File name:

woofer.rar

Full analysis: https://app.any.run/tasks/565f5a43-5c64-453e-b20b-ad64699b756a
Verdict: Malicious activity
Analysis date: December 05, 2022, 17:39:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

891CEBBE3FF7554F58B5B6A755C72453

SHA1:

87FAF0F50EAD0FEAD397B7FFE0B3A40602AE371F

SHA256:

AB38E2C05D155BB97DC6018957333C30EE8EC0A77E8941C3CDBF997D7AA049F0

SSDEEP:

98304:5asrZTru7gSzCPuKunRVgjeka+5UuGSEiaL8qI7aEXqaLCj3O7iSFW4:w64735nn+5HGViaL8iaa+FW4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • nProjectV4.exe (PID: 2556)
      • nProjectV4.exe (PID: 3720)
      • nProjectV4.exe (PID: 3372)
      • nProjectV4.exe (PID: 2708)
    • Drops the executable file immediately after the start

      • nProjectV4.exe (PID: 2708)
  • SUSPICIOUS

    • Reads the BIOS version

      • nProjectV4.exe (PID: 2556)
      • nProjectV4.exe (PID: 2708)
    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • cmd.exe (PID: 2120)
    • Uses WMIC.EXE to obtain BIOS management information

      • cmd.exe (PID: 2420)
    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 3068)
    • Uses WMIC.EXE to obtain memory chip information

      • cmd.exe (PID: 3584)
    • Uses WMIC.EXE to obtain physical disk drive information

      • cmd.exe (PID: 3760)
    • Uses WMIC.EXE to obtain desktop monitor information

      • cmd.exe (PID: 4032)
    • Reads the Internet Settings

      • nProjectV4.exe (PID: 2708)
    • Reads settings of System Certificates

      • nProjectV4.exe (PID: 2708)
    • Reads security settings of Internet Explorer

      • nProjectV4.exe (PID: 2708)
    • Executable content was dropped or overwritten

      • nProjectV4.exe (PID: 2708)
    • Checks Windows Trust Settings

      • nProjectV4.exe (PID: 2708)
  • INFO

    • Manual execution by a user

      • NOTEPAD.EXE (PID: 1404)
      • nProjectV4.exe (PID: 2556)
      • nProjectV4.exe (PID: 3720)
      • nProjectV4.exe (PID: 2708)
      • nProjectV4.exe (PID: 3372)
      • NOTEPAD.EXE (PID: 3232)
    • Checks supported languages

      • nProjectV4.exe (PID: 2556)
      • nProjectV4.exe (PID: 2708)
      • mode.com (PID: 3056)
      • mode.com (PID: 4088)
    • Process checks are UAC notifies on

      • nProjectV4.exe (PID: 2556)
      • nProjectV4.exe (PID: 2708)
    • Reads the computer name

      • nProjectV4.exe (PID: 2556)
      • nProjectV4.exe (PID: 2708)
    • Checks proxy server information

      • nProjectV4.exe (PID: 2708)
    • Drops a file that was compiled in debug mode

      • nProjectV4.exe (PID: 2708)
    • Creates files in the program directory

      • nProjectV4.exe (PID: 2708)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
86
Monitored processes
41
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs notepad.exe no specs nprojectv4.exe no specs nprojectv4.exe cmd.exe no specs nprojectv4.exe no specs nprojectv4.exe cmd.exe no specs cmd.exe no specs notepad.exe no specs cmd.exe no specs cmd.exe no specs mode.com no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs mode.com no specs cmd.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1772"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\woofer.rar"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1404"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\key.txtC:\Windows\system32\NOTEPAD.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3720"C:\Users\admin\Desktop\nProjectV4.exe" C:\Users\admin\Desktop\nProjectV4.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\nprojectv4.exe
c:\windows\system32\ntdll.dll
2556"C:\Users\admin\Desktop\nProjectV4.exe" C:\Users\admin\Desktop\nProjectV4.exe
Explorer.EXE
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\nprojectv4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rpcrt4.dll
2428C:\Windows\system32\cmd.exe /c clsC:\Windows\system32\cmd.exenProjectV4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cmd.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
3372"C:\Users\admin\Desktop\nProjectV4.exe" C:\Users\admin\Desktop\nProjectV4.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\desktop\nprojectv4.exe
2708"C:\Users\admin\Desktop\nProjectV4.exe" C:\Users\admin\Desktop\nProjectV4.exe
Explorer.EXE
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\nprojectv4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\nsi.dll
1820C:\Windows\system32\cmd.exe /c clsC:\Windows\system32\cmd.exenProjectV4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
376C:\Windows\system32\cmd.exe /c clsC:\Windows\system32\cmd.exenProjectV4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3232"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\key.txtC:\Windows\system32\NOTEPAD.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\notepad.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
6 698
Read events
6 641
Write events
57
Delete events
0

Modification events

(PID) Process:(1772) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(1772) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(1772) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1772) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(1772) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(1772) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\woofer.rar
(PID) Process:(1772) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1772) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1772) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1772) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
3
Suspicious files
4
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
1772WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1772.44806\woofer\nProjectV4.exeexecutable
MD5:A453E063EC259B6429FD73ED70308D8E
SHA256:3632C73738F73C6623543B6F97FE1C80B929D3C63FB15FB8CB3EABB0BC7D4736
2708nProjectV4.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27der
MD5:D5D82C08E6FD869FBAAAAF1765526E41
SHA256:FEB7A9E2A2E668C38CA21A509C6F235AFB74F9576B24F69942F6EFD3261DB142
2708nProjectV4.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:ABA7C931F54D53DC4A7E5DCFDBC88880
SHA256:00DCD003865F28520042A6B7221E8EF4271EBE4A20A6EECBE922B6F7389E0BF5
1772WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1772.44806\woofer\key.txttext
MD5:D526826C222454F3FC92FE09E0EBA47F
SHA256:F6DCFB531ADD2373EF1D57637B738847A9A2684DCFCCD0B52C88174F5862B173
2708nProjectV4.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\5GO1C4RX.txttext
MD5:94451B23CD19B218C50E40E0706544FF
SHA256:910F2DF4ABE9D4768B6D1FB852BC44A12941504FC0565BD3CAC69C9099A9EA3A
2708nProjectV4.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_5524823BD00A413DFC52CF245D9BF052binary
MD5:269CB67B3C232ADB11B331969D0610AA
SHA256:775AB6566DF12FF58CD20D8A52C870D5463AB181A6E928E35F51B416757FDE1B
2708nProjectV4.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_5524823BD00A413DFC52CF245D9BF052der
MD5:CB7C08553C7FEDB3FB14EE3E3805AC17
SHA256:3B3709FB7A122F12BB6C370DF6F25A2FA30C35C8575737D71F8C49E16806A30C
2708nProjectV4.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:9ED56BFDE89B68552DA62418057356D0
SHA256:057C83E9FF583DF00CB88A9CDAEE771A3C1BAABA36DECE3CE74BB8C41ADD867D
2708nProjectV4.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\FiveM_Cleaner[1].exeexecutable
MD5:C4C27642B041BC79E25FE5E644036FBA
SHA256:7286678F12AEB16D2EFA0D2131012C0395425C997DEBCB4528C67A1AEC3FD9CD
2708nProjectV4.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
7
DNS requests
6
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2708
nProjectV4.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2f2fc9ba67342b59
US
compressed
4.70 Kb
whitelisted
2708
nProjectV4.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEA4ZFS%2FPJgg7ME3dUpREkGs%3D
US
der
279 b
whitelisted
2708
nProjectV4.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2556
nProjectV4.exe
188.114.96.3:443
keyauth.win
CLOUDFLARENET
NL
malicious
2708
nProjectV4.exe
188.114.96.3:443
keyauth.win
CLOUDFLARENET
NL
malicious
2708
nProjectV4.exe
162.159.129.233:443
cdn.discordapp.com
CLOUDFLARENET
shared
2708
nProjectV4.exe
209.197.3.8:80
ctldl.windowsupdate.com
STACKPATH-CDN
US
suspicious
188.114.97.3:443
keyauth.win
CLOUDFLARENET
NL
malicious
2708
nProjectV4.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted

DNS requests

Domain
IP
Reputation
keyauth.win
  • 188.114.96.3
  • 188.114.97.3
malicious
dns.msftncsi.com
  • 131.107.255.255
shared
cdn.discordapp.com
  • 162.159.129.233
  • 162.159.133.233
  • 162.159.130.233
  • 162.159.134.233
  • 162.159.135.233
shared
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
2708
nProjectV4.exe
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
No debug info