File name: KRNLWRD.rar
Full analysis: https://app.any.run/tasks/8b19ca68-4fad-446b-993c-7570e2369c58
Verdict: Malicious activity
Analysis date: November 29, 2020, 20:58:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 49115182E3BF2F393B8A4701E0F8B282
SHA1: 80497BF9CF7BDEF09BB37254D3F66B656A217EBB
SHA256: 911B0A7A9DC23DD67069EB5AD1931967B3C676A5DFD60ED2B241A73759CFFB5D
SSDEEP: 196608:OYrQxWjTK092F9okBeR5e4xPkHRowREe3HJX0AX32wRi4/U7G0Wjvp9jVkVsbv6x:OYrQxWju0YjokBea4xPcR1T3GymiiU0Z

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been influenced by the analyst's actions in the VM and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • krnl.exe (PID: 3668)
      • krnl.exe (PID: 656)
      • krnl.exe (PID: 2800)
      • krnl.exe (PID: 2476)
    • Loads dropped or rewritten executable

      • krnl.exe (PID: 656)
      • krnl.exe (PID: 2800)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2804)
      • krnl.exe (PID: 656)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 2804)
      • krnl.exe (PID: 656)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2804)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

explorer.exe starts winrar.exe; winrar.exe drops and starts krnl.exe four times (two of the krnl.exe nodes carry no specs). The interactive graph is available in the full report.

Process information

PID 2804  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\KRNLWRD.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 3668  "C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.36038\KRNLWRD\krnl.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.36038\KRNLWRD\krnl.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: MEDIUM
  Description: krnlss
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 1.0.0.0

PID 656  "C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.36038\KRNLWRD\krnl.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.36038\KRNLWRD\krnl.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: HIGH
  Description: krnlss
  Exit code: 1
  Version: 1.0.0.0

PID 2476  "C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.38668\KRNLWRD\krnl.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.38668\KRNLWRD\krnl.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: MEDIUM
  Description: krnlss
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 1.0.0.0

PID 2800  "C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.38668\KRNLWRD\krnl.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.38668\KRNLWRD\krnl.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: HIGH
  Description: krnlss
  Exit code: 1
  Version: 1.0.0.0

Note on the exit codes: the decimal value 3221226540 is the NTSTATUS 0xC000042C, STATUS_ELEVATION_REQUIRED. Each krnl.exe that WinRAR.exe first starts at MEDIUM integrity (PIDs 3668 and 2476) is terminated by the loader with that status because the executable's manifest requests elevation; the same image is then relaunched by WinRAR.exe at HIGH integrity (PIDs 656 and 2800) once the UAC prompt is accepted. The two distinct Rar$EXa2804.* scratch directories show that the archive entry was opened twice from inside WinRAR, which is why every process and dropped file appears in pairs.
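As an added example (not ANY.RUN code and not part of the original report), the following Python script applies two checks a detection engineer would want over a process list like the one above: it decodes the decimal exit codes into NTSTATUS values, flags executables that WinRAR.exe launched straight out of its Rar$EX scratch directory, and pairs each MEDIUM-integrity launch that died with STATUS_ELEVATION_REQUIRED with the HIGH-integrity relaunch of the same image. The process records are transcribed from the table above; the `Proc` class, the `WINRAR_TEMP` pattern and the function names are this example's own.

```python
"""Added example: UAC-elevation retry and WinRAR scratch-dir execution in a sandbox
process list.  Not ANY.RUN code; records are transcribed from the report above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NTSTATUS value from ntstatus.h; sandboxes usually print it as an unsigned decimal.
STATUS_ELEVATION_REQUIRED = 0xC000042C
NTSTATUS_NAMES = {STATUS_ELEVATION_REQUIRED: "STATUS_ELEVATION_REQUIRED"}

# Files WinRAR opens "inside" an archive are unpacked to %TEMP%\Rar$EX<letter><pid>.<n>\
WINRAR_TEMP = re.compile(r"\\AppData\\Local\\Temp\\Rar\$EX[a-z]\d+\.\d+\\", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    image: str                 # full path of the executable
    parent: str                # parent image name as the report shows it
    integrity: str             # MEDIUM / HIGH
    exit_code: Optional[int]   # None when the report gives none


# Constructed sample input: the five processes from the "Process information" table.
PROCESSES: List[Proc] = [
    Proc(2804, r"C:\Program Files\WinRAR\WinRAR.exe", "explorer.exe", "MEDIUM", None),
    Proc(3668, r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.36038\KRNLWRD\krnl.exe", "WinRAR.exe", "MEDIUM", 3221226540),
    Proc(656,  r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.36038\KRNLWRD\krnl.exe", "WinRAR.exe", "HIGH", 1),
    Proc(2476, r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.38668\KRNLWRD\krnl.exe", "WinRAR.exe", "MEDIUM", 3221226540),
    Proc(2800, r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.38668\KRNLWRD\krnl.exe", "WinRAR.exe", "HIGH", 1),
]


def decode_exit_code(code: int) -> Tuple[str, str]:
    """Map a decimal exit code to (hex NTSTATUS, symbolic name or 'unknown')."""
    code &= 0xFFFFFFFF
    return f"0x{code:08X}", NTSTATUS_NAMES.get(code, "unknown")


def from_winrar_temp(p: Proc) -> bool:
    """True when WinRAR started an executable straight from its extraction scratch dir."""
    return p.parent.lower() == "winrar.exe" and bool(WINRAR_TEMP.search(p.image))


def elevation_retries(procs: List[Proc]) -> List[Tuple[int, int]]:
    """Pair each MEDIUM launch that died with STATUS_ELEVATION_REQUIRED with the HIGH
    relaunch of the same image by the same parent (the UAC consent path)."""
    pairs: List[Tuple[int, int]] = []
    used = set()
    for failed in procs:
        if failed.integrity != "MEDIUM" or failed.exit_code != STATUS_ELEVATION_REQUIRED:
            continue
        for high in procs:
            if (high.pid not in used and high.integrity == "HIGH"
                    and high.image.lower() == failed.image.lower()
                    and high.parent.lower() == failed.parent.lower()):
                pairs.append((failed.pid, high.pid))
                used.add(high.pid)
                break
    return pairs


if __name__ == "__main__":
    for p in PROCESSES:
        if p.exit_code is not None:
            print(p.pid, p.integrity, *decode_exit_code(p.exit_code))
    print("started from WinRAR scratch dir:", [p.pid for p in PROCESSES if from_winrar_temp(p)])
    print("elevation retries (medium pid -> high pid):", elevation_retries(PROCESSES))
```

The pairing deliberately requires the same image path and the same parent: a HIGH-integrity process of a different binary, or one started by consent.exe's target through another route, would not be mistaken for the relaunch.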
Total events: 461
Read events: 441
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 11
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID   Process     Type        Filename / hashes
2804  WinRAR.exe  executable  C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.36038\KRNLWRD\Indicium-Supra.dll
                              MD5:    A2B0D88EB999664799E5263C055B90DA
                              SHA256: CB9F94AC4F4E2BB1576B7178FDD68035067F5836996CB2ADEF2CAB4E7F192CBC
2804  WinRAR.exe  executable  C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.38668\KRNLWRD\Indicium-Supra.dll
                              MD5:    A2B0D88EB999664799E5263C055B90DA
                              SHA256: CB9F94AC4F4E2BB1576B7178FDD68035067F5836996CB2ADEF2CAB4E7F192CBC
2804  WinRAR.exe  executable  C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.36038\KRNLWRD\krnl.dll
                              MD5:    B00B14D56A6CAF1304136C72F2867B9F
                              SHA256: 5B4DAAC49CFC5380882979DFD985137E1D8C7146B9D6FC3B34C8057FE4C394A6
2804  WinRAR.exe  executable  C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.36038\KRNLWRD\Bunifu_UI_v1.5.3.dll
                              MD5:    2ECB51AB00C5F340380ECF849291DBCF
                              SHA256: F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
2804  WinRAR.exe  executable  C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.36038\KRNLWRD\krnl.exe
                              MD5:    6B227D7255696FA1873148316D5D58F9
                              SHA256: FEB7669B2D21C3158805A30BAD366334F9599DE86FC63B502EE8A4294260C9CA
2804  WinRAR.exe  executable  C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.38668\KRNLWRD\krnl.exe
                              MD5:    6B227D7255696FA1873148316D5D58F9
                              SHA256: FEB7669B2D21C3158805A30BAD366334F9599DE86FC63B502EE8A4294260C9CA
2804  WinRAR.exe  executable  C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.38668\KRNLWRD\krnl.dll
                              MD5:    B00B14D56A6CAF1304136C72F2867B9F
                              SHA256: 5B4DAAC49CFC5380882979DFD985137E1D8C7146B9D6FC3B34C8057FE4C394A6
2804  WinRAR.exe  executable  C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.38668\KRNLWRD\Bunifu_UI_v1.5.3.dll
                              MD5:    2ECB51AB00C5F340380ECF849291DBCF
                              SHA256: F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
2804  WinRAR.exe  executable  C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.36038\KRNLWRD\ScintillaNET.dll
                              MD5:    9166536C31F4E725E6BEFE85E2889A4B
                              SHA256: AD0CC5A4D4A6AAE06EE360339C851892B74B8A275CE89C1B48185672179F3163
2804  WinRAR.exe  executable  C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.38668\KRNLWRD\ScintillaNET.dll
                              MD5:    9166536C31F4E725E6BEFE85E2889A4B
                              SHA256: AD0CC5A4D4A6AAE06EE360339C851892B74B8A275CE89C1B48185672179F3163
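The table lists every file twice because the archive was opened twice and WinRAR unpacked into two scratch directories. As an added example (not ANY.RUN code and not part of the report), the script below turns the rows into a de-duplicated IOC set keyed on SHA-256, cross-checks that no SHA-256 is paired with two different MD5s (which would indicate a transcription error), counts the distinct Rar$EX extraction directories, and emits the hashes in the two-space format that `sha256sum -c` reads so a retrieved sample set can be verified offline. The row tuples are transcribed from the table above; the function names and the `RAR_SCRATCH` pattern are this example's own.

```python
"""Added example: collapse the dropped-files table into a unique IOC list.
Not ANY.RUN code; rows are transcribed from the report above."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: (pid, process, path, md5, sha256) from the "Dropped files" table.
T36 = r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.36038\KRNLWRD"
T38 = r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2804.38668\KRNLWRD"
DROPPED: List[Tuple[int, str, str, str, str]] = [
    (2804, "WinRAR.exe", T36 + r"\Indicium-Supra.dll", "A2B0D88EB999664799E5263C055B90DA",
     "CB9F94AC4F4E2BB1576B7178FDD68035067F5836996CB2ADEF2CAB4E7F192CBC"),
    (2804, "WinRAR.exe", T38 + r"\Indicium-Supra.dll", "A2B0D88EB999664799E5263C055B90DA",
     "CB9F94AC4F4E2BB1576B7178FDD68035067F5836996CB2ADEF2CAB4E7F192CBC"),
    (2804, "WinRAR.exe", T36 + r"\krnl.dll", "B00B14D56A6CAF1304136C72F2867B9F",
     "5B4DAAC49CFC5380882979DFD985137E1D8C7146B9D6FC3B34C8057FE4C394A6"),
    (2804, "WinRAR.exe", T36 + r"\Bunifu_UI_v1.5.3.dll", "2ECB51AB00C5F340380ECF849291DBCF",
     "F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF"),
    (2804, "WinRAR.exe", T36 + r"\krnl.exe", "6B227D7255696FA1873148316D5D58F9",
     "FEB7669B2D21C3158805A30BAD366334F9599DE86FC63B502EE8A4294260C9CA"),
    (2804, "WinRAR.exe", T38 + r"\krnl.exe", "6B227D7255696FA1873148316D5D58F9",
     "FEB7669B2D21C3158805A30BAD366334F9599DE86FC63B502EE8A4294260C9CA"),
    (2804, "WinRAR.exe", T38 + r"\krnl.dll", "B00B14D56A6CAF1304136C72F2867B9F",
     "5B4DAAC49CFC5380882979DFD985137E1D8C7146B9D6FC3B34C8057FE4C394A6"),
    (2804, "WinRAR.exe", T38 + r"\Bunifu_UI_v1.5.3.dll", "2ECB51AB00C5F340380ECF849291DBCF",
     "F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF"),
    (2804, "WinRAR.exe", T36 + r"\ScintillaNET.dll", "9166536C31F4E725E6BEFE85E2889A4B",
     "AD0CC5A4D4A6AAE06EE360339C851892B74B8A275CE89C1B48185672179F3163"),
    (2804, "WinRAR.exe", T38 + r"\ScintillaNET.dll", "9166536C31F4E725E6BEFE85E2889A4B",
     "AD0CC5A4D4A6AAE06EE360339C851892B74B8A275CE89C1B48185672179F3163"),
]

# WinRAR's per-open scratch directory name: Rar$EX<letter><pid>.<n>
RAR_SCRATCH = re.compile(r"Rar\$EX[a-z]\d+\.\d+", re.IGNORECASE)


def unique_iocs(rows) -> Dict[str, dict]:
    """One record per distinct SHA-256, keeping every path the file was written to.
    The same SHA-256 with two different MD5s cannot happen for one file, so treat it as
    a mis-transcribed table and fail loudly instead of emitting a bad indicator."""
    out: Dict[str, dict] = {}
    for _pid, _proc, path, md5, sha256 in rows:
        sha256, md5 = sha256.lower(), md5.lower()
        rec = out.setdefault(sha256, {"md5": md5, "name": path.rsplit("\\", 1)[-1], "paths": []})
        if rec["md5"] != md5:
            raise ValueError(f"hash mismatch for {sha256}: {rec['md5']} vs {md5}")
        rec["paths"].append(path)
    return out


def extraction_dirs(rows) -> List[str]:
    """Distinct WinRAR scratch directories; each one is a separate open-from-archive action."""
    dirs = set()
    for _pid, _proc, path, _md5, _sha256 in rows:
        m = RAR_SCRATCH.search(path)
        if m:
            dirs.add(m.group(0))
    return sorted(dirs)


def sha256sum_lines(iocs: Dict[str, dict]) -> List[str]:
    """Lines in the format `sha256sum -c` accepts (hash, two spaces, file name)."""
    return sorted(f"{sha}  {rec['name']}" for sha, rec in iocs.items())


if __name__ == "__main__":
    iocs = unique_iocs(DROPPED)
    print(f"{len(DROPPED)} rows -> {len(iocs)} unique files; "
          f"extraction dirs: {extraction_dirs(DROPPED)}")
    print("\n".join(sha256sum_lines(iocs)))
```

Redirect the last print into a file and run `sha256sum -c` against a directory of recovered samples to confirm they are the same bytes the sandbox saw.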
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info