File name: Shipping_Documents.arj

Full analysis: https://app.any.run/tasks/8a91ade6-715f-4939-937e-f169bf388461
Verdict: Malicious activity
Analysis date: June 21, 2024, 08:00:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
netreactor
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 198AAD44ADDE90CFDA89BC5C200BB2D4
SHA1: 30F0B3E42B5BB4FA697005A2EC0A33317EECF53B
SHA256: EE30FD83BB38B236E9A9A2765566B58239EA0BB394DDEFF7FBC0FDDD9549C906
SSDEEP: 24576:IIwoedRTLlCv9MenNepGg/6joMrStl70WntOz+gGn+g/v93pTMNsqoDX5u:IIwjdRTLlCv9MenUpGm6joMrStl70Wng

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3392)
      • Shipping_Documents.bat (PID: 3520)
    • Uses Task Scheduler to run other applications

      • Shipping_Documents.bat (PID: 3520)
  • SUSPICIOUS

    • Suspicious files were dropped or overwritten

      • WinRAR.exe (PID: 3392)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3392)
      • Shipping_Documents.bat (PID: 3520)
    • Starts application with an unusual extension

      • WinRAR.exe (PID: 3392)
      • Shipping_Documents.bat (PID: 3520)
    • Reads the Internet Settings

      • Shipping_Documents.bat (PID: 3520)
    • Executable content was dropped or overwritten

      • Shipping_Documents.bat (PID: 3520)
    • Application launched itself

      • Shipping_Documents.bat (PID: 3520)
  • INFO

    • Checks supported languages

      • Shipping_Documents.bat (PID: 3520)
      • Shipping_Documents.bat (PID: 2936)
    • Reads the computer name

      • Shipping_Documents.bat (PID: 3520)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3392)
    • Reads the machine GUID from the registry

      • Shipping_Documents.bat (PID: 3520)
    • Creates files or folders in the user directory

      • Shipping_Documents.bat (PID: 3520)
    • Create files in a temporary directory

      • Shipping_Documents.bat (PID: 3520)
    • .NET Reactor protector has been detected

      • Shipping_Documents.bat (PID: 3520)
    • Manual execution by a user

      • explorer.exe (PID: 3144)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 685002
UncompressedSize: 782336
OperatingSystem: Win32
ModifyDate: 2024:06:20 23:06:24
PackingMethod: Normal
ArchivedFileName: Shipping_Documents.bat
No data.
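Two file-name/content mismatches drive this sample: the download is called Shipping_Documents.arj but is a RAR v4 archive (MIME application/x-rar; the process list shows WinRAR opening it as Shipping_Documents.arj.rar), and the archived member is called Shipping_Documents.bat but runs as a process image in its own right, which Windows only does for a PE. The following Python is an added triage example, not ANY.RUN's code and not part of the report: it sniffs leading bytes (RAR4/RAR5, ZIP, ARJ and a validated MZ/PE header) and flags files whose extension does not match the container. The sample bytes are constructed header stubs standing in for the real files, and the `EXPECTED_EXT` policy is an assumption you would tune per environment.

```python
import struct

# Well-known leading byte signatures, longest first so RAR5 wins over RAR4.
SIGNATURES = (
    (b"Rar!\x1a\x07\x01\x00", "rar5"),
    (b"Rar!\x1a\x07\x00", "rar4"),
    (b"PK\x03\x04", "zip"),
    (b"\x60\xea", "arj"),
    (b"MZ", "pe"),
)

# Extensions under which each container is expected to travel (assumed policy).
EXPECTED_EXT = {
    "rar4": {".rar"},
    "rar5": {".rar"},
    "zip": {".zip"},
    "arj": {".arj"},
    "pe": {".exe", ".dll", ".scr", ".sys", ".cpl", ".ocx"},
}


def is_pe(data: bytes) -> bool:
    """MZ stub plus an e_lfanew that points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data: bytes) -> str:
    """Return the container type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            # "MZ" alone is not enough (text can start with it); insist on the PE header.
            if kind == "pe" and not is_pe(data):
                return "unknown"
            return kind
    return "unknown"


def extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def check(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed container type."""
    kind = sniff(data)
    ext = extension(name)
    mismatch = kind != "unknown" and ext not in EXPECTED_EXT[kind]
    return {"name": name, "ext": ext, "kind": kind, "mismatch": mismatch}


def triage(files):
    """Return the checks whose claimed extension disagrees with the content."""
    return [c for c in (check(n, d) for n, d in files) if c["mismatch"]]


# Constructed stand-ins for the two files in the report (headers only, not the
# real samples): a RAR v4 archive carrying the .arj name, a PE carrying .bat,
# and a genuine batch file for contrast.
RAR4_HEADER = b"Rar!\x1a\x07\x00" + b"\x00" * 16
PE_HEADER = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"
REAL_BATCH = b"@echo off\r\necho hello\r\n"

SAMPLES = [
    ("Shipping_Documents.arj", RAR4_HEADER),
    ("Shipping_Documents.bat", PE_HEADER),
    ("cleanup.bat", REAL_BATCH),
]

if __name__ == "__main__":
    for hit in triage(SAMPLES):
        print(f"{hit['name']}: claims {hit['ext'] or '(none)'} but content is {hit['kind']}")
```

Running the block on the constructed samples reports both report files as mismatches and leaves the genuine batch file alone; a mail gateway or sandbox intake would apply the same check before trusting the name an attachment arrives under.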
All screenshots are available in the full report
Total processes: 44
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start
├─ WinRAR.exe (PID 3392, parent explorer.exe) [THREAT]
│  ├─ Shipping_Documents.bat (PID 3520) [THREAT]
│  │  ├─ schtasks.exe (PID 3200)
│  │  └─ Shipping_Documents.bat (PID 2936)
│  └─ relog.exe (PID 3612)
└─ explorer.exe (PID 3144, manual execution)

Process information

PID: 2936
Command line: "C:\Users\admin\AppData\Local\Temp\Rar$DIa3392.14955\Shipping_Documents.bat"
Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa3392.14955\Shipping_Documents.bat
Parent process: Shipping_Documents.bat
User: admin
Company: KK Softwares
Integrity Level: MEDIUM
Description: Date Calculator v2.0
Version: 2.0.0.0
Loaded images:
  c:\users\admin\appdata\local\temp\rar$dia3392.14955\shipping_documents.bat
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll

PID: 3144
Command line: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded images:
  c:\windows\explorer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll

PID: 3200
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PENcyQ" /XML "C:\Users\admin\AppData\Local\Temp\tmp4108.tmp"
Path: C:\Windows\System32\schtasks.exe
Parent process: Shipping_Documents.bat
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded images:
  c:\windows\system32\schtasks.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\ole32.dll

PID: 3392
Command line: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Shipping_Documents.arj.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Loaded images:
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 3520
Command line: "C:\Users\admin\AppData\Local\Temp\Rar$DIa3392.14955\Shipping_Documents.bat"
Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa3392.14955\Shipping_Documents.bat
Parent process: WinRAR.exe
User: admin
Company: KK Softwares
Integrity Level: MEDIUM
Description: Date Calculator v2.0
Exit code: 0
Version: 2.0.0.0
Loaded images:
  c:\users\admin\appdata\local\temp\rar$dia3392.14955\shipping_documents.bat
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
(mscoree.dll and mscoreei.dll are the .NET runtime shim: the file named .bat is a managed PE, which is consistent with the .NET Reactor detection above.)

PID: 3612
Command line: "C:\Windows\System32\relog.exe"
Path: C:\Windows\System32\relog.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Performance Relogging Utility
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 4 593
Read events: 4 564
Write events: 29
Delete events: 0

Modification events (all by PID 3392, WinRAR.exe)

HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
  write ShellExtBMP = (empty)
  write ShellExtIcon = (empty)
HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
  write LanguageList = en-US
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  write 3 = C:\Users\admin\Desktop\phacker.zip
  write 2 = C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
  write 1 = C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
  write 0 = C:\Users\admin\Desktop\Shipping_Documents.arj.rar
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  write name = 120
  write size = 80
  write type = 120

All of these are WinRAR's own UI state, not changes made by the sample. ArcHistory entries 1 to 3 name archives already present in the analysis VM's WinRAR history (none of them appears under Dropped files); only entry 0 refers to this sample.
Executable files: 2
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID 3392 (WinRAR.exe) wrote C:\Users\admin\AppData\Local\Temp\Rar$DIa3392.14955\Shipping_Documents.bat (executable)
  MD5: F19703B4E34A0078FE0B2AEBAA334749
  SHA256: F528C774A0B76DF370246492A18C6CE0EB3F7E4CD7F19FBE1CA6FCC99F5156C9
PID 3520 (Shipping_Documents.bat) wrote C:\Users\admin\AppData\Roaming\PENcyQ.exe (executable)
  MD5: F19703B4E34A0078FE0B2AEBAA334749
  SHA256: F528C774A0B76DF370246492A18C6CE0EB3F7E4CD7F19FBE1CA6FCC99F5156C9
PID 3520 (Shipping_Documents.bat) wrote C:\Users\admin\AppData\Local\Temp\tmp4108.tmp (xml)
  MD5: 9984CD2BECEE670A886AC474F3184024
  SHA256: 89C881BFAEC32C7DA1B100197648561331155AECDD6007B5BED4FCA6293B1694

PENcyQ.exe has the same MD5 and SHA256 as the extracted Shipping_Documents.bat, i.e. the sample copied itself into %APPDATA% under a new name; the scheduled task registered from tmp4108.tmp is named Updates\PENcyQ after that copy.
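The process list and the dropped-file list together show the whole persistence chain: a PE named .bat runs straight out of WinRAR's temp directory, writes a byte-identical copy of itself to %APPDATA%\PENcyQ.exe, writes a task definition to %TEMP% and registers it with schtasks /Create /XML, then launches itself again. The Python below is an added detection example, not ANY.RUN's code and not part of the report: it encodes those behaviours as rules over constructed process-creation and file-drop records that mirror the report's PIDs, images, command lines and hashes. The record field names and the rule names are ours, and the parent PID of WinRAR.exe is assumed (the report names only explorer.exe).

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records mirroring the report's process tree.
# PIDs, images and command lines are copied from the report; field names are ours.
# WinRAR's parent PID (3144) is assumed: the report gives only "explorer.exe".
EVENTS = [
    {"pid": 3144, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\explorer.exe"'},
    {"pid": 3392, "ppid": 3144, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Shipping_Documents.arj.rar'},
    {"pid": 3520, "ppid": 3392,
     "image": r"C:\Users\admin\AppData\Local\Temp\Rar$DIa3392.14955\Shipping_Documents.bat",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\Rar$DIa3392.14955\Shipping_Documents.bat"'},
    {"pid": 3200, "ppid": 3520, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PENcyQ" /XML "C:\Users\admin\AppData\Local\Temp\tmp4108.tmp"'},
    {"pid": 2936, "ppid": 3520,
     "image": r"C:\Users\admin\AppData\Local\Temp\Rar$DIa3392.14955\Shipping_Documents.bat",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\Rar$DIa3392.14955\Shipping_Documents.bat"'},
]

# Constructed dropped-file records (paths and SHA-256 values from the report).
DROPS = [
    {"pid": 3392, "path": r"C:\Users\admin\AppData\Local\Temp\Rar$DIa3392.14955\Shipping_Documents.bat",
     "sha256": "F528C774A0B76DF370246492A18C6CE0EB3F7E4CD7F19FBE1CA6FCC99F5156C9"},
    {"pid": 3520, "path": r"C:\Users\admin\AppData\Roaming\PENcyQ.exe",
     "sha256": "F528C774A0B76DF370246492A18C6CE0EB3F7E4CD7F19FBE1CA6FCC99F5156C9"},
    {"pid": 3520, "path": r"C:\Users\admin\AppData\Local\Temp\tmp4108.tmp",
     "sha256": "89C881BFAEC32C7DA1B100197648561331155AECDD6007B5BED4FCA6293B1694"},
]

PE_EXTS = {".exe", ".com", ".scr"}          # extensions a process image is expected to have
TEMP_MARK = "\\appdata\\local\\temp\\"      # per-user %TEMP% on Windows 7
ARG_TN = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.I)
ARG_XML = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)


def _arg(rx, cmd):
    """Value of a schtasks switch, quoted or bare, or None if absent."""
    m = rx.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def analyze(events, drops):
    """Return (pid, rule, detail) tuples for the behaviours seen in the report."""
    findings = []
    by_pid = {e["pid"]: e for e in events}
    hash_by_path = {d["path"].lower(): d["sha256"] for d in drops}
    tasks, copies = [], []

    for e in events:
        image = PureWindowsPath(e["image"])
        # 1. A real .bat runs under cmd.exe; a process whose own image has a
        #    non-PE extension is a PE the loader accepted on its MZ header.
        if image.suffix.lower() not in PE_EXTS:
            findings.append((e["pid"], "pe_with_unusual_extension", str(image)))
        # 2. Child image identical to the parent's image ("Application launched itself").
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            findings.append((e["pid"], "launched_itself", str(image)))
        # 3. schtasks /Create fed a task definition from an XML file in %TEMP%.
        if image.name.lower() == "schtasks.exe" and re.search(r"/create\b", e["cmd"], re.I):
            xml, task = _arg(ARG_XML, e["cmd"]), _arg(ARG_TN, e["cmd"])
            if xml and TEMP_MARK in xml.lower():
                findings.append((e["pid"], "schtasks_from_temp_xml", f"{task} <- {xml}"))
                if task:
                    tasks.append(task)

    # 4. A process writing a byte-identical copy of its own image to another path.
    for d in drops:
        proc = by_pid.get(d["pid"])
        own = hash_by_path.get(proc["image"].lower()) if proc else None
        if own and own == d["sha256"] and d["path"].lower() != proc["image"].lower():
            findings.append((d["pid"], "self_copy", d["path"]))
            copies.append((d["pid"], d["path"]))

    # 5. Tie the task to the copy: the task's leaf name equals the dropped file's stem.
    for task in tasks:
        leaf = task.rsplit("\\", 1)[-1].lower()
        for pid, path in copies:
            if PureWindowsPath(path).stem.lower() == leaf:
                findings.append((pid, "task_targets_self_copy", f"{task} -> {path}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyze(EVENTS, DROPS):
        print(f"PID {pid}: {rule}: {detail}")
```

Rule 4 needs the hash of the process image, which here comes from the earlier drop record written by WinRAR; in a live pipeline you would take it from the image-load or file-create telemetry of your EDR. Rule 3 keys on the XML living in %TEMP% rather than on /XML alone, since administrators also import task definitions, usually from a fixed share or script directory.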
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 8
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      Destination            Domain                           ASN                          CN  Reputation
2564  svchost.exe  239.255.255.250:3702   -                                -                            -   whitelisted
1372  svchost.exe  40.127.240.158:443     -                                MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
1060  svchost.exe  224.0.0.252:5355       -                                -                            -   unknown
4     System       192.168.100.255:137    -                                -                            -   whitelisted
4     System       192.168.100.255:138    -                                -                            -   whitelisted
1372  svchost.exe  51.104.136.2:443       settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted

None of these connections originates from the sample's processes (PIDs 3392, 3520, 2936, 3200). They are Windows background traffic from svchost.exe and System: WS-Discovery multicast (3702), LLMNR (5355), NetBIOS broadcasts (137/138) and Microsoft settings endpoints over 443. No network activity attributable to the sample was recorded in this run.

DNS requests

settings-win.data.microsoft.com -> 51.104.136.2 (whitelisted)

Threats

No threats detected
No debug info