File name: Megaskin_1.rar

Full analysis: https://app.any.run/tasks/1e74c754-bbf1-4d85-a562-22f6bfbf55a3
Verdict: Malicious activity
Analysis date: October 14, 2019, 20:34:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 22381C4F392843C19948254A19AFF6E2
SHA1: 6F9598FAEB50665049EC3393480374C9BCB8D7DC
SHA256: 8E0BB0591BBD77925EFD4AE3AF225633AD25CC03E97521E710F98795CEAFFE82
SSDEEP: 24576:DPcRoDhZD9COs9qqIqLRBlk9n7tciuiSfR1Z3VkCFwAPui:DPcRShV7HvkRBqeJjR1RVkCSAPn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • MegaSkin.exe (PID: 1852)
      • MegaSkin.exe (PID: 3096)
    • Loads dropped or rewritten executable
      • MegaSkin.exe (PID: 3096)
    • Changes settings of System certificates
      • MegaSkin.exe (PID: 3096)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2112)
    • Reads Environment values
      • MegaSkin.exe (PID: 3096)
    • Reads Internet Cache Settings
      • MegaSkin.exe (PID: 3096)
    • Adds / modifies Windows certificates
      • MegaSkin.exe (PID: 3096)
  • INFO
    • Manual execution by user
      • NOTEPAD.EXE (PID: 856)
    • Reads settings of System Certificates
      • MegaSkin.exe (PID: 3096)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 43
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

[Graph image in the full report: winrar.exe -> drop and start -> megaskin.exe; winrar.exe -> drop and start -> megaskin.exe (no specs); explorer.exe -> start -> notepad.exe (no specs)]

Process information

PID: 2112
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Megaskin_1.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 1852
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2112.30125\Megaskin\MegaSkin.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2112.30125\Megaskin\MegaSkin.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Description: MegaSkin
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.0

PID: 3096
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2112.30125\Megaskin\MegaSkin.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2112.30125\Megaskin\MegaSkin.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: HIGH
Description: MegaSkin
Version: 1.0.0.0

PID: 856
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\combo.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Total events: 1 188
Read events: 1 025
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 3
Suspicious files: 5
Text files: 1
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3096 | MegaSkin.exe | C:\Users\admin\AppData\Local\Temp\CabB8B7.tmp | - | - | -
3096 | MegaSkin.exe | C:\Users\admin\AppData\Local\Temp\TarB8B8.tmp | - | - | -
3096 | MegaSkin.exe | C:\Users\admin\AppData\Local\Temp\CabB8E7.tmp | - | - | -
3096 | MegaSkin.exe | C:\Users\admin\AppData\Local\Temp\TarB8E8.tmp | - | - | -
3096 | MegaSkin.exe | C:\Users\admin\AppData\Local\Temp\CabB966.tmp | - | - | -
3096 | MegaSkin.exe | C:\Users\admin\AppData\Local\Temp\TarB977.tmp | - | - | -
3096 | MegaSkin.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | compressed | 93871E1433144C58CAB0DEDDD1D46925 | 3193F3035A4F457D66BAB3048880AAC2EB8557027F6373E606D4621609AF1068
856 | NOTEPAD.EXE | C:\Users\admin\Desktop\combo.txt | text | 802DF11C6338A1FA55F46EFC11784DF0 | B4495E15C1B59044183DB44085A062BDC14965AF33DB427A5C47B8F87A594489
2112 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2112.30125\Megaskin\MegaSkin.exe | executable | 281BF428DF89623D3B5F455DC6BB3F5F | C63DD082907097F7EB8F5532E8575D18B4ABC3403F6CC32512B478D58D8DC651
3096 | MegaSkin.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416 | binary | E4E46D7D8D2BF56044EA1A80B4945292 | 062DFAF7B80AFB0853E9D39090BAE9398CF425A424FE74C9C3692D0B6ACF305F
HTTP(S) requests: 2
TCP/UDP connections: 42
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3096 | MegaSkin.exe | GET | 200 | 205.185.216.42:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 57.0 Kb | whitelisted
3096 | MegaSkin.exe | GET | 200 | 13.35.254.82:80 | http://x.ss2.us/x.cer | US | der | 1.27 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3096 | MegaSkin.exe | 205.185.216.42:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted
3096 | MegaSkin.exe | 3.223.122.20:443 | account-public-service-prod03.ol.epicgames.com | - | US | unknown
3096 | MegaSkin.exe | 13.35.254.82:80 | x.ss2.us | - | US | suspicious
- | - | 3.223.122.20:443 | account-public-service-prod03.ol.epicgames.com | - | US | unknown

DNS requests

Domain | IP | Reputation
account-public-service-prod03.ol.epicgames.com | 3.223.122.20, 54.84.53.231, 107.22.123.15, 54.84.157.57, 54.210.61.39, 54.84.183.247, 54.85.38.98, 3.208.250.126 | suspicious
x.ss2.us | 13.35.254.82, 13.35.254.34, 13.35.254.176, 13.35.254.54 | whitelisted
www.download.windowsupdate.com | 205.185.216.42, 205.185.216.10 | whitelisted

Threats

No threats detected
No debug info