| File name: | RAR Password Unlocker.rar |
| Full analysis: | https://app.any.run/tasks/b2a83827-6dc4-47de-9fb0-1f629f298f2e |
| Verdict: | Malicious activity |
| Analysis date: | July 09, 2024, 22:56:34 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | B5DB42D8A36B257091FB21AEBE2DFD48 |
| SHA1: | 24E31AC99F876A675DDB7BA613849F971C174CEA |
| SHA256: | BD21E68E2E72D7E821F75C72F94C3769DD0F4E37E82BB63FA827C6DC2751D4A6 |
| SSDEEP: | 98304:TxTYkE4sZdQBAYt6ii4Jlx8bERnH5oP6z8fVCv6Z38f5Y59IbfegdBrRS0EahRli:li9yESttRol6rrqjSMNu3OMCHd |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3532)
- rar_password_unlocker_trial.exe (PID: 680)
- rar_password_unlocker_trial.exe (PID: 2840)
- rar_password_unlocker_trial.tmp (PID: 2580)
- vcredist_x86_sp1.exe (PID: 3364)
- msiexec.exe (PID: 3336)
SUSPICIOUS
Executable content was dropped or overwritten
- rar_password_unlocker_trial.exe (PID: 680)
- rar_password_unlocker_trial.exe (PID: 2840)
- rar_password_unlocker_trial.tmp (PID: 2580)
- vcredist_x86_sp1.exe (PID: 3364)
Reads the Windows owner or organization settings
- rar_password_unlocker_trial.tmp (PID: 2580)
- msiexec.exe (PID: 3336)
Process drops legitimate windows executable
- rar_password_unlocker_trial.tmp (PID: 2580)
- vcredist_x86_sp1.exe (PID: 3364)
- msiexec.exe (PID: 3336)
Starts a Microsoft application from unusual location
- vcredist_x86_sp1.exe (PID: 3364)
Checks Windows Trust Settings
- msiexec.exe (PID: 3336)
Drops 7-zip archiver for unpacking
- rar_password_unlocker_trial.tmp (PID: 2580)
The process drops C-runtime libraries
- msiexec.exe (PID: 3336)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3532)
- msiexec.exe (PID: 3336)
Manual execution by a user
- rar_password_unlocker_trial.exe (PID: 680)
- PasswordUnlocker.exe (PID: 2164)
- PasswordUnlocker.exe (PID: 3940)
Create files in a temporary directory
- rar_password_unlocker_trial.exe (PID: 680)
- rar_password_unlocker_trial.exe (PID: 2840)
- rar_password_unlocker_trial.tmp (PID: 2580)
- install.exe (PID: 3572)
- msiexec.exe (PID: 3336)
Checks supported languages
- rar_password_unlocker_trial.tmp (PID: 2748)
- rar_password_unlocker_trial.exe (PID: 680)
- rar_password_unlocker_trial.exe (PID: 2840)
- rar_password_unlocker_trial.tmp (PID: 2580)
- vcredist_x86_sp1.exe (PID: 3364)
- install.exe (PID: 3572)
- msiexec.exe (PID: 3336)
- PasswordUnlocker.exe (PID: 3940)
Reads the computer name
- rar_password_unlocker_trial.tmp (PID: 2748)
- rar_password_unlocker_trial.tmp (PID: 2580)
- vcredist_x86_sp1.exe (PID: 3364)
- install.exe (PID: 3572)
- msiexec.exe (PID: 3336)
- PasswordUnlocker.exe (PID: 3940)
Creates files in the program directory
- rar_password_unlocker_trial.tmp (PID: 2580)
Reads Environment values
- vcredist_x86_sp1.exe (PID: 3364)
Reads the machine GUID from the registry
- vcredist_x86_sp1.exe (PID: 3364)
- msiexec.exe (PID: 3336)
- install.exe (PID: 3572)
- PasswordUnlocker.exe (PID: 3940)
Creates a software uninstall entry
- msiexec.exe (PID: 3336)
- rar_password_unlocker_trial.tmp (PID: 2580)
VMProtect protector has been detected
- PasswordUnlocker.exe (PID: 3940)
Reads the software policy settings
- msiexec.exe (PID: 3336)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
60
Monitored processes
11
Malicious processes
6
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 680 | "C:\Users\admin\Desktop\rar_password_unlocker_trial.exe" | C:\Users\admin\Desktop\rar_password_unlocker_trial.exe | explorer.exe | ||||||||||||
User: admin Company: RAR Password Unlocker, Inc. Integrity Level: MEDIUM Description: RAR Password Unlocker Setup Exit code: 0 Version: 5.0.0.0 Modules
| |||||||||||||||
| 2164 | "C:\Program Files\RAR Password Unlocker\PasswordUnlocker.exe" | C:\Program Files\RAR Password Unlocker\PasswordUnlocker.exe | — | explorer.exe | |||||||||||
User: admin Company: Password Unlocker, Inc. Integrity Level: MEDIUM Description: Password Unlocker Exit code: 3221226540 Version: 4, 0, 0, 0 Modules
| |||||||||||||||
| 2580 | "C:\Users\admin\AppData\Local\Temp\is-62QQH.tmp\rar_password_unlocker_trial.tmp" /SL5="$70208,13075595,67072,C:\Users\admin\Desktop\rar_password_unlocker_trial.exe" /SPAWNWND=$60188 /NOTIFYWND=$6019E | C:\Users\admin\AppData\Local\Temp\is-62QQH.tmp\rar_password_unlocker_trial.tmp | rar_password_unlocker_trial.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
| 2748 | "C:\Users\admin\AppData\Local\Temp\is-0UA15.tmp\rar_password_unlocker_trial.tmp" /SL5="$6019E,13075595,67072,C:\Users\admin\Desktop\rar_password_unlocker_trial.exe" | C:\Users\admin\AppData\Local\Temp\is-0UA15.tmp\rar_password_unlocker_trial.tmp | — | rar_password_unlocker_trial.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
| 2840 | "C:\Users\admin\Desktop\rar_password_unlocker_trial.exe" /SPAWNWND=$60188 /NOTIFYWND=$6019E | C:\Users\admin\Desktop\rar_password_unlocker_trial.exe | rar_password_unlocker_trial.tmp | ||||||||||||
User: admin Company: RAR Password Unlocker, Inc. Integrity Level: HIGH Description: RAR Password Unlocker Setup Exit code: 0 Version: 5.0.0.0 Modules
| |||||||||||||||
| 3336 | C:\Windows\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3364 | "C:\Users\admin\AppData\Local\Temp\is-3JF1U.tmp\vcredist_x86_sp1.exe" /q | C:\Users\admin\AppData\Local\Temp\is-3JF1U.tmp\vcredist_x86_sp1.exe | rar_password_unlocker_trial.tmp | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Visual C++ 2008 Redistributable Setup Exit code: 0 Version: 9.0.30729.17 Modules
| |||||||||||||||
| 3512 | "C:\Program Files\RAR Password Unlocker\PasswordUnlocker.exe" | C:\Program Files\RAR Password Unlocker\PasswordUnlocker.exe | — | rar_password_unlocker_trial.tmp | |||||||||||
User: admin Company: Password Unlocker, Inc. Integrity Level: MEDIUM Description: Password Unlocker Exit code: 3221226540 Version: 4, 0, 0, 0 Modules
| |||||||||||||||
| 3532 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RAR Password Unlocker.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 3572 | c:\fe182a3b40714c79fba1c68508de68\.\install.exe /q | C:\fe182a3b40714c79fba1c68508de68\install.exe | — | vcredist_x86_sp1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: External Installer Exit code: 0 Version: 9.0.30729.1 built by: SP Modules
| |||||||||||||||
Total events
14 658
Read events
14 372
Write events
267
Delete events
19
Modification events
| (PID) Process: | (3532) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3532) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3532) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3532) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3532) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3532) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3532) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\RAR Password Unlocker.rar | |||
| (PID) Process: | (3532) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3532) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3532) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
49
Suspicious files
33
Text files
32
Unknown types
5
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2580 | rar_password_unlocker_trial.tmp | C:\Program Files\RAR Password Unlocker\is-HV55M.tmp | executable | |
MD5:1C47B1A97D8631A1B4A4F33CA607D68C | SHA256:C9934722ADA043EE0DD23D7BB2DAE5246950BC959EA3E053303BC8B4BF050B7A | |||
| 3532 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3532.12231\rar_password_unlocker_trial.exe | executable | |
MD5:48789C5E277FD44D46532ED4028F0604 | SHA256:F0F61F7FFE72AF8C9913938A71488C35E9AE9D68FA37750FE84818663BF9D706 | |||
| 2580 | rar_password_unlocker_trial.tmp | C:\Users\admin\AppData\Local\Temp\is-3JF1U.tmp\_isetup\_shfoldr.dll | executable | |
MD5:92DC6EF532FBB4A5C3201469A5B5EB63 | SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 | |||
| 2580 | rar_password_unlocker_trial.tmp | C:\Program Files\RAR Password Unlocker\PasswordUnlocker.exe | executable | |
MD5:B4AC574F9C7DDFCCEC3B0F48E21C5376 | SHA256:20AA8C822DB899B82ADA9A6F726E228A68F8BCD170F94E76061E8E8971B6027F | |||
| 2580 | rar_password_unlocker_trial.tmp | C:\Users\admin\AppData\Local\Temp\is-3JF1U.tmp\vcredist_x86_sp1.exe | executable | |
MD5:5689D43C3B201DD3810FA3BBA4A6476A | SHA256:41F45A46EE56626FF2699D525BB56A3BB4718C5CA5F4FB5B3B38ADD64584026B | |||
| 2580 | rar_password_unlocker_trial.tmp | C:\Program Files\RAR Password Unlocker\is-ET296.tmp | executable | |
MD5:32E2377E834060EE0F563BF0C82F5DD0 | SHA256:2913397EB9D7655D3DDC6BD727F90E83631FE80ED3ED18C7292BC8982610628F | |||
| 2580 | rar_password_unlocker_trial.tmp | C:\Program Files\RAR Password Unlocker\unins000.exe | executable | |
MD5:1C47B1A97D8631A1B4A4F33CA607D68C | SHA256:C9934722ADA043EE0DD23D7BB2DAE5246950BC959EA3E053303BC8B4BF050B7A | |||
| 2580 | rar_password_unlocker_trial.tmp | C:\Users\admin\AppData\Local\Temp\is-3JF1U.tmp\is-1J60F.tmp | executable | |
MD5:5689D43C3B201DD3810FA3BBA4A6476A | SHA256:41F45A46EE56626FF2699D525BB56A3BB4718C5CA5F4FB5B3B38ADD64584026B | |||
| 2580 | rar_password_unlocker_trial.tmp | C:\Program Files\RAR Password Unlocker\OpenCL.dll | executable | |
MD5:3DC1D1987581415AD215C2991EDDE05D | SHA256:980A7D83A274A10C6A1522699312C15A985CE9D3600F115E3F89A83188DAF4B8 | |||
| 680 | rar_password_unlocker_trial.exe | C:\Users\admin\AppData\Local\Temp\is-0UA15.tmp\rar_password_unlocker_trial.tmp | executable | |
MD5:CF09D784FD2D5EB3E573F595B9F5E378 | SHA256:7D4F81351E5E368F27F8A372EF7CA5E13CC4BD58B9D31754B29B6968F52B754F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
10
DNS requests
5
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1372 | svchost.exe | GET | 304 | 46.228.146.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
1060 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1372 | svchost.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1060 | svchost.exe | 224.0.0.252:5355 | — | — | — | whitelisted |
1372 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
1372 | svchost.exe | 46.228.146.0:80 | ctldl.windowsupdate.com | LLNW | US | unknown |
1372 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
1372 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
1060 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |