File name: IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.uue

Full analysis: https://app.any.run/tasks/827fbd7d-017f-418d-a7f9-f6bdd034c74c
Verdict: Malicious activity
Analysis date: February 21, 2020, 19:05:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 3AEE9BDF92C0F5CF7C496F9B7B94CA7F
SHA1: 11E45C38F139625B5E40A13002BBFEE9F9387242
SHA256: 8C672076E07537C4256B468AAE7533FE1917B2CD7BDA5A9FA22959D4731199C6
SSDEEP: 3072:7WexA+YwgeyiWU0bMBHav22+q125bvHaqzRRO2BPe8JM:FA+PgOWUoMNY22+l5hK2BPe8q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe (PID: 4092)
      • IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe (PID: 3032)
    • Application was dropped or rewritten from another process

      • IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe (PID: 4092)
      • calc.exe (PID: 1832)
      • IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe (PID: 3032)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2892)
      • IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe (PID: 3032)
    • Creates files in the user directory

      • IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe (PID: 3032)
    • Connects to unusual port

      • IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe (PID: 4092)
    • Starts CMD.EXE for commands execution

      • IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe (PID: 3032)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 179178
UncompressedSize: 352256
OperatingSystem: Win32
ModifyDate: 2020:02:19 08:13:08
PackingMethod: Normal
ArchivedFileName: IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe
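The sample is named .uue, but the MIME type, the file-info line and TRiD all identify a RAR v4 archive whose single member is an executable carrying an "IMG-" prefix. The Python below is an added triage helper written for this page, not part of the ANY.RUN report: it identifies the container by its magic bytes, reports when the file extension promises a different format, and flags archive members that are executables dressed up as images or documents. The signature table, the extension-to-format map and the lure-name heuristics are the editor's assumptions, not data from the report.

```python
import os
import re

# Magic bytes checked at offset 0 (editor's table, not from the report).
MAGIC = [
    (b"Rar!\x1a\x07\x01\x00", "rar5"),
    (b"Rar!\x1a\x07\x00", "rar4"),
    (b"PK\x03\x04", "zip"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"MZ", "pe"),
]

# What each extension promises the content to be.
EXT_CLAIMS = {
    ".rar": {"rar4", "rar5"},
    ".zip": {"zip"},
    ".7z": {"7z"},
    ".uue": {"uue"},
    ".uu": {"uue"},
    ".exe": {"pe"},
    ".scr": {"pe"},
}

# Extensions Windows will execute when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".hta", ".ps1"}


def identify(data: bytes) -> str:
    """Identify a blob by magic bytes; UUencode is text starting 'begin <mode> <name>'."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    if re.match(rb"begin [0-7]{3,4} ", data[:32]):
        return "uue"
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (claimed formats, actual format) when the name lies about the content, else None."""
    ext = os.path.splitext(filename)[1].lower()
    actual = identify(data)
    claimed = EXT_CLAIMS.get(ext)
    if claimed is None or actual in claimed:
        return None
    return (sorted(claimed), actual)


def disguised_executable(member_name: str) -> bool:
    """Archive member that runs as code but is named like a picture or document.

    Heuristics (assumed): an executable extension combined with an IMG-/photo-style
    prefix, or a fake document/image extension placed before the real one.
    """
    base = os.path.basename(member_name)
    ext = os.path.splitext(base)[1].lower()
    if ext not in EXECUTABLE_EXTS:
        return False
    stem = base[: -len(ext)].lower()
    if re.match(r"^(img|image|foto|photo|scan|dsc)[-_ ]", stem):
        return True
    if re.search(r"\.(pdf|docx?|xlsx?|jpe?g|png|gif|txt)$", stem):
        return True
    return False


if __name__ == "__main__":
    # Constructed stand-in for the sample: a RAR v4 header under a .uue name.
    blob = b"Rar!\x1a\x07\x00" + b"\x00" * 16
    print(identify(blob))
    print(extension_mismatch("IMG-827364 CONFIRMACION.uue", blob))
    print(disguised_executable("IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe"))
```

On a mail gateway or in a triage script, a non-None result from extension_mismatch on an attachment, combined with disguised_executable on the archive listing, catches this lure before anyone opens it in WinRAR.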
Total processes: 41
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 1

Behavior graph (process tree, rebuilt from the process table below)

explorer.exe
└─ WinRAR.exe (PID 2892)
   ├─ IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe (PID 3032)  [drop and start]
   │  └─ cmd.exe (PID 1492, no specs)  runs C:\Users\admin\AppData\Local\Temp\tmpD961.tmp.bat
   │     ├─ timeout.exe (PID 2500, no specs)
   │     └─ calc.exe (PID 1832, no specs)  [drop and start]
   └─ IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe (PID 4092)  [start]

Process information

PID 1492
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\tmpD961.tmp.bat""
Path: C:\Windows\system32\cmd.exe
Parent process: IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID 1832
CMD: "C:\Users\admin\AppData\Roaming\calc.exe"
Path: C:\Users\admin\AppData\Roaming\calc.exe
Parent process: cmd.exe
Note: this is not the Windows Calculator. It runs from the user's roaming profile, carries no Company or Description metadata, reports version 1.0.0.0, loads mscoree.dll (a managed .NET image), and was written to disk by PID 3032 (see Dropped files).
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\calc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 2500
CMD: timeout 3
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
PID 2892
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.uue.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID 3032
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.43316\IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.43316\IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2892.43316\img-827364 confirmacion de transaccion mismo titular banco agrario de colombia.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID 4092
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.44388\IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.44388\IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2892.44388\img-827364 confirmacion de transaccion mismo titular banco agrario de colombia.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 479
Read events: 443
Write events: 36
Delete events: 0

Modification events

All registry writes listed in this excerpt come from WinRAR (PID 2892) and are its own interface, history and zone-map settings. The autorun write flagged under MALICIOUS for PIDs 3032 and 4092 is not part of this excerpt; the full report carries it.

(2892) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
  Operation: write  Name: ShellExtBMP  Value: (blank)

(2892) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
  Operation: write  Name: ShellExtIcon  Value: (blank)

(2892) WinRAR.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
  Operation: write  Name: LanguageList  Value: en-US

(2892) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write  Name: 0  Value: C:\Users\admin\AppData\Local\Temp\IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.uue.rar

(2892) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write  Name: name  Value: 120

(2892) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write  Name: size  Value: 80

(2892) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write  Name: type  Value: 120

(2892) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write  Name: mtime  Value: 100

(2892) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write  Name: UNCAsIntranet  Value: 0

(2892) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write  Name: AutoDetect  Value: 1
Executable files: 3
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID 3032  IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe
  -> C:\Users\admin\AppData\Roaming\calc.exe  (type not given)
PID 2892  WinRAR.exe
  -> C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.43316\IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe  (executable)
PID 3032  IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe
  -> C:\Users\admin\AppData\Local\sZqwQR\sZqwQRlus.hta  (html)
PID 3032  IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe
  -> C:\Users\admin\AppData\Local\sZqwQR\sZqwQ.vbs  (text)
PID 3032  IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe
  -> C:\Users\admin\AppData\Local\Temp\tmpD961.tmp.bat  (text)
PID 2892  WinRAR.exe
  -> C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.44388\IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe  (executable)
PID 3032  IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe
  -> C:\Users\admin\AppData\Local\sZqwQR\sZqwQ.exe  (executable)

MD5 and SHA256 values for the dropped files are not included in this excerpt.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 1

HTTP requests

No HTTP requests

Connections

PID 4092  IMG-827364 CONFIRMACION DE TRANSACCION MISMO TITULAR BANCO AGRARIO DE COLOMBIA.exe
  IP:port: 181.141.0.182:1881
  Domain: fghff.duckdns.org
  ASN: EPM Telecomunicaciones S.A. E.S.P.
  CN: CO
  Reputation: malicious

DNS requests

fghff.duckdns.org -> 181.141.0.182  (reputation: malicious)

Threats

PID 1052  svchost.exe
  Class: Misc activity
  Message: ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

The alert is attributed to svchost.exe rather than to PID 4092 because on Windows the DNS Client service, hosted in svchost.exe, issues the query on behalf of the requesting process; correlate by the resolved name (fghff.duckdns.org) and the follow-on connection from PID 4092 to 181.141.0.182:1881.
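The process table, dropped-file list and network section above describe one chain: WinRAR starts the extracted executable, which drops a batch file and a fake calc.exe under the user profile, runs the batch through cmd.exe (timeout 3, then calc.exe), and resolves a duckdns.org host before connecting to it on port 1881. The Python below is an added detection example written for this page, not ANY.RUN's own logic: it walks constructed process, file and network events shaped like this report and emits one finding per matched behaviour. The event field names, the archiver and dynamic-DNS lists, and the port allow-list are the editor's assumptions; the sample events are constructed to mirror the report, with the long lure file name shortened to lure.exe.

```python
import re
from dataclasses import dataclass
from typing import List


# Constructed telemetry shapes (assumed field names, not ANY.RUN's schema).
@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the started image
    cmdline: str
    parent_image: str   # name or full path of the parent image


@dataclass
class FileEvent:
    pid: int
    path: str           # file written by pid


@dataclass
class NetEvent:
    pid: int
    domain: str
    ip: str
    port: int


ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe", "winzip32.exe"}          # assumed
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")    # assumed, not exhaustive
WINDOWS_BINARY_NAMES = {"calc.exe", "svchost.exe", "explorer.exe", "lsass.exe", "notepad.exe"}
EXPECTED_PORTS = {80, 443, 53, 25, 587, 465, 993, 995, 22, 21}              # assumed baseline
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\temp\\")


def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(procs: List[ProcEvent], files: List[FileEvent], net: List[NetEvent]) -> List[str]:
    """Return one finding per matched behaviour; an empty list means nothing matched."""
    findings = []
    dropped = {f.path.lower() for f in files}
    for p in procs:
        img, name, parent = p.image.lower(), _name(p.image), _name(p.parent_image)
        # 1. An archiver launching an executable from its own extraction temp directory.
        if parent in ARCHIVERS and "\\rar$ex" in img and name.endswith(".exe"):
            findings.append(f"pid {p.pid}: {parent} ran extracted executable {name}")
        # 2. cmd.exe executing a freshly dropped %TEMP%\tmpXXXX.tmp.bat.
        if name == "cmd.exe":
            m = re.search(r'"?([a-z]:\\[^"]*?\\tmp[0-9a-f]+\.tmp\.bat)"?', p.cmdline, re.I)
            if m and m.group(1).lower() in dropped:
                findings.append(f"pid {p.pid}: cmd.exe ran dropped batch script {_name(m.group(1))}")
        # 3. A binary named like a Windows utility running from a user-writable path.
        if name in WINDOWS_BINARY_NAMES and any(d in img for d in USER_WRITABLE):
            tag = "dropped copy" if img in dropped else "unexpected location"
            findings.append(f"pid {p.pid}: {name} ({tag}) started from {p.image}")
    for n in net:
        dom = n.domain.lower()
        if dom.endswith(DYNDNS_SUFFIXES):
            findings.append(f"pid {n.pid}: dynamic-DNS resolution {dom} -> {n.ip}")
        if n.port not in EXPECTED_PORTS:
            findings.append(f"pid {n.pid}: connection to non-standard port {n.ip}:{n.port}")
    return findings


# Constructed sample mirroring the chain in this report (lure name shortened).
SAMPLE_PROCS = [
    ProcEvent(2892, r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\lure.uue.rar"',
              "explorer.exe"),
    ProcEvent(3032, r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.43316\lure.exe",
              r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.43316\lure.exe"', "WinRAR.exe"),
    ProcEvent(1492, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\admin\AppData\Local\Temp\tmpD961.tmp.bat""',
              r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.43316\lure.exe"),
    ProcEvent(2500, r"C:\Windows\system32\timeout.exe", "timeout 3", "cmd.exe"),
    ProcEvent(1832, r"C:\Users\admin\AppData\Roaming\calc.exe",
              r'"C:\Users\admin\AppData\Roaming\calc.exe"', "cmd.exe"),
]
SAMPLE_FILES = [
    FileEvent(3032, r"C:\Users\admin\AppData\Roaming\calc.exe"),
    FileEvent(3032, r"C:\Users\admin\AppData\Local\Temp\tmpD961.tmp.bat"),
]
SAMPLE_NET = [NetEvent(4092, "fghff.duckdns.org", "181.141.0.182", 1881)]

if __name__ == "__main__":
    for line in triage(SAMPLE_PROCS, SAMPLE_FILES, SAMPLE_NET):
        print(line)
```

Each rule is weak on its own (users do run cmd.exe, and some software legitimately lives under AppData), which is why the example keys rule 2 and rule 3 on the file having been written by a monitored process in the same session; on real EDR data the same join is what separates this chain from background noise.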