File name: BANK ORDER 103-991-2920.rar

Full analysis: https://app.any.run/tasks/ffdd051a-479d-47a7-b03e-ea806926abb5
Verdict: Malicious activity
Analysis date: March 31, 2020, 00:51:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 4088AA700B9AAB0EA9A58188542AB0A5
SHA1: 00CF014FC4087DA6E203DD9E224C6EFFB07A365F
SHA256: E584D5ABD2319076D8FD4D7BB7AC09F52723CD0C2E58990EECA2C0A8F9CABC5B
SSDEEP: 768:AxQrSTG3LLeOgpD0lLmKLZm3ieIyLrYgXMo:4QrR+103VmyshXMo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • BANK ORDER 103-991-2920.bat (PID: 564)
      • BANK ORDER 103-991-2920.bat (PID: 3980)
    • Changes settings of System certificates
      • BANK ORDER 103-991-2920.bat (PID: 3980)
  • SUSPICIOUS
    • Suspicious files were dropped or overwritten
      • WinRAR.exe (PID: 3092)
    • Starts application with an unusual extension
      • WinRAR.exe (PID: 3092)
      • BANK ORDER 103-991-2920.bat (PID: 564)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3092)
    • Application launched itself
      • BANK ORDER 103-991-2920.bat (PID: 564)
    • Reads Internet Cache Settings
      • BANK ORDER 103-991-2920.bat (PID: 3980)
    • Creates files in the user directory
      • BANK ORDER 103-991-2920.bat (PID: 3980)
    • Adds / modifies Windows certificates
      • BANK ORDER 103-991-2920.bat (PID: 3980)
  • INFO
    • Reads settings of System Certificates
      • BANK ORDER 103-991-2920.bat (PID: 3980)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF (ZIP)

CompressedSize: 24855
UncompressedSize: 102400
OperatingSystem: Win32
ModifyDate: 2020:03:29 22:04:04
PackingMethod: Normal
ArchivedFileName: BANK ORDER 103-991-2920.bat
No data.
Total processes: 37
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

winrar.exe --(drop and start)--> bank order 103-991-2920.bat (no specs) --(start)--> bank order 103-991-2920.bat

Process information

PID: 3092
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\BANK ORDER 103-991-2920.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 564
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa3092.21532\BANK ORDER 103-991-2920.bat"
Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa3092.21532\BANK ORDER 103-991-2920.bat
Parent process: WinRAR.exe
User: admin
Company: WONderware
Integrity Level: MEDIUM
Description: term
Exit code: 0
Version: 1.00
Modules (images):
c:\users\admin\appdata\local\temp\rar$dia3092.21532\bank order 103-991-2920.bat
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 3980
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa3092.21532\BANK ORDER 103-991-2920.bat"
Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa3092.21532\BANK ORDER 103-991-2920.bat
Parent process: BANK ORDER 103-991-2920.bat
User: admin
Company: WONderware
Integrity Level: MEDIUM
Description: term
Version: 1.00
Modules (images):
c:\windows\system32\mfc40.dll
c:\users\admin\appdata\local\temp\rar$dia3092.21532\bank order 103-991-2920.bat
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt40.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events: 4 024
Read events: 454
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 4
Text files: 1
Unknown types: 2

Dropped files

PID | Process | Filename | Type
3980 | BANK ORDER 103-991-2920.bat | C:\Users\admin\AppData\Local\Temp\CabD6E0.tmp | -
  MD5: -
  SHA256: -
3980 | BANK ORDER 103-991-2920.bat | C:\Users\admin\AppData\Local\Temp\TarD6E1.tmp | -
  MD5: -
  SHA256: -
3980 | BANK ORDER 103-991-2920.bat | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72 | binary
  MD5: 93AFF03253948772E427D93878202E40
  SHA256: 0FEC695D68633ACB5A99004BF81DA1EE83DC294C37B0D50453AA624D597708C6
3980 | BANK ORDER 103-991-2920.bat | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | binary
  MD5: C8728FBC0E0182896A4EF17969E56773
  SHA256: 3271D8C449F1192D29AFBCDFFE7A9716B8517A18665773D98E585778DA448E69
3980 | BANK ORDER 103-991-2920.bat | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\U2815OK4.txt | text
  MD5: 7DA21B86A2C86906687A4EC39DC476DE
  SHA256: A6E2173FD76392749E4F088FDC2ACC22176FC4578F86DCC1C85EBFB01EE20644
3980 | BANK ORDER 103-991-2920.bat | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | der
  MD5: E550DA03AEE5B546B436CD553D3233B9
  SHA256: 9ABFD4E29B96CCA442502B1DE6071FE0293455DF22B4EFF19FA3E6DF060947E7
3092 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3092.21532\BANK ORDER 103-991-2920.bat | executable
  MD5: AD300193C6D3FE69AFF036BF28DBFDF5
  SHA256: 5E341F1110072646EF48DABA1E0E3040682A2B9470CC43F6BCCA0E9E3C7B2B40
3980 | BANK ORDER 103-991-2920.bat | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72 | der
  MD5: F26B1B29960D99AD1C44E71E3D2ABE4C
  SHA256: 7910B27AFDEE20EA27C4FA19221B1B63E00235E261E1A3FB9F1FB3456CBBB7AC
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3980 | BANK ORDER 103-991-2920.bat | GET | 200 | 172.217.16.195:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDL%2FQslYWVuogIAAAAAXGdc | US | der | 472 b | whitelisted
3980 | BANK ORDER 103-991-2920.bat | GET | 200 | 172.217.16.195:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3980 | BANK ORDER 103-991-2920.bat | 172.217.21.206:443 | drive.google.com | Google Inc. | US | whitelisted
3980 | BANK ORDER 103-991-2920.bat | 172.217.16.195:80 | ocsp.pki.goog | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
drive.google.com | 172.217.21.206 | shared
ocsp.pki.goog | 172.217.16.195 | whitelisted

Threats

No threats detected
No debug info