analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

UnityDarkSkin (x64).rar

Full analysis: https://app.any.run/tasks/2f73551c-7f94-47fc-8688-ed59be1b54bf
Verdict: Malicious activity
Analysis date: December 06, 2018, 06:49:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

64E5295F2DCDCE033F0E4A305C08F133

SHA1:

2A944DA49285C9EE670E67DD5D402F8E8F8DBA8F

SHA256:

DD7C1CE056DDC6110BCC734A5B965A63CBCD3511EE834DE4905338939C75E9BB

SSDEEP:

3072:ofnDY+K0H7Y/z8brR4ypB9LhDCaUhhUXhlFqUD9WJ2eZ7ud6Yg+/91KSeG:r0HM/W4gLhD+hhuhlFP8G6A3eG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • UnityDarkSkin (x64).exe (PID: 2332)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3220)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: UnityDarkSkin (x64).exe
PackingMethod: Normal
ModifyDate: 2015:06:21 19:15:04
OperatingSystem: Win32
UncompressedSize: 1057280
CompressedSize: 142716
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs unitydarkskin (x64).exe presentationfontcache.exe no specs winword.exe no specs PhotoViewer.dll no specs

Process information

PID
CMD
Path
Indicators
Parent process
2828"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\UnityDarkSkin (x64).rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2332"C:\Users\admin\Desktop\UnityDarkSkin (x64).exe" C:\Users\admin\Desktop\UnityDarkSkin (x64).exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
UniSkin
Exit code:
0
Version:
0.1
2268C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exeC:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exeservices.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
PresentationFontCache.exe
Version:
3.0.6920.4902 built by: NetFXw7
3220"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\driverforward.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3104C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 238
Read events
1 140
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
3
Unknown types
3

Dropped files

PID
Process
Filename
Type
2828WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2828.1680\UnityDarkSkin (x64).exe
MD5:
SHA256:
3220WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR3048.tmp.cvr
MD5:
SHA256:
3220WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{237EF8FC-51E2-436C-B8B9-EBD8DEAB8EA0}.tmp
MD5:
SHA256:
3220WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A410F765-1823-4D30-A36D-2A8D34FF6373}.tmp
MD5:
SHA256:
3220WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\driverforward.rtf.LNKlnk
MD5:89776F9799FF3A8AEA64CE0BE7AAB704
SHA256:AF9D6959B9B7F70E8BAAF5B6BE9DBDA7D99B26E47861AA57EF136CD99122D961
3220WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:269F4D4DF7798DFEF61FE637BC94F330
SHA256:8148E7DD2264CD6CF58FFDB24989FB494A3E8FD059A10BD1EF8F496EFF0F789C
2332UnityDarkSkin (x64).exeC:\Users\admin\Desktop\stylevery.rtftext
MD5:B6EB17553837AF4D5FFAE0233C1324F2
SHA256:04627C089D1A7D3624ACC4F1DEA18E2214F69C91836BABBB43C64737FA8EC102
3220WINWORD.EXEC:\Users\admin\Desktop\~$iverforward.rtfpgc
MD5:97F60FB5EB4D609A81638A085600F3AA
SHA256:109BB02C83BC0C855D63D89E8339FAB6447BABFB9E2DF1749225402566FFA045
3220WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:A1D41574794EF2BB07BA3BFD49C1429E
SHA256:A846387762B6AD63BEEFE5B680D43B7E91B278C1AF0C8323AA57DF5668F82887
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
UnityDarkSkin (x64).rar