analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Disney+ Checker.rar

Full analysis: https://app.any.run/tasks/3f6478fa-39e1-4e7d-9c12-f23b4fa7bf5c
Verdict: Malicious activity
Analysis date: October 04, 2022, 21:00:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

8EFD1FD6A9B033B4E2A3644AD37A05FA

SHA1:

5E6102591CE62AC661EDBE83B4CB040717C7958B

SHA256:

B2E872A0A96F500DB4F51DA9034C6ED8260A31490036EB5A8726DE9CCC599537

SSDEEP:

12288:ZfNGkIodGwOle5QF+QAqs1jbn4M3BLO155irZnDfI/UhWtueXSl9ubtzh8Rno:fGnognlQQFFPs1j7fxLOb5uhWt7zhf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 1284)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 1024)
      • Disney+ Checker.exe (PID: 2324)
    • Application was dropped or rewritten from another process

      • Disney+ Checker.exe (PID: 2324)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 1284)
      • Disney+ Checker.exe (PID: 2324)
    • Checks supported languages

      • WinRAR.exe (PID: 1284)
      • Disney+ Checker.exe (PID: 2324)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 1284)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1284)
  • INFO

    • Manual execution by user

      • Disney+ Checker.exe (PID: 2324)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs disney+ checker.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1284"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Disney+ Checker.rar"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
1024"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
2324"C:\Users\admin\Desktop\Disney+ Checker.exe" C:\Users\admin\Desktop\Disney+ Checker.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Checker Template
Version:
1.0.0.0
Total events
1 083
Read events
1 073
Write events
10
Delete events
0

Modification events

(PID) Process:(1284) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(1284) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(1284) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1284) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(1284) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(1284) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Disney+ Checker.rar
(PID) Process:(1284) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1284) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1284) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1284) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
9
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1284WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1284.42790\Disney+ Checker.exeexecutable
MD5:A932AF08E53D32D2E8D9BDB06F9BC008
SHA256:81C207BD9AC49769CD620E704ECE0F1F42BE691E0C6C2C5BF931ED08B395C872
1284WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1284.42790\System.Threading.Tasks.Extensions.dllexecutable
MD5:E1E9D7D46E5CD9525C5927DC98D9ECC7
SHA256:4F81FFD0DC7204DB75AFC35EA4291769B07C440592F28894260EEA76626A23C6
1284WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1284.42790\Newtonsoft.Json.dllexecutable
MD5:081D9558BBB7ADCE142DA153B2D5577A
SHA256:B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
1284WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1284.42790\Leaf.xNet.dllexecutable
MD5:EA87F37E78FB9AF4BF805F6E958F68F4
SHA256:DE9AEA105F31F3541CBC5C460B0160D0689A2872D80748CA1456E6E223F0A4AA
1284WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1284.42790\System.Linq.Async.dllexecutable
MD5:242679CD4B3E50804BA3F1B86067347F
SHA256:C4DEFB87BBFC27DAE51C09A89E461D56DD62588923E6F9A1FC6572CD2891E2B6
1284WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1284.42790\System.Runtime.CompilerServices.Unsafe.dllexecutable
MD5:DA04A75DDC22118ED24E0B53E474805A
SHA256:66409F670315AFE8610F17A4D3A1EE52D72B6A46C544CEC97544E8385F90AD74
1284WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1284.42790\System.ValueTuple.dllexecutable
MD5:23EE4302E85013A1EB4324C414D561D5
SHA256:E905D102585B22C6DF04F219AF5CBDBFA7BC165979E9788B62DF6DCC165E10F4
1284WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1284.42790\Colorful.Console.dllexecutable
MD5:9F6CE7FF934FB2E786CED3516705EFAD
SHA256:59A3696950AC3525E31CDD26727DABD9FECD2E1BDC1C47C370D4B04420592436
1284WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1284.42790\Microsoft.Bcl.AsyncInterfaces.dllexecutable
MD5:3DB37C6837C8044CF56D062E9EA28639
SHA256:931163E57A151CE3252C726BB5FEBFD741999EED4D041381F14667212BEB8116
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info