File name:

soft_analysis.zip

Full analysis: https://app.any.run/tasks/f24716a5-7d49-4f3a-9945-c856265662a0
Verdict: Malicious activity
Analysis date: June 12, 2024, 09:30:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v4.5 to extract, compression method=deflate
MD5:

B0B98F1BC3B026CCBA20AC07A6F44152

SHA1:

3988D78F54006132B271DAADBC8EDE1178891B02

SHA256:

9198CEAB0FDE4A20B6D50694C455DB3D8F85DC5F1626B6732A20FEF9FF175035

SSDEEP:

98304:XsWEbsAE4LWx3fv24pCXP9qq8PDrCGwPQgWx8N3uwaps14LXihck/ikMSrQmumT8:wGEVu/al7ULa6YE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts Visual C# compiler

      • sdiagnhost.exe (PID: 2476)

    • Drops the executable file immediately after the start

      • csc.exe (PID: 2188)
      • csc.exe (PID: 1888)
      • csc.exe (PID: 1408)

  • SUSPICIOUS

    • Reads the Internet Settings

      • sdiagnhost.exe (PID: 2476)
      • msdt.exe (PID: 2480)

    • Probably uses Microsoft diagnostics tool to execute malicious payload

      • pcwrun.exe (PID: 2452)

    • Uses .NET C# to load dll

      • sdiagnhost.exe (PID: 2476)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 1888)
      • csc.exe (PID: 1408)
      • csc.exe (PID: 2188)

    • Uses RUNDLL32.EXE to load library

      • msdt.exe (PID: 2480)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3972)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3972)
      • msdt.exe (PID: 2480)

    • Reads the software policy settings

      • msdt.exe (PID: 2480)

    • Create files in a temporary directory

      • pcwrun.exe (PID: 2452)
      • sdiagnhost.exe (PID: 2476)
      • msdt.exe (PID: 2480)
      • csc.exe (PID: 1888)
      • cvtres.exe (PID: 1868)
      • csc.exe (PID: 1408)
      • cvtres.exe (PID: 856)
      • cvtres.exe (PID: 2612)
      • csc.exe (PID: 2188)

    • Reads security settings of Internet Explorer

      • sdiagnhost.exe (PID: 2476)
      • msdt.exe (PID: 2480)

    • Manual execution by a user

      • pcwrun.exe (PID: 2452)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 2188)
      • csc.exe (PID: 1888)
      • cvtres.exe (PID: 1868)
      • cvtres.exe (PID: 2612)
      • csc.exe (PID: 1408)
      • cvtres.exe (PID: 856)

    • Checks supported languages

      • csc.exe (PID: 1888)
      • cvtres.exe (PID: 1868)
      • csc.exe (PID: 1408)
      • cvtres.exe (PID: 2612)
      • csc.exe (PID: 2188)
      • cvtres.exe (PID: 856)

    • Creates files or folders in the user directory

      • msdt.exe (PID: 2480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0801
ZipCompression: Deflated
ZipModifyDate: 1980:00:00 00:00:00
ZipCRC: 0x1204ac8d
ZipCompressedSize: 6784090
ZipUncompressedSize: 6944356
ZipFileName: Device/HarddiskVolume3/Cadence/SPB_23.1/tools/bin/relpn.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
56
Monitored processes
14
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe pcwrun.exe no specs msdt.exe no specs sdiagnhost.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
856C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES1660.tmp" "c:\Users\admin\AppData\Local\Temp\CSC164F.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.5003 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
1408"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\c-vu3sf7.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
sdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1868C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES16FC.tmp" "c:\Users\admin\AppData\Local\Temp\CSC16EB.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.5003 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
1888"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\k8u738e-.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
sdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2188"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\tdbzkeue.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
sdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2372"C:\Windows\System32\rundll32.exe" C:\Windows\system32\pcwutl.dll,CreateAndRunTask -path "C:\Users\admin\Desktop\Device\HarddiskVolume3\Cadence\SPB_23.1\tools\bin\relpn.exe"C:\Windows\System32\rundll32.exemsdt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2400"C:\Windows\System32\rundll32.exe" C:\Windows\system32\pcwutl.dll,CreateAndRunTask -path "C:\Users\admin\Desktop\Device\HarddiskVolume3\Cadence\SPB_23.1\tools\bin\relpn.exe"C:\Windows\System32\rundll32.exemsdt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2452C:\Windows\system32\pcwrun.exe "C:\Users\admin\Desktop\Device\HarddiskVolume3\Cadence\SPB_23.1\tools\bin\relpn.exe"C:\Windows\System32\pcwrun.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Program Compatibility Troubleshooter Invoker
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\pcwrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2476C:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\System32\sdiagnhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Scripted Diagnostics Native Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sdiagnhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
2480C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\admin\AppData\Local\Temp\PCWCAA.xml /skip TRUEC:\Windows\System32\msdt.exepcwrun.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Diagnostics Troubleshooting Wizard
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msdt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
11 511
Read events
11 446
Write events
63
Delete events
2

Modification events

(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3972) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\soft_analysis.zip
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3972) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
7
Suspicious files
15
Text files
23
Unknown types
0

Dropped files

PID
Process
Filename
Type
2480msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_a1d5f57d-161f-4c63-8862-7f0e67a07908\en-US\CL_LocalizationData.psd1text
MD5:863DC7FD9D5E14BB639EAAF596D64416
SHA256:97EB6F256A278FF10B200FA6E248B7A89BA956D9F533D138302C7F3721A95D8E
2480msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_a1d5f57d-161f-4c63-8862-7f0e67a07908\DiagPackage.diagpkghtml
MD5:18A906A43C1C3E27064DB30C81505234
SHA256:041430D1F0AE14300C46BDCD917C882F4850DA3D6010E3FBF692023655BC406E
2480msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_a1d5f57d-161f-4c63-8862-7f0e67a07908\VF_ProgramCompatibilityWizard.ps1text
MD5:C219205ABF50BB950B93D0824D483780
SHA256:5284D805B918F161565150EC64B787E4EA681DE69B1AD832F316F94DB6DBCB75
2480msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_a1d5f57d-161f-4c63-8862-7f0e67a07908\TS_ProgramCompatibilityWizard.ps1text
MD5:46E22C2582B54BE56D80D7A79FEC9BB5
SHA256:459AF2960B08E848573D45A7350223657ADB2115F24A3C37E69FFE61DEA647F9
2452pcwrun.exeC:\Users\admin\AppData\Local\Temp\PCWCAA.xmlxml
MD5:80681B26E76818EC8BB3F99F3C1B1D97
SHA256:B32857E34DD8099890EC37E3D642C8738D942DEBA5FB85C0EDCB09FADCB7F0C2
856cvtres.exeC:\Users\admin\AppData\Local\Temp\RES1660.tmpbinary
MD5:D259EC28A2A0F0CB029C6F30B3FD6515
SHA256:EFC1CAC9CBBE0824D510B84D31173C62F8BECCDBB5212F0613961D2567D52A6D
2476sdiagnhost.exeC:\Users\admin\AppData\Local\Temp\k8u738e-.cmdlinetext
MD5:03D85CCF54145BE503DBD1C3F45AF03B
SHA256:41E1FE65050E6576B677D7F37DA659B481B4F550283A81BFE8358D266534BB8A
2188csc.exeC:\Users\admin\AppData\Local\Temp\CSC164F.tmpbinary
MD5:CBD3AC7251686A2D868E84BD0BC091C1
SHA256:C18DB43025AFE17A8DB52E3C0CCFD8F018D0A66840B7C4F4163FF341FAF665EE
2476sdiagnhost.exeC:\Users\admin\AppData\Local\Temp\tdbzkeue.cmdlinetext
MD5:D1400F9DC48CA8E694772BC408C7AE99
SHA256:9627190ACC95ACC254CDCADE96AD184492F598485BC8A47CEF1EF3DD4A07A369
2188csc.exeC:\Users\admin\AppData\Local\Temp\tdbzkeue.dllexecutable
MD5:5F68407E8C0C65ADAF736AEC7181F73C
SHA256:2E0E1050CE578C4B46515B09BEF50274A27FA7CEF99FE7E4F9AA07620D837BC7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
Process
Message
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
soft_analysis.zip