File name: Cain-master.zip

Full analysis: https://app.any.run/tasks/de0bd9f6-fb13-45f8-8adc-2e863808d974
Verdict: Malicious activity
Analysis date: November 22, 2024, 03:48:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: arch-exec, arch-doc, mimikatz, tools
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: 7C5F70C97E1C8CB4CC0C8542604DDB70
SHA1: 92839216E7788F42F03DC3EC04F3B4AD6F522C0D
SHA256: C9F07641920AEE056010E1522C386CC6227B62265297584F133F9D7E43703DF5
SSDEEP: 98304:WiJd7L6/T7RngHqbEcY5ZquVhQKNERcsWxkb995mkTHftvMRxaZfybPbbrWGu9N3:d5E+BGeSdlXK/aV9RA0hhFySRvl5LN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4444)
      • powershell.exe (PID: 6252)
      • powershell.exe (PID: 6476)
      • powershell.exe (PID: 968)
      • powershell.exe (PID: 6324)
      • powershell.exe (PID: 5564)
    • MIMIKATZ has been detected (YARA)

      • Cain.exe (PID: 5936)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • WinRAR.exe (PID: 3912)
    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 3912)
      • npcap-1.79.exe (PID: 5100)
      • drvinst.exe (PID: 7132)
      • NPFInstall.exe (PID: 6956)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3912)
    • The process hide an interactive prompt from the user

      • npcap-1.79.exe (PID: 5100)
    • The process bypasses the loading of PowerShell profile settings

      • npcap-1.79.exe (PID: 5100)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • npcap-1.79.exe (PID: 5100)
    • Executable content was dropped or overwritten

      • npcap-1.79.exe (PID: 5100)
      • drvinst.exe (PID: 7132)
      • NPFInstall.exe (PID: 6956)
    • Starts POWERSHELL.EXE for commands execution

      • npcap-1.79.exe (PID: 5100)
    • Removes files via Powershell

      • powershell.exe (PID: 6476)
      • powershell.exe (PID: 6252)
  • INFO

    • The process uses the downloaded file

      • WinRAR.exe (PID: 3912)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3912)
    • Manual execution by a user

      • Cain.exe (PID: 6612)
      • Cain_original.exe (PID: 6692)
      • Abel.exe (PID: 6424)
      • Abel.exe (PID: 6276)
      • Abel64.exe (PID: 6516)
      • Abel64.exe (PID: 6468)
      • notepad.exe (PID: 6652)
      • Cain_original.exe (PID: 6740)
      • Abel64.exe (PID: 6856)
      • Cain.exe (PID: 6896)
      • Abel64.exe (PID: 6808)
      • Cain.exe (PID: 6564)
      • Abel.exe (PID: 6772)
      • Cain.exe (PID: 6944)
      • Cain_original.exe (PID: 7028)
      • Cain.exe (PID: 7108)
      • Cain_original.exe (PID: 7076)
      • npcap-1.79.exe (PID: 5100)
      • npcap-1.79.exe (PID: 6156)
      • Winrtgen.exe (PID: 3524)
      • Winrtgen.exe (PID: 3700)
      • Cain.exe (PID: 5936)
      • Cain.exe (PID: 6276)
      • Cain.exe (PID: 7156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:02:22 07:55:42
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Cain-master/
No data.
All screenshots are available in the full report
Total processes: 190
Monitored processes: 63
Malicious processes: 4
Suspicious processes: 1

Behavior graph

start winrar.exe textinputhost.exe no specs rundll32.exe no specs abel.exe no specs abel.exe no specs abel.exe no specs abel64.exe no specs abel64.exe cain.exe no specs cain.exe notepad.exe no specs cain_original.exe no specs cain_original.exe abel.exe no specs abel64.exe no specs abel64.exe cain.exe no specs cain.exe cain_original.exe no specs cain_original.exe cain.exe no specs cain.exe npcap-1.79.exe no specs npcap-1.79.exe npfinstall.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs certutil.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs certutil.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs npfinstall.exe no specs conhost.exe no specs pnputil.exe no specs conhost.exe no specs npfinstall.exe no specs conhost.exe no specs npfinstall.exe conhost.exe no specs drvinst.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs winrtgen.exe no specs winrtgen.exe cain.exe no specs #MIMIKATZ cain.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 128
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 968
CMD: powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: npcap-1.79.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1140
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1472
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3524
CMD: "C:\WINDOWS\system32\certutil.exe" -verifystore Root 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
2148073489
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 3524
CMD: "C:\Users\admin\Downloads\Cain-master\Winrtgen\Winrtgen.exe"
Path: C:\Users\admin\Downloads\Cain-master\Winrtgen\Winrtgen.exe
Parent process: explorer.exe
User:
admin
Company:
oxid.it
Integrity Level:
HIGH
Description:
Rainbow Tables Generator
Exit code:
0
Version:
2, 9, 0, 4
PID: 3700
CMD: "C:\Users\admin\Downloads\Cain-master\Winrtgen\Winrtgen.exe"
Path: C:\Users\admin\Downloads\Cain-master\Winrtgen\Winrtgen.exe
Parent process: explorer.exe
User:
admin
Company:
oxid.it
Integrity Level:
MEDIUM
Description:
Rainbow Tables Generator
Exit code:
3221226540
Version:
2, 9, 0, 4
PID: 3912
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Cain-master.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4340
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: NPFInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4444
CMD: powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq '0563b8630d62d75abbc8ab1e4bdfb5a899b24d43'} | Sort-Object -Descending -Property FriendlyName | Select-Object -Skip 1 | Remove-Item"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: npcap-1.79.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 49 647
Read events: 49 544
Write events: 69
Delete events: 34

Modification events

(PID) Process: (3912) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (3912) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (3912) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (3912) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Cain-master.zip

(PID) Process: (3912) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3912) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3912) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3912) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3912) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 15
Value:

(PID) Process: (3912) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 14
Value:

Executable files: 103
Suspicious files: 39
Text files: 73
Unknown types: 11

Dropped files

Columns: PID, Process, Filename, Type

PID: 3912 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Cain-master\Cain-master\Abel.dll.sig | Type: fli
MD5: 7033D9ACA753B4AF1C7FA0DFF7A3816C
SHA256: 5402ED68026667B614C9AA5CC90DEAF5E6EDF60DA5A829E001B4C0A3F6C1CAB2

PID: 3912 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Cain-master\Cain-master\Abel.exe.sig | Type: fli
MD5: 3B2EB1958FEC411998134D2D629C5749
SHA256: A91D1E77BFE8796EFE4AF9F0FC12885913B969AC7C9A9DC603CC794ED9EB6894

PID: 3912 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Cain-master\Cain-master\Abel64.exe.sig | Type: fli
MD5: 0DF87ED399A9CC3FB169025B957362E0
SHA256: 8338A27A9B1F7D4EF40C4213DDC75641BCF7B00B3C1E2415C7E5409BC7C6B214

PID: 3912 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Cain-master\Cain-master\.gitattributes | Type: text
MD5: 01C2BA45B8CE4CB9D870B39204AAE551
SHA256: BDBD68B106767972511720C3034130C2FFC1862C5ABC29BFE110BF82C5137383

PID: 3912 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Cain-master\Cain-master\Cain.exe.sig | Type: fli
MD5: 559FBE2DF522745619FA9AB9A7BA1A95
SHA256: 553EB386A04BB234E6331A14C8FF9355CFD414D6B8C52F28AF7B85A03D8373AD

PID: 3912 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Cain-master\Cain-master\Abel64.exe | Type: executable
MD5: 57FDE9C8F2122CED014F83D942F19AF8
SHA256: C7F63AD0EE0E121F11D1F0C68CFC805F7D764646A6399CCBCD0F4C37AF114FA2

PID: 3912 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Cain-master\Cain-master\Abel64.dll | Type: executable
MD5: DC0670DC01C6C8FDCD9AD95194FA723E
SHA256: 6139689FC078EBCE7BEA5143BAE4F6D89344AE2FA3B6266A7C783F3A2FD2FD16

PID: 3912 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Cain-master\Cain-master\CA_UserManual.chm | Type: binary
MD5: C904361FBFD53714F8FF3B0ACF4EE476
SHA256: 9B71D0ED2A74B105AE3C8017FB5FE03124FC65539C867719A7062B964CD030B7

PID: 3912 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Cain-master\Cain-master\Abel64.dll.sig | Type: fli
MD5: 6B0329CBE94C33A16469ACF1F7D4C89D
SHA256: B1FDD6EC32CE9DA18554102A04F1FEDF6C4947F0B8351390C14D617BE644CB67

PID: 3912 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Cain-master\Cain-master\Driver\Airpcap API Wrapper\Driver\airpcap64.dll | Type: executable
MD5: 66DD34ED3E310640363FCB2A4A3DBACF
SHA256: 3930B3537B906B9DF9D80B551BB323243016DED36FC460463D0AB9F94EE4022B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 34
DNS requests: 11
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation

PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
IP: 40.127.240.158:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 3976 | Process: svchost.exe | IP: 51.104.136.2:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 4932 | Process: svchost.exe | IP: 51.104.136.2:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 5064 | Process: SearchApp.exe | IP: 104.126.37.128:443 | Domain: www.bing.com | ASN: Akamai International B.V. | CN: DE | Reputation: whitelisted
PID: 5064 | Process: SearchApp.exe | IP: 204.79.197.222:443 | Domain: fp.msedge.net | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
www.bing.com
  • 104.126.37.128
  • 104.126.37.185
  • 104.126.37.178
  • 104.126.37.144
  • 104.126.37.145
  • 104.126.37.139
  • 104.126.37.154
  • 104.126.37.131
whitelisted
google.com
  • 142.250.186.110
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted
self.events.data.microsoft.com
  • 13.70.79.200
whitelisted

Threats

No threats detected
No debug info