File name: 1.rar
Full analysis: https://app.any.run/tasks/a134e971-b5a7-4ef9-9e53-70424d5d5ae1
Verdict: Malicious activity
Analysis date: October 14, 2019, 13:28:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: DF3138DFBB2BCBA4319D3A21B023864B
SHA1: 056EA6B2C17AEEBB3020124A267E9C6322F0F867
SHA256: D531FE3E814CFBBC836B72B8AB7F23A0546DA9C5008E8E0CDFD1DFFE99AD4EF8
SSDEEP: 12288:sQPmSwLzwkqSJTskT+Xtgi2gjIDSiSa1GvLPeC48UBMprJ+Eo:sgmSMwkqSGi+Xtr2TDwa12PeC48UGV+t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PEiD.exe (PID: 3600)
      • dishwasher.bi.exe (PID: 2776)
      • dishwasher.bi.exe (PID: 1560)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3440)
      • PEiD.exe (PID: 3600)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • dishwasher.bi.exe (PID: 2776)
      • WinRAR.exe (PID: 3172)
    • Application launched itself

      • WinRAR.exe (PID: 1904)
    • Starts itself from another location

      • dishwasher.bi.exe (PID: 2776)
    • Executed via COM

      • DllHost.exe (PID: 1908)
  • INFO

    • Manual execution by user

      • WinRAR.exe (PID: 3172)
      • dishwasher.bi.exe (PID: 2776)
      • PEiD.exe (PID: 3600)
      • WINWORD.EXE (PID: 184)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 184)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF (ZIP)

CompressedSize: 151405
UncompressedSize: 151361
OperatingSystem: Win32
ModifyDate: 2019:10:14 17:20:18
PackingMethod: Stored
ArchivedFileName: dishwasher.bin.zip
No data.
All screenshots are available in the full report
Total processes: 52
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Process information

PID: 1904
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\1.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3172
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\PEiD v0.95.rar" "C:\Users\admin\Desktop\PEiD v0.95\"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3440
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 1820
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa1904.22631\dishwasher.bin.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3600
CMD: "C:\Users\admin\Desktop\PEiD v0.95\PEiD v0.95\PEiD.exe" C:\Users\admin\Desktop\dishwasher.bi.exe
Path: C:\Users\admin\Desktop\PEiD v0.95\PEiD v0.95\PEiD.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1

PID: 2776
CMD: "C:\Users\admin\Desktop\dishwasher.bi.exe"
Path: C:\Users\admin\Desktop\dishwasher.bi.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0

PID: 1560
CMD: "C:\Users\admin\AppData\Local\Temp\dishwasher.bi.exe"
Path: C:\Users\admin\AppData\Local\Temp\dishwasher.bi.exe
Parent process: dishwasher.bi.exe
User: admin
Integrity Level: MEDIUM
Version: 1.0.0.0

PID: 1908
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 184
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\targetcompleted.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
Total events: 2 709
Read events: 2 316
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 6
Suspicious files: 61
Text files: 48
Unknown types: 4

Dropped files

PID: 1820
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb1820.23279\dishwasher.bin
Type:
MD5:
SHA256:

PID: 1904
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa1904.22631\dishwasher.bin.zip
Type: compressed
MD5: 02C8B43F02E73E87BCF8F87EBD1A2BB4
SHA256: BE5416BE87791F5717854A45F1FA4265850D93F3EB830D3933B12B3063962CAC

PID: 1904
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1904.21843\PEiD v0.95.rar
Type: compressed
MD5: C6BF42D04216A90B831F5E2A7C3036B0
SHA256: 8272928E05AFE5A4B771FBF877BBF08793A0D16C02745B903FF3636D7024BAFD

PID: 2776
Process: dishwasher.bi.exe
Filename: C:\Users\admin\AppData\Local\Temp\dishwasher.bi.exe
Type: executable
MD5: 1F667218368FE8CAADC8D1C469F73233
SHA256: 01214479E87889F36B49EB689EAB53AD00B41B98F1EE9DD4033BBF71F2FE634C

PID: 3172
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\PEiD v0.95\PEiD v0.95\plugins\kanal.htm
Type: html
MD5: 19AABC88706C8234397936204669C79B
SHA256: 948F110943513E7229290F8406CA72AA39175EB5DBEF5C3CF383A467072C041D

PID: 3172
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\PEiD v0.95\PEiD v0.95\pluginsdk\PowerBASIC\PEiD_Plugin.bas
Type: text
MD5: AA7188CA1CE0F984C1372E105E4473C6
SHA256: 488B9F368FC688F05ABB80A1BD6251CB203DDCDDF3AB7479E420D5BAAB7801D4

PID: 3172
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\PEiD v0.95\PEiD v0.95\pluginsdk\MASM\masm_plugin.asm
Type: text
MD5: 9ACB47782D7FD5229CB5579E872CBBA5
SHA256: C7B842355506CB52D4FA676D5B4BE4FE01AF0E649EEB2B254962E4DD3F0D94B7

PID: 3172
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\PEiD v0.95\PEiD v0.95\pluginsdk\C++\defs.h
Type: text
MD5: 1DF434C3D5E9D94A197FA3AB0DDFB7FC
SHA256: 76FCEA021FB46975E82838C68D6D76FCBB5F8ABB69652E744D4EA02DA8A1E91C

PID: 3172
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\PEiD v0.95\PEiD v0.95\readme.txt
Type: text
MD5: F3E2727D0765C4D94C0A31359B5ACB8E
SHA256: 5D7DED602EE45FB780FDC1E2C5BC70D16650ACB2B38F4FCFEF3E89B04F8CCECB

PID: 3172
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\PEiD v0.95\PEiD v0.95\PEiD.exe
Type: executable
MD5: 4B5289D1DBD727C5DD0E247A7D7DB03E
SHA256: E13171D50F45A79BC09B9E4B9FFA38EB02301ACA94A1867A9BF8ACCCC3759030
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info