| File name: | sample.7z |
| Full analysis: | https://app.any.run/tasks/567bfd13-a9a2-41ad-87f1-b226d9c91d36 |
| Verdict: | Malicious activity |
| Analysis date: | May 11, 2024, 01:55:03 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | C9C2F3805F0012628E9D62E8F75AF4DD |
| SHA1: | B6269B1FC8813B93C11EC6066DC33D9F99F2E431 |
| SHA256: | B2C3BEDA4B000A3D9AF0A457D6D942EC81696F3ED485F7CF723B18008A5F3D10 |
| SSDEEP: | 3072:pYWJsCuSlRODbWhyyZZsZ77n4s31uZzd2ppyMPOLOcrgCz:pbuSlicZyx4W1uLYpyMPOLjhz |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 1680)
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 1680)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 1680)
INFO
Dropped object may contain TOR URL's
- WinRAR.exe (PID: 1680)
Manual execution by a user
- explorer.exe (PID: 4012)
- WinRAR.exe (PID: 1680)
- WinRAR.exe (PID: 2260)
- builder.exe (PID: 2452)
- builder.exe (PID: 1960)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 1680)
- WinRAR.exe (PID: 2260)
Checks supported languages
- builder.exe (PID: 1488)
- builder.exe (PID: 1960)
- builder.exe (PID: 2452)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1680)
- WinRAR.exe (PID: 2260)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
|---|---|---|
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
Total processes
47
Monitored processes
8
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1488 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb1680.36435\LBLeak\builder.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb1680.36435\LBLeak\builder.exe | — | WinRAR.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1604 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIb1680.39898\Build.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 9009 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1680 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\sample.7z" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 1960 | "C:\Users\admin\Desktop\sample\builder.exe" | C:\Users\admin\Desktop\sample\builder.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2260 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\sample.7z" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 2452 | "C:\Users\admin\Desktop\sample\builder.exe" | C:\Users\admin\Desktop\sample\builder.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3964 | "C:\Windows\System32\runas.exe" /user:administrator %sample.7z% | C:\Windows\System32\runas.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Run As Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4012 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
6 558
Read events
6 510
Write events
48
Delete events
0
Modification events
| (PID) Process: | (1680) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (1680) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (1680) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1680) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface |
| Operation: | write | Name: | ShowPassword |
Value: 0 | |||
| (PID) Process: | (1680) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (1680) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (1680) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (1680) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Downloads\sample.7z | |||
| (PID) Process: | (1680) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1680) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
Executable files
3
Suspicious files
1
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1680 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1680.36435\LBLeak\builder.exe | executable | |
MD5:8C689DC9E82C9356B990D2B67B4943E1 | SHA256:E8E2DEB0A83AEBB1E2CC14846BC71715343372103F279D2D1622E383FB26D6EF | |||
| 2260 | WinRAR.exe | C:\Users\admin\Desktop\sample\builder.exe | executable | |
MD5:8C689DC9E82C9356B990D2B67B4943E1 | SHA256:E8E2DEB0A83AEBB1E2CC14846BC71715343372103F279D2D1622E383FB26D6EF | |||
| 1680 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb1680.39898\Build.bat | text | |
MD5:4E46E28B2E61643F6AF70A8B19E5CB1F | SHA256:8E83A1727696CED618289F79674B97305D88BEEEABF46BD25FC77AC53C1AE339 | |||
| 1680 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1680.36435\LBLeak\Build.bat | text | |
MD5:4E46E28B2E61643F6AF70A8B19E5CB1F | SHA256:8E83A1727696CED618289F79674B97305D88BEEEABF46BD25FC77AC53C1AE339 | |||
| 1680 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1680.36435\LBLeak\config.json | binary | |
MD5:A6BA7B662DE10B45EBE5B6B7EDAA62A9 | SHA256:3F7518D88AEFD4B1E0A1D6F9748F9A9960C1271D679600E34F5065D8DF8C9DC8 | |||
| 1680 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1680.36435\LBLeak\keygen.exe | executable | |
MD5:5E28C7C900E4DCE08366051C22F07F84 | SHA256:BB76F4D10EC2C1D24BE904D2EE078F34A6B5BD11F3B40F295E116FEA44824B89 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |