File name:

Nueva carpeta.7z

Full analysis: https://app.any.run/tasks/50fa4319-a2ae-4f1c-87a6-3dc18a2f800e
Verdict: Malicious activity
Analysis date: October 04, 2022, 22:43:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

4A9E7B4A11FC5DC1D977A1E0B194706F

SHA1:

995EC8F6EEE0BBB7B17EDD5ACFF717498A43FD06

SHA256:

C710223BFCA39FD10E42DB6404C6A8A2EADA5007B609E42F2E042B85E3BB2D90

SSDEEP:

1536:vB1ARw/AMEehkPX6bhufGURoUYzhBOmCf6/Hlf3YULTHAJh51CRp:viwVDpVueu/NmCyvVwhzCRp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 1968)
      • Explorer.EXE (PID: 912)

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3836)
      • Explorer.EXE (PID: 912)

    • Application was dropped or rewritten from another process

      • regasm.exe (PID: 1324)

  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 3068)
      • WinRAR.exe (PID: 1968)
      • regasm.exe (PID: 1324)

    • Reads the computer name

      • WinRAR.exe (PID: 3068)
      • WinRAR.exe (PID: 1968)
      • regasm.exe (PID: 1324)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1968)
      • Explorer.EXE (PID: 912)

    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 1968)
      • Explorer.EXE (PID: 912)

    • Uses RUNDLL32.EXE to load library

      • Explorer.EXE (PID: 912)

  • INFO

    • Manual execution by user

      • WinRAR.exe (PID: 1968)

    • Checks supported languages

      • rundll32.exe (PID: 3140)

    • Reads the computer name

      • rundll32.exe (PID: 3140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs winrar.exe searchprotocolhost.exe no specs explorer.exe regasm.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
912C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1324"C:\Users\admin\Desktop\Desktop\regasm.exe\regasm.exe" C:\Users\admin\Desktop\Desktop\regasm.exe\regasm.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.6.76.2 built by: NETFXREL2
Modules
Images
c:\users\admin\desktop\desktop\regasm.exe\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sechost.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
1968"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver "-an=C:\Users\admin\Desktop\69F3ED90441B6F99D70551FF2D31D701.zip" -- "C:\Users\admin\Desktop\E0B6A2D1E460EA4AD4D48FA3FEF7E143.zip" "?\"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
3068"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Nueva carpeta.7z"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3140"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\Desktop\regasm.exe\pluginscontract.dllC:\Windows\system32\rundll32.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
3836"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
12 223
Read events
11 960
Write events
263
Delete events
0

Modification events

(PID) Process:(3068) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3068) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3068) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3068) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3068) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3068) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Nueva carpeta.7z
(PID) Process:(3068) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3068) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3068) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3068) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
4
Suspicious files
6
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
912Explorer.EXEC:\Users\admin\Desktop\E0B6A2D1E460EA4AD4D48FA3FEF7E143.zipcompressed
MD5:
SHA256:
3068WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3068.6904\Nueva carpeta\69F3ED90441B6F99D70551FF2D31D701.zipcompressed
MD5:
SHA256:
1968WinRAR.exeC:\Users\admin\Desktop\Desktop\regasm.exe\regasm.exeexecutable
MD5:
SHA256:
1968WinRAR.exeC:\Users\admin\Desktop\Desktop\pluginscontract.dll\pluginscontract.dllexecutable
MD5:
SHA256:
912Explorer.EXEC:\Users\admin\Desktop\pluginscontract.dllexecutable
MD5:
SHA256:
912Explorer.EXEC:\Users\admin\Desktop\Desktop\regasm.exe\pluginscontract.dllexecutable
MD5:
SHA256:
3068WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3068.6904\Nueva carpeta\E0B6A2D1E460EA4AD4D48FA3FEF7E143.zipcompressed
MD5:
SHA256:
912Explorer.EXEC:\Users\admin\Desktop\69F3ED90441B6F99D70551FF2D31D701.zipcompressed
MD5:
SHA256:
1968WinRAR.exeC:\Users\admin\Desktop\Desktop\details.jsonbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Nueva carpeta.7z