analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

any run.zip

Full analysis: https://app.any.run/tasks/f0da527c-cd83-40af-8405-4df6a64ce607
Verdict: Malicious activity
Analysis date: May 20, 2022, 21:54:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

D5580C9560F5FF87A09FC6100654D4E4

SHA1:

5F42337E5F30A7D73546BFBB399453D2328E5A8D

SHA256:

C33C4CC5639886BFF516F52872C773EC9D7D15B6CAAE3530753A0458B334C60B

SSDEEP:

196608:XH/djrRJhxwSAGm7eGfp4mFWjsa0e1y8ky+q:XVvfH2lpbafT+q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 3148)
      • Sclerosis.exe (PID: 2696)
    • Application was dropped or rewritten from another process

      • aramaware.exe (PID: 2908)
      • Phsyletric.exe (PID: 1828)
      • Phsyletric.exe (PID: 2408)
      • Sclerosis.exe (PID: 2696)
      • Sclerosis.exe (PID: 644)
      • mbr.exe (PID: 588)
      • first.exe (PID: 2000)
      • glit.exe (PID: 948)
      • paint2.exe (PID: 3484)
      • unic2.exe (PID: 2216)
      • invpaint.exe (PID: 2132)
      • m3.exe (PID: 3064)
      • r3.exe (PID: 3656)
      • sqmove.exe (PID: 2892)
      • scl.exe (PID: 2096)
      • r3.exe (PID: 3392)
      • m3.exe (PID: 3524)
      • paint2.exe (PID: 3368)
      • unic2.exe (PID: 2112)
    • Task Manager has been disabled (taskmgr)

      • reg.exe (PID: 3708)
    • Loads dropped or rewritten executable

      • glit.exe (PID: 948)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 3148)
      • Phsyletric.exe (PID: 2408)
      • Sclerosis.exe (PID: 2696)
      • WScript.exe (PID: 2812)
      • glit.exe (PID: 948)
    • Checks supported languages

      • WinRAR.exe (PID: 3148)
      • aramaware.exe (PID: 2908)
      • Phsyletric.exe (PID: 2408)
      • cmd.exe (PID: 3880)
      • cmd.exe (PID: 1012)
      • cmd.exe (PID: 3500)
      • cmd.exe (PID: 3476)
      • cmd.exe (PID: 2320)
      • cmd.exe (PID: 2556)
      • cmd.exe (PID: 3724)
      • cmd.exe (PID: 2512)
      • cmd.exe (PID: 3084)
      • cmd.exe (PID: 1420)
      • cmd.exe (PID: 3080)
      • Sclerosis.exe (PID: 2696)
      • WScript.exe (PID: 2812)
      • mbr.exe (PID: 588)
      • cmd.exe (PID: 1996)
      • glit.exe (PID: 948)
      • first.exe (PID: 2000)
      • invpaint.exe (PID: 2132)
      • unic2.exe (PID: 2216)
      • paint2.exe (PID: 3484)
      • scl.exe (PID: 2096)
      • m3.exe (PID: 3064)
      • r3.exe (PID: 3656)
      • paint2.exe (PID: 3368)
      • sqmove.exe (PID: 2892)
      • r3.exe (PID: 3392)
      • unic2.exe (PID: 2112)
      • m3.exe (PID: 3524)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3148)
      • Sclerosis.exe (PID: 2696)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3148)
      • Sclerosis.exe (PID: 2696)
    • Starts CMD.EXE for commands execution

      • aramaware.exe (PID: 2908)
      • WScript.exe (PID: 2812)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 1012)
      • cmd.exe (PID: 3476)
      • cmd.exe (PID: 1996)
    • Uses ICACLS.EXE to modify access control list

      • cmd.exe (PID: 2320)
      • cmd.exe (PID: 2556)
    • Removes files from Windows directory

      • Sclerosis.exe (PID: 2696)
    • Creates files in the Windows directory

      • Sclerosis.exe (PID: 2696)
    • Executes scripts

      • Sclerosis.exe (PID: 2696)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1996)
  • INFO

    • Checks supported languages

      • reg.exe (PID: 312)
      • reg.exe (PID: 2872)
      • takeown.exe (PID: 556)
      • takeown.exe (PID: 580)
      • icacls.exe (PID: 1896)
      • icacls.exe (PID: 2432)
      • reg.exe (PID: 3708)
      • timeout.exe (PID: 1276)
      • timeout.exe (PID: 3816)
      • taskkill.exe (PID: 3856)
      • taskkill.exe (PID: 268)
      • taskkill.exe (PID: 2896)
      • timeout.exe (PID: 880)
      • taskkill.exe (PID: 2488)
      • timeout.exe (PID: 2732)
      • taskkill.exe (PID: 1012)
      • timeout.exe (PID: 2292)
      • taskkill.exe (PID: 1784)
      • timeout.exe (PID: 3472)
      • timeout.exe (PID: 2540)
      • timeout.exe (PID: 2280)
    • Reads the computer name

      • takeown.exe (PID: 556)
      • takeown.exe (PID: 580)
      • taskkill.exe (PID: 3856)
      • taskkill.exe (PID: 268)
      • taskkill.exe (PID: 2896)
      • taskkill.exe (PID: 1784)
      • taskkill.exe (PID: 1012)
      • taskkill.exe (PID: 2488)
    • Manual execution by user

      • Sclerosis.exe (PID: 644)
      • Sclerosis.exe (PID: 2696)
    • Checks Windows Trust Settings

      • WScript.exe (PID: 2812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: aramaware.exe
ZipUncompressedSize: 616717
ZipCompressedSize: 186036
ZipCRC: 0x75455c4d
ZipModifyDate: 2022:05:12 13:09:21
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
109
Monitored processes
54
Malicious processes
8
Suspicious processes
5

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start start winrar.exe aramaware.exe no specs phsyletric.exe no specs phsyletric.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs reg.exe no specs takeown.exe no specs takeown.exe no specs reg.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs icacls.exe no specs icacls.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs sclerosis.exe no specs sclerosis.exe wscript.exe no specs cmd.exe no specs reg.exe no specs mbr.exe no specs glit.exe no specs timeout.exe no specs first.exe no specs timeout.exe no specs taskkill.exe no specs invpaint.exe no specs timeout.exe no specs taskkill.exe no specs paint2.exe no specs unic2.exe no specs timeout.exe no specs taskkill.exe no specs taskkill.exe no specs m3.exe no specs r3.exe no specs timeout.exe no specs taskkill.exe no specs taskkill.exe no specs scl.exe no specs timeout.exe no specs sqmove.exe no specs timeout.exe no specs paint2.exe no specs unic2.exe no specs m3.exe no specs r3.exe no specs timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3148"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\any run.zip"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
2908"C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.34176\aramaware.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.34176\aramaware.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
1828"C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.35157\Phsyletric.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.35157\Phsyletric.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
2408"C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.35157\Phsyletric.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3148.35157\Phsyletric.exe
WinRAR.exe
User:
admin
Integrity Level:
HIGH
1012C:\Windows\system32\cmd.exe /c REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /fC:\Windows\system32\cmd.exearamaware.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3880C:\Windows\system32\cmd.exe /c takeown /F %WINDIR%\system32\logonui.exe C:\Windows\system32\cmd.exearamaware.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3500C:\Windows\system32\cmd.exe /c takeown /F %WINDIR%\system32\dllcache\logonui.exe C:\Windows\system32\cmd.exearamaware.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3476C:\Windows\system32\cmd.exe /c reg delete HKLM /fC:\Windows\system32\cmd.exearamaware.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
312REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /fC:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
556takeown /F C:\Windows\system32\dllcache\logonui.exe C:\Windows\system32\takeown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Takes ownership of a file
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 920
Read events
2 868
Write events
52
Delete events
0

Modification events

(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3148) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\any run.zip
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3148) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
30
Suspicious files
0
Text files
3
Unknown types
1

Dropped files

PID
Process
Filename
Type
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3148.37624\Sclerosis.exeexecutable
MD5:1AD7F52A5B59C3D3F7FBA2F72ECE6FF1
SHA256:D76F8F1C1B52D353712AD0A74808EBB8B13F513E89C5A58803211CDCB3EDCFD0
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3148.34176\quantizer.exeexecutable
MD5:1458480CF8803569195F934D47AC7481
SHA256:68D528F9AC891E920449188198A233B71B2860838AF4FB970B9966F941CE82CA
2696Sclerosis.exeC:\Windows\Sclerosis\sqmove.exeexecutable
MD5:8AD1DA4C2B678FFBC0F5D95ADFEB5C9B
SHA256:6CAAD2810E0D398EF80F5AA63F8F9ED09DBC5B6BB169E43B7319FE9A1EEA85F2
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3148.34176\Sclerosis.exeexecutable
MD5:1AD7F52A5B59C3D3F7FBA2F72ECE6FF1
SHA256:D76F8F1C1B52D353712AD0A74808EBB8B13F513E89C5A58803211CDCB3EDCFD0
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3148.35157\quantizer.exeexecutable
MD5:1458480CF8803569195F934D47AC7481
SHA256:68D528F9AC891E920449188198A233B71B2860838AF4FB970B9966F941CE82CA
2696Sclerosis.exeC:\Windows\Sclerosis\run.vbstext
MD5:2B087BB9DEE64442247BB69DA8FBCAF0
SHA256:A2F3B7C3E0BF6690A243E9088F925396F063549B42568B92D00EBADDC618C3AD
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3148.35157\Sclerosis.exeexecutable
MD5:1AD7F52A5B59C3D3F7FBA2F72ECE6FF1
SHA256:D76F8F1C1B52D353712AD0A74808EBB8B13F513E89C5A58803211CDCB3EDCFD0
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3148.34176\Phsyletric.exeexecutable
MD5:4DB23CF50F64A83759DB9DF6AD222D65
SHA256:465F8BF12FE8FC53C9EF45E498B5F9D95B783C61096147BBC09182F6D19DD129
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3148.34176\Mythlas.exeexecutable
MD5:1BCCDB1CBBDB299F4053DBAB4236DADC
SHA256:E65C793A31137AE75A6F30AE2933BD7CAE74FCD4330B6C8770C14466BC3A878F
3148WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3148.34176\Losinium.exeexecutable
MD5:3FAD30EF9BBB47488E86DEFA0F81ACAB
SHA256:69D2AD4DDD61C4B2E6FF350FD87B61DB5DE36218626812E69C4289DE5782CD0C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info