File name: _SolidSQUAD_.7z

Full analysis: https://app.any.run/tasks/cc51dc08-126c-453a-9943-d6191ef3f118
Verdict: Malicious activity
Analysis date: March 28, 2024, 16:41:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 5428A7F12A6D76AB40784FDAE7EA73A4
SHA1: F06E9CE324C54389DC333D7BB896A274DBA5E9A0
SHA256: B8B9B5B8083F7B913D39829D0A1B4729D66212C35E6B549373968F682F49C1AA
SSDEEP: 49152:kaDOtGtkLnpgmrrrUhRXjreWGBRDEJeAqL4MaXL1mVqtY//Lm0AZV+SbVXca7LwN:kwTtcVr0h9GWGBIdq9IL1mgq//e6SbVQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2120)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 2232)
      • net.exe (PID: 2692)
      • net.exe (PID: 984)
      • cmd.exe (PID: 2568)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 2120)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 2120)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 2120)
    • Uses REG/REGEDIT.EXE to modify registry

      • WinRAR.exe (PID: 2120)
  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 2908)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2908)
    • Checks supported languages

      • wmpnscfg.exe (PID: 2908)
      • sw_d.exe (PID: 2576)
      • installs.exe (PID: 3528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 63
Monitored processes: 15
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Processes in the graph, in start order: winrar.exe, cmd.exe, net.exe, net1.exe, wmpnscfg.exe, regedit.exe, regedit.exe, regedit.exe, regedit.exe, sw_d.exe, installs.exe, installs.exe, cmd.exe, net.exe, net1.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 984
CMD: net start "SolidWorks Flexnet Server"
Path: C:\Windows\System32\net.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Net Command
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
PID: 1348
CMD: "regedit.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2120.12833\SolidSQUADLoaderEnabler.reg"
Path: C:\Windows\regedit.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
PID: 1860
CMD: "regedit.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2120.13725\sw2021_network_serials_licensing.reg"
Path: C:\Windows\regedit.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
PID: 2120
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\_SolidSQUAD_.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2156
CMD: "regedit.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2120.12833\SolidSQUADLoaderEnabler.reg"
Path: C:\Windows\regedit.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Editor
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2232
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa2120.10621\server_install.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2260
CMD: "regedit.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2120.13725\sw2021_network_serials_licensing.reg"
Path: C:\Windows\regedit.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Editor
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2376
CMD: C:\Windows\system32\net1 start "SolidWorks Flexnet Server"
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Net Command
Exit code: 2
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
PID: 2568
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa2120.22011\server_install.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2576
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2120.17008\SolidWorks_Flexnet_Server\sw_d.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2120.17008\SolidWorks_Flexnet_Server\sw_d.exe
Parent process: WinRAR.exe
User: admin
Company: Dassault Systèmes SolidWorks Corporation
Integrity Level: MEDIUM
Description: sw_dn
Exit code: 39
Version: 29.0.0.3
Modules (Images):
c:\users\admin\appdata\local\temp\rar$exa2120.17008\solidworks_flexnet_server\sw_d.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\netapi32.dll
Total events: 4 509
Read events: 4 459
Write events: 50
Delete events: 0

Modification events

Process: (2120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (2120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (2120) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (2120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

Process: (2120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (2120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

Process: (2120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\_SolidSQUAD_.7z

Process: (2120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (2120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (2120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 80
Suspicious files: 0
Text files: 16
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2120.10621\server_install.bat | text
MD5:
SHA256:
2120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2120.12833\SolidSQUADLoaderEnabler.reg | text
MD5:
SHA256:
2120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2120.13725\sw2021_network_serials_licensing.reg | text
MD5:
SHA256:
2120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2120.17008\readme.txt | text
MD5:
SHA256:
2120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2120.17008\SolidSQUADLoaderEnabler.reg | text
MD5:
SHA256:
2120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2120.17008\SolidWorks_Flexnet_Server\server_install.bat | text
MD5:
SHA256:
2120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2120.17008\SolidWorks_Flexnet_Server\server_remove.bat | text
MD5:
SHA256:
2120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2120.17008\SolidWorks_Flexnet_Server\sw_d_SSQ.lic | text
MD5:
SHA256:
2120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2120.17008\sw2021_network_serials_licensing.reg | text
MD5:
SHA256:
2120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2120.17008\Program Files (x86)\SOLIDWORKS PDM\netapi32.dll | executable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info