File name: Payment Advice.ace
Full analysis: https://app.any.run/tasks/34ff4a00-c182-4866-9b9a-a2882accbefe
Verdict: Malicious activity
Analysis date: March 31, 2020, 05:43:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 0FF37D425095F2FBB669E43F91535220
SHA1: F92DDA7045508AE9C203E51DD7493B46D8DEB411
SHA256: E7CA1DC16DAE0E71455C318E25398FB1DC67FFF3D1082A7299E5BC2E9611F3B3
SSDEEP: 24576:/mFuoSWkQ+MCIOBcgn8PgWepuClnD4o+C6X4XwOA9272KR1VQI3:/+dSWzIIOM4WeQClMo+C6X4Ay72Klv3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Payment Advice.exe (PID: 3804)
      • Payment Advice.exe (PID: 3384)
    • Actions look like stealing of personal data

      • RegAsm.exe (PID: 3708)
      • RegAsm.exe (PID: 3544)
    • Changes settings of System certificates

      • RegAsm.exe (PID: 3708)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3144)
    • Connects to SMTP port

      • RegAsm.exe (PID: 3708)
    • Adds / modifies Windows certificates

      • RegAsm.exe (PID: 3708)
  • INFO

    • Manual execution by user

      • Payment Advice.exe (PID: 3804)
      • Payment Advice.exe (PID: 3384)
    • Reads settings of System Certificates

      • RegAsm.exe (PID: 3708)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start winrar.exe payment advice.exe payment advice.exe regasm.exe regasm.exe

Process information

PID | CMD | Path | Parent process

3144 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Payment Advice.ace" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

3804 | "C:\Users\admin\Desktop\Payment Advice.exe" | C:\Users\admin\Desktop\Payment Advice.exe | explorer.exe
User: admin
Integrity Level: MEDIUM

3384 | "C:\Users\admin\Desktop\Payment Advice.exe" | C:\Users\admin\Desktop\Payment Advice.exe | explorer.exe
User: admin
Integrity Level: HIGH

3544 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Payment Advice.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Exit code: 4294967295
Version: 2.0.50727.5420 (Win7SP1.050727-5400)

3708 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Payment Advice.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft .NET Assembly Registration Utility
Version: 2.0.50727.5420 (Win7SP1.050727-5400)
Total events: 1 740
Read events: 546
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3144 | WinRAR.exe | C:\Users\admin\Desktop\Payment Advice.exe | executable
MD5: 97C0A892DB84257539A3FDA4B791E6AA
SHA256: 28E2FC34B4264456223EE38CC007B03DF851C4B262B8A8BE2B4DBC5AED1338B4
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | IP | URL | CN | Reputation
2356 | WerFault.exe | GET | 51.143.111.81:80 | http://watson.microsoft.com/StageOne/Payment%20Advice_exe/0_0_0_0/5e81b68e/ntdll_dll/6_1_7601_18247/521ea91c/c0000005/00052d94.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL&MID=3ADE2C42-4AB9-49B7-B142-BE9AEEA69063 | US | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3708 | RegAsm.exe | 5.250.244.184:587 | mail.dogulumetal.com | Erhan Mahmut trading as Aysima Bilisim Teknolojileri Erhan Mahmut | TR | malicious
2356 | WerFault.exe | 51.143.111.81:80 | watson.microsoft.com | Microsoft Corporation | US | suspicious

DNS requests

Domain | IP | Reputation
watson.microsoft.com | 51.143.111.81 | whitelisted
mail.dogulumetal.com | 5.250.244.184 | malicious

Threats

PID | Process | Class | Message
3708 | RegAsm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
No debug info