File name: 2.rar
Full analysis: https://app.any.run/tasks/df67aa1e-b864-4e72-969e-7c0fdb90dbe2
Verdict: Malicious activity
Analysis date: May 11, 2020, 07:23:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 23B261B43D7F84E6A45850F8E09CAA2F
SHA1: 5BFF9BFBC34C628834559663A89A39D94F41FF6D
SHA256: A39B2DEE38CBFEF91E1E934E2BD22E15B325A8918978EA7263AD878CA82460DE
SSDEEP: 196608:N3VtX6TTto/dtOOIErMxzmrNKwVkzY9g/PauN5IJD2+i9i:Nlp6do/x/rQkVkza5uJ+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 4036)
      • SpicyX AIO-cleaned_stringdec.exe (PID: 1156)
      • WerFault.exe (PID: 3352)
    • Application was dropped or rewritten from another process

      • SpicyX AIO-cleaned_stringdec.exe (PID: 1156)
      • Setup.exe (PID: 2064)
      • Setup.exe (PID: 3432)
  • SUSPICIOUS

    • Modifies the open verb of a shell class

      • SpicyX AIO-cleaned_stringdec.exe (PID: 1156)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2640)
  • INFO

    • Manual execution by user

      • Setup.exe (PID: 2064)
      • SpicyX AIO-cleaned_stringdec.exe (PID: 1156)
      • Setup.exe (PID: 3432)
      • WinRAR.exe (PID: 3148)
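The SUSPICIOUS indicator "Modifies the open verb of a shell class" means a write under a file class's shell\<verb>\command key, the command Windows runs when a file of that class is opened; rewriting it lets a program insert itself into every double-click on that file type. The report does not show which key or value SpicyX wrote. The following Python block is an added example, not part of the ANY.RUN report or of the sample's own code: a detector that runs over registry write events in the same (PID) Process / Key / Operation / Name / Value shape as the Modification events section below. The two shell\open\command events in its sample data are constructed for illustration, and the handler path in the first of them is hypothetical.

```python
"""Detector for the "Modifies the open verb of a shell class" behaviour.

Added example, not part of the ANY.RUN report or of the sample it analyses.
It scans registry write events and flags writes to a class's
shell\\<verb>\\command key.  The report does not show which key SpicyX
changed, so the two verb-handler events in SAMPLE_EVENTS are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Hives and subtrees that hold file-class registrations.  HKCU\Software\Classes
# overlays HKCR for the current user, so a per-user hijack needs no admin rights.
_CLASS_ROOTS = (
    r"HKEY_CLASSES_ROOT\\",
    r"HKEY_CURRENT_USER\\Software\\Classes\\",
    r"HKEY_LOCAL_MACHINE\\Software\\Classes\\",
    r"HKEY_USERS\\[^\\]+\\Software\\Classes\\",
)

# <root><class>\shell\<verb>\command
_VERB_COMMAND_KEY = re.compile(
    r"^(?:" + "|".join(_CLASS_ROOTS) + r")"
    r"(?P<cls>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command$",
    re.IGNORECASE,
)

# Directories a stock verb handler is expected to live in (WinRAR's own
# handlers sit under Program Files); tighten to taste for your estate.
_TRUSTED_PREFIXES = (
    "c:\\windows\\", "%systemroot%\\", "%windir%\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)


@dataclass(frozen=True)
class RegWrite:
    pid: int
    process: str
    key: str
    name: str      # value name; "" is the (Default) value
    value: str


@dataclass(frozen=True)
class Finding:
    pid: int
    process: str
    cls: str
    verb: str
    command: str
    reason: str


def handler_executable(command: str) -> str:
    """Return the executable path at the front of a verb command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_reasons(command: str) -> List[str]:
    """Why a new verb command looks like a hijack rather than a normal registration."""
    reasons = []
    exe = handler_executable(command).lower()
    if not exe.startswith(_TRUSTED_PREFIXES):
        reasons.append("handler outside Windows/Program Files: " + exe)
    if "%1" not in command:
        reasons.append('handler does not receive the opened file ("%1" missing)')
    return reasons


def detect_verb_hijacks(events: List[RegWrite]) -> List[Finding]:
    """Return one Finding per write that replaces a shell verb's command."""
    findings = []
    for ev in events:
        m = _VERB_COMMAND_KEY.match(ev.key)
        if not m:
            continue
        # (Default) holds the command line; DelegateExecute can redirect it to a COM handler.
        if ev.name.lower() not in ("", "(default)", "delegateexecute"):
            continue
        reasons = suspicious_reasons(ev.value) or ["verb command rewritten (review the new handler)"]
        findings.append(Finding(ev.pid, ev.process, m["cls"], m["verb"], ev.value, "; ".join(reasons)))
    return findings


# Constructed sample: the first two writes are copied from the report (benign WinRAR
# settings); the last two are hypothetical verb-handler writes, not from the report.
SAMPLE_EVENTS = [
    RegWrite(2640, "WinRAR.exe", r"HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes", "ShellExtBMP", ""),
    RegWrite(2640, "WinRAR.exe", r"HKEY_CLASSES_ROOT\Local Settings\MuiCache\12D\52C64B7E", "LanguageList", "en-US"),
    RegWrite(9999, "example.exe", r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "",
             r'"C:\Users\admin\AppData\Local\Temp\handler.exe" "%1"'),
    RegWrite(9999, "example.exe", r"HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command", "",
             r"%SystemRoot%\system32\NOTEPAD.EXE %1"),
]

if __name__ == "__main__":
    for f in detect_verb_hijacks(SAMPLE_EVENTS):
        print(f"PID {f.pid} {f.process}: {f.cls}\\shell\\{f.verb} -> {f.command}  [{f.reason}]")
```

Every rewrite of a verb command is reported, because even a handler under a trusted directory is worth a look when a sample does it; the reason string separates the clear hijack (handler in a user-writable directory, or one that swallows "%1") from the plain rewrite.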
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 52
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start
  winrar.exe
  searchprotocolhost.exe (no specs)
  winrar.exe (no specs)
  spicyx aio-cleaned_stringdec.exe
  setup.exe (no specs)
  setup.exe
  werfault.exe (no specs)

Process information

PID: 1156
CMD: "C:\Users\admin\Desktop\SpicyX AIO-cleaned_stringdec.exe"
Path: C:\Users\admin\Desktop\SpicyX AIO-cleaned_stringdec.exe
Parent process: explorer.exe
User: admin
Company: SpicyX Development
Integrity Level: MEDIUM
Description: SpicyX AIO
Exit code: 3
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\spicyx aio-cleaned_stringdec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2064
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: Windows refused to start the image without elevation, either because its manifest requests administrator rights or because of the installer-detection heuristic that applies to names like Setup.exe; the same image is then run at HIGH integrity as PID 3432)
Modules (images):
c:\users\admin\desktop\setup.exe
c:\systemroot\system32\ntdll.dll
PID: 2640
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3148
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Setup.exe" C:\Users\admin\Desktop\Setup\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
Note: this is WinRAR's extract command (x) run against Setup.exe itself, so the dropped Setup.exe is an executable that WinRAR recognises as an archive; the SC.dat and languages.dat files under C:\Users\admin\Desktop\Setup\ in the Dropped files section are its contents.
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3352
CMD: C:\Windows\system32\WerFault.exe -u -p 1156 -s 996
Path: C:\Windows\system32\WerFault.exe
Parent process: svchost.exe
Note: WerFault.exe -p <pid> is started by the Windows Error Reporting service to report a fault in that process; -p 1156 is SpicyX AIO-cleaned_stringdec.exe, which exited with code 3, so the sample crashed during this run.
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\werfault.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3432
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
PID: 4036
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
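Several facts in the process table above belong together: Setup.exe (PID 2064) exits with 3221226540, which is 0xC000042C, STATUS_ELEVATION_REQUIRED, and the same image then runs at HIGH integrity (PID 3432); WerFault.exe is started with -p 1156, a crash report for the SpicyX process; and WinRAR (PID 3148) runs its x command against Setup.exe, treating the executable as an archive. The Python block below is an added example, not ANY.RUN's code, that encodes those readings as triage rules over process records copied from the table (the long SearchProtocolHost command line is shortened in the sample). The NTSTATUS table is a short hand-picked subset, and the WerFault and WinRAR command-line parsing covers only the forms shown in this report.

```python
"""Triage rules over the process records of a sandbox run.

Added example, not ANY.RUN's code.  PROCESSES is built from the Process
information table of this report (PID, image, command line, parent,
integrity level, exit code).  The rules encode three things a practitioner
reads out of that table: an NTSTATUS exit code, a WerFault crash report that
names a monitored PID, and WinRAR extracting an .exe as an archive.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hand-picked subset of exit codes; a value >= 0x100 is almost always an
# NTSTATUS or SEH exception code rather than a return value the program chose.
KNOWN_STATUS: Dict[int, str] = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000142: "STATUS_DLL_INIT_FAILED",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC0000417: "STATUS_INVALID_CRUNTIME_PARAMETER",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
    0xE0434352: "CLR exception (unhandled .NET exception)",
    0xE06D7363: "MSVC C++ exception",
}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmd: str
    parent: str
    integrity: str
    exit_code: int


def decode_exit_code(code: int) -> Tuple[str, str]:
    """Map a raw exit code to (display form, meaning)."""
    code &= 0xFFFFFFFF
    if code < 0x100:
        # Small values are the program's own return value; 0 is success,
        # anything else needs the binary to interpret.
        return (str(code), "success" if code == 0 else "application-defined")
    return ("0x%08X" % code, KNOWN_STATUS.get(code, "unrecognised NTSTATUS/exception code"))


def split_command_line(cmd: str) -> List[str]:
    """Split a Windows command line on spaces, keeping quoted arguments whole."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def crashed_pid(werfault_cmd: str) -> Optional[int]:
    """PID named by WerFault's -p switch, i.e. the process being reported on."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)", werfault_cmd)
    return int(m.group(1)) if m else None


def winrar_extract_target(cmd: str) -> Optional[str]:
    """Archive argument of a WinRAR 'x'/'e' command line, or None."""
    toks = split_command_line(cmd)
    if len(toks) < 3 or toks[1].lower() not in ("x", "e"):
        return None
    rest = toks[2:]
    for i, tok in enumerate(rest):
        if tok == "--":                   # end of switches: next token is the archive
            return rest[i + 1] if i + 1 < len(rest) else None
        if not tok.startswith("-"):       # first non-switch is the archive
            return tok
    return None


def triage(procs: List[Proc]) -> List[str]:
    """Apply the three rules and return human-readable findings."""
    findings: List[str] = []
    by_pid = {p.pid: p for p in procs}
    needs_elevation = set()
    for p in procs:
        shown, meaning = decode_exit_code(p.exit_code)
        if meaning == "STATUS_ELEVATION_REQUIRED":
            needs_elevation.add(p.image.lower())
            findings.append(f"PID {p.pid} {p.image}: exit {shown} {meaning} at {p.integrity} integrity "
                            "(Windows refused to start it unelevated)")
        elif p.exit_code >= 0x100:
            findings.append(f"PID {p.pid} {p.image}: exit {shown} {meaning}")
        if p.image.lower() == "werfault.exe":
            victim = crashed_pid(p.cmd)
            if victim in by_pid:
                findings.append(f"PID {p.pid} WerFault.exe: crash report for PID {victim} "
                                f"{by_pid[victim].image} (exit code {by_pid[victim].exit_code})")
        if p.image.lower() == "winrar.exe":
            target = winrar_extract_target(p.cmd)
            if target and target.lower().endswith(".exe"):
                findings.append(f"PID {p.pid} WinRAR.exe: extracts {target} as an archive, "
                                "so that executable carries an embedded archive (SFX)")
    for p in procs:
        if p.image.lower() in needs_elevation and p.integrity.upper() == "HIGH":
            findings.append(f"PID {p.pid} {p.image}: relaunched at HIGH integrity, so the UAC prompt was accepted")
    return findings


# Records taken from the Process information table (behaviour-graph order);
# the SearchProtocolHost command line is shortened to its first argument.
PROCESSES = [
    Proc(2640, "WinRAR.exe", r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2.rar"',
         "explorer.exe", "MEDIUM", 0),
    Proc(4036, "SearchProtocolHost.exe", r'"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_',
         "SearchIndexer.exe", "SYSTEM", 0),
    Proc(3148, "WinRAR.exe", r'"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- '
         r'"C:\Users\admin\Desktop\Setup.exe" C:\Users\admin\Desktop\Setup' + "\\", "explorer.exe", "MEDIUM", 0),
    Proc(1156, "SpicyX AIO-cleaned_stringdec.exe", r'"C:\Users\admin\Desktop\SpicyX AIO-cleaned_stringdec.exe"',
         "explorer.exe", "MEDIUM", 3),
    Proc(2064, "Setup.exe", r'"C:\Users\admin\Desktop\Setup.exe"', "explorer.exe", "MEDIUM", 3221226540),
    Proc(3432, "Setup.exe", r'"C:\Users\admin\Desktop\Setup.exe"', "explorer.exe", "HIGH", 0),
    Proc(3352, "WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 1156 -s 996", "svchost.exe", "MEDIUM", 0),
]

if __name__ == "__main__":
    for line in triage(PROCESSES):
        print(line)
```

STATUS_ELEVATION_REQUIRED on its own does not say whether the elevation request came from a requireAdministrator manifest or from Windows' installer-detection heuristic (which keys off names such as Setup.exe); the report only shows that the retry at HIGH integrity succeeded, so the rule reports both facts separately.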
Total events: 866
Read events: 837
Write events: 29
Delete events: 0

Modification events

The ten write events listed here are WinRAR and SearchProtocolHost settings writes; the report counts 29 write events in total, and the shell-verb modification attributed to SpicyX AIO-cleaned_stringdec.exe (PID 1156) is not among the events shown.

(PID) Process: (2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2640) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12D\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2640) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12D\52C64B7E
Operation: write
Name: @C:\Windows\system32\NetworkExplorer.dll,-1
Value: Network

(PID) Process: (2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\2.rar

(PID) Process: (2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (4036) SearchProtocolHost.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\12D\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 13
Suspicious files: 2
Text files: 18
Unknown types: 0

Dropped files

The Rar$DRa2640.14211 directory is WinRAR's temporary extraction folder for PID 2640 (the WinRAR instance that opened 2.rar); the files under C:\Users\admin\Desktop\Setup\ were written by PID 3148, the WinRAR instance that extracted Setup.exe.

PID: 2640 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\SpicyX AIO-cleaned_stringdec.exe
Type:
MD5:
SHA256:

PID: 2640 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\System.Net.Http.Extensions.dll
Type:
MD5:
SHA256:

PID: 2640 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\Setup.exe
Type:
MD5:
SHA256:

PID: 3148 | Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Setup\SC.dat
Type: text
MD5:
SHA256:

PID: 2640 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\MetroFramework.Design.dll
Type: executable
MD5: AB4C3529694FC8D2427434825F71B2B8
SHA256: 0A4A96082E25767E4697033649B16C76A652E120757A2CECAB8092AD0D716B65

PID: 2640 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\discord-rpc-w32.dll
Type: executable
MD5: A1C35901AD26A30C5B7836771B6BADFF
SHA256: 517240600B04D454CC5AB7B03E43C4AF5A0B831FD2515F25C015A83652AD4CAC

PID: 2640 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\MySql.Data.dll
Type: executable
MD5: 045C875E00218CE5348A705989ACB329
SHA256: 83D5F32B402BF60B6AEABDB45CFEEAE292B2A590E9D351BF8072CF43658684AB

PID: 2640 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\MetroFramework.Fonts.dll
Type: executable
MD5: 65EF4B23060128743CEF937A43B82AA3
SHA256: C843869AACA5135C2D47296985F35C71CA8AF4431288D04D481C4E46CC93EE26

PID: 2640 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\Leaf.xNet.dll
Type: executable
MD5: 6A4FB68D5541898C2EC86D709C26FF86
SHA256: 5C099E6C5985E413CDF8D81C84BF61977B80E1E6221E332C94490F6A72373A4A

PID: 3148 | Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Setup\languages.dat
Type: text
MD5: A6FB0111CBF1CBF35E3AFA2392E206BC
SHA256: 59C8B5AE2D98ACAE9FDD97095A908230F28B2A5C4DFB27CEEB5814ADF906727B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info