File name: 2.rar

Full analysis: https://app.any.run/tasks/df67aa1e-b864-4e72-969e-7c0fdb90dbe2
Verdict: Malicious activity
Analysis date: May 11, 2020, 07:23:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 23B261B43D7F84E6A45850F8E09CAA2F
SHA1: 5BFF9BFBC34C628834559663A89A39D94F41FF6D
SHA256: A39B2DEE38CBFEF91E1E934E2BD22E15B325A8918978EA7263AD878CA82460DE
SSDEEP: 196608:N3VtX6TTto/dtOOIErMxzmrNKwVkzY9g/PauN5IJD2+i9i:Nlp6do/x/rQkVkza5uJ+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 4036)
      • SpicyX AIO-cleaned_stringdec.exe (PID: 1156)
      • WerFault.exe (PID: 3352)
    • Application was dropped or rewritten from another process

      • SpicyX AIO-cleaned_stringdec.exe (PID: 1156)
      • Setup.exe (PID: 2064)
      • Setup.exe (PID: 3432)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2640)
    • Modifies the open verb of a shell class

      • SpicyX AIO-cleaned_stringdec.exe (PID: 1156)
  • INFO

    • Manual execution by user

      • WinRAR.exe (PID: 3148)
      • SpicyX AIO-cleaned_stringdec.exe (PID: 1156)
      • Setup.exe (PID: 3432)
      • Setup.exe (PID: 2064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 52
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start
  winrar.exe
  searchprotocolhost.exe (no specs)
  winrar.exe (no specs)
  spicyx aio-cleaned_stringdec.exe
  setup.exe (no specs)
  setup.exe
  werfault.exe (no specs)

Process information

PID: 1156
CMD: "C:\Users\admin\Desktop\SpicyX AIO-cleaned_stringdec.exe"
Path: C:\Users\admin\Desktop\SpicyX AIO-cleaned_stringdec.exe
Parent process: explorer.exe
User: admin
Company: SpicyX Development
Integrity Level: MEDIUM
Description: SpicyX AIO
Exit code: 3
Version: 1.0.0.0
Modules (images):
  c:\users\admin\desktop\spicyx aio-cleaned_stringdec.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2064
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C)
Modules (images):
  c:\users\admin\desktop\setup.exe
  c:\systemroot\system32\ntdll.dll

PID: 2640
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 3148
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Setup.exe" C:\Users\admin\Desktop\Setup\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 3352
CMD: C:\Windows\system32\WerFault.exe -u -p 1156 -s 996
Path: C:\Windows\system32\WerFault.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\werfault.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 3432
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\users\admin\desktop\setup.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\advapi32.dll

PID: 4036
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\searchprotocolhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
Total events: 866
Read events: 837
Write events: 29
Delete events: 0

Modification events

PID / Process: 2640 WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

PID / Process: 2640 WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

PID / Process: 2640 WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12D\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

PID / Process: 2640 WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12D\52C64B7E
Operation: write
Name: @C:\Windows\system32\NetworkExplorer.dll,-1
Value: Network

PID / Process: 2640 WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\2.rar

PID / Process: 2640 WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

PID / Process: 2640 WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

PID / Process: 2640 WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

PID / Process: 2640 WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

PID / Process: 4036 SearchProtocolHost.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\12D\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 13
Suspicious files: 2
Text files: 18
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2640 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\SpicyX AIO-cleaned_stringdec.exe |
MD5:
SHA256:
2640 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\System.Net.Http.Extensions.dll |
MD5:
SHA256:
2640 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\Setup.exe |
MD5:
SHA256:
2640 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\discord-rpc-w32.dll | executable
MD5: A1C35901AD26A30C5B7836771B6BADFF
SHA256: 517240600B04D454CC5AB7B03E43C4AF5A0B831FD2515F25C015A83652AD4CAC
2640 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\System.Net.Http.Primitives.dll | executable
MD5: B43FD28DFEC4D3B81D7FA0F10A2FB62C
SHA256: E9B535F4460C76D67DF629CE2CBB84C435A712CA948B61DDAAF31309506B8604
2640 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\Ubiety.Dns.Core.dll | executable
MD5: 69E606497488D80336A8BF253C1732B8
SHA256: BDB96ACD9124F79B24A7B47AC50C7EF86F4A4CE9A476CFB0D3A7443737874B89
2640 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\MetroFramework.dll | executable
MD5: 34EA7F7D66563F724318E322FF08F4DB
SHA256: C2C12D31B4844E29DE31594FC9632A372A553631DE0A0A04C8AF91668E37CF49
2640 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\MetroFramework.Design.dll | executable
MD5: AB4C3529694FC8D2427434825F71B2B8
SHA256: 0A4A96082E25767E4697033649B16C76A652E120757A2CECAB8092AD0D716B65
2640 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\HtmlAgilityPack.dll | executable
MD5: 241DD85841D34F88923C5ABAFDD656FB
SHA256: 1D4B5D5A8D51F4D67B0500C86E57815F9C4D440BE638D72CF3825B0C72E441D7
2640 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2640.14211\MySql.Data.dll | executable
MD5: 045C875E00218CE5348A705989ACB329
SHA256: 83D5F32B402BF60B6AEABDB45CFEEAE292B2A590E9D351BF8072CF43658684AB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info