Malware analysis 22.rar Malicious activity | ANY.RUN

Add for printing

File name:	22.rar
Full analysis:	https://app.any.run/tasks/5bef95c1-98fc-4519-829b-e9f8328ed8a3
Verdict:	Malicious activity
Analysis date:	April 15, 2019, 08:47:55
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	C0C5C92E1C0D63A8ABF542C19E7C37AA
SHA1:	1BB1FAEEB2B644B29A6006050DE8DE1DA55F64C4
SHA256:	A87E0BA5E57B4E27066163BA71A2721827ED696C9BD1222BE31E9985A62517CC
SSDEEP:	98304:toXC0mmdnuO+GA5AFUvKAhxK+kL9fmAWzOYaS1N:OXCu9ieUfVkL9fmA7YJH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - PasswordsPro.exe (PID: 3204)
  - SearchProtocolHost.exe (PID: 3892)
- Application was dropped or rewritten from another process
  - PasswordsPro.exe (PID: 3204)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3284)
INFO
- Dropped object may contain Bitcoin addresses
  - WinRAR.exe (PID: 3284)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3284	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\22.rar"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0
3892	"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"	C:\Windows\System32\SearchProtocolHost.exe	—	SearchIndexer.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7600.16385 (win7_rtm.090713-1255)
3204	"C:\Users\admin\Desktop\PasswordsPro.v.3.1.0.0\PasswordsPro.exe"	C:\Users\admin\Desktop\PasswordsPro.v.3.1.0.0\PasswordsPro.exe		explorer.exe
User: admin Company: InsidePro Software Integrity Level: HIGH Description: PasswordsPro Version: 3.1.0.0

Add for printing

Total events

764

Read events

754

Write events

Delete events

Modification events


(PID) Process:	(3284) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3284) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3284) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3284) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\22.rar
(PID) Process:	(3284) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3284) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3284) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3284) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3892) SearchProtocolHost.exe	Key:	HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3892) SearchProtocolHost.exe	Key:	HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E
Operation:	write	Name:	@C:\Windows\system32\notepad.exe,-469
Value: Text Document

Add for printing

Executable files

166

Suspicious files

Text files

210

Unknown types

Dropped files

PID	Process	Filename		Type
3284	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3284.10795\PasswordsPro.v.3.1.0.0\Descript.ion		text
		MD5:E523C623E9ABAAF6589612C8DD2F4DF5	SHA256:BD52EB40638A955C16FA3EA885DD7A1D230BF920F7C1E69E247953F6D6325D71
3284	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3284.10795\PasswordsPro.v.3.1.0.0\Modules\API\ReadMe.chm		chi
		MD5:407314B124789A33F94B64320F12B011	SHA256:EE5B6619F37EEE0415D0E42053010A40685FEFBA473DDAB154B938BA4A666F81
3284	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3284.10795\PasswordsPro.v.3.1.0.0\Modules\CRC-32.dll		executable
		MD5:6E78D89B4BDE0F3A58A16A9E172F8728	SHA256:5E3647C60C8F3F6500459180625834F21EEFF0A74AFABE4B65B9DFE19B36B268
3284	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3284.10795\PasswordsPro.v.3.1.0.0\Modules\Blowfish(Eggdrop).dll		executable
		MD5:D1C3F0C0302F9436B57A2A98350F6894	SHA256:A8F54639D1B53193D4F4A8D757A79E0E3C47F1A44E532745E0F02FCCA22A584E
3284	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3284.10795\PasswordsPro.v.3.1.0.0\Modules\CRC-16.dll		executable
		MD5:F0695117BF582F50CD22FFCB426BC707	SHA256:76F35E796775428AF2DD47FA5E6C628FCA30F8DF30B46A88910F4B8919366120
3284	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3284.10795\PasswordsPro.v.3.1.0.0\mfc71.dll		executable
		MD5:659F1EF3AB991F099ABC6A6EB8E9F891	SHA256:98BE54795AB0BCEF0D7C1D199CEB1A397F357CB742C1059CDB22C64896F271ED
3284	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3284.10795\PasswordsPro.v.3.1.0.0\Modules\Blowfish(OpenBSD).dll		executable
		MD5:C2816F228355345B705F76772BB7E76B	SHA256:9616636D486EAB665FDE6A8AF3E0D5EF98B226082914A2B819531D4A71FBCD9C
3284	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3284.10795\PasswordsPro.v.3.1.0.0\InterfaceHistory.txt		text
		MD5:5A510B8EB3944DC1CBFDA53FD52BC36A	SHA256:EE56AA9BD1E6C2DDB43D0973A2CF2A28925DDFD235800C06C181984E9A2C64F2
3284	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3284.10795\PasswordsPro.v.3.1.0.0\Modules\CRC-16-CCITT.dll		executable
		MD5:24766D1092A14674DA9B4DBBCF26F918	SHA256:BB9EBDB25D69C3E9AD127450089510E74C80D5F659D41DA196A921321F3F8A9F
3284	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3284.10795\PasswordsPro.v.3.1.0.0\Modules\Adler-32.dll		executable
		MD5:D4572FD4A4992D27E88D0B882990A15D	SHA256:265EF9D9DD17B7C45A65C50A61C3BEB951E7A04FBB8A9174F6A8707D46C14B85

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

22.rar

C0C5C92E1C0D63A8ABF542C19E7C37AA

1BB1FAEEB2B644B29A6006050DE8DE1DA55F64C4

A87E0BA5E57B4E27066163BA71A2721827ED696C9BD1222BE31E9985A62517CC

98304:toXC0mmdnuO+GA5AFUvKAhxK+kL9fmAWzOYaS1N:OXCu9ieUfVkL9fmA7YJH

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

SUSPICIOUS

Executable content was dropped or overwritten

INFO

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings