| Field | Value |
|---|---|
| File name | Ratool.zip |
| Full analysis | https://app.any.run/tasks/1dd91a8d-566d-4cba-8997-77a6ed6aeb90 |
| Verdict | Malicious activity |
| Analysis date | August 12, 2022, 13:56:10 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | CA2A75E392532DE2B6BBB3A586DB5ECB |
| SHA1 | B55F2428D6ACA42CDA42D13CB262D0B80A7352A2 |
| SHA256 | 99C3FE54A4F318FA495180D0EFD25376DCE6610EB9AFA44C46E113F555D1F977 |
| SSDEEP | 24576:DiYtxjdQcY7dgAs3tvx/x4kf6jhXT/ddDA4zk4SygAS9ToAZ2CEJ:eY3dQV83tvx/byjhXTj84z1/gAooAAV |
| Extension | File type identification |
|---|---|
| .zip | ZIP compressed archive (100) |

| ZIP field | Value |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | - |
| ZipCompression | None |
| ZipModifyDate | 2020:05:20 11:51:12 |
| ZipCRC | 0x00000000 |
| ZipCompressedSize | - |
| ZipUncompressedSize | - |
| ZipFileName | Ratool_v1.4/ |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3448 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Ratool.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.91.0 |
| 2396 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa3448.23527\Ratool.ini | C:\Windows\system32\NOTEPAD.EXE | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 416 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24830\Ratool_v1.4\Ratool.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24830\Ratool_v1.4\Ratool.exe | — | WinRAR.exe | User: admin; Company: www.sordum.org; Integrity Level: MEDIUM; Description: Removable Access Tool; Exit code: 3221226540; Version: 1.4.0.0 |
| 3876 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24830\Ratool_v1.4\Ratool.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24830\Ratool_v1.4\Ratool.exe | — | WinRAR.exe | User: admin; Company: www.sordum.org; Integrity Level: HIGH; Description: Removable Access Tool; Version: 1.4.0.0 |
| 3944 | rundll32.exe C:\Windows\system32\newdev.dll,pDiDeviceInstallNotification \\.\pipe\PNP_Device_Install_Pipe_1.{e3f4257d-e19b-4d4d-91d3-63b4f2c2bc34} "(null)" | C:\Windows\system32\rundll32.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2972 | DrvInst.exe "1" "200" "{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01" "" "" "66583b687" "00000000" "0000039C" "00000404" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Driver Installation Module; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3108 | "C:\Windows\System32\dinotify.exe" pnpui.dll,SimplifiedDINotification | C:\Windows\System32\dinotify.exe | — | rundll32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Device Installation; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2324 | DrvInst.exe "1" "200" "SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000001" "" "" "69911eaf3" "00000000" "000005C8" "00000640" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Driver Installation Module; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1560 | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3352 | DrvInst.exe "1" "200" "SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&1f4adffe&0&000002" "" "" "6351683ab" "00000000" "0000063C" "00000630" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Driver Installation Module; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3448 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24050\Ratool_v1.4\Read_me.txt | text | DD943471DB59DA2D0ED51C4C91B63F03 | DF6C183F66D23E87B33E58ACA1313E6AAE8283D6C259EBA78313177CBCA10603 |
| 3448 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3448.23527\Ratool.ini | text | 48BCA3D2A69A56953EDFE830FD8560C9 | 0908A366B1FF6ED375C42D583615860C365F3EA0F9C840DCF244E7C34147F57B |
| 2972 | DrvInst.exe | C:\Windows\INF\setupapi.ev2 | binary | E2942171BC9F8B17E3E1142402B1AB97 | 8B47E258B08C46F1CFC99A7D547734B9751A278D537390A33DFA90D744DEDEA5 |
| 3448 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24050\Ratool_v1.4\Ratool_x64.exe | executable | 696EE9B9E12B9657C75F5FA4B60C7D5E | 4A740E6001C7B0F5DEBEF0E28D4B6DB0BF07AD98F9037E04EF913C2CBCCC1E0D |
| 3448 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24830\Ratool_v1.4\Ratool.ini | text | 48BCA3D2A69A56953EDFE830FD8560C9 | 0908A366B1FF6ED375C42D583615860C365F3EA0F9C840DCF244E7C34147F57B |
| 3448 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24830\Ratool_v1.4\Ratool_x64.exe | executable | 696EE9B9E12B9657C75F5FA4B60C7D5E | 4A740E6001C7B0F5DEBEF0E28D4B6DB0BF07AD98F9037E04EF913C2CBCCC1E0D |
| 3448 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24050\Ratool_v1.4\Ratool.ini | text | 48BCA3D2A69A56953EDFE830FD8560C9 | 0908A366B1FF6ED375C42D583615860C365F3EA0F9C840DCF244E7C34147F57B |
| 3876 | Ratool.exe | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | binary | 1A0F235F89F4D04F1AEDA5F70BAACCF0 | FB28B2D3452E3CF432F83C80860D9FCF45A798B2E557BDD0C3FB790A6080042F |
| 3448 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.24830\Ratool_v1.4\Read_me.txt | text | DD943471DB59DA2D0ED51C4C91B63F03 | DF6C183F66D23E87B33E58ACA1313E6AAE8283D6C259EBA78313177CBCA10603 |
| 2972 | DrvInst.exe | C:\Windows\System32\DriverStore\FileRepository\vhdmp.inf_x86_neutral_efa659e9a38d5b8c\vhdmp.PNF | pnf | 677F2BB0CD9BF36113F249D57F9A15C9 | 94A01E4AA3CDC79DE76AF4D7D8650AC552981ACE0ED4C7B8967B9576BCCC6E24 |