File name: oalinst.zip
Full analysis: https://app.any.run/tasks/0cc28cfb-1977-41dd-9771-2b6346e67358
Verdict: Malicious activity
Analysis date: December 09, 2021, 14:43:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 47F53B4B655A9F8124687141B0F94D92
SHA1: 45E08368C6755C58902B7746FF3E51AD2DF8A8B8
SHA256: D165BCB7628FD950D14847585468CC11943B2A1DA92A59A839D397C68F9D4B06
SSDEEP: 12288:F5dCT73wdMvAnwcXpj9338SChgvPfG1jiqNB12p3Ev9l3H:F5rOvkwcXb8SChg3fY+2B1Hv33

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • oalinst.exe (PID: 344)
      • oalinst.exe (PID: 3064)
  • SUSPICIOUS
    • Checks supported languages
      • oalinst.exe (PID: 344)
      • WinRAR.exe (PID: 4040)
    • Reads the computer name
      • WinRAR.exe (PID: 4040)
    • Creates files in the Windows directory
      • oalinst.exe (PID: 344)
    • Drops a file with too old compile date
      • WinRAR.exe (PID: 4040)
      • oalinst.exe (PID: 344)
    • Removes files from Windows directory
      • oalinst.exe (PID: 344)
    • Creates a directory in Program Files
      • oalinst.exe (PID: 344)
    • Creates files in the program directory
      • oalinst.exe (PID: 344)
    • Executable content was dropped or overwritten
      • oalinst.exe (PID: 344)
      • WinRAR.exe (PID: 4040)
    • Drops a file that was compiled in debug mode
      • WinRAR.exe (PID: 4040)
      • oalinst.exe (PID: 344)
    • Creates a software uninstall entry
      • oalinst.exe (PID: 344)
  • INFO
    • Manual execution by user
      • oalinst.exe (PID: 3064)
      • oalinst.exe (PID: 344)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: oalinst.exe
ZipUncompressedSize: 809496
ZipCompressedSize: 590314
ZipCRC: 0x154bebc3
ZipModifyDate: 2009:06:03 11:25:07
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start → winrar.exe → oalinst.exe (no specs), oalinst.exe

Process information

PID: 4040
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\oalinst.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 3064
CMD: "C:\Users\admin\Desktop\oalinst.exe"
Path: C:\Users\admin\Desktop\oalinst.exe
Parent process: Explorer.EXE
User: admin
Company: Creative Labs Inc.
Integrity Level: MEDIUM
Description: OpenAL Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 2, 0, 7, 0

PID: 344
CMD: "C:\Users\admin\Desktop\oalinst.exe"
Path: C:\Users\admin\Desktop\oalinst.exe
Parent process: Explorer.EXE
User: admin
Company: Creative Labs Inc.
Integrity Level: HIGH
Description: OpenAL Installer
Exit code: 0
Version: 2, 0, 7, 0
Total events: 991
Read events: 976
Write events: 15
Delete events: 0

Modification events

(PID) Process: (4040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write | Name: ShellExtBMP
Value:

(PID) Process: (4040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write | Name: ShellExtIcon
Value:

(PID) Process: (4040) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write | Name: LanguageList
Value: en-US

(PID) Process: (4040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (4040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (4040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 0
Value: C:\Users\admin\AppData\Local\Temp\oalinst.zip

(PID) Process: (4040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name
Value: 120

(PID) Process: (4040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size
Value: 80

(PID) Process: (4040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: type
Value: 120

(PID) Process: (4040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: mtime
Value: 100
Executable files: 6
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 344 | Process: oalinst.exe | Type: executable
Filename: C:\Windows\system32\tmp47C5.tmp
MD5: 694F54BD227916B89FC3EB1DB53F0685
SHA256: B8F39714D41E009F75EFB183C37100F2CBABB71784BBD243BE881AC5B42D86FD

PID: 344 | Process: oalinst.exe | Type: executable
Filename: C:\Windows\system32\tmp47D6.tmp
MD5: 694F54BD227916B89FC3EB1DB53F0685
SHA256: B8F39714D41E009F75EFB183C37100F2CBABB71784BBD243BE881AC5B42D86FD

PID: 344 | Process: oalinst.exe | Type: executable
Filename: C:\Program Files\OpenAL\oalinst.exe
MD5: 694F54BD227916B89FC3EB1DB53F0685
SHA256: B8F39714D41E009F75EFB183C37100F2CBABB71784BBD243BE881AC5B42D86FD

PID: 4040 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa4040.20335\oalinst.exe
MD5: 694F54BD227916B89FC3EB1DB53F0685
SHA256: B8F39714D41E009F75EFB183C37100F2CBABB71784BBD243BE881AC5B42D86FD

PID: 344 | Process: oalinst.exe | Type: executable
Filename: C:\Windows\system32\OpenAL32.new
MD5: 235355A8DD26903E75D5E812ECF50E53
SHA256: 1797D150A2E23AF4F390F5C33EB598C6F58D0454011D74941F5316ADD900BBDD

PID: 344 | Process: oalinst.exe | Type: executable
Filename: C:\Windows\system32\wrap_oal.new
MD5: D494267BC169604FAC5E3679B9A97FED
SHA256: A4E46E6D09C4B0966824A2F6628EBF738E813672692A52A0D63D982E1030EF4F
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info