File name:

Saddam Crypter.rar

Full analysis: https://app.any.run/tasks/2049f747-23c7-4b87-b3a1-7b7c3d9e6829
Verdict: Malicious activity
Analysis date: June 26, 2023, 17:29:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

77C8D42B06E963D97724391EC30335E4

SHA1:

7DDBDAACB6DCC4C44EF307812CC05C8052463FAE

SHA256:

C05488C3CE62F4E2E55CCB9E4C0E75A5FB54ADB00827DD230489F990EC764F9E

SSDEEP:

49152:EX5di++CGcWunZTdgKigEtexC0kwKhnE2zQwyivk9MY3YxIeypuvHpdkNhaM9x+B:Oji+/yuZTdwggeovdh6wyJM7Ie1dY4Mq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Saddam Crypter.exe (PID: 240)
      • Launcher.exe (PID: 2980)
      • sc.exe (PID: 2532)
      • Windows Services.exe (PID: 908)
      • Secure System Shell.exe (PID: 3080)
      • Runtime Explorer.exe (PID: 3572)

    • Loads dropped or rewritten executable

      • Launcher.exe (PID: 2980)

    • Adds path to the Windows Defender exclusion list

      • Launcher.exe (PID: 2980)

    • Create files in the Startup directory

      • Launcher.exe (PID: 2980)

  • SUSPICIOUS

    • Reads the Internet Settings

      • Saddam Crypter.exe (PID: 240)
      • Launcher.exe (PID: 2980)
      • powershell.exe (PID: 3408)
      • Windows Services.exe (PID: 908)

    • Script adds exclusion path to Windows Defender

      • Launcher.exe (PID: 2980)

    • Starts POWERSHELL.EXE for commands execution

      • Launcher.exe (PID: 2980)

    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 3408)

    • The process creates files with name similar to system file names

      • Launcher.exe (PID: 2980)

    • Executable content was dropped or overwritten

      • Launcher.exe (PID: 2980)

  • INFO

    • Manual execution by a user

      • Saddam Crypter.exe (PID: 240)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3524)

    • Checks supported languages

      • Saddam Crypter.exe (PID: 240)
      • Launcher.exe (PID: 2980)
      • sc.exe (PID: 2532)
      • Windows Services.exe (PID: 908)
      • Secure System Shell.exe (PID: 3080)
      • Runtime Explorer.exe (PID: 3572)

    • The process checks LSA protection

      • Saddam Crypter.exe (PID: 240)
      • Launcher.exe (PID: 2980)
      • Windows Services.exe (PID: 908)
      • Runtime Explorer.exe (PID: 3572)

    • Reads the computer name

      • Launcher.exe (PID: 2980)
      • Saddam Crypter.exe (PID: 240)
      • sc.exe (PID: 2532)
      • Secure System Shell.exe (PID: 3080)
      • Windows Services.exe (PID: 908)

    • Reads the machine GUID from the registry

      • Launcher.exe (PID: 2980)
      • Runtime Explorer.exe (PID: 3572)
      • Saddam Crypter.exe (PID: 240)

    • Creates files or folders in the user directory

      • Launcher.exe (PID: 2980)

    • Create files in a temporary directory

      • Runtime Explorer.exe (PID: 3572)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
9
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start winrar.exe searchprotocolhost.exe no specs saddam crypter.exe no specs launcher.exe powershell.exe no specs sc.exe windows services.exe no specs secure system shell.exe no specs runtime explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
240"C:\Users\admin\Desktop\Saddam Crypter\Saddam Crypter\Saddam Crypter.exe" C:\Users\admin\Desktop\Saddam Crypter\Saddam Crypter\Saddam Crypter.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Launcher
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\desktop\saddam crypter\saddam crypter\saddam crypter.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
908"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}C:\Windows\IMF\Windows Services.exeLauncher.exe
User:
admin
Integrity Level:
HIGH
Description:
Windows Services
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\windows\imf\windows services.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
2532"C:\Users\admin\Desktop\Saddam Crypter\Saddam Crypter\dbgcore\sc.exe" C:\Users\admin\Desktop\Saddam Crypter\Saddam Crypter\dbgcore\sc.exe
Saddam Crypter.exe
User:
admin
Company:
saddams software
Integrity Level:
HIGH
Description:
Saddam`s
Exit code:
0
Version:
2.0.0.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\users\admin\desktop\saddam crypter\saddam crypter\dbgcore\sc.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2600"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2980"C:\Users\admin\Desktop\Saddam Crypter\Saddam Crypter\dbgcore\Launcher.exe" C:\Users\admin\Desktop\Saddam Crypter\Saddam Crypter\dbgcore\Launcher.exe
Saddam Crypter.exe
User:
admin
Integrity Level:
HIGH
Description:
Launcher
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\saddam crypter\saddam crypter\dbgcore\launcher.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\rpcrt4.dll
3080"C:\Windows\IMF\Secure System Shell.exe" C:\Windows\IMF\Secure System Shell.exeWindows Services.exe
User:
admin
Integrity Level:
HIGH
Description:
Secure System Shell
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\imf\secure system shell.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
3408"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLauncher.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3524"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Saddam Crypter.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
3572"C:\Windows\IMF\Runtime Explorer.exe" C:\Windows\IMF\Runtime Explorer.exeWindows Services.exe
User:
admin
Company:
Microsoft Windows
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\imf\runtime explorer.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events
6 269
Read events
6 204
Write events
65
Delete events
0

Modification events

(PID) Process:(3524) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process:(3524) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\Desktop
Executable files
14
Suspicious files
7
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3524.9053\Saddam Crypter\Saddam Crypter\dbgcore\sc.exeexecutable
MD5:7B88C4CAB5481B5127AE30BC5522735C
SHA256:650B956EFB1D5858B69574D3DDFC57529FEA271C89F871C2DC9A404CF986842B
3524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3524.9053\Saddam Crypter\Saddam Crypter\dbgcore\Ionic.Zip.dllexecutable
MD5:F6933BF7CEE0FD6C80CDF207FF15A523
SHA256:17BB0C9BE45289A2BE56A5F5A68EC9891D7792B886E0054BC86D57FE84D01C89
3524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3524.9053\Saddam Crypter\Saddam Crypter\dbgcore\schannel.dllexecutable
MD5:2A1DCF56F99134334E602DA1873271ED
SHA256:F6A0D5BAF10746620B69439A34B3245D6375026CD811FD21CC4EBA2FDC7AB3CE
3524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3524.9053\Saddam Crypter\Saddam Crypter\dbgcore\d3d9.dllexecutable
MD5:00A77DC70009944164236C684EF2F5A2
SHA256:E155998AF14B356811AD66DEF369C44A10C63125DF140ED45489117A8F111246
3524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3524.9053\Saddam Crypter\Saddam Crypter\dbgcore\LICENCE.datcompressed
MD5:F7D55578B3709F1519805272E3E64C33
SHA256:3147A9C9015F7E54C8ACDB8D413DA93EF3E4B04FB27EC578DCD188A70BB53301
3524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3524.9053\Saddam Crypter\Saddam Crypter\dbgcore\Launcher.exeexecutable
MD5:C6D4C881112022EB30725978ECD7C6EC
SHA256:0D87B9B141A592711C52E7409EC64DE3AB296CDDC890BE761D9AF57CEA381B32
3408powershell.exeC:\Users\admin\AppData\Local\Temp\fjtqxd5b.z3e.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3524.9053\Saddam Crypter\Saddam Crypter\d3d9.dllexecutable
MD5:00A77DC70009944164236C684EF2F5A2
SHA256:E155998AF14B356811AD66DEF369C44A10C63125DF140ED45489117A8F111246
3408powershell.exeC:\Users\admin\AppData\Local\Temp\t3xqaxbe.ivb.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2980Launcher.exeC:\Windows\IMF\Runtime Explorer.exe.tmpexecutable
MD5:EC70C6F4DC443C5AB2B91D64AE04FA8E
SHA256:276F1BFC6256F4C1DDD544D5A556D299EBDDCF200A64EE7C9C3EDEF686DF727D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1076
svchost.exe
224.0.0.252:5355
unknown
2748
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Saddam Crypter.rar