (registry writes)

(PID 2884) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(PID 2884) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(PID 2884) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID 2884) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID 2884) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID 2884) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\Downloads.zip
(PID 2884) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID 2884) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID 2884) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID 2884) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID 2884 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2884.8318\Adamerax.au3 | Type: text
MD5: BE030B440F009016E0D2A6208FD3C524
SHA256: 64DF1EECF9C4637ADBBB712267353E862E84A33B4383ADEEF7D1250C5027EF94

PID 2884 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2884.8318\Adamerax.exe.ad | Type: executable
MD5: C56B5F0201A3B3DE53E561FE76912BFD
SHA256: 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info