File name:

soft_analysis.zip

Full analysis: https://app.any.run/tasks/f24716a5-7d49-4f3a-9945-c856265662a0
Verdict: Malicious activity
Analysis date: June 12, 2024, 09:30:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v4.5 to extract, compression method=deflate
MD5:

B0B98F1BC3B026CCBA20AC07A6F44152

SHA1:

3988D78F54006132B271DAADBC8EDE1178891B02

SHA256:

9198CEAB0FDE4A20B6D50694C455DB3D8F85DC5F1626B6732A20FEF9FF175035

SSDEEP:

98304:XsWEbsAE4LWx3fv24pCXP9qq8PDrCGwPQgWx8N3uwaps14LXihck/ikMSrQmumT8:wGEVu/al7ULa6YE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts Visual C# compiler

      • sdiagnhost.exe (PID: 2476)

    • Drops the executable file immediately after the start

      • csc.exe (PID: 2188)
      • csc.exe (PID: 1888)
      • csc.exe (PID: 1408)

  • SUSPICIOUS

    • Probably uses Microsoft diagnostics tool to execute malicious payload

      • pcwrun.exe (PID: 2452)

    • Reads the Internet Settings

      • sdiagnhost.exe (PID: 2476)
      • msdt.exe (PID: 2480)

    • Uses .NET C# to load dll

      • sdiagnhost.exe (PID: 2476)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 1888)
      • csc.exe (PID: 2188)
      • csc.exe (PID: 1408)

    • Uses RUNDLL32.EXE to load library

      • msdt.exe (PID: 2480)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3972)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3972)
      • msdt.exe (PID: 2480)

    • Manual execution by a user

      • pcwrun.exe (PID: 2452)

    • Create files in a temporary directory

      • pcwrun.exe (PID: 2452)
      • msdt.exe (PID: 2480)
      • sdiagnhost.exe (PID: 2476)
      • csc.exe (PID: 1888)
      • cvtres.exe (PID: 1868)
      • csc.exe (PID: 2188)
      • cvtres.exe (PID: 856)
      • cvtres.exe (PID: 2612)
      • csc.exe (PID: 1408)

    • Reads security settings of Internet Explorer

      • msdt.exe (PID: 2480)
      • sdiagnhost.exe (PID: 2476)

    • Reads the software policy settings

      • msdt.exe (PID: 2480)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 1888)
      • cvtres.exe (PID: 1868)
      • csc.exe (PID: 2188)
      • cvtres.exe (PID: 856)
      • cvtres.exe (PID: 2612)
      • csc.exe (PID: 1408)

    • Checks supported languages

      • csc.exe (PID: 1888)
      • cvtres.exe (PID: 1868)
      • csc.exe (PID: 2188)
      • cvtres.exe (PID: 856)
      • csc.exe (PID: 1408)
      • cvtres.exe (PID: 2612)

    • Creates files or folders in the user directory

      • msdt.exe (PID: 2480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0801
ZipCompression: Deflated
ZipModifyDate: 1980:00:00 00:00:00
ZipCRC: 0x1204ac8d
ZipCompressedSize: 6784090
ZipUncompressedSize: 6944356
ZipFileName: Device/HarddiskVolume3/Cadence/SPB_23.1/tools/bin/relpn.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
56
Monitored processes
14
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe pcwrun.exe no specs msdt.exe no specs sdiagnhost.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
856C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES1660.tmp" "c:\Users\admin\AppData\Local\Temp\CSC164F.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.5003 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
1408"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\c-vu3sf7.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
sdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1868C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES16FC.tmp" "c:\Users\admin\AppData\Local\Temp\CSC16EB.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.5003 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
1888"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\k8u738e-.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
sdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2188"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\tdbzkeue.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
sdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2372"C:\Windows\System32\rundll32.exe" C:\Windows\system32\pcwutl.dll,CreateAndRunTask -path "C:\Users\admin\Desktop\Device\HarddiskVolume3\Cadence\SPB_23.1\tools\bin\relpn.exe"C:\Windows\System32\rundll32.exemsdt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2400"C:\Windows\System32\rundll32.exe" C:\Windows\system32\pcwutl.dll,CreateAndRunTask -path "C:\Users\admin\Desktop\Device\HarddiskVolume3\Cadence\SPB_23.1\tools\bin\relpn.exe"C:\Windows\System32\rundll32.exemsdt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2452C:\Windows\system32\pcwrun.exe "C:\Users\admin\Desktop\Device\HarddiskVolume3\Cadence\SPB_23.1\tools\bin\relpn.exe"C:\Windows\System32\pcwrun.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Program Compatibility Troubleshooter Invoker
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\pcwrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2476C:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\System32\sdiagnhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Scripted Diagnostics Native Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sdiagnhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
2480C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\admin\AppData\Local\Temp\PCWCAA.xml /skip TRUEC:\Windows\System32\msdt.exepcwrun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Diagnostics Troubleshooting Wizard
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msdt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
11 511
Read events
11 446
Write events
63
Delete events
2

Modification events

(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3972) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\soft_analysis.zip
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
7
Suspicious files
15
Text files
23
Unknown types
0

Dropped files

PID
Process
Filename
Type
2452pcwrun.exeC:\Users\admin\AppData\Local\Temp\PCWCAA.xmlxml
MD5:80681B26E76818EC8BB3F99F3C1B1D97
SHA256:B32857E34DD8099890EC37E3D642C8738D942DEBA5FB85C0EDCB09FADCB7F0C2
2480msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_a1d5f57d-161f-4c63-8862-7f0e67a07908\TS_ProgramCompatibilityWizard.ps1text
MD5:46E22C2582B54BE56D80D7A79FEC9BB5
SHA256:459AF2960B08E848573D45A7350223657ADB2115F24A3C37E69FFE61DEA647F9
2480msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_a1d5f57d-161f-4c63-8862-7f0e67a07908\DiagPackage.dllexecutable
MD5:4B9F845D6FF4BCED0EA8D7B0EA4AE7E7
SHA256:21369005C8400B68D8CAB1A9A6C4D5809F5A685A8E18D311272467BB25D3D3C8
2480msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_a1d5f57d-161f-4c63-8862-7f0e67a07908\RS_ProgramCompatibilityWizard.ps1text
MD5:367FE5F4C6DB87E1600F46687E5AAC54
SHA256:177625AC9B07BBFFCBBB47101C2D1121F47B03B42226861BFD7974B9CEBC0C98
2476sdiagnhost.exeC:\Users\admin\AppData\Local\Temp\tdbzkeue.0.cstext
MD5:B0DC59B099CA7C12FB8AD72D3C50C82C
SHA256:E75EAAA3D7908FB05000C0A957048D20091A0D2575E87D091D11CDB3A5B562E5
2480msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_a1d5f57d-161f-4c63-8862-7f0e67a07908\en-US\DiagPackage.dll.muiexecutable
MD5:C31BD28AB34E75BC65A5458AC8D37539
SHA256:5FB9E280013D58043C5689478F9DCFAD3212F4681534627EB33998DDD6F63308
2480msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_a1d5f57d-161f-4c63-8862-7f0e67a07908\result\results.xslxml
MD5:310E1DA2344BA6CA96666FB639840EA9
SHA256:67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C
3972WinRAR.exeC:\Users\admin\Desktop\Device\HarddiskVolume3\Cadence\SPB_23.1\tools\bin\relpn.exeexecutable
MD5:2282237725100346075ABC5425428130
SHA256:2C604DC8AFFB7A76BE2231C2A11B8A0A3EDA7BC32AE508F9264D308F06358365
2480msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_a1d5f57d-161f-4c63-8862-7f0e67a07908\en-US\CL_LocalizationData.psd1text
MD5:863DC7FD9D5E14BB639EAAF596D64416
SHA256:97EB6F256A278FF10B200FA6E248B7A89BA956D9F533D138302C7F3721A95D8E
2188csc.exeC:\Users\admin\AppData\Local\Temp\CSC164F.tmpbinary
MD5:CBD3AC7251686A2D868E84BD0BC091C1
SHA256:C18DB43025AFE17A8DB52E3C0CCFD8F018D0A66840B7C4F4163FF341FAF665EE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
Process
Message
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
soft_analysis.zip