File name:

vag-tacho.zip

Full analysis: https://app.any.run/tasks/1cf404e5-416a-43b6-bf4c-4a7b94eb2437
Verdict: Malicious activity
Analysis date: March 28, 2021, 18:45:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

E1728ED089E2E6DD7D2F353F88D27C8D

SHA1:

E5DDED50FFDA710E08498967752DEC01F2D81DAE

SHA256:

9B792F5CA6482700DB99F55F49217CE1C4D489C072408BB05F84918537CAA1D5

SSDEEP:

49152:zFfvvGx2kfZWuSUm16lSWLbH6xr8/9qHJj3+PJbq3P:zRXuZWuST16lSWaNGQH2U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • vagtacho.exe (PID: 1360)

    • Loads dropped or rewritten executable

      • vagtacho.exe (PID: 1360)

  • SUSPICIOUS

    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 2988)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2988)

    • Drops a file with too old compile date

      • WinRAR.exe (PID: 2988)

  • INFO

    • Application launched itself

      • AcroRd32.exe (PID: 2200)

    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 2988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2021:02:05 10:36:21
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: drivers_Win7/amd64/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe vagtacho.exe no specs acrord32.exe no specs acrord32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
872"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\Rar$DIa2988.4911\LogoVerificationReport.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
0
Version:
15.23.20070.215641
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1360"C:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\vagtacho.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\vagtacho.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2988.684\vagtacho.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2200"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2988.4911\LogoVerificationReport.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeWinRAR.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Exit code:
0
Version:
15.23.20070.215641
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2988"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\vag-tacho.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
473
Read events
453
Write events
20
Delete events
0

Modification events

(PID) Process:(2988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2988) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2988) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation:writeName:@C:\Windows\system32\NetworkExplorer.dll,-1
Value:
Network
(PID) Process:(2988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\vag-tacho.zip
(PID) Process:(2988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2988) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2988) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation:writeName:@C:\Windows\system32\notepad.exe,-469
Value:
Text Document
Executable files
18
Suspicious files
4
Text files
4
Unknown types
4

Dropped files

PID
Process
Filename
Type
2988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\amd64\ftbusui.dllexecutable
MD5:49424524EC55EDCB9F448239DCAC04F5
SHA256:B4C5A11AC96F61F04A1AF46BBC7507FA9E356EE928D5662E5303B23A0EDDA834
2988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\CDM 2 06 00 Release Info.rtftext
MD5:65430128D59CBD56C181F462E264201E
SHA256:558DC38A7C7E76678B60688575A97EF1289993B66E9EB48CC42BCEA6738DF19D
2988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\amd64\ftcserco.dllexecutable
MD5:F23C05F647A3A8EADCD53107E8F3C12A
SHA256:9004408BBFC81E35A21C444F7C1F6B41C422EB8CEDB54A4C610CA6036ABD29E7
2988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\ftdiport.infbinary
MD5:C94170EC43E861C43831537029789380
SHA256:714EF681C28A88AA90EBEBAE3CAFCA58A743D191FC872FBCA169B79A7AFE18A6
2988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\amd64\ftlang.dllexecutable
MD5:3EBB56D3A9601B778586E9F696A821E2
SHA256:D530434F0AD2B7CE43CB1C38700C38942E25A7816375729FCD339C2175BC61E5
2988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\ftdibus.catcat
MD5:719C0C5A7CB6312F13A9BAE4B3110152
SHA256:B2508E8AB1ABC297DF0881F60C40AB495749E7F6C4C76D0DA4AA72CB071453C3
2988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\ftdibus.infbinary
MD5:F4302A452767A833B6CE545953D51263
SHA256:28C5D483663F238EEB286D53D9A61E1618BFA914AC3128E774623BD09BB04600
2988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\amd64\ftserui2.dllexecutable
MD5:BADB676621EE28E1C87EA39D7E7BE179
SHA256:32E3F24C267137549EE23C0BF4DA1DA28E07CFE04C56F6D2E6D309214B06B101
2988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\ftdiport.catcat
MD5:3A52D058A5203C5EFD4E0027017E3E58
SHA256:661CE147A903A951E217B177A9BA793E50EC1073E0660412B671E81D652E8131
2988WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\amd64\ftser2k.sysexecutable
MD5:121AF3148CDDA212CFFBC4F6240699C2
SHA256:866D8CA649144502DCF2975905100ABC8BA068C6A1AAF503421B2FA97FFD2514
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
vag-tacho.zip