File name: CB-Keygen31.rar

Full analysis: https://app.any.run/tasks/20a0cdf8-c41e-4e5c-9605-62dabcbbfd5b
Verdict: Malicious activity
Analysis date: July 14, 2024, 21:04:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 85BEC0369134CBA764A518636695054B
SHA1: B82942ECC68BC1D8864A0263E7989D6B04D28652
SHA256: 8BB5D275C7CB2115514788C4545C4062FA8CC9A9B477649928BA305C7879EC34
SSDEEP: 98304:T+1a9KkbaValpZLTNIdZM9rTijpqo9r/zaV8HRmVZxeaRspcCES2MkoVM9kvpqqo:1rHIhitX
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 3400)
      • CB-Keygen.exe (PID: 3308)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • WinRAR.exe (PID: 3400)
      • CB-Keygen.exe (PID: 3308)
      • TaskShell.exe (PID: 3100)
    • Process drops legitimate windows executable
      • CB-Keygen.exe (PID: 3308)
    • The process creates files with name similar to system file names
      • CB-Keygen.exe (PID: 3308)
    • Executable content was dropped or overwritten
      • CB-Keygen.exe (PID: 3308)
    • The process executes VB scripts
      • CB-Keygen.exe (PID: 3308)
    • The process drops C-runtime libraries
      • CB-Keygen.exe (PID: 3308)
    • Reads the Internet Settings
      • CB-Keygen.exe (PID: 3308)
      • TaskShell.exe (PID: 3100)
      • wscript.exe (PID: 3208)
    • Starts a Microsoft application from unusual location
      • TaskShell.exe (PID: 3100)
    • Runs shell command (SCRIPT)
      • wscript.exe (PID: 3208)
    • Starts POWERSHELL.EXE for commands execution
      • TaskShell.exe (PID: 3100)
  • INFO
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3400)
    • Checks supported languages
      • CB-Keygen.exe (PID: 3308)
      • CB_KG.exe (PID: 2936)
      • TaskShell.exe (PID: 3100)
    • Create files in a temporary directory
      • CB-Keygen.exe (PID: 3308)
    • Reads the computer name
      • CB-Keygen.exe (PID: 3308)
      • TaskShell.exe (PID: 3100)
    • Reads Environment values
      • TaskShell.exe (PID: 3100)
    • Reads the machine GUID from the registry
      • TaskShell.exe (PID: 3100)
    • Script raised an exception (POWERSHELL)
      • powershell.exe (PID: 2940)
    • Disables trace logs
      • TaskShell.exe (PID: 3100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 1

Behavior graph

start → winrar.exe → cb-keygen.exe → wscript.exe (no specs) → cb_kg.exe (no specs), taskshell.exe → powershell.exe (no specs)

Process information

PID: 2936
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\CB_KG.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\CB_KG.exe
Parent process: wscript.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\cb_kg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2940
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com; Test-Connection yahoo.com; Test-Connection youtube.com; Test-Connection google.com
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: TaskShell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

PID: 3100
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\TaskShell.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\TaskShell.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Manager
Version: 10.0.22000.65
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\taskshell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3208
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\RarSFX0\sfdgdgfghdsertrgdfsfwrrerggr.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: CB-Keygen.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 3308
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3400.41737\CB-Keygen31\CB-Keygen\CB-Keygen.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3400.41737\CB-Keygen31\CB-Keygen\CB-Keygen.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3400.41737\cb-keygen31\cb-keygen\cb-keygen.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3400
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\CB-Keygen31.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 12 828
Read events: 12 772
Write events: 56
Delete events: 0

Modification events

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\CB-Keygen31.rar

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3400) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 7
Suspicious files: 3
Text files: 8
Unknown types: 0

Dropped files

PID: 3308 | Process: CB-Keygen.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\SView3.dll | Type: executable
MD5: 42C88D91B51436BB0D3D5B2F35FA73DE
SHA256: F8399BCD60601667B3A23BC6893F9D3E6B1683C53C8A3D39E92271F557F84E0A

PID: 3308 | Process: CB-Keygen.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\Messages\Deutsch\Countries.strings | Type: text
MD5: E831412DB1A96BBA8BEFA223EF2849D6
SHA256: 637829E1E9198E5ED1C6B6B2AB2D8E8FF7E9B0BD02005272FD56E6C48C093555

PID: 3308 | Process: CB-Keygen.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\Messages\English\Countries.strings | Type: text
MD5: 90B850C19BDFDA9A852A786878B31CB0
SHA256: C52A78C82F7EEDD0CE5BE7BC678837496632C9DFD53A965E29F90D4367C8D211

PID: 3308 | Process: CB-Keygen.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\Messages\Countries.inc | Type: text
MD5: 200710201C95F4E8A612299B132289DA
SHA256: A1FF5302B95A293433F77DB64B40F04A2BD6706521CF0A8702991D88378B015C

PID: 3308 | Process: CB-Keygen.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\Messages\English\Frame.strings | Type: text
MD5: E36408CB00A14AC57E433630F5183940
SHA256: 2C2FFC14CF941043059FED65DF26D7DFEE77950FB99096BA7A07EEDC4937C236

PID: 2940 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\bv3ugnq3.f3b.ps1 | Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

PID: 3308 | Process: CB-Keygen.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\msvcp140.dll | Type: executable
MD5: C092885EA11BD80D35CB55C7D488F1E2
SHA256: 885A0A146A83B0D5A19B88C4EB6372B648CFAED817BD31D8CD3FB91313DEA13D

PID: 3308 | Process: CB-Keygen.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll | Type: executable
MD5: 31CE620CB32AC950D31E019E67EFC638
SHA256: 1E0F8F7F13502F5CEE17232E9BEBCA7B44DD6EC29F1842BB61033044C65B2BBF

PID: 3308 | Process: CB-Keygen.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\Messages\Frame.inc | Type: text
MD5: 87EFF47C8E462AC2FDC5C1C78D2FDEFB
SHA256: E7CB8B1F5F5865EE029C792E7E9E7E8FC9B5ED6896F0E45B2F2563A0B9FB7EC1

PID: 3308 | Process: CB-Keygen.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\mfc140.dll | Type: executable
MD5: C594917D6C51B6696CAA3C707BC435BF
SHA256: 6E668ACF6F4FC3FBED14C89CFA80AE38E49B09AC9035DF698C191A217C6D0BC0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 4
TCP/UDP connections: 13
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1372 | svchost.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1372 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1060 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?67a3611ec3c0260d | unknown | | | whitelisted
1372 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 224.0.0.252:5355 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1372 | svchost.exe | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2564 | svchost.exe | 239.255.255.250:3702 | | | | whitelisted
1372 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1372 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
1372 | svchost.exe | 23.48.23.164:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown

DNS requests

Domain | IP | Reputation
google.com | 142.250.181.238 | whitelisted
yahoo.com | 74.6.143.26, 74.6.231.21, 74.6.143.25, 98.137.11.164, 98.137.11.163, 74.6.231.20 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240, 199.232.214.172, 199.232.210.172 | whitelisted
crl.microsoft.com | 23.48.23.164, 23.48.23.193, 23.48.23.141, 23.48.23.162, 23.48.23.194, 23.48.23.176, 23.48.23.158, 23.48.23.169, 23.48.23.156 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
youtube.com | 142.250.185.206 | whitelisted
taskmgrdev.com | | unknown

Threats

No threats detected
Debug info: none