| File name: | H1N1 Loader.rar |
| Full analysis: | https://app.any.run/tasks/7b2d0194-4a6d-448f-b1c9-ffd7a8d7dd6e |
| Verdict: | Malicious activity |
| Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
| Analysis date: | October 27, 2019, 17:18:53 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 1186643A33AEF9A8074C9434EBBD4BA7 |
| SHA1: | 1AE4B0285291D35A3A52A59876A659F3B32B6477 |
| SHA256: | EC4690B42E8A4035744842D10052F7FFB52568EAE0F02DF2CBC77C6F7D351FAD |
| SSDEEP: | 24576:bMU5Ljq9BNjwGC/hsAdFKE641O2wuti9+WEp:3Ljq2L/hsAdFD6WO8t8q |
MALICIOUS
Application was dropped or rewritten from another process
- builder.exe (PID: 2096)
- build.exe (PID: 3772)
- build.exe (PID: 1216)
- bthudtask.exe (PID: 1728)
Loads dropped or rewritten executable
- bthudtask.exe (PID: 1728)
Changes the autorun value in the registry
- explorer.exe (PID: 2944)
Starts NET.EXE for service management
- cmd.exe (PID: 2580)
- cmd.exe (PID: 2660)
- cmd.exe (PID: 3152)
Uses NET.EXE to stop Windows Defender service
- cmd.exe (PID: 2580)
Uses NET.EXE to stop Windows Update service
- cmd.exe (PID: 3152)
Uses NET.EXE to stop Windows Security Center service
- cmd.exe (PID: 2660)
Stops/Deletes Windows Defender service via SC.exe
- cmd.exe (PID: 3704)
H1N1 was detected
- iexplore.exe (PID: 2980)
SUSPICIOUS
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1296)
- builder.exe (PID: 2096)
- explorer.exe (PID: 2300)
- explorer.exe (PID: 2944)
- DllHost.exe (PID: 2428)
Executed via COM
- DllHost.exe (PID: 2428)
Creates files in the Windows directory
- DllHost.exe (PID: 2428)
Starts Internet Explorer
- explorer.exe (PID: 2944)
Starts CMD.EXE for commands execution
- explorer.exe (PID: 2944)
Creates files in the user directory
- explorer.exe (PID: 2300)
- explorer.exe (PID: 2944)
Removes files from Windows directory
- explorer.exe (PID: 2944)
Starts SC.EXE for service management
- cmd.exe (PID: 3376)
- cmd.exe (PID: 1212)
INFO
Manual execution by user
- build.exe (PID: 1216)
- builder.exe (PID: 2096)
- iexplore.exe (PID: 3836)
Creates files in the user directory
- iexplore.exe (PID: 2980)
Reads Internet Cache Settings
- iexplore.exe (PID: 3836)
Reads internet explorer settings
- iexplore.exe (PID: 1400)
Changes internet zones settings
- iexplore.exe (PID: 3836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
79
Monitored processes
26
Malicious processes
8
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 956 | net stop wuauserv | C:\Windows\system32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1212 | cmd.exe /c sc config wscsvc start= disabled | C:\Windows\system32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1216 | "C:\Users\admin\Desktop\H1N1 Loader\build.exe" | C:\Users\admin\Desktop\H1N1 Loader\build.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1296 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\H1N1 Loader.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
| 1400 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3836 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1520 | sc config MpsSvc start= disabled | C:\Windows\system32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1728 | "C:\Windows\System32\setup\bthudtask.exe" | C:\Windows\System32\setup\bthudtask.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1896 | sc config wscsvc start= disabled | C:\Windows\system32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1904 | C:\Windows\system32\net1 stop wuauserv | C:\Windows\system32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2096 | "C:\Users\admin\Desktop\H1N1 Loader\builder.exe" | C:\Users\admin\Desktop\H1N1 Loader\builder.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
1 212
Read events
1 130
Write events
80
Delete events
2
Modification events
| (PID) Process: | (1296) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (1296) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (1296) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1296) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\H1N1 Loader.rar | |||
| (PID) Process: | (1296) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1296) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1296) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1296) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (1296) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2B000000B3000000EB030000A8020000 | |||
| (PID) Process: | (1296) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\General |
| Operation: | write | Name: | LastFolder |
Value: C:\Users\admin\AppData\Local\Temp | |||
Executable files
6
Suspicious files
3
Text files
72
Unknown types
9
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1296.26406\H1N1 Loader\admin\app\controllers\Factory.php | text | |
MD5:4E1128C44E1350822363F7B0D5ECC90C | SHA256:EA6282E1E0A8AC9867A72FDB845296C055EA97FB17DE33968413E87F69A6A863 | |||
| 1296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1296.26406\H1N1 Loader\admin\app\controllers\Notfound.php | text | |
MD5:BB38A95820208FD4494BF56B44BAA010 | SHA256:719613299FE87FD81FD051644A4703CAE3486D53CD8534F551731854CA33F434 | |||
| 1296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1296.26406\H1N1 Loader\admin\app\models\Model.php | text | |
MD5:3CCC0F0D447061AFB6F937490F557CC3 | SHA256:D1D165E0A5B551E91CCD3A4BB67D711081537F422FCC10EA9550BF9C5A738124 | |||
| 1296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1296.26406\H1N1 Loader\admin\app\controllers\Stats.php | text | |
MD5:1D43F759A5890108FC554D5C5F4666BE | SHA256:011C9D6D197774F7FE3776CBD1CF700CCC4973C6AA24DAADB65E4F74C4DBF33D | |||
| 1296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1296.26406\H1N1 Loader\admin\app\controllers\ControllerSession.php | text | |
MD5:150A8E032FB71DE68EA57FD263399AA2 | SHA256:62A9A377B79F373CF24DCAE9817C5F42E383820E990558AE3D886F1176C4BC4C | |||
| 1296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1296.26406\H1N1 Loader\admin\app\models\Task.php | text | |
MD5:0C70862191B581DAB66C952991EC6C47 | SHA256:3FD8092A81E828CF35735DBDB205C64DEA9F19C480E01833228489367A3D4824 | |||
| 1296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1296.26406\H1N1 Loader\admin\app\models\Logs.php | text | |
MD5:1EF36CB61E3089D5854F582AF8CEE247 | SHA256:D98600CE5F8CB2B2AB6F1F35F26D4FBD31A4BBCF1F197081E85C911BC408D726 | |||
| 1296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1296.26406\H1N1 Loader\admin\app\views\layouts\errors.html.php | text | |
MD5:9D8C4864B526AC6038558C8366472F74 | SHA256:50319505950D7875524C3D6E61CED359166629B951502D26EE6AA62FBFD8C9B8 | |||
| 1296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1296.26406\H1N1 Loader\admin\app\views\layouts\page_reload.js.php | text | |
MD5:D6F329C0A704B20F3027886E5E780493 | SHA256:1E3FBF2A6BED8EF525CBE95993287E06A87CB70620E4EB0117672FF9B78C53C6 | |||
| 1296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1296.26406\H1N1 Loader\admin\app\controllers\Auth.php | text | |
MD5:0576535525156E527501DA4C279C9A9F | SHA256:7719BD6BFACDD23D361C7ED5CD228FA5DED13CC44D2243423DC590618223E1A5 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
2
DNS requests
2
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2980 | iexplore.exe | GET | 200 | 193.104.215.66:80 | http://get.adobe.com/flashplayer/download/?dualoffer=false&installer=00007030 | unknown | — | — | whitelisted |
2980 | iexplore.exe | GET | 200 | 193.104.215.66:80 | http://get.adobe.com/flashplayer/download/?dualoffer=false&installer=000033D6 | unknown | — | — | whitelisted |
3836 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
2980 | iexplore.exe | GET | 200 | 193.104.215.66:80 | http://get.adobe.com/flashplayer/download/?dualoffer=false&installer=000058E3 | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2980 | iexplore.exe | 193.104.215.66:80 | get.adobe.com | Level 3 Communications, Inc. | — | malicious |
3836 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
get.adobe.com |
| whitelisted |
www.bing.com |
| whitelisted |
Threats
3 ETPRO signatures available at the full report