File name: vag-tacho.zip
Full analysis: https://app.any.run/tasks/1cf404e5-416a-43b6-bf4c-4a7b94eb2437
Verdict: Malicious activity
Analysis date: March 28, 2021, 18:45:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: E1728ED089E2E6DD7D2F353F88D27C8D
SHA1: E5DDED50FFDA710E08498967752DEC01F2D81DAE
SHA256: 9B792F5CA6482700DB99F55F49217CE1C4D489C072408BB05F84918537CAA1D5
SSDEEP: 49152:zFfvvGx2kfZWuSUm16lSWLbH6xr8/9qHJj3+PJbq3P:zRXuZWuST16lSWaNGQH2U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • vagtacho.exe (PID: 1360)
    • Application was dropped or rewritten from another process

      • vagtacho.exe (PID: 1360)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2988)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 2988)
    • Drops a file with too old compile date

      • WinRAR.exe (PID: 2988)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 2988)
    • Application launched itself

      • AcroRd32.exe (PID: 2200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
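The SUSPICIOUS indicators above ("Drops a file that was compiled in debug mode", "Drops a file with too old compile date") come from static checks on the files WinRAR wrote to its Rar$EX temp directory. The Python below is an added example, not ANY.RUN's code and not part of this report: it walks a ZIP, parses each PE member's COFF and optional headers with only the standard library, and applies two approximations of those checks. Assumed here, not taken from the report: "compiled in debug mode" is treated as a populated IMAGE_DIRECTORY_ENTRY_DEBUG entry, "too old" means a TimeDateStamp more than five years before the analysis date, and the archive it scans is a constructed in-memory ZIP containing synthetic header-only PE stubs, not vag-tacho.zip.

```python
"""Added example: ZIP walk plus two PE-header heuristics (constructed input, assumed thresholds)."""
import io
import struct
import zipfile
from datetime import datetime, timedelta, timezone
from typing import Optional

IMAGE_DIRECTORY_ENTRY_DEBUG = 6
OLD_COMPILE_AGE = timedelta(days=5 * 365)                    # assumed threshold, not ANY.RUN's rule
ANALYSIS_DATE = datetime(2021, 3, 28, tzinfo=timezone.utc)   # the report's analysis date


def parse_pe(data: bytes) -> Optional[dict]:
    """Read the COFF TimeDateStamp and whether the debug data directory is populated.
    Returns None for anything that is not a well-formed PE32/PE32+ header."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        _machine, _nsect, tds, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, data directories at +96
            nrva_off, dd_off = 92, 96
        elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at +108, data directories at +112
            nrva_off, dd_off = 108, 112
        else:
            return None
        nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
        has_debug = False
        dbg_off = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG
        if nrva > IMAGE_DIRECTORY_ENTRY_DEBUG and opt_size >= dbg_off + 8:
            va, size = struct.unpack_from("<II", data, opt + dbg_off)
            has_debug = va != 0 and size != 0
    except struct.error:
        return None
    return {"timestamp": datetime.fromtimestamp(tds, tz=timezone.utc), "has_debug_dir": has_debug}


def scan_zip(zip_bytes: bytes, now: datetime = ANALYSIS_DATE) -> list:
    """Walk every non-directory member and record which heuristics it trips."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():          # e.g. the "drivers_Win7/amd64/" entry the EXIF block shows
                continue
            pe = parse_pe(zf.read(info))
            entry = {"name": info.filename, "is_pe": pe is not None, "flags": []}
            if pe is not None:
                entry["compiled"] = pe["timestamp"].isoformat()
                if now - pe["timestamp"] > OLD_COMPILE_AGE:
                    entry["flags"].append("too old compile date")
                if pe["has_debug_dir"]:
                    entry["flags"].append("compiled in debug mode")
            findings.append(entry)
    return findings


def build_pe(timestamp: int, debug: bool, pe32plus: bool = False) -> bytes:
    """Synthetic header-only PE stub (constructed test input, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> right after the DOS header
    magic, dd_off = (0x20B, 112) if pe32plus else (0x10B, 96)
    ndirs = 16
    opt_size = dd_off + 8 * ndirs
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, timestamp, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_off - 4, ndirs)           # NumberOfRvaAndSizes
    if debug:                                                # populate IMAGE_DIRECTORY_ENTRY_DEBUG
        struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x1000, 28)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the report's layout; not vag-tacho.zip."""
    old_ts = int(datetime(2007, 1, 1, tzinfo=timezone.utc).timestamp())
    new_ts = int(datetime(2021, 2, 5, tzinfo=timezone.utc).timestamp())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("drivers_Win7/amd64/", b"")                                        # directory entry
        zf.writestr("drivers_Win7/amd64/ftser2k.sys", build_pe(old_ts, debug=False, pe32plus=True))
        zf.writestr("vagtacho.exe", build_pe(new_ts, debug=True))
        zf.writestr("drivers_Win7/ftd2xx.h", b"/* not a PE */\n")
    return buf.getvalue()


def scan_sample() -> list:
    return scan_zip(build_sample_zip())


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Run as a script to print one record per member; the directory entry is skipped. A populated debug directory is only a proxy for a debug build: release binaries linked with /DEBUG carry a CodeView entry pointing at their PDB and trip it too, so treat the flag the way the report does, as suspicious rather than malicious.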

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2021:02:05 10:36:21
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: drivers_Win7/amd64/
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

winrar.exe --drop and start--> vagtacho.exe (no specs)
winrar.exe --start--> acrord32.exe (no specs)
acrord32.exe --> acrord32.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 872
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\Rar$DIa2988.4911\LogoVerificationReport.pdf"
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: AcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
0
Version:
15.23.20070.215641
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1360
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\vagtacho.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\vagtacho.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2988.684\vagtacho.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2200
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2988.4911\LogoVerificationReport.pdf"
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: WinRAR.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Exit code:
0
Version:
15.23.20070.215641
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2988
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\vag-tacho.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
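The process tree above is what the MALICIOUS indicators and the "Application launched itself" entry are derived from: WinRAR.exe (2988) writes vagtacho.exe into Rar$EXa2988.684 and then starts it as PID 1360, and AcroRd32.exe (2200) starts a second AcroRd32.exe (872). The Python below is an added example, not ANY.RUN's detection logic and not part of this report: it correlates file-creation and process-creation events so that a process executing a file its own parent just wrote, a process started out of an archiver's temp directory, and a self-launch are each flagged. The event records are constructed from the process table to resemble Sysmon Event ID 1 and 11 fields; the explorer.exe PID, the event ordering and the rule names and severities are this example's assumptions.

```python
"""Added example: drop-then-execute correlation over constructed process/file events."""
import ntpath   # Windows path semantics regardless of the host OS

WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
ACRORD = r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
VAGTACHO = r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\vagtacho.exe"
PDF = r"C:\Users\admin\AppData\Local\Temp\Rar$DIa2988.4911\LogoVerificationReport.pdf"
ARCHIVE = r"C:\Users\admin\AppData\Local\Temp\vag-tacho.zip"

# Constructed, time-ordered event stream built from the report's process table.
# Assumptions: explorer.exe is PID 1000 (the report does not give it) and events
# arrive in the order they happened.
EVENTS = [
    {"type": "process_create", "pid": 2988, "ppid": 1000, "image": WINRAR,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{WINRAR}" "{ARCHIVE}"'},
    {"type": "file_create", "pid": 2988, "image": WINRAR, "target": VAGTACHO},
    {"type": "file_create", "pid": 2988, "image": WINRAR, "target": PDF},
    {"type": "process_create", "pid": 1360, "ppid": 2988, "image": VAGTACHO,
     "parent_image": WINRAR, "cmdline": f'"{VAGTACHO}"'},
    {"type": "process_create", "pid": 2200, "ppid": 2988, "image": ACRORD,
     "parent_image": WINRAR, "cmdline": f'"{ACRORD}" "{PDF}"'},
    {"type": "process_create", "pid": 872, "ppid": 2200, "image": ACRORD,
     "parent_image": ACRORD, "cmdline": f'"{ACRORD}" --type=renderer "{PDF}"'},
]


def detect(events: list) -> list:
    """Return one alert per rule hit. Paths are lower-cased because NTFS is case-insensitive."""
    dropped_by = {}          # normalised path -> PID of the process that wrote it
    alerts = []
    for ev in events:
        if ev["type"] == "file_create":
            dropped_by[ev["target"].lower()] = ev["pid"]
            continue
        if ev["type"] != "process_create":
            continue
        image = ev["image"].lower()
        writer = dropped_by.get(image)
        if writer is not None:
            # Strongest signal: the image being executed was written earlier in this trace.
            # When the writer is the parent, that is the report's "drop and start" edge.
            rule = "executes_file_it_dropped" if writer == ev["ppid"] else "executes_dropped_file"
            alerts.append({"rule": rule, "severity": "malicious", "pid": ev["pid"], "dropped_by": writer})
        if "\\appdata\\local\\temp\\rar$" in image:
            # WinRAR extracts to Rar$EX*/Rar$DI* when a user double-clicks inside the archive.
            alerts.append({"rule": "runs_from_archiver_temp_dir", "severity": "suspicious", "pid": ev["pid"]})
        if ntpath.basename(image) == ntpath.basename(ev["parent_image"].lower()):
            alerts.append({"rule": "launched_itself", "severity": "info", "pid": ev["pid"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Opening the PDF produces no alert because the PDF is a document handed to AcroRd32.exe, not an image being executed. The second AcroRd32.exe runs with --type=renderer at LOW integrity, which is Reader's Protected Mode sandbox child, so the self-launch is reported at info level and is not evidence on its own; the verdict rests on the drop-then-execute chain into vagtacho.exe.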
Total events: 473
Read events: 453
Write events: 20
Delete events: 0

Modification events

(PID) Process: (2988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2988) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2988) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation: write
Name: @C:\Windows\system32\NetworkExplorer.dll,-1
Value: Network

(PID) Process: (2988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\vag-tacho.zip

(PID) Process: (2988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2988) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation: write
Name: @C:\Windows\system32\notepad.exe,-469
Value: Text Document
Executable files: 18
Suspicious files: 4
Text files: 4
Unknown types: 4

Dropped files

PID | Process | Filename | Type

2988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\amd64\ftser2k.sys | executable
  MD5: 121AF3148CDDA212CFFBC4F6240699C2
  SHA256: 866D8CA649144502DCF2975905100ABC8BA068C6A1AAF503421B2FA97FFD2514
2988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\amd64\ftd2xx.lib | obj
  MD5: 96A2C1BF6B37246255E112265DA84602
  SHA256: 76439BF5EFF1A3C372799C9DF924D64E84E31D9C272CCFE48C0BEC453801F6DA
2988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\amd64\ftlang.dll | executable
  MD5: 3EBB56D3A9601B778586E9F696A821E2
  SHA256: D530434F0AD2B7CE43CB1C38700C38942E25A7816375729FCD339C2175BC61E5
2988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\i386\ftbusui.dll | executable
  MD5: FBFA147B4BB3974E66C85004EE471390
  SHA256: D6458C666262F75AD30F58862A3FFE5195873CF13F4FEB0EA196D79E244DBA9A
2988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\ftd2xx.h | text
  MD5: 3B584F7365B32F928C1A8924D0E1B402
  SHA256: C1E81B4B9BE73BB1AAF7BBF2D086377C45EA590024417BA0EE60D0F6BB8D46C0
2988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\amd64\ftserui2.dll | executable
  MD5: BADB676621EE28E1C87EA39D7E7BE179
  SHA256: 32E3F24C267137549EE23C0BF4DA1DA28E07CFE04C56F6D2E6D309214B06B101
2988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\CDM 2 06 00 Release Info.rtf | text
  MD5: 65430128D59CBD56C181F462E264201E
  SHA256: 558DC38A7C7E76678B60688575A97EF1289993B66E9EB48CC42BCEA6738DF19D
2988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\ftdiport.cat | cat
  MD5: 3A52D058A5203C5EFD4E0027017E3E58
  SHA256: 661CE147A903A951E217B177A9BA793E50EC1073E0660412B671E81D652E8131
2988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\ftdibus.cat | cat
  MD5: 719C0C5A7CB6312F13A9BAE4B3110152
  SHA256: B2508E8AB1ABC297DF0881F60C40AB495749E7F6C4C76D0DA4AA72CB071453C3
2988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2988.684\drivers_Win7\amd64\ftbusui.dll | executable
  MD5: 49424524EC55EDCB9F448239DCAC04F5
  SHA256: B4C5A11AC96F61F04A1AF46BBC7507FA9E356EE928D5662E5303B23A0EDDA834
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info