File name: 4.rar
Full analysis: https://app.any.run/tasks/d46c002c-83c0-46d6-b94c-8ec60eabcc53
Verdict: Malicious activity
Analysis date: January 18, 2019, 08:33:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: ACF56AA41259A7C0DB6E919FFA2CACCF
SHA1: 7D7DD70AA7FB45BCD8EC5B33C3F58025C2A3417D
SHA256: BC48B395C4892E684C34534015C653FD3EB6302D6ED1F81E616CD74878BE7D34
SSDEEP: 3072:qlnKcRT/Sjn4AmLVEpBze59GepowHfmydy0MJmpsrvw0y0k9ixAZK0lCo8C8c:iZRT/aiVEnkCw/ldDMMb9ixxwl
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Netflix V2.0.exe (PID: 3632)
      • Service.exe (PID: 3972)
      • UAC.exe (PID: 1860)
    • Writes to a start menu file
      • UAC.exe (PID: 1860)
    • Changes the autorun value in the registry
      • UAC.exe (PID: 1860)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Service.exe (PID: 3972)
      • Netflix V2.0.exe (PID: 3924)
    • Connects to unusual port
      • Service.exe (PID: 3972)
      • UAC.exe (PID: 1860)
    • Creates files in the user directory
      • Service.exe (PID: 3972)
      • UAC.exe (PID: 1860)
    • Starts itself from another location
      • Service.exe (PID: 3972)
  • INFO
    • No info indicators.
No Malware configuration.
TRiD:
  • .rar | RAR compressed archive (v5.0) (61.5)
  • .rar | RAR compressed archive (gen) (38.4)
Total processes: 36
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 2

Behavior graph

(Interactive graph, available in the full report. Nodes shown: winrar.exe (no specs), netflix v2.0.exe, netflix v2.0.exe (no specs), service.exe, uac.exe; edge labels: "start" and "drop and start". The parent/child relationships are listed under Process information below.)

Process information

PID 2992: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\4.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0
  Exit code: 0

PID 3924: "C:\Users\admin\Desktop\Netflix by burnwood 2.1\Netflix V2.0.exe"
  Path: C:\Users\admin\Desktop\Netflix by burnwood 2.1\Netflix V2.0.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Description: Netflix V2.0
  Version: 1.0.0.0
  Exit code: 0

PID 3632: "C:\Users\admin\AppData\Local\Temp\Netflix V2.0.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Netflix V2.0.exe
  Parent process: Netflix V2.0.exe
  User: admin
  Integrity level: MEDIUM
  Description: Netflix V2.0
  Version: 1.0.0.0
  Exit code: 3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT: the process did not exit normally)

PID 3972: "C:\Users\admin\AppData\Local\Temp\Service.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Service.exe
  Parent process: Netflix V2.0.exe
  User: admin
  Integrity level: MEDIUM
  Description: Service
  Version: 1.0.0.0
  Exit code: 0

PID 1860: "C:\Users\admin\AppData\Roaming\UAC.exe"
  Path: C:\Users\admin\AppData\Roaming\UAC.exe
  Parent process: Service.exe
  User: admin
  Integrity level: MEDIUM
  Description: Service
  Version: 1.0.0.0
  Exit code: none recorded

Every process in the chain runs at MEDIUM integrity as user admin; nothing here elevated. Service.exe and UAC.exe share the same description and version string, consistent with the identical hashes shown under Dropped files.
Total events: 2 183
Read events: 2 121
Write events: 0
Delete events: 0
Modification events: no data

(The "Changes the autorun value in the registry" indicator raised for UAC.exe is not reflected in these summary counts.)

Executable files: 3
Suspicious files: 0
Text files: 0
Unknown types: 1

Dropped files

PID 2992 (WinRAR.exe)
  C:\Users\admin\AppData\Local\Temp\Rar$DRb2992.41811\Netflix by burnwood 2.1\Netflix V2.0.exe
  C:\Users\admin\AppData\Local\Temp\Rar$DRb2992.41811\Netflix by burnwood 2.1\xNet-Ameliorated.dll
  C:\Users\admin\AppData\Local\Temp\Rar$DRb2992.41811\Netflix by burnwood 2.1\Netflix V2.0.exe.config
  (type, MD5 and SHA256 not listed for these three archive members)

PID 3924 (Netflix V2.0.exe)
  C:\Users\admin\AppData\Local\Temp\Netflix V2.0.exe  [executable]
    MD5: B8314FE31F60F60FCD8259A98F6D9F75
    SHA256: F4F3E8EBD084A82970D8506960A8D3D44EEBCBFBF22DC95D05180D6F82C3BB66
  C:\Users\admin\AppData\Local\Temp\Service.exe  [executable]
    MD5: C95F07A0BC85B6E6771BC877EBDBF615
    SHA256: 594BCE8C8316D4A86E827197C0CED91C5B2F6BDF36EC468F8FFC3A1564CD3922

PID 3972 (Service.exe)
  C:\Users\admin\AppData\Roaming\UAC.exe  [executable]
    MD5: C95F07A0BC85B6E6771BC877EBDBF615
    SHA256: 594BCE8C8316D4A86E827197C0CED91C5B2F6BDF36EC468F8FFC3A1564CD3922

PID 1860 (UAC.exe)
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\logs.lnk  [lnk]
    MD5: 7E532EFDD49C1284964144A4E708488E
    SHA256: 64AFAFAC8DFB1813E1E0393A9E2A7B30BA7B9E8B7D3EDA26C19C6EAF56FC88F5

UAC.exe carries the same MD5/SHA256 as Service.exe: Service.exe copied itself to %APPDATA%\UAC.exe and launched the copy (the "Starts itself from another location" indicator), and that copy then wrote the logs.lnk shortcut into the per-user Startup folder, so the payload is re-launched at logon. The Roaming\UAC.exe path and the Startup-folder .lnk are the two host artifacts worth sweeping for.
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 44
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP:port             Domain            ASN                               CN  Reputation
1860  UAC.exe      39.52.173.29:2222   uogapk7.ddns.net  Pakistan Telecom Company Limited  PK  unknown
1860  UAC.exe      39.52.173.29:2222   uogapk7.ddns.net  Pakistan Telecom Company Limited  PK  unknown  (second connection from the same process)
3972  Service.exe  39.52.173.29:2222   uogapk7.ddns.net  Pakistan Telecom Company Limited  PK  unknown

All listed connections go to a single dynamic-DNS host on TCP port 2222, which is what raised the "Connects to unusual port" indicator for both Service.exe and UAC.exe. No HTTP traffic was seen, so the protocol on 2222 is not identified in this summary; the PCAP in the full report is needed for that.

DNS requests

Domain             IP               Reputation
uogapk3.ddns.net   0.0.0.0          malicious
uogapk4.ddns.net   0.0.0.0          malicious
uogapk5.ddns.net   0.0.0.0          malicious
uogapk6.ddns.net   0.0.0.0          malicious
uogapk7.ddns.net   39.52.173.29     malicious
dns.msftncsi.com   131.107.255.255  shared
uogapk8.ddns.net   0.0.0.0          malicious
uogapk9.ddns.net   0.0.0.0          malicious
uogapk10.ddns.net  0.0.0.0          malicious
uogapk11.ddns.net  (no address)     malicious

The sample walks a numbered series of fallback hostnames, uogapk3.ddns.net through uogapk11.ddns.net; only uogapk7 resolved to a routable address, and that is the host both Service.exe and UAC.exe connected to. dns.msftncsi.com is the Windows network-connectivity (NCSI) probe, not sample traffic. The 44 DNS requests counted above versus ten distinct names indicates the list is retried repeatedly.
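The host and network indicators from the Dropped files, Connections and DNS sections above, turned into a small matcher. This is an added example, not part of the ANY.RUN report and not the sample's own code. It assumes a constructed one-record-per-line input format ("DNS <name>", "CONN <ip>:<port>", "FILE <path> <sha256>") and generalises the observed uogapk3..uogapk11 hostnames to any numeric suffix; the sample log lines are constructed for illustration, not captured from the run.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Indicators copied from the ANY.RUN summary above (SHA-256 lower-cased so
# lookups are case-insensitive).
SHA256_IOCS: Dict[str, str] = {
    "bc48b395c4892e684c34534015c653fd3eb6302d6ed1f81e616cd74878be7d34": "4.rar",
    "f4f3e8ebd084a82970d8506960a8d3d44eebcbfbf22dc95d05180d6f82c3bb66": "Netflix V2.0.exe (Temp copy)",
    "594bce8c8316d4a86e827197c0ced91c5b2f6bdf36ec468f8ffc3a1564cd3922": "Service.exe / UAC.exe",
    "64afafac8dfb1813e1e0393a9e2a7b30ba7b9e8b7d3eda26c19c6eaf56fc88f5": "Startup\\logs.lnk",
}
C2_ENDPOINT: Tuple[str, int] = ("39.52.173.29", 2222)
# Assumption: the report shows uogapk3..uogapk11 queried in turn, so the family
# is matched by pattern rather than by listing the nine observed names.
C2_DOMAIN_RE = re.compile(r"^uogapk\d+\.ddns\.net$", re.IGNORECASE)
# Persistence locations from the Dropped files table: the self-copy in
# %APPDATA% and any .lnk written into the per-user Startup folder.
PERSISTENCE_PATH_RE = re.compile(
    r"\\AppData\\Roaming\\(UAC\.exe|Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Hit:
    kind: str   # "hash", "dns", "c2" or "persistence"
    value: str  # the matched artifact
    note: str   # what the report says about it


def match_dns(query: str) -> List[Hit]:
    if C2_DOMAIN_RE.match(query.strip()):
        return [Hit("dns", query, "dynamic-DNS C2 hostname family (uogapkN.ddns.net)")]
    return []


def match_connection(ip: str, port: int) -> List[Hit]:
    if (ip, port) == C2_ENDPOINT:
        return [Hit("c2", f"{ip}:{port}", "C2 endpoint used by Service.exe and UAC.exe")]
    return []


def match_file(path: str, sha256: str) -> List[Hit]:
    hits: List[Hit] = []
    label = SHA256_IOCS.get(sha256.lower())
    if label:
        hits.append(Hit("hash", sha256.lower(), f"known sample: {label}"))
    if PERSISTENCE_PATH_RE.search(path):
        hits.append(Hit("persistence", path, "autostart location written by the sample"))
    return hits


def find_self_copies(files: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group files by SHA-256; one hash under several paths is the
    'starts itself from another location' behaviour (Service.exe == UAC.exe)."""
    by_hash: Dict[str, set] = {}
    for path, sha in files:
        by_hash.setdefault(sha.lower(), set()).add(path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def scan_log(text: str) -> Tuple[List[Hit], Dict[str, List[str]]]:
    """Parse 'KIND payload' lines and return (hits, self_copies)."""
    hits: List[Hit] = []
    files: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, rest = line.split(" ", 1)
        if kind == "DNS":
            hits.extend(match_dns(rest))
        elif kind == "CONN":
            ip, port = rest.rsplit(":", 1)
            hits.extend(match_connection(ip, int(port)))
        elif kind == "FILE":
            path, sha = rest.rsplit(" ", 1)  # paths may contain spaces; hash never does
            files.append((path, sha))
            hits.extend(match_file(path, sha))
    return hits, find_self_copies(files)


# Constructed sample input (not captured from the sandbox): the report's
# artifacts mixed with benign lines so the negatives are exercised too.
SAMPLE_LOG = r"""
DNS uogapk3.ddns.net
DNS dns.msftncsi.com
DNS uogapk7.ddns.net
CONN 39.52.173.29:2222
CONN 131.107.255.255:53
FILE C:\Users\admin\AppData\Roaming\UAC.exe 594BCE8C8316D4A86E827197C0CED91C5B2F6BDF36EC468F8FFC3A1564CD3922
FILE C:\Users\admin\AppData\Local\Temp\Service.exe 594BCE8C8316D4A86E827197C0CED91C5B2F6BDF36EC468F8FFC3A1564CD3922
FILE C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\logs.lnk 64AFAFAC8DFB1813E1E0393A9E2A7B30BA7B9E8B7D3EDA26C19C6EAF56FC88F5
FILE C:\Windows\notepad.exe 0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    found, copies = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"[{h.kind}] {h.value}  ({h.note})")
    for sha, paths in copies.items():
        print(f"self-copy {sha[:12]}...: {' <-> '.join(paths)}")
```

Matching on the full hostname pattern rather than only on uogapk7 matters because the report shows the sample cycling through the whole series; a host that only ever saw uogapk4 queries with no successful resolution is still running this payload. The self-copy check is deliberately hash-based, since the file names (Service.exe, UAC.exe) are the part an operator can change cheaply.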

Threats

No threats detected
No debug info