File name: Nueva carpeta.7z
Full analysis: https://app.any.run/tasks/50fa4319-a2ae-4f1c-87a6-3dc18a2f800e
Verdict: Malicious activity
Analysis date: October 04, 2022, 22:43:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 4A9E7B4A11FC5DC1D977A1E0B194706F
SHA1: 995EC8F6EEE0BBB7B17EDD5ACFF717498A43FD06
SHA256: C710223BFCA39FD10E42DB6404C6A8A2EADA5007B609E42F2E042B85E3BB2D90
SSDEEP: 1536:vB1ARw/AMEehkPX6bhufGURoUYzhBOmCf6/Hlf3YULTHAJh51CRp:viwVDpVueu/NmCyvVwhzCRp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3836)
      • Explorer.EXE (PID: 912)
    • Drops executable file immediately after starts
      • Explorer.EXE (PID: 912)
      • WinRAR.exe (PID: 1968)
    • Application was dropped or rewritten from another process
      • regasm.exe (PID: 1324)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Explorer.EXE (PID: 912)
      • WinRAR.exe (PID: 1968)
    • Reads the computer name
      • WinRAR.exe (PID: 1968)
      • WinRAR.exe (PID: 3068)
      • regasm.exe (PID: 1324)
    • Checks supported languages
      • WinRAR.exe (PID: 3068)
      • WinRAR.exe (PID: 1968)
      • regasm.exe (PID: 1324)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 1968)
      • Explorer.EXE (PID: 912)
    • Uses RUNDLL32.EXE to load library
      • Explorer.EXE (PID: 912)
  • INFO
    • Manual execution by user
      • WinRAR.exe (PID: 1968)
    • Checks supported languages
      • rundll32.exe (PID: 3140)
    • Reads the computer name
      • rundll32.exe (PID: 3140)
No Malware configuration.

TRiD:
  • .7z | 7-Zip compressed archive (v0.4) (57.1)
  • .7z | 7-Zip compressed archive (gen) (42.8)
No data.
Total processes: 42
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 1

Behavior graph (interactive in the full report), nodes: start, winrar.exe, winrar.exe, searchprotocolhost.exe, explorer.exe, regasm.exe, rundll32.exe

Process information

PID: 3068
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Nueva carpeta.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 1968
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver "-an=C:\Users\admin\Desktop\69F3ED90441B6F99D70551FF2D31D701.zip" -- "C:\Users\admin\Desktop\E0B6A2D1E460EA4AD4D48FA3FEF7E143.zip" "?\"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 3836
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

PID: 912
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1324
CMD: "C:\Users\admin\Desktop\Desktop\regasm.exe\regasm.exe"
Path: C:\Users\admin\Desktop\Desktop\regasm.exe\regasm.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Exit code: 0
Version: 4.6.76.2 built by: NETFXREL2

PID: 3140
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\Desktop\regasm.exe\pluginscontract.dll
Path: C:\Windows\system32\rundll32.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 12 223
Read events: 11 960
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 4
Suspicious files: 6
Text files: 0
Unknown types: 0

Dropped files

PID: 1968
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Desktop\regasm.exe\regasm.exe
Type: executable
MD5: 15BFFAAD72804D35E27BE0248902B66A
SHA256: 00271881346E8C7FCF324686631894B977CF0F43A26A2FED8554B9B604A0BD5D

PID: 912
Process: Explorer.EXE
Filename: C:\Users\admin\Desktop\69F3ED90441B6F99D70551FF2D31D701.zip
Type: compressed
MD5: 612042E0364A2B1B60EFDF2DFE928900
SHA256: 8B518AF1B2BFC341C426662AE211D03D094ADF0915BF234E19C34EB9C605BA22

PID: 3068
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.6904\Nueva carpeta\69F3ED90441B6F99D70551FF2D31D701.zip
Type: compressed
MD5: 612042E0364A2B1B60EFDF2DFE928900
SHA256: 8B518AF1B2BFC341C426662AE211D03D094ADF0915BF234E19C34EB9C605BA22

PID: 1968
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Desktop\details.json
Type: binary
MD5: 1E73DF1B3E4BF1B01F803AAC4F20462A
SHA256: 88A342BEC906696336A5A9DC795F8EFCAAEA9F4DF0BBF360368B578C0C8D2E9B

PID: 1968
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Desktop\pluginscontract.dll\pluginscontract.dll
Type: executable
MD5: A9EDBAC58A39839985012B603FC5237A
SHA256: 0C4EFA118678953E84BE5B636376E1C7B5D0CB115CABEE5A41C9AED27FE45833

PID: 912
Process: Explorer.EXE
Filename: C:\Users\admin\Desktop\Desktop\regasm.exe\pluginscontract.dll
Type: executable
MD5: A9EDBAC58A39839985012B603FC5237A
SHA256: 0C4EFA118678953E84BE5B636376E1C7B5D0CB115CABEE5A41C9AED27FE45833

PID: 912
Process: Explorer.EXE
Filename: C:\Users\admin\Desktop\E0B6A2D1E460EA4AD4D48FA3FEF7E143.zip
Type: compressed
MD5: 9CC7AC582BDC8FCF4CB8AC992E1148BF
SHA256: 081D60C546B21F73D8CAF531EA4A8FB5DBE774675CE027DB8CF53475958CEA06

PID: 3068
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.6904\Nueva carpeta\E0B6A2D1E460EA4AD4D48FA3FEF7E143.zip
Type: compressed
MD5: 9CC7AC582BDC8FCF4CB8AC992E1148BF
SHA256: 081D60C546B21F73D8CAF531EA4A8FB5DBE774675CE027DB8CF53475958CEA06

PID: 912
Process: Explorer.EXE
Filename: C:\Users\admin\Desktop\pluginscontract.dll
Type: executable
MD5: A9EDBAC58A39839985012B603FC5237A
SHA256: 0C4EFA118678953E84BE5B636376E1C7B5D0CB115CABEE5A41C9AED27FE45833
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests

Connections: No data
DNS requests: No data
Threats: No threats detected
No debug info