File name: x64__x32__installer.zip

Full analysis: https://app.any.run/tasks/792c7a12-1ba1-4cec-abed-4c5e2b6754f8
Verdict: Malicious activity
Analysis date: May 01, 2024, 18:17:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 8C311968FB83ADC9052F4BE272504A26
SHA1: 01E9324892FF2F4286BB0B52B0249E950BBAF7DF
SHA256: BCBEB2A22072A7CFD302AA31B78A556722AA7D52D7B136ADEACEC711F481821C
SSDEEP: 98304:7g7eIXMCeqCMvgdUeq7RDG1w3ECKGUah4EEdaIdQEqwJQbkYku3bj3SR38CKTdA5:G/ajAxXTGZSrnCL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 676)
  • SUSPICIOUS

    • Application launched itself

      • WinRAR.exe (PID: 4000)
      • taskmgr.exe (PID: 2124)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 820)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 4000)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 676)
    • Reads the Internet Settings

      • taskmgr.exe (PID: 2124)
  • INFO

    • Reads security settings of Internet Explorer

      • taskmgr.exe (PID: 2124)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 820)
    • Checks supported languages

      • msiexec.exe (PID: 676)
      • msiexec.exe (PID: 2484)
    • Manual execution by a user

      • taskmgr.exe (PID: 2124)
      • msiexec.exe (PID: 2656)
    • Reads the computer name

      • msiexec.exe (PID: 676)
      • msiexec.exe (PID: 2484)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 820)
      • msiexec.exe (PID: 676)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 676)
      • msiexec.exe (PID: 2484)
    • Application launched itself

      • msiexec.exe (PID: 676)
    • Create files in a temporary directory

      • msiexec.exe (PID: 2656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:05:01 17:32:46
ZipCRC: 0x682aa699
ZipCompressedSize: 4174
ZipUncompressedSize: 980346
ZipFileName: password.jpg
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 8
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Process nodes shown in the graph (the report marks some as "no specs"): winrar.exe (no specs), PhotoViewer.dll (no specs), winrar.exe, taskmgr.exe (no specs), taskmgr.exe, msiexec.exe (no specs), msiexec.exe, msiexec.exe (no specs)

Process information

PID: 676
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 820
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa4000.26146\x64__x32___setup.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1244
CMD: "C:\Windows\system32\taskmgr.exe" /1
Path: C:\Windows\System32\taskmgr.exe
Parent process: taskmgr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Task Manager
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2124
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\System32\taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2484
CMD: C:\Windows\system32\MsiExec.exe -Embedding 0ED4715EB6D086AD57560329635124E9
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2656
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\setup\setup.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 4000
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\x64__x32__installer.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 4044
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 13 278
Read events: 13 206
Write events: 72
Delete events: 0

Modification events

(PID) Process: (4000) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (4000) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (4000) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (4000) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (4000) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (4000) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (4000) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\x64__x32__installer.zip

(PID) Process: (4000) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (4000) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (4000) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 14
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID: 820
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb820.27231\setup.msi
MD5:
SHA256:

PID: 676
Process: msiexec.exe
Filename: C:\Windows\Installer\10f86b.msi
MD5:
SHA256:

PID: 820
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb820.27231\iasnap\mprddm.dll
Type: executable
MD5: AA6C7B6257F5C9175979A36A29B66BE7
SHA256: 6B7AAB5FC92181204E2FA92058C3D1A321377827580164C47973930F3D8335AC

PID: 4000
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa4000.25810\password.jpg
Type: image
MD5: 338E61371ABE6DCE32235FA39A40387E
SHA256: 267A7F2AE4BDDD8A5CF05E734ED92EFC1CFC0E05199060F8DFFE16349CC2665C

PID: 4000
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa4000.26146\x64__x32___setup.zip
Type: compressed
MD5: C88020C08C062EC13B18DA5608533B40
SHA256: C83BD870B634F645A52FB92F34CC26B6EAA6204C6F59F8CDC91D4EFAF696212B

PID: 820
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb820.27231\winmde\daxexec.dll
Type: executable
MD5: AA304599017322A35B85A25C05B2181C
SHA256: DB2FE02682D410DE2E4FA6E9435B9DC14B3739922FE1E6796E8B94942F711944

PID: 820
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb820.27231\winmde\MMDevAPI.dll
Type: executable
MD5: 8123FCED22F5424445BAA833E790ABE8
SHA256: 0A5E682042A3DAD4BF67AB9A0E3542683A12B75C727EC4972820CF15E5CF59C2

PID: 820
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb820.27231\winmde\mi.dll
Type: executable
MD5: 0987DB6E1D0563E9A91E8C8FBF266482
SHA256: 5271E8C2759227B34A2E28C5172798B1D79E86F6EEB325979141D903B8F1F7AB

PID: 820
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb820.27231\iasnap\iasnap.dll
Type: executable
MD5: 9159148D50715F59A725A977967898B7
SHA256: 7C1DFB2B669A3346DB1C72AA240AA0C8C11AE874F295957A4AE5225AEA5CE338

PID: 820
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb820.27231\srhelper\sppobjs.dll
Type: executable
MD5: BF28019CD8187341479BBB4EFECC45D6
SHA256: 6B051B1D3E3E74201A97FED167AF3A10409237A275EFE514FDAD5EF4BFEA03F9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 4 (System): 192.168.100.255:137, reputation: whitelisted
(PID/process not shown in the extracted report): 224.0.0.252:5355, reputation: unknown
PID 4 (System): 192.168.100.255:138, reputation: whitelisted
PID 1088 (svchost.exe): 224.0.0.252:5355, reputation: unknown
(The Domain, ASN and CN columns are empty for every row.)

DNS requests

No data

Threats

No threats detected
No debug info