| Field | Value |
|---|---|
| File name: | Neuer ZIP-komprimierter Ordner.zip (the default name Windows Explorer on a German locale gives a newly created "compressed folder") |
| Full analysis: | https://app.any.run/tasks/2efb0ba2-51bb-45ce-998a-911e45b7e016 |
| Verdict: | Malicious activity |
| Analysis date: | May 16, 2020, 12:38:33 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 879730A039AC5F4095C241415B6C3436 |
| SHA1: | 8428CC15021D6E24562FD864B75A0CD0235F58DA |
| SHA256: | CF435D9036FA5BED9F48CCDCD754C32F009EB4CB76C12D68CE5FF9510F44D200 |
| SSDEEP: | 49152:+6XhFlFPYLv8vf8EIwTqtADbTnfndql4mMfRBtjXhA5wO5pI1dBs/2ywSyoM2:FRjlYzWEEIwTqtADHnfy4BlXhmarywry |
| Tag | Value |
|---|---|
| File type: | .zip, ZIP compressed archive (100) |
| ZipRequiredVersion: | 20 |
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2020:05:16 14:36:08 |
| ZipCRC: | 0x736e7987 |
| ZipCompressedSize: | 2210510 |
| ZipUncompressedSize: | 2210510 |
| ZipFileName: | PBDownForce0331.zip |

These Zip* tags are ExifTool-style metadata and describe only the first local file header of the outer archive, not every member: the dropped-files list further down shows the outer ZIP also carries VolumeId.zip and HardDiskSerialNumberChanger-1095.exe at top level. The first member, PBDownForce0331.zip, is stored uncompressed (ZipCompression None, compressed size equal to uncompressed size), i.e. a ZIP nested inside a ZIP with no compression layer in between.
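The metadata table above covers only the first member. To see every member of an archive like this one, including the members of the nested ZIPs, an analyst has to walk the archive recursively, record per-entry header fields (required version, compression method, CRC, sizes, modify date), hash each member and check entry names for zip-slip paths. The script below does that; it is an added example, not code from this report or from ANY.RUN, and the archive it builds in `build_sample()` is constructed for the demonstration and is not the analysed sample (its member names only mirror the ones the report lists).

```python
"""Recursive ZIP inventory: per-member header fields, hashes and a
zip-slip check, descending into nested ZIPs. The archive produced by
build_sample() is constructed here and is NOT the analysed sample."""
import hashlib
import io
import zipfile

METHODS = {zipfile.ZIP_STORED: "None", zipfile.ZIP_DEFLATED: "Deflate",
           zipfile.ZIP_BZIP2: "BZip2", zipfile.ZIP_LZMA: "LZMA"}
MAX_MEMBER_BYTES = 64 * 1024 * 1024   # do not inflate oversized members (zip-bomb guard)


def is_unsafe_path(name: str) -> bool:
    """Zip-slip check: absolute paths, drive letters and '..' components
    escape the extraction directory if an extractor trusts the name."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    return ".." in norm.split("/")


def inventory(data: bytes, prefix: str = "", max_depth: int = 4) -> list:
    """Return one dict per member; nested members are named outer.zip/inner."""
    rows = []
    if max_depth < 0:          # stop on pathological self-nesting archives
        return rows
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            row = {
                "path": prefix + info.filename,
                "required_version": info.extract_version,
                "compression": METHODS.get(info.compress_type, str(info.compress_type)),
                "crc": "0x%08x" % info.CRC,
                "compressed_size": info.compress_size,
                "uncompressed_size": info.file_size,
                "modify_date": "%04d:%02d:%02d %02d:%02d:%02d" % info.date_time,
                "unsafe_path": is_unsafe_path(info.filename),
                "skipped": info.file_size > MAX_MEMBER_BYTES,
            }
            rows.append(row)
            if row["skipped"] or info.is_dir():
                continue
            payload = zf.read(info)   # zipfile verifies the stored CRC here
            row["md5"] = hashlib.md5(payload).hexdigest().upper()
            row["sha256"] = hashlib.sha256(payload).hexdigest().upper()
            row["is_pe"] = payload[:2] == b"MZ"
            if zipfile.is_zipfile(io.BytesIO(payload)):
                rows.extend(inventory(payload, row["path"] + "/", max_depth - 1))
    return rows


def build_sample() -> bytes:
    """Constructed stand-in for the report's archive: a stored (uncompressed)
    inner ZIP, a fake PE blob and one zip-slip entry name. Not the real sample."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("PBDownForce0331/PBDownForce.exe", b"MZ" + b"\x90" * 500)
        z.writestr("PBDownForce0331/README", b"constructed readme\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("PBDownForce0331.zip", inner.getvalue(), compress_type=zipfile.ZIP_STORED)
        z.writestr("HardDiskSerialNumberChanger-1095.exe", b"MZ" + b"\x00" * 300)
        z.writestr("../escape.txt", b"zip-slip test entry\n")
    return outer.getvalue()


if __name__ == "__main__":
    for r in inventory(build_sample()):
        flags = ("UNSAFE-PATH " if r["unsafe_path"] else "") + ("PE" if r.get("is_pe") else "")
        print(f'{r["path"]:55} {r["compression"]:8} {r["crc"]} '
              f'{r["uncompressed_size"]:>8} {r.get("sha256", "-")[:16]} {flags}')
```

On the real sample, call `inventory(open(path, "rb").read())`; the first row then reproduces the ExifTool fields above (required version 20, compression None, CRC 0x736e7987, both sizes 2210510) and the remaining rows supply the hashes the dropped-files table below leaves empty. `zf.read()` raises `zipfile.BadZipFile` on a CRC mismatch, so a tampered member fails loudly instead of being hashed silently.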
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 1196 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Neuer ZIP-komprimierter Ordner.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0 |
| 1356 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\VolumeId.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0 |
| 1388 | "C:\Users\admin\Desktop\Volumeid.exe" | C:\Users\admin\Desktop\Volumeid.exe | | explorer.exe | admin | Sysinternals - www.sysinternals.com | HIGH | Set disk volume id | 1 | 2.1 |
| 1840 | "C:\Users\admin\Desktop\HardDiskSerialNumberChanger-1095.exe" | C:\Users\admin\Desktop\HardDiskSerialNumberChanger-1095.exe | | explorer.exe | admin | | HIGH | | 0 | |
| 2484 | "C:\Users\admin\Desktop\PBDownForce.exe" | C:\Users\admin\Desktop\PBDownForce.exe | | explorer.exe | admin | | HIGH | PB DownForce | 1073807364 | 0.3.3.1 |
| 2780 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\PBDownForce0331.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0 |
| 2900 | "C:\Users\admin\Desktop\Volumeid.exe" | C:\Users\admin\Desktop\Volumeid.exe | — | explorer.exe | admin | Sysinternals - www.sysinternals.com | MEDIUM | Set disk volume id | 1 | 2.1 |
| 3708 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Eula.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Notepad | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3804 | "C:\Users\admin\Desktop\PBDownForce.exe" | C:\Users\admin\Desktop\PBDownForce.exe | | explorer.exe | admin | | MEDIUM | PB DownForce | 4294967295 | 0.3.3.1 |
| 3852 | "C:\Users\admin\Desktop\Volumeid.exe" | C:\Users\admin\Desktop\Volumeid.exe | | explorer.exe | admin | Sysinternals - www.sysinternals.com | HIGH | Set disk volume id | 1 | 2.1 |

Reading the table: every process has explorer.exe as its parent, so the three archives and the three tools inside them were opened and launched interactively from the Desktop rather than by a dropper. The tools themselves are disk-identity utilities (Sysinternals VolumeId "Set disk volume id", a hard-disk serial number changer, and PB DownForce), and four of their runs (PIDs 1388, 1840, 2484, 3852) executed at HIGH integrity, i.e. after a UAC elevation, from a user-writable path; the Sysinternals tool ships a company name and description, the other two carry no company string. Volumeid.exe returned exit code 1 on all three runs, elevated or not. Exit code 1073807364 is 0x40010004, the NTSTATUS DBG_TERMINATE_PROCESS, which is what a process reports when the sandbox's debugger terminates it, so PID 2484 was still running when the analysis ended; 4294967295 is 0xFFFFFFFF, i.e. the process returned -1.
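The process and dropped-file tables carry enough structure to run triage rules over them: an executable launched at HIGH integrity from a user-writable path, an executable whose name matches a file an archiver dropped earlier, and a process the sandbox had to kill at the end of the run. The following script is an added example of such rules, not ANY.RUN's own indicator logic; the event lists are transcribed from this report's tables, the rule names are the example's own, and because the report gives no timestamps the drop-then-execute rule matches on basename only and does not check ordering.

```python
"""Triage rules over the process and dropped-file events of this report.
PROCESSES and DROPPED are transcribed from the report; the rules and
their names are this example's own, not ANY.RUN's indicators."""
import ntpath
from dataclasses import dataclass

# NTSTATUS a process reports when the debugger attached by the sandbox
# terminates it, i.e. it was still running when the analysis ended.
DBG_TERMINATE_PROCESS = 0x40010004


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    path: str
    parent: str
    integrity: str
    exit_code: int


PROCESSES = [  # transcribed from the report's process table
    ProcEvent(1196, r"C:\Program Files\WinRAR\WinRAR.exe", "explorer.exe", "MEDIUM", 0),
    ProcEvent(1356, r"C:\Program Files\WinRAR\WinRAR.exe", "explorer.exe", "MEDIUM", 0),
    ProcEvent(1388, r"C:\Users\admin\Desktop\Volumeid.exe", "explorer.exe", "HIGH", 1),
    ProcEvent(1840, r"C:\Users\admin\Desktop\HardDiskSerialNumberChanger-1095.exe", "explorer.exe", "HIGH", 0),
    ProcEvent(2484, r"C:\Users\admin\Desktop\PBDownForce.exe", "explorer.exe", "HIGH", 1073807364),
    ProcEvent(2780, r"C:\Program Files\WinRAR\WinRAR.exe", "explorer.exe", "MEDIUM", 0),
    ProcEvent(2900, r"C:\Users\admin\Desktop\Volumeid.exe", "explorer.exe", "MEDIUM", 1),
    ProcEvent(3708, r"C:\Windows\system32\NOTEPAD.EXE", "explorer.exe", "MEDIUM", 0),
    ProcEvent(3804, r"C:\Users\admin\Desktop\PBDownForce.exe", "explorer.exe", "MEDIUM", 4294967295),
    ProcEvent(3852, r"C:\Users\admin\Desktop\Volumeid.exe", "explorer.exe", "HIGH", 1),
]

DROPPED = [  # (dropping PID, path) transcribed from the report's file table
    (1196, r"C:\Users\admin\AppData\Local\Temp\Rar$DRa1196.6681\PBDownForce0331.zip"),
    (1196, r"C:\Users\admin\AppData\Local\Temp\Rar$DRa1196.6681\VolumeId.zip"),
    (1196, r"C:\Users\admin\AppData\Local\Temp\Rar$DRa1196.6681\HardDiskSerialNumberChanger-1095.exe"),
    (1356, r"C:\Users\admin\AppData\Local\Temp\Rar$DRa1356.7834\Volumeid.exe"),
    (1356, r"C:\Users\admin\AppData\Local\Temp\Rar$DRa1356.7834\Volumeid64.exe"),
    (1356, r"C:\Users\admin\AppData\Local\Temp\Rar$DRa1356.7834\Eula.txt"),
    (2780, r"C:\Users\admin\AppData\Local\Temp\Rar$DRb2780.12142\PBDownForce0331\config"),
    (2780, r"C:\Users\admin\AppData\Local\Temp\Rar$DRb2780.12142\PBDownForce0331\LICENCE"),
    (2780, r"C:\Users\admin\AppData\Local\Temp\Rar$DRb2780.12142\PBDownForce0331\PBDownForce.exe"),
    (2780, r"C:\Users\admin\AppData\Local\Temp\Rar$DRb2780.12142\PBDownForce0331\README"),
]


def is_user_writable(path: str) -> bool:
    """Heuristic: anything under a user profile (Desktop, AppData, Temp)."""
    return "\\users\\" in path.lower()


def detect(processes, dropped):
    """Return (pid, rule) pairs; one PID can trigger several rules."""
    dropped_names = {ntpath.basename(p).lower() for _, p in dropped}
    findings = []
    for ev in processes:
        name = ntpath.basename(ev.path).lower()
        if ev.integrity == "HIGH" and is_user_writable(ev.path):
            findings.append((ev.pid, "elevated_from_user_writable_path"))
        if name in dropped_names and is_user_writable(ev.path):
            # basename match only: the report has no timestamps to order drop and exec
            findings.append((ev.pid, "archive_member_executed"))
        if ev.exit_code == DBG_TERMINATE_PROCESS:
            findings.append((ev.pid, "killed_at_end_of_analysis"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(PROCESSES, DROPPED):
        print(f"{pid:>5}  {rule}")
```

Run against the report's events the rules single out the six tool executions and leave the archiver and Notepad runs untouched; the `killed_at_end_of_analysis` rule fires only for PID 2484, which is why that row's exit code should not be read as a crash or an error status of the tool itself.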
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 1196 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | |
| 1196 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | |
| 1196 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12D\52C64B7E | LanguageList | en-US |
| 1196 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12D\52C64B7E | @C:\Windows\system32\NetworkExplorer.dll,-1 | Network |
| 1196 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\Neuer ZIP-komprimierter Ordner.zip |
| 1196 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120 |
| 1196 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80 |
| 1196 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120 |
| 1196 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100 |
| 1196 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 |

All recorded registry writes belong to WinRAR's own user-interface state (theme, MUI cache, column widths, window placement); none of the executed tools wrote persistence keys in this run. The one entry of forensic value is HKCU\Software\WinRAR\ArcHistory\0, which records the full path of the archive the user opened.
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1196 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1196.6681\PBDownForce0331.zip | — | — | — |
| 1196 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1196.6681\VolumeId.zip | — | — | — |
| 1196 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1196.6681\HardDiskSerialNumberChanger-1095.exe | — | — | — |
| 1356 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1356.7834\Volumeid.exe | — | — | — |
| 1356 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1356.7834\Volumeid64.exe | — | — | — |
| 1356 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1356.7834\Eula.txt | — | — | — |
| 2780 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2780.12142\PBDownForce0331\config | — | — | — |
| 2780 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2780.12142\PBDownForce0331\LICENCE | — | — | — |
| 2780 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2780.12142\PBDownForce0331\PBDownForce.exe | — | — | — |
| 2780 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2780.12142\PBDownForce0331\README | — | — | — |

The Rar$DR* directories under the user's Temp folder are WinRAR's temporary extraction directories, so this list is the full member inventory of the three archives as seen by the archiver: the outer ZIP holds two further ZIPs and one executable, VolumeId.zip holds 32- and 64-bit VolumeId binaries plus the Sysinternals EULA, and PBDownForce0331.zip holds the PB DownForce executable with its config, LICENCE and README. The report records no hashes for these dropped files (all "—"), so the executables would have to be hashed from the archive itself.
| Process | Message |
|---|---|
| PBDownForce.exe | Banner below, printed identically on both runs (PIDs 2484 and 3804) |

    PB DownForce 0.3.3.1
    Copyright © 2006-2007 by Christopher 'Trundle' Schmidt
    http://trundle.gamedev.de/
    WARNING:
    this computer program is protected by copyright law and international treaties.
    Unauthorized reproduction or distribution of this program, or any portion of it,
    may result in severe civil and criminal penalties, and will be prosecuted to the
    maximum extent possible under the law.