File name: Saddam.rar
Full analysis: https://app.any.run/tasks/8b50c74a-ee7f-4c58-a66c-74567b045184
Verdict: Malicious activity
Analysis date: August 05, 2021, 01:53:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 8D6A7FDD68AE8ACFA05A74B0EFDAD38B
SHA1: 94E3D0C75CD981CB635D409C66D05A2372CE996F
SHA256: C31DBE3BFDD1F5E274FA9E9DDC975BBE4FE4B1A42C07D8F3B9EF7A9BB3D0D933
SSDEEP: 24576:xRSINxqEhlsOEBpoDCuAk31w6AqACXwu3aVFB+IdcIfeQ470yzIh0B:xRSIHqEhEPoD7JnjlXwu3W1dcIyIo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • CrypterFUD.exe (PID: 760)
      • Saddam Crypter.exe (PID: 2956)
      • CrypterFUD.exe (PID: 3084)
      • oyxojnnt5j2.exe (PID: 3324)
      • Saddam Crypter.exe (PID: 3736)
      • oyxojnnt5j2.exe (PID: 2840)
    • Drops executable file immediately after starts

      • CrypterFUD.exe (PID: 760)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 2140)
      • CrypterFUD.exe (PID: 760)
      • oyxojnnt5j2.exe (PID: 2840)
      • Saddam Crypter.exe (PID: 2956)
      • CrypterFUD.exe (PID: 3084)
      • oyxojnnt5j2.exe (PID: 3324)
      • Saddam Crypter.exe (PID: 3736)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2140)
      • CrypterFUD.exe (PID: 760)
    • Checks supported languages

      • WinRAR.exe (PID: 2140)
      • CrypterFUD.exe (PID: 760)
      • oyxojnnt5j2.exe (PID: 2840)
      • Saddam Crypter.exe (PID: 2956)
      • CrypterFUD.exe (PID: 3084)
      • oyxojnnt5j2.exe (PID: 3324)
      • Saddam Crypter.exe (PID: 3736)
    • Reads mouse settings

      • CrypterFUD.exe (PID: 760)
      • CrypterFUD.exe (PID: 3084)
    • Creates files in the user directory

      • CrypterFUD.exe (PID: 760)
      • Saddam Crypter.exe (PID: 2956)
    • Reads Environment values

      • oyxojnnt5j2.exe (PID: 2840)
      • oyxojnnt5j2.exe (PID: 3324)
  • INFO

    • Manual execution by user

      • CrypterFUD.exe (PID: 760)
      • CrypterFUD.exe (PID: 3084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5%)
.rar | RAR compressed archive (gen) (38.4%)
All screenshots are available in the full report
Total processes: 45
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 3

Behavior graph: available in the full report

Process information

Note: the two payloads dropped into C:\Users\admin\AppData\Roaming\Z51958723 (oyxojnnt5j2.exe and Saddam Crypter.exe) load mscoree.dll, the .NET runtime host, so both are .NET executables. CrypterFUD.exe links Winsock (ws2_32.dll and wsock32.dll), yet the run recorded no TCP/UDP connections, only a single DNS lookup (see the network section).

PID 760
CMD: "C:\Users\admin\Desktop\Saddam\CrypterFUD.exe"
Path: C:\Users\admin\Desktop\Saddam\CrypterFUD.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\windows\system32\kernel32.dll
c:\users\admin\desktop\saddam\crypterfud.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll

PID 2140
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Saddam.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Description: WinRAR archiver
Version: 5.91.0
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID 2840
CMD: "C:\Users\admin\AppData\Roaming\Z51958723\oyxojnnt5j2.exe"
Path: C:\Users\admin\AppData\Roaming\Z51958723\oyxojnnt5j2.exe
Parent process: CrypterFUD.exe
User: admin
Company: 50vx41hsbxp
Description: 400ztpctax0
Version: 4.8.5.6
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\roaming\z51958723\oyxojnnt5j2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll

PID 2956
CMD: "C:\Users\admin\AppData\Roaming\Z51958723\Saddam Crypter.exe"
Path: C:\Users\admin\AppData\Roaming\Z51958723\Saddam Crypter.exe
Parent process: CrypterFUD.exe
User: admin
Company: saddams software
Description: Saddam`s
Version: 2.0.0.0
Integrity Level: MEDIUM
Exit code: 3489660927 (0xCFFFFFFF)
Modules (images):
c:\users\admin\appdata\roaming\z51958723\saddam crypter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll

PID 3084
CMD: "C:\Users\admin\Desktop\Saddam\CrypterFUD.exe"
Path: C:\Users\admin\Desktop\Saddam\CrypterFUD.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\saddam\crypterfud.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll

PID 3324
CMD: "C:\Users\admin\AppData\Roaming\Z51958723\oyxojnnt5j2.exe"
Path: C:\Users\admin\AppData\Roaming\Z51958723\oyxojnnt5j2.exe
Parent process: CrypterFUD.exe
User: admin
Company: 50vx41hsbxp
Description: 400ztpctax0
Version: 4.8.5.6
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\roaming\z51958723\oyxojnnt5j2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

PID 3736
CMD: "C:\Users\admin\AppData\Roaming\Z51958723\Saddam Crypter.exe"
Path: C:\Users\admin\AppData\Roaming\Z51958723\Saddam Crypter.exe
Parent process: CrypterFUD.exe
User: admin
Company: saddams software
Description: Saddam`s
Version: 2.0.0.0
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\roaming\z51958723\saddam crypter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Total events: 6 061
Read events: 5 929
Write events: 126
Delete events: 6

Modification events

(PID 2140) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes, name ShellExtBMP, value: (none shown)
(PID 2140) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes, name ShellExtIcon, value: (none shown)
(PID 2140) WinRAR.exe: write HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E, name LanguageList, value: en-US
(PID 2140) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\ArcHistory, name 1, value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID 2140) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\ArcHistory, name 0, value: C:\Users\admin\AppData\Local\Temp\Saddam.rar
(PID 2140) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths, name name, value: 120
(PID 2140) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths, name size, value: 80
(PID 2140) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths, name type, value: 120
(PID 2140) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths, name mtime, value: 100
(PID 2140) WinRAR.exe: write HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin, name Placement, value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

All recorded registry writes come from WinRAR itself (interface, column-width and recent-archive settings plus the MUI cache); none of them is a persistence location, and none of the dropped executables wrote to the registry during the run. ArcHistory entry 1 (virtio_ivshmem_master_build.zip) is a recent-archive entry left over from an earlier WinRAR session on the sandbox image, not a file belonging to this sample.
Executable files: 3
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID 760 (CrypterFUD.exe): C:\Users\admin\AppData\Roaming\Z51958723\oyxojnnt5j2.exe [executable]
  MD5: C98625F1C5EDC91CCCBD31A279BD1816
  SHA256: 62F959CFBF2AED557C83362414C8BA90E48623547035F8AEE8B1697430C02142
PID 760 (CrypterFUD.exe): C:\Users\admin\AppData\Local\Temp\aut8734.tmp [binary]
  MD5: 6CBE32464A17E658D8B263475E321FCF
  SHA256: 09DB4C59C21C8ED02FF609F2D6CA7FC3B5123B03AF34B5DCBD9F5AB78707C6E4
PID 3084 (CrypterFUD.exe): C:\Users\admin\AppData\Local\Temp\autB06.tmp [binary]
  MD5: 6CBE32464A17E658D8B263475E321FCF
  SHA256: 09DB4C59C21C8ED02FF609F2D6CA7FC3B5123B03AF34B5DCBD9F5AB78707C6E4
PID 760 (CrypterFUD.exe): C:\Users\admin\AppData\Roaming\Z51958723\Saddam Crypter.exe [executable]
  MD5: 7B88C4CAB5481B5127AE30BC5522735C
  SHA256: 650B956EFB1D5858B69574D3DDFC57529FEA271C89F871C2DC9A404CF986842B
PID 2140 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRa2140.7539\Saddam\CrypterFUD.exe [executable]
  MD5: 34FBE71DA27EA70396ADF64C06709F77
  SHA256: 16F7330057F484E432CBF3F375FEE3E228D102452B93248CD895EE25B7BAE32E
PID 760 (CrypterFUD.exe): C:\Users\admin\AppData\Local\Temp\aut87E1.tmp [binary]
  MD5: 267C21607EC6231E494FA79F2D43E23E
  SHA256: 067BE7786B674921FB9EC58650921FF714E4D1BE544CD321CA721C6B8DB45C27
PID 3084 (CrypterFUD.exe): C:\Users\admin\AppData\Local\Temp\autBA3.tmp [binary]
  MD5: 267C21607EC6231E494FA79F2D43E23E
  SHA256: 067BE7786B674921FB9EC58650921FF714E4D1BE544CD321CA721C6B8DB45C27

Both CrypterFUD.exe instances (PIDs 760 and 3084) write the same two temporary blobs with identical hashes (09DB4C59... and 067BE778...), so that content is embedded in the dropper rather than generated per run. Only PID 760 went on to write the two executables into C:\Users\admin\AppData\Roaming\Z51958723; the WinRAR entry is simply the archive member extracted to WinRAR's temporary Rar$DRa2140.7539 directory before the user launched it from the Desktop.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain: frilance.online
IP: (none recorded in the report)
Reputation: malicious

Threats

No threats detected
No debug info
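The process tree, dropped-file table and DNS lookup above describe a plain drop-and-execute chain: CrypterFUD.exe, launched from the Desktop, writes two executables into a freshly named directory under C:\Users\admin\AppData\Roaming and then runs them as its children, and one of the monitored processes resolves frilance.online. The script below is an added example written by the editor, not ANY.RUN's code or output, showing how that chain can be detected in endpoint telemetry by correlating file-write, process-create and DNS events in order. The event records are constructed from this report's values; the Explorer.EXE parent PID (1000), the attribution of all four child processes to CrypterFUD.exe PID 760 (the instance that performed the writes) and the attribution of the DNS query to PID 2840 are assumptions the report does not state.

```python
"""Correlate process, file and DNS telemetry to flag a drop-and-execute chain.

Added example (editor's code, not ANY.RUN's). EVENTS is constructed from the
report's process list, dropped-files table and DNS table. Assumptions the
report does not state: ppid 1000 for Explorer.EXE, PID 760 as the parent of
all four child processes, and PID 2840 as the process that queried the domain.
"""
import re
from collections import defaultdict

CRYPTER = r"C:\Users\admin\Desktop\Saddam\CrypterFUD.exe"
ROAM = r"C:\Users\admin\AppData\Roaming\Z51958723"
TEMP = r"C:\Users\admin\AppData\Local\Temp"

# Constructed Sysmon-style events, in the order the report lists them.
EVENTS = [
    {"type": "process", "pid": 2140, "ppid": 1000, "image": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"type": "file", "pid": 2140, "path": TEMP + r"\Rar$DRa2140.7539\Saddam\CrypterFUD.exe",
     "sha256": "16F7330057F484E432CBF3F375FEE3E228D102452B93248CD895EE25B7BAE32E"},
    {"type": "process", "pid": 760, "ppid": 1000, "image": CRYPTER},
    {"type": "file", "pid": 760, "path": TEMP + r"\aut8734.tmp",
     "sha256": "09DB4C59C21C8ED02FF609F2D6CA7FC3B5123B03AF34B5DCBD9F5AB78707C6E4"},
    {"type": "file", "pid": 760, "path": ROAM + r"\oyxojnnt5j2.exe",
     "sha256": "62F959CFBF2AED557C83362414C8BA90E48623547035F8AEE8B1697430C02142"},
    {"type": "file", "pid": 760, "path": ROAM + r"\Saddam Crypter.exe",
     "sha256": "650B956EFB1D5858B69574D3DDFC57529FEA271C89F871C2DC9A404CF986842B"},
    {"type": "process", "pid": 2840, "ppid": 760, "image": ROAM + r"\oyxojnnt5j2.exe"},
    {"type": "process", "pid": 2956, "ppid": 760, "image": ROAM + r"\Saddam Crypter.exe"},
    {"type": "dns", "pid": 2840, "query": "frilance.online"},  # PID attribution assumed
    {"type": "process", "pid": 3084, "ppid": 1000, "image": CRYPTER},
    {"type": "file", "pid": 3084, "path": TEMP + r"\autB06.tmp",
     "sha256": "09DB4C59C21C8ED02FF609F2D6CA7FC3B5123B03AF34B5DCBD9F5AB78707C6E4"},
    {"type": "process", "pid": 3324, "ppid": 760, "image": ROAM + r"\oyxojnnt5j2.exe"},
    {"type": "process", "pid": 3736, "ppid": 760, "image": ROAM + r"\Saddam Crypter.exe"},
]

# IOCs taken from this report's dropped-files and DNS tables.
IOC_SHA256 = {
    "16F7330057F484E432CBF3F375FEE3E228D102452B93248CD895EE25B7BAE32E",  # CrypterFUD.exe
    "62F959CFBF2AED557C83362414C8BA90E48623547035F8AEE8B1697430C02142",  # oyxojnnt5j2.exe
    "650B956EFB1D5858B69574D3DDFC57529FEA271C89F871C2DC9A404CF986842B",  # Saddam Crypter.exe
}
IOC_DOMAINS = {"frilance.online"}

# Per-user writable locations where a dropper typically stages its payloads.
USER_DROP_DIR = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def drop_and_execute(events):
    """Return (dropper_pid, child_pid, image) for every process that wrote a .exe
    into a per-user AppData directory and later spawned that same file as a child.
    Events are walked in order, so the write has to precede the execution."""
    staged = defaultdict(set)  # dropper pid -> lower-cased paths it wrote
    hits = []
    for e in events:
        if e["type"] == "file":
            p = e["path"]
            if p.lower().endswith(".exe") and USER_DROP_DIR.search(p):
                staged[e["pid"]].add(p.lower())  # Windows paths are case-insensitive
        elif e["type"] == "process" and e["image"].lower() in staged.get(e["ppid"], ()):
            hits.append((e["ppid"], e["pid"], e["image"]))
    return hits


def ioc_matches(events):
    """Return (hash_hits, dns_hits): file writes whose SHA-256 is a known IOC and
    DNS queries for a known-malicious domain."""
    hash_hits = [(e["pid"], e["path"]) for e in events
                 if e["type"] == "file" and e.get("sha256", "").upper() in IOC_SHA256]
    dns_hits = [(e["pid"], e["query"]) for e in events
                if e["type"] == "dns" and e["query"].lower().rstrip(".") in IOC_DOMAINS]
    return hash_hits, dns_hits


def triage(events):
    """Union of both checks: the sorted set of PIDs worth escalating."""
    flagged = set()
    for dropper, child, _ in drop_and_execute(events):
        flagged.update((dropper, child))
    hash_hits, dns_hits = ioc_matches(events)
    flagged.update(pid for pid, _ in hash_hits)
    flagged.update(pid for pid, _ in dns_hits)
    return sorted(flagged)


if __name__ == "__main__":
    for hit in drop_and_execute(EVENTS):
        print("drop-and-execute: dropper %d -> child %d (%s)" % hit)
    print("escalate PIDs:", triage(EVENTS))
```

Run as a script it prints the four drop-and-execute hits (PIDs 2840, 2956, 3324 and 3736, all children of 760) and the escalation list. WinRAR's own write of CrypterFUD.exe into its Rar$DRa2140.7539 temp directory is staged but never matches, because the user launched the Desktop copy and its parent is Explorer, not WinRAR; it is still caught by the hash check. The second CrypterFUD.exe instance (PID 3084) is not flagged by either rule, since it only wrote the aut*.tmp blobs, which is why a hash check on the process image itself would be the natural next addition.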