| File name: | 创世v1.rar |
| Full analysis: | https://app.any.run/tasks/1256a774-9e1f-44ee-a544-19f99392f59f |
| Verdict: | Malicious activity |
| Analysis date: | January 20, 2024, 14:55:04 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 881E9B20D5E1EADDB3FCFBA5DC001F9A |
| SHA1: | B29D4A1A388C34D95797B1F59D7D5DCBD8DFCE8C |
| SHA256: | BCCD5E64BB3AB2794638CD5BEF2B67156FAAA56B3EC169E0FB51E73BA9DCDF3E |
| SSDEEP: | 98304:XZMgnUl83Vf6/MQyC+ILrDPbfurQwgUo4AvRFdquyuLtdyLDQ8VQl3PDBf7JKnM8:Hi+/W+Oen |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 2044)
- 创世v1.exe (PID: 316)
- server.exe (PID: 2348)
Starts CMD.EXE for self-deleting
- server.exe (PID: 2348)
SUSPICIOUS
Reads the Internet Settings
- 创世v1.exe (PID: 316)
- server.exe (PID: 2348)
Executable content was dropped or overwritten
- 创世v1.exe (PID: 316)
- server.exe (PID: 2348)
- rundll32.exe (PID: 2500)
Starts CMD.EXE for commands execution
- server.exe (PID: 2348)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 1892)
INFO
Reads the machine GUID from the registry
- 创世v1.exe (PID: 316)
Checks supported languages
- 创世v1.exe (PID: 316)
- server.exe (PID: 2348)
- 附_文件捆绑器.exe (PID: 2060)
- 附_文件捆绑器.exe (PID: 1572)
Manual execution by a user
- 创世v1.exe (PID: 316)
- server.exe (PID: 2348)
- 附_文件捆绑器.exe (PID: 1572)
- taskmgr.exe (PID: 2888)
- 附_文件捆绑器.exe (PID: 2060)
Reads the computer name
- 创世v1.exe (PID: 316)
- server.exe (PID: 2348)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 2044)
Create files in a temporary directory
- server.exe (PID: 2348)
Drops the executable file immediately after the start
- rundll32.exe (PID: 2500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
56
Monitored processes
9
Malicious processes
0
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 316 | "C:\Users\admin\Desktop\创世v1.exe" | C:\Users\admin\Desktop\创世v1.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Gh0st Microsoft 基础类应用程序 Exit code: 0 Version: 1, 0, 0, 1 Modules
| |||||||||||||||
| 1572 | "C:\Users\admin\Desktop\附_文件捆绑器\附_文件捆绑器.exe" | C:\Users\admin\Desktop\附_文件捆绑器\附_文件捆绑器.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1892 | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\admin\Desktop\server.exe" | C:\Windows\System32\cmd.exe | — | server.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2044 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\创世v1.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2060 | "C:\Users\admin\Desktop\附_文件捆绑器\附_文件捆绑器.exe" | C:\Users\admin\Desktop\附_文件捆绑器\附_文件捆绑器.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2348 | "C:\Users\admin\Desktop\server.exe" | C:\Users\admin\Desktop\server.exe | explorer.exe | ||||||||||||
User: admin Company: SARL CRL Integrity Level: HIGH Description: Application MFC LoadDll Exit code: 0 Version: 1, 0, 0, 0 Modules
| |||||||||||||||
| 2440 | ping 127.0.0.1 -n 1 | C:\Windows\System32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2500 | Rundll32 "c:\users\admin\appdata\local\temp\947359.dll",Uninstall | C:\Windows\System32\rundll32.exe | SRDSL.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2888 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\System32\taskmgr.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
2 624
Read events
2 566
Write events
54
Delete events
4
Modification events
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (316) 创世v1.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | NodeSlots |
Value: 020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||
Executable files
6
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.282\创世v1\Install.dat | executable | |
MD5:58BA5BFC429392E9C92C3382D88696FC | SHA256:9884F13B73B7FCA9A013A940254F6764AE5366083AC669BD9F96037CDE99646C | |||
| 316 | 创世v1.exe | C:\Users\admin\Desktop\server.exe | executable | |
MD5:9757C5EB2FF2CDEF69D27FA94D6514D5 | SHA256:CD72310E6FA0933BEB0249B40429CB30FFD2227014573E782F035332A2A8BF53 | |||
| 2500 | rundll32.exe | C:\Windows\System32\1021718.bak | executable | |
MD5:452848D5DD74D6D6A0BDD61C69CB5620 | SHA256:010F61FABCC2671FCAE82FE7895B77B634D6D27DAB6BC15524336D3803408B9B | |||
| 2348 | server.exe | C:\Users\admin\AppData\Local\Temp\947359.dll | executable | |
MD5:452848D5DD74D6D6A0BDD61C69CB5620 | SHA256:010F61FABCC2671FCAE82FE7895B77B634D6D27DAB6BC15524336D3803408B9B | |||
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.282\创世v1\创世v1.exe | executable | |
MD5:FBD6E03F388C9834217B598119DD652D | SHA256:03EA0C4C9D22E8DFA135F7550BBCB8B0ED8D84E8A154100D64F211BAA6FF5594 | |||
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.282\创世v1\创世v1.ini | ini | |
MD5:78CDBFE45999972A304C7C5964BC42DF | SHA256:5CCF7E78ABEA94EB1B5D828EB4552169703E280F8011EC66649BC093E01FE81A | |||
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.282\创世v1\附_文件捆绑器\附_文件捆绑器.exe | executable | |
MD5:1D803902994F6B7FF7950AF00B5F421B | SHA256:C632F01C8DB75F2B86FC6AD079361B735349BA80C69C3948CFCFBAFFA54FDBB3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
DNS requests
Threats
Process | Message |
|---|---|
创世v1.exe | --0--
|
创世v1.exe | CIOCPServer=01F6D6C0
|
创世v1.exe | LC 1652 AllocateContext
|
创世v1.exe | LC 1836 OnClientReading
|
创世v1.exe | EC 1652 AllocateContext
|
创世v1.exe | LC 1652 OnAccept
|
创世v1.exe | EC 1836 OnClientReading
|
创世v1.exe | EC 1652 OnAccept
|
创世v1.exe | EC 784 Send
|
创世v1.exe | ·¢ËÍÍê³É Çå¿ÕBuffer
|