Malware analysis New VPN.rar Malicious activity | ANY.RUN

Add for printing

File name:	New VPN.rar
Full analysis:	https://app.any.run/tasks/0fd8d04e-f12c-4f51-af4f-7078ee924656
Verdict:	Malicious activity
Analysis date:	September 18, 2019, 18:28:16
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v4, os: Win32
MD5:	9DE53118F3AAF1533635519197081CD9
SHA1:	67BD0E458215330793D4B2BCFAA1246E68CEF59D
SHA256:	E6518215FF44B425642106F2C7304CE351BF5E0C5869BC1EFD5C1F438A6DB669
SSDEEP:	98304:uTNBVagRWx5Q9hHipTj/QoNaWV4rIMuyMZtAlaZg4pUgHMfvxZs431P6xutTAu:uTNBRJCyoVVEadZg2UgH0Wim5u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - arubanetsvc.exe (PID: 2888)
- Application was dropped or rewritten from another process
  - arubanetsvc.exe (PID: 2888)
  - anuacui.exe (PID: 3008)
SUSPICIOUS
- Starts Microsoft Installer
  - WinRAR.exe (PID: 3072)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3072)
  - msiexec.exe (PID: 3512)
  - MsiExec.exe (PID: 3736)
  - DrvInst.exe (PID: 3568)
  - DrvInst.exe (PID: 3592)
- Executed as Windows Service
  - vssvc.exe (PID: 504)
  - arubanetsvc.exe (PID: 2888)
- Executed via COM
  - DrvInst.exe (PID: 2508)
  - DrvInst.exe (PID: 3568)
  - DrvInst.exe (PID: 3592)
  - rundll32.exe (PID: 2900)
- Creates files in the program directory
  - arubanetsvc.exe (PID: 2888)
  - anuacui.exe (PID: 3008)
- Creates files in the Windows directory
  - MsiExec.exe (PID: 3736)
  - DrvInst.exe (PID: 3568)
  - DrvInst.exe (PID: 3592)
- Removes files from Windows directory
  - DrvInst.exe (PID: 3568)
  - DrvInst.exe (PID: 3592)
- Creates files in the driver directory
  - DrvInst.exe (PID: 3568)
  - DrvInst.exe (PID: 3592)
INFO
- Searches for installed software
  - msiexec.exe (PID: 3512)
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 504)
- Changes settings of System certificates
  - DrvInst.exe (PID: 2508)
- Application launched itself
  - msiexec.exe (PID: 3512)
- Creates files in the program directory
  - msiexec.exe (PID: 3512)
  - MsiExec.exe (PID: 3736)
- Adds / modifies Windows certificates
  - DrvInst.exe (PID: 2508)
- Loads dropped or rewritten executable
  - MsiExec.exe (PID: 3736)
- Creates or modifies windows services
  - MsiExec.exe (PID: 3736)
- Creates a software uninstall entry
  - msiexec.exe (PID: 3512)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v-4.x) (58.3)
.rar	\|	RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize:	3167686
UncompressedSize:	4178008
OperatingSystem:	Win32
ModifyDate:	2016:11:30 15:25:02
PackingMethod:	Normal
ArchivedFileName:	New VPN\ansetup 32bit.msi

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

504

C:\Windows\system32\vssvc.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2508

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000005B8" "000002D4"

C:\Windows\system32\DrvInst.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

2784

C:\Windows\system32\MsiExec.exe -Embedding D0A5DB997DB7CE86A4330E1777154763

C:\Windows\system32\MsiExec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2888

"C:\Program Files\Aruba Networks\Virtual Internet Agent\arubanetsvc.exe"

C:\Program Files\Aruba Networks\Virtual Internet Agent\arubanetsvc.exe

—

services.exe

User:

SYSTEM

Company:

Aruba Networks

Integrity Level:

SYSTEM

Description:

Aruba Networks Service

Exit code:

Version:

2.3.4.0.86416

Modules

Images
c:\program files\aruba networks\virtual internet agent\arubanetsvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\program files\aruba networks\virtual internet agent\ancrypto.dll
c:\windows\system32\advapi32.dll

2900

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

3008

C:\PROGRA~1\ARUBAN~1\VIRTUA~1\anuacui.exe -tracelog

C:\PROGRA~1\ARUBAN~1\VIRTUA~1\anuacui.exe

MsiExec.exe

User:

admin

Company:

Aruba Networks

Integrity Level:

MEDIUM

Description:

Virtual Intranet Access

Exit code:

Version:

2.3.4.0.86416

Modules

Images
c:\program files\aruba networks\virtual internet agent\anuacui.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll

3072

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\New VPN.rar"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

3324

"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa3072.33083\New VPN\ansetup 64bit.msi"

C:\Windows\System32\msiexec.exe

WinRAR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

1633

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

3512

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

3568

DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{6129cb11-7ef0-4994-f116-1a1d8c07e822}\arubavnic.inf" "0" "6845f6017" "000002D4" "WinSta0\Default" "00000554" "208" "c:\program files\aruba networks\virtual internet agent"

C:\Windows\system32\DrvInst.exe

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

2 001

Read events

1 190

Write events

748

Delete events

Modification events


(PID) Process:	(3072) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3072) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3072) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3072) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\New VPN.rar
(PID) Process:	(3072) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3072) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3072) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3072) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3072) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(3072) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1

Add for printing

Executable files

Suspicious files

Text files

301

Unknown types

Dropped files

PID	Process	Filename		Type
3072	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3072.33083\New VPN\ansetup 64bit.msi		—
		MD5:—	SHA256:—
3324	msiexec.exe	C:\Users\admin\AppData\Local\Temp\CabDD26.tmp		—
		MD5:—	SHA256:—
3324	msiexec.exe	C:\Users\admin\AppData\Local\Temp\TarDD27.tmp		—
		MD5:—	SHA256:—
3324	msiexec.exe	C:\Users\admin\AppData\Local\Temp\CabDD37.tmp		—
		MD5:—	SHA256:—
3324	msiexec.exe	C:\Users\admin\AppData\Local\Temp\TarDD38.tmp		—
		MD5:—	SHA256:—
3324	msiexec.exe	C:\Users\admin\AppData\Local\Temp\CabDE14.tmp		—
		MD5:—	SHA256:—
3324	msiexec.exe	C:\Users\admin\AppData\Local\Temp\TarDE15.tmp		—
		MD5:—	SHA256:—
3072	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3072.33850\New VPN\ansetup 64bit.msi		—
		MD5:—	SHA256:—
3512	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
3512	msiexec.exe	C:\Users\admin\AppData\Local\Temp\~DFE35C61F31A429F59.TMP		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3324	msiexec.exe	GET	200	205.185.216.10:80	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	US	compressed	57.0 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3324	msiexec.exe	205.185.216.10:80	www.download.windowsupdate.com	Highwinds Network Group, Inc.	US	whitelisted

DNS requests

Domain	IP	Reputation
www.download.windowsupdate.com	205.185.216.10 205.185.216.42	whitelisted

Threats

No threats detected

Add for printing

Process	Message
anuacui.exe	Could not create the registry key.
anuacui.exe	Query User Token failed reason
anuacui.exe	Could not create the registry key.
anuacui.exe	Query User Token failed reason
anuacui.exe	Could not create the registry key.
anuacui.exe	Query User Token failed reason

General Info

New VPN.rar

9DE53118F3AAF1533635519197081CD9

67BD0E458215330793D4B2BCFAA1246E68CEF59D

E6518215FF44B425642106F2C7304CE351BF5E0C5869BC1EFD5C1F438A6DB669

98304:uTNBVagRWx5Q9hHipTj/QoNaWV4rIMuyMZtAlaZg4pUgHMfvxZs431P6xutTAu:uTNBRJCyoVVEadZg2UgH0Wim5u

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

SUSPICIOUS

Starts Microsoft Installer

Executable content was dropped or overwritten

Executed as Windows Service

Executed via COM

Creates files in the program directory

Creates files in the Windows directory

Removes files from Windows directory

Creates files in the driver directory

INFO

Searches for installed software

Low-level read access rights to disk partition

Changes settings of System certificates

Application launched itself

Creates files in the program directory

Adds / modifies Windows certificates

Loads dropped or rewritten executable

Creates or modifies windows services

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings