File name: pinrulesstl.cab

Full analysis: https://app.any.run/tasks/10ae788e-70ea-4c60-a5c8-26371fffd7ed
Verdict: Malicious activity
Analysis date: March 29, 2023, 21:04:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-cab-compressed
File info: Microsoft Cabinet archive data, Windows 2000/XP setup, 7796 bytes, 1 file, at 0x2c +A "pinrules.stl", number 1, 1 datablock, 0x1 compression
MD5: FB60E1AFE48764E6BF78719C07813D32
SHA1: A1DC74EF8495C9A1489DD937659B5C2875027E16
SHA256: EBF3E7290B8FD1E5509CAA69335251F22B61BAF3F9FF87B4E8544F3C1FEA279D
SSDEEP: 192:CPTIWKvNnUBBBL05O/b0evl2G6AXK+KMlYX82:CbevNUBDLlz0eN2dAXlKH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual connection from system programs

      • rundll32.exe (PID: 3228)
      • rundll32.exe (PID: 3868)
      • rundll32.exe (PID: 1700)
  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • WinRAR.exe (PID: 2668)
    • Reads settings of System Certificates

      • rundll32.exe (PID: 3228)
      • rundll32.exe (PID: 3868)
      • rundll32.exe (PID: 1700)
    • Reads the Internet Settings

      • rundll32.exe (PID: 3228)
      • rundll32.exe (PID: 3868)
      • rundll32.exe (PID: 1700)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 3228)
      • rundll32.exe (PID: 3868)
      • rundll32.exe (PID: 1700)
  • INFO

    • The process checks LSA protection

      • rundll32.exe (PID: 3228)
      • rundll32.exe (PID: 3868)
      • rundll32.exe (PID: 1700)
    • Manual execution by a user

      • rundll32.exe (PID: 1700)
    • Create files in a temporary directory

      • rundll32.exe (PID: 1700)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.cab | Microsoft Cabinet Archive (100)
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph (process nodes): start, winrar.exe (no specs), rundll32.exe, rundll32.exe, rundll32.exe

Process information

PID: 1700
CMD: "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCTL C:\Users\admin\Desktop\pinrules.stl
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 2668
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\pinrulesstl.cab"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
PID: 3228
CMD: "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCTL C:\Users\admin\AppData\Local\Temp\Rar$DIa2668.36290\pinrules.stl
Path: C:\Windows\System32\rundll32.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 3868
CMD: "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCTL C:\Users\admin\AppData\Local\Temp\Rar$DIa2668.37410\pinrules.stl
Path: C:\Windows\System32\rundll32.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\usp10.dll
Total events: 24 740
Read events: 24 636
Write events: 104
Delete events: 0

Modification events

PID / Process | Operation | Key | Name = Value
2668 WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | LanguageList = en-US
2668 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 = C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
2668 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 = C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
2668 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 = C:\Users\admin\Desktop\phacker.zip
2668 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name = 120
2668 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size = 80
2668 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type = 120
2668 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime = 100
3228 rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | LanguageList = en-US
3868 rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | LanguageList = en-US
Executable files: 0
Suspicious files: 6
Text files: 0
Unknown types: 10

Dropped files

PID | Process | Filename | Type
1700 | rundll32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed
  MD5: E71C8443AE0BC2E282C73FAEAD0A6DD3
  SHA256: 95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
1700 | rundll32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary
  MD5:
  SHA256:
2668 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2668.36290\pinrules.stl | cat
  MD5: FFA4C0DD7B7601EE3AC59CEE61E0803E
  SHA256: 48AC1B4059632FF4E41215DA733AF9D8E4E506FABAD0F13E9B03362687CAD9E5
2668 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2668.37410\pinrules.stl | cat
  MD5: FFA4C0DD7B7601EE3AC59CEE61E0803E
  SHA256: 48AC1B4059632FF4E41215DA733AF9D8E4E506FABAD0F13E9B03362687CAD9E5
2668 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\pinrules.stl | cat
  MD5: FFA4C0DD7B7601EE3AC59CEE61E0803E
  SHA256: 48AC1B4059632FF4E41215DA733AF9D8E4E506FABAD0F13E9B03362687CAD9E5
1700 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\Cab2D60.tmp | compressed
  MD5: E71C8443AE0BC2E282C73FAEAD0A6DD3
  SHA256: 95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
1700 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\Tar2D61.tmp | cat
  MD5: BE2BEC6E8C5653136D3E72FE53C98AA3
  SHA256: 1919AAB2A820642490169BDC4E88BD1189E22F83E7498BF8EBDFB62EC7D843FD
2668 | WinRAR.exe | C:\Users\admin\Desktop\pinrules.stl | cat
  MD5: FFA4C0DD7B7601EE3AC59CEE61E0803E
  SHA256: 48AC1B4059632FF4E41215DA733AF9D8E4E506FABAD0F13E9B03362687CAD9E5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3228 | rundll32.exe | GET |  | 8.253.207.120:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a6d436515f926847 | US |  |  | whitelisted
1700 | rundll32.exe | GET | 200 | 8.248.131.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8794af422f241aee | US | compressed | 61.1 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3228 | rundll32.exe | 8.248.131.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious
3868 | rundll32.exe | 8.248.131.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious
1700 | rundll32.exe | 8.248.131.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious
3228 | rundll32.exe | 8.253.207.120:80 | ctldl.windowsupdate.com | LEVEL3 | US | malicious

DNS requests

Domain | IP | Reputation
ctldl.windowsupdate.com | 8.248.131.254, 8.253.207.120, 8.248.119.254, 8.248.143.254, 67.27.234.126 | whitelisted
dns.msftncsi.com | 131.107.255.255 | shared

Threats

No threats detected
No debug info