File name:

Contra_Returns_2023.zip

Full analysis: https://app.any.run/tasks/cdb7fb1f-7eb5-47a3-9f15-6f4c439f78c7
Verdict: Malicious activity
Analysis date: November 25, 2023, 06:34:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

FDBCEDE2EB013DF8DAD2ED0D3A8C62C6

SHA1:

0887A67768B50ED1397683794DE5525C93711490

SHA256:

DA9795BDBC5E5534B9419C7A25413437E9FC8F273FC78FDC12EDB3F7F8B01106

SSDEEP:

98304:O5CaqoKhftFKIHRrskH8303Y5MP/h05G8h+fuWtshpJN1/G83rk2XTsQ9mZKqrzt:HgjLW2rR5lhiEosG+pi4s9dlaip

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 888)
    • Drops 7-zip archiver for unpacking

      • WinRAR.exe (PID: 888)
    • Reads security settings of Internet Explorer

      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Checks Windows Trust Settings

      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Reads settings of System Certificates

      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 1448)
      • WMIC.exe (PID: 3200)
    • Reads the Internet Settings

      • WMIC.exe (PID: 1448)
      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • WMIC.exe (PID: 3200)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Uses WMIC.EXE to obtain a list of video controllers

      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
  • INFO

    • Checks supported languages

      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Reads the computer name

      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Manual execution by a user

      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Reads the machine GUID from the registry

      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 888)
    • Creates files or folders in the user directory

      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2023:11:24 00:08:02
ZipCRC: 0xbd9cc823
ZipCompressedSize: 860182
ZipUncompressedSize: 3014656
ZipFileName: Apowersoft.CommUtilities.dll
No data.
All screenshots are available in the full report
Total processes
50
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Graph nodes (interactive graph not reproduced here): start, winrar.exe (no specs), [pc-games] contra_returns_2023.exe, wmic.exe (no specs), [pc-games] contra_returns_2023.exe, wmic.exe (no specs)

Process information

PID:
888
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Contra_Returns_2023.zip"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Indicators:
-
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID:
1448
CMD:
"wmic" path win32_VideoController get name
Path:
C:\Windows\System32\wbem\WMIC.exe
Indicators:
-
Parent process:
[pc-games] Contra_Returns_2023.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID:
2316
CMD:
"C:\Users\admin\Desktop\[pc-games] Contra_Returns_2023.exe"
Path:
C:\Users\admin\Desktop\[pc-games] Contra_Returns_2023.exe
Indicators:
-
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Casttingo
Exit code:
3221225477
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\[pc-games] contra_returns_2023.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
3200
CMD:
"wmic" path win32_VideoController get name
Path:
C:\Windows\System32\wbem\WMIC.exe
Indicators:
-
Parent process:
[pc-games] Contra_Returns_2023.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID:
4028
CMD:
"C:\Users\admin\Desktop\[pc-games] Contra_Returns_2023.exe"
Path:
C:\Users\admin\Desktop\[pc-games] Contra_Returns_2023.exe
Indicators:
-
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Casttingo
Exit code:
3221225477
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\[pc-games] contra_returns_2023.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
8 365
Read events
8 304
Write events
61
Delete events
0

Modification events

(PID) Process: (888) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (888) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (888) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (888) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (888) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (888) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (888) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (888) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (888) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

(PID) Process: (888) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\Desktop
Executable files
13
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID: 888
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\NativeUtils
Type: -
MD5: -
SHA256: -
PID: 888
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\System.Windows.Interactivity.dll
Type: executable
MD5: 14D624783AFBA2B330320DC6BA3780AF
SHA256: ED685E3A3CDC23ACC828F0E8B6DA0CCF6CFA6765BA2555FB4AD4BB0FAB1EF8D2
PID: 888
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\Languages\en_gb\eprf.txt
Type: text
MD5: 32277A4D95679AB755906354CB56407C
SHA256: BDF1184E95DDF2FAFDD483AC9DE4797B3F3897080FB9D9C9A35478387B109E75
PID: 888
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\Apowersoft.CommUtilities.Native.dll
Type: executable
MD5: EE15F0A51269E5576987FF835C8A4BC3
SHA256: 0578E0F01C8FA757E0A5A02A4323342EA51BD6081F565E9EABB5DAC4A0E2123D
PID: 888
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\Aliyun.Log.dll
Type: executable
MD5: DCB7D24B7C24BDC474A4DDBCE4404C97
SHA256: 06D8F6F58EF29FD50FA89B5BF5E5A4F2A2C4CC39583D78FBB90E931914CB572F
PID: 888
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\[pc-games] Contra_Returns_2023.exe
Type: executable
MD5: A1A802B1CBE696E4F0C47BBC13379425
SHA256: 5B0EDB2FA79D22FD6A042F053A2D0E6C36AC8DC30CD4EEFCADDBB98D27B82F4C
PID: 888
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\Apowersoft.CommUtilities.dll
Type: executable
MD5: 7BD00C8C880A553DBF5A651AF1F5CC72
SHA256: 455C21DBA43CFCC87A655F1D588D945C98885C19A4170118BBB0C0F6252D396D
PID: 888
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\Languages\en_gb\xprf.txt
Type: text
MD5: 1FD4D8BA20ABDA09FF3EBFAEE439A3FC
SHA256: 33FE157B0D91791140CE81F8A8A943DB907CB7416FF774D6345205F85AF683DF
PID: 888
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\NewtonBase.exe
Type: executable
MD5: 42BADC1D2F03A8B1E4875740D3D49336
SHA256: C136B1467D669A725478A6110EBAAAB3CB88A3D389DFA688E06173C066B76FCF
PID: 888
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\Apowersoft.Utils.Record.dll
Type: executable
MD5: DECA52B733FAAFCF710CE5576730A818
SHA256: 7AFE858A440C2B7766C0141156B47FA12B2F61775602885C21474367E927952E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
Process: [pc-games] Contra_Returns_2023.exe
Message: log4net:ERROR Failed to find configuration section 'log4net' in the application's .config file. Check your .config file for the <log4net> and <configSections> elements. The configuration section should look like: <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler,log4net" />

Process: [pc-games] Contra_Returns_2023.exe
Message: log4net:ERROR Failed to find configuration section 'log4net' in the application's .config file. Check your .config file for the <log4net> and <configSections> elements. The configuration section should look like: <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler,log4net" />