| File name: | rufus-3.18.exe.7z |
| Full analysis: | https://app.any.run/tasks/dbfcfddd-d000-45e3-ac44-67e81474639a |
| Verdict: | Malicious activity |
| Analysis date: | February 29, 2024, 11:10:51 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | 858CC2E11CE70C98EB55678728413751 |
| SHA1: | CC74290BD92C6EFA2F5A2B7B172E4978AEE6C99D |
| SHA256: | C1A6278C18E48A53903646B52A798D348D3E5C90742DB92C3C9D5B80838E7CF2 |
| SSDEEP: | 49152:UapNOXvsptVKE+p0/ninwbkIncHRvO/MrQq/0IvjZkOSAUX2QcHKBxhKdTfb11xX:ULvs7kE+mn/bHcxG/7qlvtSAUX28BxER |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3864)
Changes the Windows auto-update feature
- rufus-3.18.exe (PID: 3304)
SUSPICIOUS
Executes as Windows Service
- vds.exe (PID: 3500)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 3864)
- rufus-3.18.exe (PID: 3304)
Reads settings of System Certificates
- rufus-3.18.exe (PID: 3304)
Reads the Internet Settings
- rufus-3.18.exe (PID: 3304)
Checks Windows Trust Settings
- rufus-3.18.exe (PID: 3304)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3864)
Checks supported languages
- rufus-3.18.exe (PID: 3304)
Create files in a temporary directory
- rufus-3.18.exe (PID: 3304)
Reads the machine GUID from the registry
- rufus-3.18.exe (PID: 3304)
Process checks whether UAC notifications are on
- rufus-3.18.exe (PID: 3304)
Reads the computer name
- rufus-3.18.exe (PID: 3304)
Creates files or folders in the user directory
- rufus-3.18.exe (PID: 3304)
Checks proxy server information
- rufus-3.18.exe (PID: 3304)
Reads the software policy settings
- rufus-3.18.exe (PID: 3304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
|---|---|---|
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
Total processes
47
Monitored processes
5
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2044 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3864.5081\rufus-3.18.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3864.5081\rufus-3.18.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Akeo Consulting Integrity Level: MEDIUM Description: Rufus Exit code: 3221226540 Version: 3.18.1877 Modules
| |||||||||||||||
| 2636 | C:\Windows\System32\vdsldr.exe -Embedding | C:\Windows\System32\vdsldr.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Virtual Disk Service Loader Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3304 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3864.5081\rufus-3.18.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3864.5081\rufus-3.18.exe | WinRAR.exe | ||||||||||||
User: admin Company: Akeo Consulting Integrity Level: HIGH Description: Rufus Exit code: 0 Version: 3.18.1877 Modules
| |||||||||||||||
| 3500 | C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Virtual Disk Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3864 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\rufus-3.18.exe.7z" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
Total events
7 473
Read events
7 317
Write events
89
Delete events
67
Modification events
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\rufus-3.18.exe.7z | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
1
Suspicious files
0
Text files
3
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3304 | rufus-3.18.exe | C:\Users\admin\AppData\Local\Temp\Ruf1F89.tmp | text | |
MD5:59166591A1B7B9D2DFF5751C92923619 | SHA256:DB6E6B0FA49CA75437122E9E104D67D19A9BCCAF9C7784570B676FF34BBA5BA7 | |||
| 3304 | rufus-3.18.exe | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | binary | |
MD5:377AC641CF4F9667421E54D62A25BD4C | SHA256:F25A5A5ABA722FC2F09A1086A132AEEBDBCC17ADCBBDBDE1A7AE960DB97DBD37 | |||
| 3864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3864.5081\rufus-3.18.exe | executable | |
MD5:B685F77ACE37783D5A8C3568E96C68C8 | SHA256:22820692CB7295CD13BF62AB984A8F5B37E3CB09999B6AA2AD27A704E3380C48 | |||
| 3304 | rufus-3.18.exe | C:\Windows\System32\GroupPolicy\gpt.ini | text | |
MD5:FED929AE34422010496B5B4A1827A501 | SHA256:2DDA40A266ECA9DDD736701EFA24C6FE186EDD6737DB7BF52BFFE32D614667ED | |||
| 3304 | rufus-3.18.exe | C:\Users\admin\AppData\Local\Rufus\rufus.log | text | |
MD5:08F16AC662512B8AC331FFB956197DB0 | SHA256:9DFCF20DD13E8ADAD98CD65C981DE6E54EDBEF37A0EEFAD891E8FEB2415F12A7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
8
DNS requests
3
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3304 | rufus-3.18.exe | 185.199.111.153:443 | rufus.ie | FASTLY | US | shared |
3304 | rufus-3.18.exe | 23.53.40.32:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
rufus.ie |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
Threats
Process | Message |
|---|---|
rufus-3.18.exe | *** Rufus init ***
|
rufus-3.18.exe | Binary executable is signed by 'Akeo Consulting'
|
rufus-3.18.exe | Will use settings from registry
|
rufus-3.18.exe | loc file not found in current directory - embedded one will be used
|
rufus-3.18.exe | localization: extracted data to 'C:\Users\admin\AppData\Local\Temp\Ruf1F89.tmp'
|
rufus-3.18.exe | localization: found locale 'en-US'
|
rufus-3.18.exe | localization: found locale 'ar-SA'
|
rufus-3.18.exe | embedded.loc(409): the version of this translation is older than the base one and may result in some messages not being properly translated.
If you are the translator, please update your translation with the changes that intervened between v3.5 and v3.14.
See https://github.com/pbatard/rufus/blob/master/res/loc/ChangeLog.txt
|
rufus-3.18.exe | localization: found locale 'bg-BG'
|
rufus-3.18.exe | embedded.loc(763): the version of this translation is older than the base one and may result in some messages not being properly translated.
If you are the translator, please update your translation with the changes that intervened between v3.5 and v3.14.
See https://github.com/pbatard/rufus/blob/master/res/loc/ChangeLog.txt
|