Malware analysis 9.rar Malicious activity | ANY.RUN

Add for printing

File name:	9.rar
Full analysis:	https://app.any.run/tasks/a8a23635-5fe8-483b-80c5-39315511d822
Verdict:	Malicious activity
Analysis date:	July 17, 2019, 09:20:18
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	C3AB11C1BBD6EA349EBF9346FDAED09E
SHA1:	1F305EAFE3ED8C0FF4F979EB1D038DBADCCCD048
SHA256:	E6C6D0091EE3BC8396034BB0858387050CBB38109116316463CE8A245CCFBDD2
SSDEEP:	12288:T5Fi+yV9YVzmoGUdIfDZ6NsIE0H3kmZjVILThH0Q58F/KyV2EZL:THRyV9YMoGtrZaE0F8F1KtJ/J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - PornHub Checker.exe (PID: 2420)
  - PornHub Checker.exe (PID: 3092)
  - Pornhub Cracked.exe (PID: 904)
  - Pornhub Crackeddd.exe (PID: 2388)
  - Chrome.exe (PID: 3496)
- Loads dropped or rewritten executable
  - SearchProtocolHost.exe (PID: 2564)
- Writes to a start menu file
  - Pornhub Cracked.exe (PID: 904)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3840)
  - Pornhub Cracked.exe (PID: 904)
  - PornHub Checker.exe (PID: 3092)
- Creates files in the user directory
  - Pornhub Cracked.exe (PID: 904)
INFO
- Manual execution by user
  - PornHub Checker.exe (PID: 2420)
  - PornHub Checker.exe (PID: 3092)
- Dropped object may contain Bitcoin addresses
  - PornHub Checker.exe (PID: 3092)
  - Pornhub Cracked.exe (PID: 904)
- Application was crashed
  - Pornhub Crackeddd.exe (PID: 2388)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3840	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\9.rar"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
2564	"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"	C:\Windows\System32\SearchProtocolHost.exe	—	SearchIndexer.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255)
2420	"C:\Users\admin\Desktop\PornHub Checker.exe"	C:\Users\admin\Desktop\PornHub Checker.exe	—	explorer.exe
User: admin Integrity Level: MEDIUM Exit code: 3221226540
3092	"C:\Users\admin\Desktop\PornHub Checker.exe"	C:\Users\admin\Desktop\PornHub Checker.exe		explorer.exe
User: admin Integrity Level: HIGH Exit code: 0
904	"C:\Users\admin\AppData\Local\Temp\Pornhub Cracked.exe"	C:\Users\admin\AppData\Local\Temp\Pornhub Cracked.exe		PornHub Checker.exe
User: admin Integrity Level: HIGH Exit code: 0
2388	"C:\Users\admin\AppData\Local\Temp\Pornhub Crackeddd.exe"	C:\Users\admin\AppData\Local\Temp\Pornhub Crackeddd.exe		PornHub Checker.exe
User: admin Company: Azetej Company Integrity Level: HIGH Description: ViaGoGo Checker Version: 1.0.0.0
3496	"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.exe"	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.exe	—	Pornhub Cracked.exe
User: admin Integrity Level: HIGH Description: Version: 0.0.0.0

Add for printing

Total events

1 185

Read events

1 154

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3092	PornHub Checker.exe	C:\Users\admin\AppData\Local\Temp\Pornhub Cracked.exe		executable
		MD5:80366770308B514A811821B4061AD6B7	SHA256:8094F1855F81971C85D3403FCD30C9A0EA26FCF8C9C4A05349E063697AF39C2B
904	Pornhub Cracked.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.exe		executable
		MD5:3A9C6E1A88495E179813E07BF8682DA7	SHA256:B51733AA9A57CD6C5FC43A350F69ED8C0B92DE3E3333F55B8D92582BCB74331E
3840	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3840.24811\PornHub Checker.exe		executable
		MD5:DFE91D7319D534A25B0B62B2D45FE9ED	SHA256:EDBBF072BC044652325CF1EC47E946759B184E753D478E7BF4F0D94494CA0AB8
904	Pornhub Cracked.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd.html		text
		MD5:DC8F0123BC91D1C1257BA152C4D7369F	SHA256:348F8426059BF4FEB4E6394A1E13B30F8BFF640D36D2F3C1B4AD51D944D1E002
3092	PornHub Checker.exe	C:\Users\admin\AppData\Local\Temp\Pornhub Crackeddd.exe		executable
		MD5:FEAC0E9C86DEFC843B19B04D9801195F	SHA256:CEBF75C534D06D21C72A7E534193A20B7A83EDD9AF9F98154C9E8F8A9D8801DE
3840	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3840.24811\Colorful.Console.dll		executable
		MD5:5F3D2CFBC21591B8FEEF1EFA3E59A4D0	SHA256:F31D4FD7E729FC6CF4ECAB972B6B1EE897918A325B1CA572030966F831E768FB
3840	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3840.24811\Newtonsoft.Json.dll		executable
		MD5:5AFDA7C7D4F7085E744C2E7599279DB3	SHA256:F58C374FFCAAE4E36D740D90FBF7FE70D0ABB7328CD9AF3A0A7B70803E994BA4
3840	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3840.24811\Leaf.xNet.dll		executable
		MD5:43C82221E0B667D0A0DA9BF73E9951A8	SHA256:4D06AB17F6137362F254F389B071C235AABA37FC3F0C4D2E941B58517BC4E503

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

9.rar

C3AB11C1BBD6EA349EBF9346FDAED09E

1F305EAFE3ED8C0FF4F979EB1D038DBADCCCD048

E6C6D0091EE3BC8396034BB0858387050CBB38109116316463CE8A245CCFBDD2

12288:T5Fi+yV9YVzmoGUdIfDZ6NsIE0H3kmZjVILThH0Q58F/KyV2EZL:THRyV9YMoGtrZaE0F8F1KtJ/J

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Writes to a start menu file

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

INFO

Manual execution by user

Dropped object may contain Bitcoin addresses

Application was crashed

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings