analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

_SolidSQUAD_.7z

Full analysis: https://app.any.run/tasks/55333df9-c3eb-4982-939b-b9a3ef833a28
Verdict: Malicious activity
Analysis date: November 14, 2021, 15:31:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

7B584255A78FD67FEF8784D412D33021

SHA1:

229BD088D6A52A2DFE4DDDCA1C292D886492E493

SHA256:

984D72782737937706DAEF1287E0624025EFF497B6959D3F0B88306E8D5B0960

SSDEEP:

49152:5XzVla2bI3n24bHDXXazK0rTs7CdPG5Sl7K+NS+hIhs:tz7RktX8KqG2PG5BEy+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3400)

  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 3356)

    • Checks supported languages

      • WinRAR.exe (PID: 3356)

    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 3356)

    • Creates a directory in Program Files

      • WinRAR.exe (PID: 3356)

    • Creates files in the program directory

      • WinRAR.exe (PID: 3356)

    • Drops a file with too old compile date

      • WinRAR.exe (PID: 3356)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3356)

  • INFO

    • Checks supported languages

      • regedit.exe (PID: 3008)
      • regedit.exe (PID: 3136)

    • Manual execution by user

      • regedit.exe (PID: 3008)
      • regedit.exe (PID: 1980)
      • regedit.exe (PID: 3136)
      • regedit.exe (PID: 2348)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe

Process information

PID
CMD
Path
Indicators
Parent process
3356"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\_SolidSQUAD_.7z"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
3400"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
1980"regedit.exe" "C:\Users\admin\Desktop\New folder\SolidSQUADLoaderEnabler.reg"C:\Windows\regedit.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3136"regedit.exe" "C:\Users\admin\Desktop\New folder\SolidSQUADLoaderEnabler.reg"C:\Windows\regedit.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2348"regedit.exe" "C:\Users\admin\Desktop\New folder\sw2020_network_serials_licensing.reg"C:\Windows\regedit.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3008"regedit.exe" "C:\Users\admin\Desktop\New folder\sw2020_network_serials_licensing.reg"C:\Windows\regedit.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 792
Read events
1 746
Write events
46
Delete events
0

Modification events

(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3356) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\_SolidSQUAD_.7z
(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3356) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3356) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:@C:\Windows\regedit.exe,-309
Value:
Registration Entries
Executable files
41
Suspicious files
0
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\readme.txttext
MD5:640E27954331791B699F7763C863FB9A
SHA256:70496B458DB57549E72002D8B9BD25683CDE327BC9ADD048A32EF7E819804890
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\SolidWorks_Flexnet_Server\sw_d_SSQ.lictext
MD5:6C965362C44B0C4E62D83E68803EB877
SHA256:AB3D70A082B2F14F9B1BE48CC35C3093E420D1440418C93C32D9436EAF44A65E
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\SolidWorks_Flexnet_Server\server_remove.battext
MD5:950D94840CD6B889A8A9ED1FE93FF73B
SHA256:8B0B95E49330C8FC517061AB420E0DA66555A20A270AD88835EEA05A591AF04E
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\sw2020_network_serials_licensing.regtext
MD5:1FBC34CD66C96A2FF4C0F14B6427BE6E
SHA256:E13634DC0E20F9B56C4DC5DD153D5EFC7C239F9398A36FB42F27095D955EB824
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\SolidWorks_Flexnet_Server\server_install.battext
MD5:A052A4D56D383704FF24E8E873EF3400
SHA256:49F922495FE79151E8B1C7E5BFDCA11573EB4AC958888301E7D9126A1F000459
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\Program Files\SOLIDWORKS Corp\eDrawings\netapi32.dllexecutable
MD5:69559DEA95FB75855D47B07682D709B2
SHA256:06F5830CFC6284CC1FE5FD3EAEA98B35C61760EC9DDA023C2BDD235DC88F7D84
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\Program Files\SOLIDWORKS Corp\SOLIDWORKS Electrical\bin\netapi32.dllexecutable
MD5:69559DEA95FB75855D47B07682D709B2
SHA256:06F5830CFC6284CC1FE5FD3EAEA98B35C61760EC9DDA023C2BDD235DC88F7D84
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\Program Files\SOLIDWORKS Corp\SOLIDWORKS Explorer\SOLIDWORKS Explorer 2019\netapi32.dllexecutable
MD5:69559DEA95FB75855D47B07682D709B2
SHA256:06F5830CFC6284CC1FE5FD3EAEA98B35C61760EC9DDA023C2BDD235DC88F7D84
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\Program Files\SOLIDWORKS Corp\SOLIDWORKS Inspection\PDF\netapi32.dllexecutable
MD5:69559DEA95FB75855D47B07682D709B2
SHA256:06F5830CFC6284CC1FE5FD3EAEA98B35C61760EC9DDA023C2BDD235DC88F7D84
3356WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3356.6826\Program Files\SOLIDWORKS Corp\SOLIDWORKS Flow Simulation\binCFW\netapi32.dllexecutable
MD5:69559DEA95FB75855D47B07682D709B2
SHA256:06F5830CFC6284CC1FE5FD3EAEA98B35C61760EC9DDA023C2BDD235DC88F7D84
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
_SolidSQUAD_.7z