| File name: | Patch-Ali.Dbg_v18.2.rar |
| Full analysis: | https://app.any.run/tasks/5b7974c7-9c1e-40fd-9268-4d6563b80f55 |
| Verdict: | Malicious activity |
| Analysis date: | February 08, 2024, 22:25:57 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | CA36EFC404210742D81FA6ECA2D4AB04 |
| SHA1: | 9F8F7F695754C460E6E2F2EB1CDB9FA3A10EB759 |
| SHA256: | BE1621B0986D046FDB06E79A6F225FBE9514E59F506E1C23870ADFB2FDAEFCEB |
| SSDEEP: | 768:WYHVPFYTwF8PJ4GrwfBKtpohqltfW/0yuxT/7SRNBraB6Af2SjOzZzZL:JVPFYW6xrwVkfFTjKBrLAfBwJ |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3864)
- IDMan.exe (PID: 880)
- IDM v.6.4x crack v.18.2.exe (PID: 1092)
- wscript.exe (PID: 3500)
- UnSigner.exe (PID: 3940)
- IDM v.6.4x crack v.18.2.exe (PID: 2948)
Creates a writable file in the system directory
- rundll32.exe (PID: 3224)
Changes the autorun value in the registry
- rundll32.exe (PID: 3224)
- IDMan.exe (PID: 880)
Starts NET.EXE for service management
- Uninstall.exe (PID: 3980)
- net.exe (PID: 3556)
Gets a file object corresponding to the file in a specified path (SCRIPT)
- wscript.exe (PID: 3500)
- wscript.exe (PID: 3940)
Deletes a file (SCRIPT)
- wscript.exe (PID: 3500)
- wscript.exe (PID: 3940)
Accesses environment variables (SCRIPT)
- wscript.exe (PID: 3500)
- wscript.exe (PID: 3940)
Copies file to a new location (SCRIPT)
- wscript.exe (PID: 3500)
SUSPICIOUS
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 3864)
- IDM1.tmp (PID: 1352)
- IDMan.exe (PID: 880)
- Uninstall.exe (PID: 3980)
- IDMan.exe (PID: 2984)
- IDM v.6.4x crack v.18.2.exe (PID: 1092)
Creates a software uninstall entry
- IDM1.tmp (PID: 1352)
The process creates files with name similar to system file names
- IDM1.tmp (PID: 1352)
Creates/Modifies COM task schedule object
- IDM1.tmp (PID: 1352)
- IDMan.exe (PID: 880)
- Uninstall.exe (PID: 3980)
Starts application with an unusual extension
- idman642build1.exe (PID: 1576)
Reads the Internet Settings
- IDM1.tmp (PID: 1352)
- IDMan.exe (PID: 880)
- runonce.exe (PID: 1784)
- IDMan.exe (PID: 2984)
- IDM v.6.4x crack v.18.2.exe (PID: 1092)
- Uninstall.exe (PID: 3980)
Reads settings of System Certificates
- IDMan.exe (PID: 880)
- IDMan.exe (PID: 2984)
Checks Windows Trust Settings
- IDMan.exe (PID: 880)
- IDMan.exe (PID: 2984)
Executable content was dropped or overwritten
- IDMan.exe (PID: 880)
- rundll32.exe (PID: 3224)
- IDM v.6.4x crack v.18.2.exe (PID: 1092)
- wscript.exe (PID: 3500)
- UnSigner.exe (PID: 3940)
- IDM v.6.4x crack v.18.2.exe (PID: 2948)
Uses RUNDLL32.EXE to load library
- Uninstall.exe (PID: 3980)
Drops a system driver (possible attempt to evade defenses)
- rundll32.exe (PID: 3224)
Creates or modifies Windows services
- Uninstall.exe (PID: 3980)
Searches for installed software
- IDM v.6.4x crack v.18.2.exe (PID: 1092)
- IDM v.6.4x crack v.18.2.exe (PID: 2948)
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 3500)
- wscript.exe (PID: 3940)
Checks whether a specific file exists (SCRIPT)
- wscript.exe (PID: 3500)
- wscript.exe (PID: 3940)
The process executes VB scripts
- IDM v.6.4x crack v.18.2.exe (PID: 1092)
- IDM v.6.4x crack v.18.2.exe (PID: 2948)
Gets full path of the running script (SCRIPT)
- wscript.exe (PID: 3500)
- wscript.exe (PID: 3940)
Uses REG/REGEDIT.EXE to modify registry
- IDM v.6.4x crack v.18.2.exe (PID: 1092)
- cmd.exe (PID: 4020)
- IDM v.6.4x crack v.18.2.exe (PID: 2948)
- cmd.exe (PID: 3684)
Executing commands from a ".bat" file
- IDM v.6.4x crack v.18.2.exe (PID: 1092)
- IDM v.6.4x crack v.18.2.exe (PID: 2948)
Starts CMD.EXE for commands execution
- IDM v.6.4x crack v.18.2.exe (PID: 1092)
- cmd.exe (PID: 4020)
- cmd.exe (PID: 3684)
- IDM v.6.4x crack v.18.2.exe (PID: 2948)
Uses TASKKILL.EXE to kill process
- IDM v.6.4x crack v.18.2.exe (PID: 1092)
- IDM v.6.4x crack v.18.2.exe (PID: 2948)
Application launched itself
- cmd.exe (PID: 4020)
- cmd.exe (PID: 3684)
Identifying current user with WHOAMI command
- cmd.exe (PID: 2896)
- cmd.exe (PID: 2372)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 4020)
- cmd.exe (PID: 3684)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3864)
Checks supported languages
- idman642build1.exe (PID: 1576)
- IDM v.6.4x crack v.18.2.exe (PID: 1876)
- IDM1.tmp (PID: 1352)
- idmBroker.exe (PID: 2504)
- IDMan.exe (PID: 880)
- Uninstall.exe (PID: 3980)
- MediumILStart.exe (PID: 3036)
- IDMan.exe (PID: 2984)
- IDM v.6.4x crack v.18.2.exe (PID: 1092)
- IEMonitor.exe (PID: 2548)
- UnSigner.exe (PID: 3940)
- IDM v.6.4x crack v.18.2.exe (PID: 2948)
Manual execution by a user
- idman642build1.exe (PID: 2152)
- explorer.exe (PID: 3428)
- idman642build1.exe (PID: 1576)
- firefox.exe (PID: 3976)
- IDM v.6.4x crack v.18.2.exe (PID: 1092)
- IDM v.6.4x crack v.18.2.exe (PID: 2948)
- IDM v.6.4x crack v.18.2.exe (PID: 3192)
Reads the machine GUID from the registry
- IDM1.tmp (PID: 1352)
- IDMan.exe (PID: 880)
- IDMan.exe (PID: 2984)
- MediumILStart.exe (PID: 3036)
Create files in a temporary directory
- idman642build1.exe (PID: 1576)
- IDM1.tmp (PID: 1352)
- IDMan.exe (PID: 880)
- IDMan.exe (PID: 2984)
- IDM v.6.4x crack v.18.2.exe (PID: 1092)
- IDM v.6.4x crack v.18.2.exe (PID: 2948)
Creates files in the program directory
- IDM1.tmp (PID: 1352)
- IDMan.exe (PID: 880)
- wscript.exe (PID: 3500)
Reads the computer name
- IDM1.tmp (PID: 1352)
- IDMan.exe (PID: 880)
- MediumILStart.exe (PID: 3036)
- IDMan.exe (PID: 2984)
- IEMonitor.exe (PID: 2548)
- IDM v.6.4x crack v.18.2.exe (PID: 1092)
- Uninstall.exe (PID: 3980)
Creates files or folders in the user directory
- IDM1.tmp (PID: 1352)
- IDMan.exe (PID: 880)
Reads the software policy settings
- IDMan.exe (PID: 880)
- IDMan.exe (PID: 2984)
Checks proxy server information
- IDMan.exe (PID: 880)
Creates files in the driver directory
- rundll32.exe (PID: 3224)
Application launched itself
- firefox.exe (PID: 3976)
- firefox.exe (PID: 2040)
Drops the executable file immediately after the start
- rundll32.exe (PID: 3224)
Reads the time zone
- runonce.exe (PID: 1784)
Reads security settings of Internet Explorer
- runonce.exe (PID: 1784)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
650
Monitored processes
591
Malicious processes
12
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 120 | REG DELETE "HKLM\Software\Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 124 | reg query "HKU\.DEFAULT\Software\Wow6432Node\Download Manager" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 128 | reg query "HKU\.DEFAULT\Software\Classes\Wow6432Node\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 240 | REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 268 | reg query "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 268 | reg query "HKCU\Software\Wow6432Node\Download Manager" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 296 | reg query "HKCU\Software\Classes\CLSID\{84797876-C678-1780-A556-0CD06786780F}" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 296 | REG DELETE "HKU\.DEFAULT\Software\Classes\CLSID\{E8CF4E59-B7A3-41F2-86C7-82B03334F22A}" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 316 | reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 316 | reg query "HKCU\Software\Classes\CLSID\{9C9D53D4-A978-43FC-93E2-1C21B529E6D7}" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
46 131
Read events
45 374
Write events
604
Delete events
153
Modification events
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Patch-Ali.Dbg_v18.2.rar | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
19
Suspicious files
87
Text files
25
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3864.15313\IDM v.6.4x crack v.18.2.exe | executable | |
MD5:2AB7A4477F4C4B6D7E6371D1EB141B1E | SHA256:3205DBB244DE8D75BE0AFB501C4711D126CC877223F81428BF2FC761FAADB682 | |||
| 3864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3864.22606\IDM v.6.4x crack v.18.2.exe | executable | |
MD5:2AB7A4477F4C4B6D7E6371D1EB141B1E | SHA256:3205DBB244DE8D75BE0AFB501C4711D126CC877223F81428BF2FC761FAADB682 | |||
| 1352 | IDM1.tmp | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Uninstall IDM.lnk | binary | |
MD5:EAC3C99730A807F12EA10F92E3FC33E0 | SHA256:2F7F021F7A0020593FA389BA83414D0398D4125D7B657311728FC16EAAC71E68 | |||
| 1352 | IDM1.tmp | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\license.lnk | binary | |
MD5:0FEB86BE5CDB58A30CA42D555D882747 | SHA256:05FD13C69B5562729D689953FCDB5EEAD886EE29D458365D3558958CAA33E986 | |||
| 1352 | IDM1.tmp | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Internet Download Manager.lnk | binary | |
MD5:CC1CAD3A30200B58220D839E70969F3F | SHA256:4625561F5E49A67FAA79FB8E766CBB9D03C16AE7342D8C007737BD2D9095BEB5 | |||
| 1352 | IDM1.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\IDM Help.lnk | binary | |
MD5:07BCFDCF4BDA4D6373F10F73521B0314 | SHA256:0F59F9B958E0EEE561F903C3BF1D033F1F25FF841A74D22264B9BA5A52D80C78 | |||
| 1352 | IDM1.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\Uninstall IDM.lnk | binary | |
MD5:7A1F96BE5B75A57175B5DF1573065907 | SHA256:D51FFD965C94BB34DD73D62CCAAF9DACADF43C45ACB3C2489D320D4D003E97BD | |||
| 1352 | IDM1.tmp | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\IDM Help.lnk | binary | |
MD5:37038CBEF494ED5B6682D0F600FEC6E1 | SHA256:51C368AE70837EDDBA0CC1468BEE9C4F226D4AD2FE0E822079B2279D30CB04FB | |||
| 3864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3864.15313\Changelog.txt | text | |
MD5:A1DA6E306727A61E54906A3AED55FD33 | SHA256:2472446831CC4D627678698969BE5A005C47C4E768C02E0522A75E7075BA47AC | |||
| 1352 | IDM1.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Download Manager\license.lnk | binary | |
MD5:70F4B43B0CF4EC944040BC12489B927A | SHA256:66358A36FA462142FC0D39BD3F4D8673ECA87A63FCC044B998DB3D50EA6CB57C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
15
DNS requests
34
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2040 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | text | 8 b | unknown |
2040 | firefox.exe | POST | 200 | 95.101.54.217:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | unknown |
880 | IDMan.exe | GET | 200 | 72.247.153.162:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?cf99a4f054be1c61 | unknown | compressed | 65.2 Kb | unknown |
2040 | firefox.exe | POST | 200 | 95.101.54.217:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | unknown |
2040 | firefox.exe | POST | 200 | 95.101.54.217:80 | http://r3.o.lencr.org/ | unknown | binary | 503 b | unknown |
2040 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | binary | 471 b | unknown |
2040 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | binary | 471 b | unknown |
2040 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | text | 90 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
880 | IDMan.exe | 72.247.153.162:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
2040 | firefox.exe | 169.61.27.133:443 | secure.internetdownloadmanager.com | SOFTLAYER | US | unknown |
2040 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted |
2040 | firefox.exe | 34.117.188.166:443 | spocs.getpocket.com | — | — | unknown |
2040 | firefox.exe | 34.117.237.239:443 | contile.services.mozilla.com | GOOGLE-CLOUD-PLATFORM | US | unknown |
2040 | firefox.exe | 95.101.54.217:80 | r3.o.lencr.org | Akamai International B.V. | DE | unknown |
2040 | firefox.exe | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
ctldl.windowsupdate.com |
| whitelisted |
test.internetdownloadmanager.com |
| whitelisted |
secure.internetdownloadmanager.com |
| whitelisted |
www.internetdownloadmanager.com |
| whitelisted |
mirror3.internetdownloadmanager.com |
| whitelisted |
mirror5.internetdownloadmanager.com |
| whitelisted |
registeridm.com |
| unknown |
detectportal.firefox.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
example.org |
| whitelisted |