| File name: | !@-FullVer_Pc$etUp_2024_PASSCODE$_.rar |
| Full analysis: | https://app.any.run/tasks/cd2579b7-8734-47ce-80b7-e188542c6132 |
| Verdict: | Malicious activity |
| Analysis date: | May 01, 2024, 18:20:54 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | C7EA39F98E09531EBE49DD4B94BE1A5E |
| SHA1: | 693D6C331151E34EED4913FFA55A84DDAD256A4B |
| SHA256: | E8093A612EB355B8D6153CD8EBECC9F8090A51AC8B7009583C6B95F1D8761D02 |
| SSDEEP: | 98304:5+FQstZVmc9GzbaQAeoB4bjzkPLSnYqgjN3oA7uYONMhVBFGf92yx0taNv+ipYy4:0btliAMftu |
| Extension | Description | Match (%) |
|---|---|---|
| .rar | RAR compressed archive (v5.0) | 61.5 |
| .rar | RAR compressed archive (gen) | 38.4 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 304 | "C:\Windows\system32\taskmgr.exe" /1 | C:\Windows\System32\taskmgr.exe | — | taskmgr.exe |
| 1116 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\System32\taskmgr.exe | — | explorer.exe |
| 3940 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\!@-FullVer_Pc$etUp_2024_PASSCODE$_.rar | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |

| PID | Process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|
| 304 | taskmgr.exe | admin | Microsoft Corporation | HIGH | Windows Task Manager | — | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1116 | taskmgr.exe | admin | Microsoft Corporation | MEDIUM | Windows Task Manager | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3940 | WinRAR.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.91.0 |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | — |
| 3940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | — |
| 3940 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList | en-US |
| 3940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | 0 |
| 3940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 3 | C:\Users\admin\Desktop\phacker.zip |
| 3940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| 3940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip |
| 3940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\!@-FullVer_Pc$etUp_2024_PASSCODE$_.rar |
| 3940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120 |
| 3940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3940.49192\Wex.Common.dll | executable | 2A58200BC71F4819FA958A93791479A8 | D309A0FF6BC22F534C5D26EC992DA21DCDACB93C595EF00E63CBAE4DEC315E7F |
| 3940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3940.49192\Wex.Communication.dll | executable | CE40FAE07167C331D9A73F8DE792A897 | 75AE83C152B01D1F6A44E5D067ED8256FD000FD41B5927F0034F738EBB68F11C |
| 3940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3940.49192\TE.Loaders.dll | executable | 6D96B3FC5AB6968812297666C26B3468 | CC6B45ED1F71F8F6A6F89AE1F81D182457B036C53011208B833F6C3B96E6AD90 |
| 3940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3940.49192\Setup.exe | executable | 5924EC85948544CEADF7D1721FB5FCF0 | F46C8174D101B3B16983CF872F54577790326F04390E543EA5B9CE5730E9E4AE |
| 3940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3940.49192\TE.Host.dll | executable | C49636454423A17C8BAA4C1F27F60CA9 | 50FDC6353659FD0F718BB8EEF59AFBC07D904EE0DFC0B5E7AFFA96713E37A873 |
| 3940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3940.49192\Wex.Logger.dll | executable | F2C1CC6843C2E0DFDA8B3E748E90DB80 | 0B03908CA426FE2CDDD483F86795D3D05F6767547167AEC4082E1B7D8F936272 |
| 3940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3940.49192\x64\api-ms-win-core-console-l1-2-0.dll | executable | 6B33E6F1D77CEC0901EA8E91473BC18B | 449631A3F5FADEF72ACC2C2F84765208D0CA014EC1FE93FB9AD805EEC1D40EAE |
| 3940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3940.49192\x64\api-ms-win-core-datetime-l1-1-0.dll | executable | 2B4A3A51E075AB9819C6D6BC40EFB4B5 | D718E1B6C352112C2F8E36B4BA5ED28E6179257FD2FE944C4A0D404B5C15B5AE |
| 3940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3940.49192\x64\api-ms-win-core-console-l1-1-0.dll | executable | 0909E61C8C9C717976828F65C987E5F9 | 03FFDB036329A25BEACF905D62611A13E3DFDDA6CBD2D13AF830258E8CF40EC0 |
| 3940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3940.49192\TE.Common.dll | executable | 606EBF7A989EE06846C3CF3BBBADC60F | F0207038D3209991CBE21FCF4B17141B3450BA70A02D9B38D0B787249975738B |
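The dropped-files table above is the part of this report most useful for hunting: WinRAR (PID 3940) wrote ten PE files into its per-process temp directory `Rar$DRb3940.49192`, and each has a SHA256. The following Python triage script is an added example, not part of the ANY.RUN report: it flags PE files written into a WinRAR `Rar$` temp directory, checks that the PID embedded in the directory name matches the writing process (a heuristic of this example, generalised from the single `Rar$DRb3940.49192` / PID 3940 pair in the report), and matches each file's SHA256 against the hashes listed above. The `FileEvent` records, the two benign rows and the look-alike `Rar$DRb1234.7` path are constructed sample input.

```python
"""Added example (not part of the ANY.RUN report): triage file-write events
for PE files that WinRAR extracted into its per-process temp directory and
match their SHA256 against the hashes in the report's dropped-files table."""
import re
from dataclasses import dataclass

# WinRAR extracts entries opened from its UI into %TEMP%\Rar$<tag><pid>.<n>\ ;
# the report shows Rar$DRb3940.49192 written by PID 3940. Group 1 = that PID.
# The naming pattern is generalised from that single observation (assumption).
RAR_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\Rar\$[A-Za-z]+(\d+)\.\d+\\", re.I)
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".sys", ".cpl", ".ocx")

# SHA256 values copied verbatim from the report's dropped-files table.
REPORT_SHA256 = {
    "D309A0FF6BC22F534C5D26EC992DA21DCDACB93C595EF00E63CBAE4DEC315E7F": "Wex.Common.dll",
    "75AE83C152B01D1F6A44E5D067ED8256FD000FD41B5927F0034F738EBB68F11C": "Wex.Communication.dll",
    "CC6B45ED1F71F8F6A6F89AE1F81D182457B036C53011208B833F6C3B96E6AD90": "TE.Loaders.dll",
    "F46C8174D101B3B16983CF872F54577790326F04390E543EA5B9CE5730E9E4AE": "Setup.exe",
    "50FDC6353659FD0F718BB8EEF59AFBC07D904EE0DFC0B5E7AFFA96713E37A873": "TE.Host.dll",
    "0B03908CA426FE2CDDD483F86795D3D05F6767547167AEC4082E1B7D8F936272": "Wex.Logger.dll",
    "449631A3F5FADEF72ACC2C2F84765208D0CA014EC1FE93FB9AD805EEC1D40EAE": "x64\\api-ms-win-core-console-l1-2-0.dll",
    "D718E1B6C352112C2F8E36B4BA5ED28E6179257FD2FE944C4A0D404B5C15B5AE": "x64\\api-ms-win-core-datetime-l1-1-0.dll",
    "03FFDB036329A25BEACF905D62611A13E3DFDDA6CBD2D13AF830258E8CF40EC0": "x64\\api-ms-win-core-console-l1-1-0.dll",
    "F0207038D3209991CBE21FCF4B17141B3450BA70A02D9B38D0B787249975738B": "TE.Common.dll",
}


@dataclass(frozen=True)
class FileEvent:
    pid: int        # PID of the process that wrote the file
    process: str    # image name of that process
    path: str       # full path of the file written
    sha256: str     # hex digest, any case


TEMP = r"C:\Users\admin\AppData\Local\Temp"
# Constructed sample input: three rows mirroring the report, a text file in the
# same temp dir and a DLL written elsewhere (neither should fire), and a
# look-alike Rar$ directory whose embedded PID differs from the writer's PID.
SAMPLE_EVENTS = [
    FileEvent(3940, "WinRAR.exe", TEMP + r"\Rar$DRb3940.49192\Setup.exe",
              "F46C8174D101B3B16983CF872F54577790326F04390E543EA5B9CE5730E9E4AE"),
    FileEvent(3940, "WinRAR.exe", TEMP + r"\Rar$DRb3940.49192\TE.Host.dll",
              "50FDC6353659FD0F718BB8EEF59AFBC07D904EE0DFC0B5E7AFFA96713E37A873"),
    FileEvent(3940, "WinRAR.exe", TEMP + r"\Rar$DRb3940.49192\x64\api-ms-win-core-console-l1-2-0.dll",
              "449631A3F5FADEF72ACC2C2F84765208D0CA014EC1FE93FB9AD805EEC1D40EAE"),
    FileEvent(3940, "WinRAR.exe", TEMP + r"\Rar$DRb3940.49192\readme.txt", "0" * 64),
    FileEvent(2222, "explorer.exe", r"C:\Users\admin\Downloads\tool.dll", "1" * 64),
    FileEvent(3940, "WinRAR.exe", TEMP + r"\Rar$DRb1234.7\loader.dll", "2" * 64),
]


def classify(event: FileEvent, iocs: dict = REPORT_SHA256) -> list:
    """Return the reasons an event is interesting; an empty list means benign."""
    reasons = []
    match = RAR_TEMP_RE.search(event.path)
    if match and event.path.lower().endswith(PE_EXTENSIONS):
        reasons.append("PE extracted to WinRAR temp dir")
        # Heuristic (assumption): WinRAR embeds its own PID in the directory
        # name, so a different PID suggests a staged look-alike path.
        if int(match.group(1)) != event.pid:
            reasons.append(f"temp dir PID {match.group(1)} != writer PID {event.pid}")
    name = iocs.get(event.sha256.upper())
    if name:
        reasons.append(f"SHA256 matches report IOC {name}")
    return reasons


def triage(events, iocs: dict = REPORT_SHA256) -> dict:
    """Map path -> reasons for every event with at least one reason."""
    return {e.path: r for e in events if (r := classify(e, iocs))}


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path)
        for reason in reasons:
            print("    -", reason)
```

Run against real file-creation telemetry (Sysmon Event ID 11 or EDR file-write events) by building `FileEvent` records from those logs; the hash match alone is enough to confirm this specific archive's contents, while the `Rar$` temp-directory rule catches repacked variants whose hashes differ.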
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | unknown |