File name: Contra_Returns_2023.zip

Full analysis: https://app.any.run/tasks/cdb7fb1f-7eb5-47a3-9f15-6f4c439f78c7
Verdict: Malicious activity
Analysis date: November 25, 2023, 06:34:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: FDBCEDE2EB013DF8DAD2ED0D3A8C62C6
SHA1: 0887A67768B50ED1397683794DE5525C93711490
SHA256: DA9795BDBC5E5534B9419C7A25413437E9FC8F273FC78FDC12EDB3F7F8B01106
SSDEEP: 98304:O5CaqoKhftFKIHRrskH8303Y5MP/h05G8h+fuWtshpJN1/G83rk2XTsQ9mZKqrzt:HgjLW2rR5lhiEosG+pi4s9dlaip

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • No malicious indicators.
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • WinRAR.exe (PID: 888)
    • Drops 7-zip archiver for unpacking
      • WinRAR.exe (PID: 888)
    • Checks Windows Trust Settings
      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Reads the Internet Settings
      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • WMIC.exe (PID: 1448)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
      • WMIC.exe (PID: 3200)
    • Reads settings of System Certificates
      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Uses WMIC.EXE to obtain a list of video controllers
      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Reads security settings of Internet Explorer
      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Accesses video controller name via WMI (SCRIPT)
      • WMIC.exe (PID: 1448)
      • WMIC.exe (PID: 3200)
  • INFO
    • Manual execution by a user
      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 888)
    • Checks supported languages
      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Reads the machine GUID from the registry
      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Reads the computer name
      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
      • [pc-games] Contra_Returns_2023.exe (PID: 2316)
    • Creates files or folders in the user directory
      • [pc-games] Contra_Returns_2023.exe (PID: 4028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2023:11:24 00:08:02
ZipCRC: 0xbd9cc823
ZipCompressedSize: 860182
ZipUncompressedSize: 3014656
ZipFileName: Apowersoft.CommUtilities.dll
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start
  winrar.exe (no specs)
  [pc-games] contra_returns_2023.exe
    wmic.exe (no specs)
  [pc-games] contra_returns_2023.exe
    wmic.exe (no specs)

Process information

PID 888
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Contra_Returns_2023.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.91.0
  Modules (images):
    c:\program files\winrar\winrar.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\comdlg32.dll

PID 1448
  CMD: "wmic" path win32_VideoController get name
  Path: C:\Windows\System32\wbem\WMIC.exe
  Parent process: [pc-games] Contra_Returns_2023.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: WMI Commandline Utility
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\windows\system32\wbem\wmic.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\ole32.dll
    c:\windows\system32\gdi32.dll

PID 2316
  CMD: "C:\Users\admin\Desktop\[pc-games] Contra_Returns_2023.exe"
  Path: C:\Users\admin\Desktop\[pc-games] Contra_Returns_2023.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH
  Description: Casttingo
  Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
  Version: 1.0.0.0
  Modules (images):
    c:\users\admin\desktop\[pc-games] contra_returns_2023.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 3200
  CMD: "wmic" path win32_VideoController get name
  Path: C:\Windows\System32\wbem\WMIC.exe
  Parent process: [pc-games] Contra_Returns_2023.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: WMI Commandline Utility
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\windows\system32\wbem\wmic.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\ole32.dll
    c:\windows\system32\gdi32.dll

PID 4028
  CMD: "C:\Users\admin\Desktop\[pc-games] Contra_Returns_2023.exe"
  Path: C:\Users\admin\Desktop\[pc-games] Contra_Returns_2023.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: Casttingo
  Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
  Version: 1.0.0.0
  Modules (images):
    c:\users\admin\desktop\[pc-games] contra_returns_2023.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 8,365
Read events: 8,304
Write events: 61
Delete events: 0

Modification events

PID 888 (WinRAR.exe)
  Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
  Operation: write
  Name: LanguageList
  Value: en-US

PID 888 (WinRAR.exe)
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write
  Name: 2
  Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

PID 888 (WinRAR.exe)
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write
  Name: 1
  Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

PID 888 (WinRAR.exe)
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write
  Name: 0
  Value: C:\Users\admin\Desktop\phacker.zip

PID 888 (WinRAR.exe)
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write
  Name: name
  Value: 120

PID 888 (WinRAR.exe)
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write
  Name: size
  Value: 80

PID 888 (WinRAR.exe)
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write
  Name: type
  Value: 120

PID 888 (WinRAR.exe)
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write
  Name: mtime
  Value: 100

PID 888 (WinRAR.exe)
  Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
  Operation: write
  Name: Placement
  Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

PID 888 (WinRAR.exe)
  Key: HKEY_CURRENT_USER\Software\WinRAR\General
  Operation: write
  Name: LastFolder
  Value: C:\Users\admin\Desktop
Executable files: 13
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files (all by PID 888, WinRAR.exe)

C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\NativeUtils
  Type:
  MD5:
  SHA256:

C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\Apowersoft.CommUtilities.Native.dll
  Type: executable
  MD5: EE15F0A51269E5576987FF835C8A4BC3
  SHA256: 0578E0F01C8FA757E0A5A02A4323342EA51BD6081F565E9EABB5DAC4A0E2123D

C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\Apowersoft.CommUtilities.dll
  Type: executable
  MD5: 7BD00C8C880A553DBF5A651AF1F5CC72
  SHA256: 455C21DBA43CFCC87A655F1D588D945C98885C19A4170118BBB0C0F6252D396D

C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\Newtonsoft.Json.dll
  Type: executable
  MD5: 5E02DDAF3B02E43E532FC6A52B04D14B
  SHA256: 78BEDD9FCE877A71A8D8FF9A813662D8248361E46705C4EF7AFC61D440FF2EEB

C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\NewtonBase.exe
  Type: executable
  MD5: 42BADC1D2F03A8B1E4875740D3D49336
  SHA256: C136B1467D669A725478A6110EBAAAB3CB88A3D389DFA688E06173C066B76FCF

C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\Apowersoft.UI.Prompts.dll
  Type: executable
  MD5: 34CDA5AADA0B47B0277336AD2F18A1A7
  SHA256: CB1346E25EB4CBD85EF5560F15ED54C7CABD6D9D0750CFC7F7052B66410B2DC1

C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\Languages\en_gb\xprf.txt
  Type: text
  MD5: 1FD4D8BA20ABDA09FF3EBFAEE439A3FC
  SHA256: 33FE157B0D91791140CE81F8A8A943DB907CB7416FF774D6345205F85AF683DF

C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\log4net.dll
  Type: executable
  MD5: 6B88E52CC2D0CA0D1F1B03A4F3218D0B
  SHA256: B68CD9D5A162AAF8667C6B35BB2006D42FBAF66F821C2AE0891D2290CF37157E

C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\[pc-games] Contra_Returns_2023.exe
  Type: executable
  MD5: A1A802B1CBE696E4F0C47BBC13379425
  SHA256: 5B0EDB2FA79D22FD6A042F053A2D0E6C36AC8DC30CD4EEFCADDBB98D27B82F4C

C:\Users\admin\AppData\Local\Temp\Rar$DRa888.5714\Languages\en_gb\eprf.txt
  Type: text
  MD5: 32277A4D95679AB755906354CB56407C
  SHA256: BDF1184E95DDF2FAFDD483AC9DE4797B3F3897080FB9D9C9A35478387B109E75
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                     Domain  ASN  CN  Reputation
4     System       192.168.100.255:138                     whitelisted
4     System       192.168.100.255:137                     whitelisted
1080  svchost.exe  224.0.0.252:5355                        unknown
2588  svchost.exe  239.255.255.250:1900                    whitelisted

DNS requests

No data

Threats

No threats detected
Debug output

Process: [pc-games] Contra_Returns_2023.exe
Message: log4net:ERROR Failed to find configuration section 'log4net' in the application's .config file. Check your .config file for the <log4net> and <configSections> elements. The configuration section should look like: <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler,log4net" />

Process: [pc-games] Contra_Returns_2023.exe
Message: log4net:ERROR Failed to find configuration section 'log4net' in the application's .config file. Check your .config file for the <log4net> and <configSections> elements. The configuration section should look like: <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler,log4net" />