File name: PrimoCache.Srv.Setup.zip

Full analysis: https://app.any.run/tasks/bb051210-e318-4532-8aeb-7d139a3debec
Verdict: Malicious activity
Analysis date: December 04, 2020, 17:41:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 31188B65A13897257B18C2BAB3AFD009
SHA1: BEFB5AE3CA5A04922D68F692FB365AE2D5F486C6
SHA256: C69959AD95FDD950251DFCB8040AD26C601A0DF9DA2528738C90E640A7B5C206
SSDEEP: 196608:t7cYzKKQABYT2SE7jH3NumLgmXNb69DJ398frv:dvSC3NzkuR61XQL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • PrimoCache.Srv.Setup.3.2.0.exe (PID: 564)
      • fcsetup.exe (PID: 2744)
    • Drops executable file immediately after starts
      • PrimoCache.Srv.Setup.3.2.0.exe (PID: 564)
      • fcsetup.exe (PID: 2744)
  • SUSPICIOUS
    • Creates files in the driver directory
      • PrimoCache.Srv.Setup.3.2.0.tmp (PID: 3272)
      • fcsetup.exe (PID: 2744)
    • Drops a file that was compiled in debug mode
      • PrimoCache.Srv.Setup.3.2.0.tmp (PID: 3272)
      • fcsetup.exe (PID: 2744)
    • Reads Windows owner or organization settings
      • PrimoCache.Srv.Setup.3.2.0.tmp (PID: 3272)
    • Creates a directory in Program Files
      • PrimoCache.Srv.Setup.3.2.0.tmp (PID: 3272)
    • Creates files in the Windows directory
      • PrimoCache.Srv.Setup.3.2.0.tmp (PID: 3272)
      • fcsetup.exe (PID: 2744)
    • Reads the Windows organization settings
      • PrimoCache.Srv.Setup.3.2.0.tmp (PID: 3272)
    • Executable content was dropped or overwritten
      • PrimoCache.Srv.Setup.3.2.0.tmp (PID: 3272)
      • PrimoCache.Srv.Setup.3.2.0.exe (PID: 564)
      • fcsetup.exe (PID: 2744)
    • Starts SC.EXE for service management
      • PrimoCache.Srv.Setup.3.2.0.tmp (PID: 3272)
    • Removes files from Windows directory
      • fcsetup.exe (PID: 2744)
  • INFO
    • Application was dropped or rewritten from another process
      • PrimoCache.Srv.Setup.3.2.0.tmp (PID: 3272)
    • Creates files in the program directory
      • PrimoCache.Srv.Setup.3.2.0.tmp (PID: 3272)
    • Creates a software uninstall entry
      • PrimoCache.Srv.Setup.3.2.0.tmp (PID: 3272)
    • Manual execution by user
      • PrimoCache.Srv.Setup.3.2.0.exe (PID: 564)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:12:31 23:04:04
ZipCRC: 0x9b434e0e
ZipCompressedSize: 6864575
ZipUncompressedSize: 7149400
ZipFileName: PrimoCache.Srv.Setup.3.2.0.exe
No data.
Total processes: 48
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

(Graph omitted. Processes shown: winrar.exe, primocache.srv.setup.3.2.0.exe, primocache.srv.setup.3.2.0.tmp, sc.exe, fcsetup.exe.)

Process information

PID: 564
CMD: "C:\Users\admin\Desktop\PrimoCache.Srv.Setup.3.2.0.exe"
Path: C:\Users\admin\Desktop\PrimoCache.Srv.Setup.3.2.0.exe
Parent process: explorer.exe
User: admin
Company: Romex Software
Integrity Level: HIGH
Description: PrimoCache Setup
Exit code: 0
Version: 3.2.0
Modules (images):
c:\users\admin\desktop\primocache.srv.setup.3.2.0.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 2736
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PrimoCache.Srv.Setup.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll

PID: 2744
CMD: "C:\Program Files\PrimoCache\fcsetup.exe" -i "C:\Program Files\PrimoCache\drv\rxfcv.inf" 1
Path: C:\Program Files\PrimoCache\fcsetup.exe
Parent process: PrimoCache.Srv.Setup.3.2.0.tmp
User: admin
Company: Romex Software
Integrity Level: HIGH
Description: fcsetup
Exit code: 0
Version: 1.2.0.1 built by: WinDDK
Modules (images):
c:\program files\primocache\fcsetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll

PID: 2892
CMD: "sc" delete PrimoCacheSvc
Path: C:\Windows\system32\sc.exe
Parent process: PrimoCache.Srv.Setup.3.2.0.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 1060
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 3272
CMD: "C:\Users\admin\AppData\Local\Temp\is-CJPEU.tmp\PrimoCache.Srv.Setup.3.2.0.tmp" /SL5="$5017C,6598152,417280,C:\Users\admin\Desktop\PrimoCache.Srv.Setup.3.2.0.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-CJPEU.tmp\PrimoCache.Srv.Setup.3.2.0.tmp
Parent process: PrimoCache.Srv.Setup.3.2.0.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-cjpeu.tmp\primocache.srv.setup.3.2.0.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events: 687
Read events: 625
Write events: 56
Delete events: 6

Modification events

(PID) Process: (2736) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2736) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2736) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2736) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\PrimoCache.Srv.Setup.zip

(PID) Process: (2736) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2736) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2736) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2736) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3272) PrimoCache.Srv.Setup.3.2.0.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: C80C000068F48AD464CAD601

(PID) Process: (3272) PrimoCache.Srv.Setup.3.2.0.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 6ECB35422350946A4D509C5945FAB8CCF6203B113399E05B271C2AE4815EA18D
Executable files: 8
Suspicious files: 1
Text files: 12
Unknown types: 3

Dropped files

PID   Process                          Filename
2736  WinRAR.exe                       C:\Users\admin\AppData\Local\Temp\Rar$DRa2736.6962\PrimoCache.Srv.Setup.3.2.0.exe
3272  PrimoCache.Srv.Setup.3.2.0.tmp   C:\Program Files\PrimoCache\is-14JDB.tmp
3272  PrimoCache.Srv.Setup.3.2.0.tmp   C:\Program Files\PrimoCache\is-JQ1OM.tmp
3272  PrimoCache.Srv.Setup.3.2.0.tmp   C:\Program Files\PrimoCache\is-17GHK.tmp
3272  PrimoCache.Srv.Setup.3.2.0.tmp   C:\Program Files\PrimoCache\is-VU5FH.tmp
3272  PrimoCache.Srv.Setup.3.2.0.tmp   C:\Program Files\PrimoCache\drv\is-3PDB9.tmp
3272  PrimoCache.Srv.Setup.3.2.0.tmp   C:\Program Files\PrimoCache\drv\is-K1OLD.tmp
3272  PrimoCache.Srv.Setup.3.2.0.tmp   C:\Program Files\PrimoCache\drv\is-DJD47.tmp
3272  PrimoCache.Srv.Setup.3.2.0.tmp   C:\Windows\system32\drivers\is-IN6RI.tmp
2744  fcsetup.exe                      C:\Windows\system32\DRIVERS\SETAA05.tmp

Type, MD5 and SHA256 values for the dropped files are not included in this report.
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info