Malware analysis New VPN.rar Malicious activity | ANY.RUN

Add for printing

File name:	New VPN.rar
Full analysis:	https://app.any.run/tasks/0fd8d04e-f12c-4f51-af4f-7078ee924656
Verdict:	Malicious activity
Analysis date:	September 18, 2019, 18:28:16
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v4, os: Win32
MD5:	9DE53118F3AAF1533635519197081CD9
SHA1:	67BD0E458215330793D4B2BCFAA1246E68CEF59D
SHA256:	E6518215FF44B425642106F2C7304CE351BF5E0C5869BC1EFD5C1F438A6DB669
SSDEEP:	98304:uTNBVagRWx5Q9hHipTj/QoNaWV4rIMuyMZtAlaZg4pUgHMfvxZs431P6xutTAu:uTNBRJCyoVVEadZg2UgH0Wim5u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - arubanetsvc.exe (PID: 2888)
- Application was dropped or rewritten from another process
  - arubanetsvc.exe (PID: 2888)
  - anuacui.exe (PID: 3008)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3072)
  - msiexec.exe (PID: 3512)
  - MsiExec.exe (PID: 3736)
  - DrvInst.exe (PID: 3592)
  - DrvInst.exe (PID: 3568)
- Executed as Windows Service
  - vssvc.exe (PID: 504)
  - arubanetsvc.exe (PID: 2888)
- Starts Microsoft Installer
  - WinRAR.exe (PID: 3072)
- Executed via COM
  - DrvInst.exe (PID: 2508)
  - DrvInst.exe (PID: 3568)
  - DrvInst.exe (PID: 3592)
  - rundll32.exe (PID: 2900)
- Creates files in the program directory
  - arubanetsvc.exe (PID: 2888)
  - anuacui.exe (PID: 3008)
- Creates files in the Windows directory
  - DrvInst.exe (PID: 3568)
  - MsiExec.exe (PID: 3736)
  - DrvInst.exe (PID: 3592)
- Removes files from Windows directory
  - DrvInst.exe (PID: 3568)
  - DrvInst.exe (PID: 3592)
- Creates files in the driver directory
  - DrvInst.exe (PID: 3568)
  - DrvInst.exe (PID: 3592)
INFO
- Searches for installed software
  - msiexec.exe (PID: 3512)
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 504)
- Changes settings of System certificates
  - DrvInst.exe (PID: 2508)
- Loads dropped or rewritten executable
  - MsiExec.exe (PID: 3736)
- Application launched itself
  - msiexec.exe (PID: 3512)
- Adds / modifies Windows certificates
  - DrvInst.exe (PID: 2508)
- Creates files in the program directory
  - msiexec.exe (PID: 3512)
  - MsiExec.exe (PID: 3736)
- Creates or modifies windows services
  - MsiExec.exe (PID: 3736)
- Creates a software uninstall entry
  - msiexec.exe (PID: 3512)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v-4.x) (58.3)
.rar	\|	RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName:	New VPN\ansetup 32bit.msi
PackingMethod:	Normal
ModifyDate:	2016:11:30 15:25:02
OperatingSystem:	Win32
UncompressedSize:	4178008
CompressedSize:	3167686

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3072	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\New VPN.rar"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0
3324	"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa3072.33083\New VPN\ansetup 64bit.msi"	C:\Windows\System32\msiexec.exe		WinRAR.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 1633 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
3512	C:\Windows\system32\msiexec.exe /V	C:\Windows\system32\msiexec.exe		services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255)
3992	"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa3072.33850\New VPN\ansetup 32bit.msi"	C:\Windows\System32\msiexec.exe	—	WinRAR.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255)
504	C:\Windows\system32\vssvc.exe	C:\Windows\system32\vssvc.exe	—	services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2508	DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000005B8" "000002D4"	C:\Windows\system32\DrvInst.exe	—	svchost.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2784	C:\Windows\system32\MsiExec.exe -Embedding D0A5DB997DB7CE86A4330E1777154763	C:\Windows\system32\MsiExec.exe	—	msiexec.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
3736	C:\Windows\system32\MsiExec.exe -Embedding 00855403A75F571734E942B8299650C9 M Global\MSI0000	C:\Windows\system32\MsiExec.exe		msiexec.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2888	"C:\Program Files\Aruba Networks\Virtual Internet Agent\arubanetsvc.exe"	C:\Program Files\Aruba Networks\Virtual Internet Agent\arubanetsvc.exe	—	services.exe
User: SYSTEM Company: Aruba Networks Integrity Level: SYSTEM Description: Aruba Networks Service Version: 2.3.4.0.86416
3568	DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{6129cb11-7ef0-4994-f116-1a1d8c07e822}\arubavnic.inf" "0" "6845f6017" "000002D4" "WinSta0\Default" "00000554" "208" "c:\program files\aruba networks\virtual internet agent"	C:\Windows\system32\DrvInst.exe		svchost.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

2 001

Read events

1 190

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

301

Unknown types

Dropped files

PID	Process	Filename		Type
3072	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3072.33083\New VPN\ansetup 64bit.msi		—
		MD5:—	SHA256:—
3324	msiexec.exe	C:\Users\admin\AppData\Local\Temp\CabDD26.tmp		—
		MD5:—	SHA256:—
3324	msiexec.exe	C:\Users\admin\AppData\Local\Temp\TarDD27.tmp		—
		MD5:—	SHA256:—
3324	msiexec.exe	C:\Users\admin\AppData\Local\Temp\CabDD37.tmp		—
		MD5:—	SHA256:—
3324	msiexec.exe	C:\Users\admin\AppData\Local\Temp\TarDD38.tmp		—
		MD5:—	SHA256:—
3324	msiexec.exe	C:\Users\admin\AppData\Local\Temp\CabDE14.tmp		—
		MD5:—	SHA256:—
3324	msiexec.exe	C:\Users\admin\AppData\Local\Temp\TarDE15.tmp		—
		MD5:—	SHA256:—
3072	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3072.33850\New VPN\ansetup 64bit.msi		—
		MD5:—	SHA256:—
3512	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
3072	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3072.33083\New VPN\ansetup 32bit.msi		executable
		MD5:FFA8B7BDCCF062D44226936405B50CEB	SHA256:B4126768EE14A8939EAB008FD0ACCA1673E13F7F9879BC6F847F815471093C1C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3324	msiexec.exe	GET	200	205.185.216.10:80	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	US	compressed	57.0 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3324	msiexec.exe	205.185.216.10:80	www.download.windowsupdate.com	Highwinds Network Group, Inc.	US	whitelisted

DNS requests

Domain	IP	Reputation
www.download.windowsupdate.com	205.185.216.10 205.185.216.42	whitelisted

Threats

No threats detected

Add for printing

Process	Message
anuacui.exe	Could not create the registry key.
anuacui.exe	Query User Token failed reason
anuacui.exe	Could not create the registry key.
anuacui.exe	Query User Token failed reason
anuacui.exe	Could not create the registry key.
anuacui.exe	Query User Token failed reason

General Info

New VPN.rar

9DE53118F3AAF1533635519197081CD9

67BD0E458215330793D4B2BCFAA1246E68CEF59D

E6518215FF44B425642106F2C7304CE351BF5E0C5869BC1EFD5C1F438A6DB669

98304:uTNBVagRWx5Q9hHipTj/QoNaWV4rIMuyMZtAlaZg4pUgHMfvxZs431P6xutTAu:uTNBRJCyoVVEadZg2UgH0Wim5u

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

SUSPICIOUS

Executable content was dropped or overwritten

Executed as Windows Service

Starts Microsoft Installer

Executed via COM

Creates files in the program directory

Creates files in the Windows directory

Removes files from Windows directory

Creates files in the driver directory

INFO

Searches for installed software

Low-level read access rights to disk partition

Changes settings of System certificates

Loads dropped or rewritten executable

Application launched itself

Adds / modifies Windows certificates

Creates files in the program directory

Creates or modifies windows services

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings