File name: 1C - плaтежноe пopучeнние №34729636725 - 2019.rar

Full analysis: https://app.any.run/tasks/7d109d2c-b998-44a5-b3dd-7f5445bfa3f7
Verdict: Malicious activity
Analysis date: July 18, 2019, 08:49:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, flags: EncryptedBlockHeader
MD5: A2181138EEEC6D9AFB066F1BB325CA01
SHA1: 37D2EA8FBECA59207AFEEB751439D7195F1F0B5E
SHA256: CE0A72B4A1A6E4F4BBB0EAFCE37932F90AC3642DD2B28E26CA4A88079DE8C0FF
SSDEEP: 24576:BsFQ5kUFvn7k5jWbMU4XrIUAlZF7UAmgUMBp3nEHqNHoAZFr:VVKjWbMxrJAlzwAmkEKNIAr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 1C - плaтежноe пopучeнние №34729636725 - 2019.scr (PID: 2684)
      • 1C - плaтежноe пopучeнние №34729636725 - 2019.scr (PID: 3596)
      • 1C - плaтежноe пopучeнние №34729636725 - 2019.scr (PID: 3808)
      • 1C - плaтежноe пopучeнние №34729636725 - 2019.scr (PID: 3424)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3300)
      • notepad++.exe (PID: 2044)
    • Creates files in the user directory
      • notepad++.exe (PID: 2044)
  • INFO
    • Manual execution by user
      • 1C - плaтежноe пopучeнние №34729636725 - 2019.scr (PID: 3596)
      • 1C - плaтежноe пopучeнние №34729636725 - 2019.scr (PID: 3808)
      • notepad++.exe (PID: 2044)
      • 1C - плaтежноe пopучeнние №34729636725 - 2019.scr (PID: 2684)
      • 1C - плaтежноe пopучeнние №34729636725 - 2019.scr (PID: 3424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph: start; winrar.exe; 1c - плaтежноe пopучeнние №34729636725 - 2019.scr (no specs); 1c - плaтежноe пopучeнние №34729636725 - 2019.scr; notepad++.exe; gup.exe; 1c - плaтежноe пopучeнние №34729636725 - 2019.scr (no specs); 1c - плaтежноe пopучeнние №34729636725 - 2019.scr

Process information

PID: 3300
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1C - плaтежноe пopучeнние №34729636725 - 2019.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3596
CMD: "C:\Users\admin\Desktop\1C - плaтежноe пopучeнние №34729636725 - 2019.scr" /S
Path: C:\Users\admin\Desktop\1C - плaтежноe пopучeнние №34729636725 - 2019.scr
Parent process: explorer.exe
User: admin
Company: 73443316.523404.8564521
Integrity Level: MEDIUM
Description: 128.7502.94331.2341 4643220.234259.2342341.234236 Installati
Exit code: 3221226540
Version: 4643220.234259.23423

PID: 3808
CMD: "C:\Users\admin\Desktop\1C - плaтежноe пopучeнние №34729636725 - 2019.scr" /S
Path: C:\Users\admin\Desktop\1C - плaтежноe пopучeнние №34729636725 - 2019.scr
Parent process: explorer.exe
User: admin
Company: 73443316.523404.8564521
Integrity Level: HIGH
Description: 128.7502.94331.2341 4643220.234259.2342341.234236 Installati
Exit code: 0
Version: 4643220.234259.23423

PID: 2044
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\1C - плaтежноe пopучeнние №34729636725 - 2019.scr"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Exit code: 0
Version: 7.51

PID: 3616
CMD: "C:\Program Files\Notepad++\updater\gup.exe" -v7.51
Path: C:\Program Files\Notepad++\updater\gup.exe
Parent process: notepad++.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: GUP : a free (LGPL) Generic Updater
Exit code: 0
Version: 4.1

PID: 2684
CMD: "C:\Users\admin\Desktop\1C - плaтежноe пopучeнние №34729636725 - 2019.scr" /S
Path: C:\Users\admin\Desktop\1C - плaтежноe пopучeнние №34729636725 - 2019.scr
Parent process: explorer.exe
User: admin
Company: 73443316.523404.8564521
Integrity Level: MEDIUM
Description: 128.7502.94331.2341 4643220.234259.2342341.234236 Installati
Exit code: 3221226540
Version: 4643220.234259.23423

PID: 3424
CMD: "C:\Users\admin\Desktop\1C - плaтежноe пopучeнние №34729636725 - 2019.scr" /S
Path: C:\Users\admin\Desktop\1C - плaтежноe пopучeнние №34729636725 - 2019.scr
Parent process: explorer.exe
User: admin
Company: 73443316.523404.8564521
Integrity Level: HIGH
Description: 128.7502.94331.2341 4643220.234259.2342341.234236 Installati
Exit code: 0
Version: 4643220.234259.23423
Total events: 485
Read events: 460
Write events: 25
Delete events: 0

Modification events

PID 3300 (WinRAR.exe)
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

PID 3300 (WinRAR.exe)
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

PID 3300 (WinRAR.exe)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

PID 3300 (WinRAR.exe)
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

PID 3300 (WinRAR.exe)
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\1C - плaтежноe пopучeнние №34729636725 - 2019.rar

PID 3300 (WinRAR.exe)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

PID 3300 (WinRAR.exe)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

PID 3300 (WinRAR.exe)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

PID 3300 (WinRAR.exe)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

PID 3300 (WinRAR.exe)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation: write
Name: @shell32,-10162
Value: Screen saver
Executable files: 3
Suspicious files: 0
Text files: 7
Unknown types: 0

Dropped files

PID: 2044
Process: notepad++.exe
Filename: C:\Users\admin\AppData\Roaming\Notepad++\session.xml
Type: text
MD5: 379E9468394B48FADF836881E0C48970
SHA256: AAD5CFDF4542D34CCD50E832CD334A096672544D4D846B645C6A6CFFB1F04A13

PID: 3300
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3300.31223\1C - плaтежноe пopучeнние №34729636725 - 2019.scr
Type: executable
MD5: ED8029C038BAD9583DDE1D113D0F1FDD
SHA256: CDDE95F4DA79994A9613B0901350A4B8C6148B437CCE9F8BD395E3CD79C05ADF

PID: 2044
Process: notepad++.exe
Filename: C:\Users\admin\AppData\Roaming\Notepad++\backup\1C - плaтежноe пopучeнние №34729636725 - 2019.scr@2019-07-18_095145
Type: executable
MD5: C1AEA156E13D7DE4E3F208CD499CAEB2
SHA256: 9244B1DFB30EFB4A51F6C0118A3DDA826368E62BC79D7A30029DD91F2902BC82

PID: 2044
Process: notepad++.exe
Filename: C:\Users\admin\AppData\Roaming\Notepad++\config.xml
Type: xml
MD5: 411C9D3CA2805DF6B6EAD9F33C028ABB
SHA256: 55659CF0494B7DD78126A5B55836604C52D890CFA2F86FD71ADC0A542A9E7914

PID: 2044
Process: notepad++.exe
Filename: C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini
Type: text
MD5: F70F579156C93B097E656CABA577A5C9
SHA256: B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4

PID: 2044
Process: notepad++.exe
Filename: C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml
Type: xml
MD5: 44982E1D48434C0AB3E8277E322DD1E4
SHA256: 3E661D3F1FF3977B022A0ACC26B840B5E57D600BC03DCFC6BEFDB408C665904C

PID: 2044
Process: notepad++.exe
Filename: C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml
Type: text
MD5: AD21A64014891793DD9B21D835278F36
SHA256: C24699C9D00ABDD510140FE1B2ACE97BFC70D8B21BF3462DED85AFC4F73FE52F

PID: 2044
Process: notepad++.exe
Filename: C:\Users\admin\AppData\Roaming\Notepad++\langs.xml
Type: xml
MD5: E792264BEC29005B9044A435FBA185AB
SHA256: 5298FD2F119C43D04F6CF831F379EC25B4156192278E40E458EC356F9B49D624
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3616
Process: gup.exe
IP: 37.59.28.236:443
Domain: notepad-plus-plus.org
ASN: OVH SAS
CN: FR
Reputation: whitelisted

IP: 2.20.189.204:80
Domain: isrg.trustid.ocsp.identrust.com
ASN: Akamai International B.V.
Reputation: whitelisted

DNS requests

Domain: notepad-plus-plus.org
IP: 37.59.28.236
Reputation: whitelisted

Domain: isrg.trustid.ocsp.identrust.com
IP: 2.20.189.204, 2.20.190.11
Reputation: whitelisted

Threats

No threats detected
Process: notepad++.exe
Message: VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll

Process: notepad++.exe
Message: VerifyLibrary: certificate revocation checking is disabled

Process: notepad++.exe
Message: 42C4C5846BB675C74E2B2C90C69AB44366401093