File name:

Windows7Windows10.exe.7z

Full analysis: https://app.any.run/tasks/50d119ca-fe72-49b2-ba24-894bb4cd30c9
Verdict: Malicious activity
Analysis date: July 27, 2020, 18:37:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.3
MD5:

F9D55D9E544E3E53163009A33D3CF667

SHA1:

7BCD733E5F9B431528A6C2329AB74F8D210CBBBE

SHA256:

9690CF5DF0669EBF143FEE9C07B9480AE431C207C63668D710B5B0EA2898E3C9

SSDEEP:

49152:Om4M5vfdKQLMZcwnkq4ROrOl6mqKI+U/akeuoA/AdVAU3p7tlHFKy:Om4MyvZVnGOrosak3D/AdVAY7tllKy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Windows7Windows10.exe (PID: 3660)
      • WinUsbDisplay.exe (PID: 2420)
      • WinUsbDisplay.exe (PID: 128)
      • devcon.exe (PID: 1860)
      • unins000.exe (PID: 3960)
      • _iu14D2N.tmp (PID: 2296)
    • Changes the autorun value in the registry

      • Windows7Windows10.tmp (PID: 2624)
    • Loads dropped or rewritten executable

      • WinUsbDisplay.exe (PID: 2420)
      • WinUsbDisplay.exe (PID: 128)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2128)
      • Windows7Windows10.exe (PID: 3660)
      • Windows7Windows10.tmp (PID: 2624)
      • devcon.exe (PID: 1860)
      • DrvInst.exe (PID: 684)
      • unins000.exe (PID: 3960)
    • Reads Windows owner or organization settings

      • Windows7Windows10.tmp (PID: 2624)
      • _iu14D2N.tmp (PID: 2296)
    • Reads the Windows organization settings

      • Windows7Windows10.tmp (PID: 2624)
      • _iu14D2N.tmp (PID: 2296)
    • Creates files in the user directory

      • Windows7Windows10.tmp (PID: 2624)
    • Uses RUNDLL32.EXE to load library

      • DrvInst.exe (PID: 684)
    • Executed via COM

      • DrvInst.exe (PID: 684)
      • DllHost.exe (PID: 3316)
    • Creates files in the Windows directory

      • DrvInst.exe (PID: 684)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 684)
    • Removes files from Windows directory

      • DrvInst.exe (PID: 684)
    • Executed as Windows Service

      • vssvc.exe (PID: 3180)
    • Starts application with an unusual extension

      • unins000.exe (PID: 3960)
  • INFO

    • Manual execution by user

      • Windows7Windows10.exe (PID: 3660)
      • explorer.exe (PID: 1004)
      • WinUsbDisplay.exe (PID: 2420)
      • WinUsbDisplay.exe (PID: 128)
    • Application was dropped or rewritten from another process

      • Windows7Windows10.tmp (PID: 2624)
    • Creates files in the program directory

      • Windows7Windows10.tmp (PID: 2624)
    • Creates a software uninstall entry

      • Windows7Windows10.tmp (PID: 2624)
    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 684)
    • Searches for installed software

      • DrvInst.exe (PID: 684)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3180)
    • Changes settings of System certificates

      • DrvInst.exe (PID: 684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (gen) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
62
Monitored processes
13
Malicious processes
5
Suspicious processes
3

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
128"C:\Program Files\HYC USB Display\WinUsbDisplay.exe" C:\Program Files\HYC USB Display\WinUsbDisplay.exeexplorer.exe
User:
admin
Company:
MS
Integrity Level:
MEDIUM
Description:
Windows USB Display
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\program files\hyc usb display\winusbdisplay.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winmm.dll
684DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{3c89bd73-e6ca-43fe-7303-3e4390637e7b}\MSUSBDisplay.inf" "0" "6bdd6f09b" "00000064" "WinSta0\Default" "00000304" "208" "C:\Program Files\HYC USB Display\lib_usb"C:\Windows\system32\DrvInst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1004"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1860"C:\Program Files\HYC USB Display\tool\x86\devcon.exe" dp_add "C:\Program Files\HYC USB Display\lib_usb\MSUSBDisplay.inf" USB\VID_534D&PID_6021&MI_03C:\Program Files\HYC USB Display\tool\x86\devcon.exe
Windows7Windows10.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Setup API
Exit code:
0
Version:
10.0.10586.0 (th2_release.151029-1700)
Modules
Images
c:\program files\hyc usb display\tool\x86\devcon.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
2128"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Windows7Windows10.exe.7z"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2296"C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files\HYC USB Display\unins000.exe" /FIRSTPHASEWND=$8015A C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmpunins000.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup
Exit code:
1
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\_iu14d2n.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2420"C:\Program Files\HYC USB Display\WinUsbDisplay.exe" C:\Program Files\HYC USB Display\WinUsbDisplay.exeexplorer.exe
User:
admin
Company:
MS
Integrity Level:
MEDIUM
Description:
Windows USB Display
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\program files\hyc usb display\winusbdisplay.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winmm.dll
2624"C:\Users\admin\AppData\Local\Temp\is-9MG7S.tmp\Windows7Windows10.tmp" /SL5="$5012C,2285776,806912,C:\Users\admin\Desktop\Windows7Windows10.exe" C:\Users\admin\AppData\Local\Temp\is-9MG7S.tmp\Windows7Windows10.tmp
Windows7Windows10.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-9mg7s.tmp\windows7windows10.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2964rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{08345d9f-b757-7f3e-b515-f67d3e6f6c51} Global\{63521487-b9f8-7e6a-f5c5-d00f034a4938} C:\Windows\System32\DriverStore\Temp\{1164e075-d992-100c-e92b-6733cba0377f}\MSUSBDisplay.inf C:\Windows\System32\DriverStore\Temp\{1164e075-d992-100c-e92b-6733cba0377f}\MSUSBDisplay.catC:\Windows\system32\rundll32.exeDrvInst.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
3180C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
995
Read events
761
Write events
228
Delete events
6

Modification events

(PID) Process:(2128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2128) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\132\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Windows7Windows10.exe.7z
(PID) Process:(2128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation:writeName:0
Value:
C:\Users\admin\Desktop
(PID) Process:(2128) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
Executable files
33
Suspicious files
10
Text files
71
Unknown types
18

Dropped files

PID
Process
Filename
Type
2624Windows7Windows10.tmpC:\Program Files\HYC USB Display\is-63B6I.tmp
MD5:
SHA256:
2624Windows7Windows10.tmpC:\Program Files\HYC USB Display\is-I43V1.tmp
MD5:
SHA256:
2624Windows7Windows10.tmpC:\Program Files\HYC USB Display\is-BRRQJ.tmp
MD5:
SHA256:
2624Windows7Windows10.tmpC:\Program Files\HYC USB Display\is-HV7AL.tmp
MD5:
SHA256:
2624Windows7Windows10.tmpC:\Program Files\HYC USB Display\is-9TDQ5.tmp
MD5:
SHA256:
2624Windows7Windows10.tmpC:\Program Files\HYC USB Display\is-0UN40.tmp
MD5:
SHA256:
2624Windows7Windows10.tmpC:\Program Files\HYC USB Display\is-PSQ2G.tmp
MD5:
SHA256:
2624Windows7Windows10.tmpC:\Program Files\HYC USB Display\tool\arm64\is-8UMT7.tmp
MD5:
SHA256:
2624Windows7Windows10.tmpC:\Program Files\HYC USB Display\tool\x64\is-4BLE3.tmp
MD5:
SHA256:
2624Windows7Windows10.tmpC:\Program Files\HYC USB Display\tool\x64\is-BGTQK.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info