File name: pay express.rar

Full analysis: https://app.any.run/tasks/4613e37d-6354-4bb8-bb41-ae2b57c792a2
Verdict: Malicious activity
Analysis date: December 12, 2023, 08:51:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 0FDC7FA7E78178CB5DE0422D89AB8158
SHA1: 9101EFBF2EBDC4D6F6BFCC3D8124CE96FD6A01F8
SHA256: EFF51F22FE7D96D1869115D671E0E487D52DFF83D26C78702F6ED960355F43EC
SSDEEP: 98304:RjjAl8j3ajG6XOOUVIbE9S2i+v5/1Pd+Lt+YnFXVnhRXJeIRVbYFg9yFsaR8Ee4e:wy2aTls8S7QZbShTt32jRGsR2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • setup.exe (PID: 3680)
      • Setup1.exe (PID: 1276)
    • Create files in the Startup directory
      • setup.exe (PID: 3680)
    • Creates a writable file in the system directory
      • setup.exe (PID: 3680)
      • Setup1.exe (PID: 1276)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • WinRAR.exe (PID: 1344)
      • setup.exe (PID: 3680)
      • Setup1.exe (PID: 1276)
    • The process drops C-runtime libraries
      • setup.exe (PID: 3680)
    • Searches for installed software
      • Setup1.exe (PID: 1276)
  • INFO
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 1344)
    • Manual execution by a user
      • WinRAR.exe (PID: 1344)
      • setup.exe (PID: 3892)
      • setup.exe (PID: 3680)
      • WinRAR.exe (PID: 3564)
      • payeXpress.exe (PID: 3600)
    • Checks supported languages
      • setup.exe (PID: 3680)
      • Setup1.exe (PID: 1276)
      • payeXpress.exe (PID: 3600)
    • Create files in a temporary directory
      • setup.exe (PID: 3680)
      • Setup1.exe (PID: 1276)
      • payeXpress.exe (PID: 3600)
    • Reads the computer name
      • setup.exe (PID: 3680)
      • Setup1.exe (PID: 1276)
    • Creates files or folders in the user directory
      • setup.exe (PID: 3680)
      • Setup1.exe (PID: 1276)
    • Reads the machine GUID from the registry
      • Setup1.exe (PID: 1276)
      • payeXpress.exe (PID: 3600)
    • Reads mouse settings
      • Setup1.exe (PID: 1276)
      • payeXpress.exe (PID: 3600)
    • Creates files in the program directory
      • Setup1.exe (PID: 1276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 2849555
UncompressedSize: 3325952
OperatingSystem: Win32
ModifyDate: 2009:10:12 11:31:38
PackingMethod: Normal
ArchivedFileName: pay express\ADC launching presentation - 11102009.ppt
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph

(interactive graph not reproduced; processes shown: winrar.exe, winrar.exe, setup.exe, setup.exe, setup1.exe, winrar.exe, payexpress.exe)

Process information

PID: 1276
CMD: Setup1.exe "C:\Users\admin\Desktop\pay express\" "C:\WINDOWS\ST6UNST.000" "C:\WINDOWS\st6unst.exe"
Path: C:\Windows\Setup1.exe
Parent process: setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual Basic 6.0 Setup Toolkit
Exit code:
0
Version:
6.00.8171
Modules
Images
c:\windows\setup1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 1344
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\pay express.rar" C:\Users\admin\Desktop\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 1556
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\pay express.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 3564
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\pay express\payeXpress.CAB"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 3600
CMD: "C:\Users\admin\Desktop\pay express\Support\payeXpress.exe"
Path: C:\Users\admin\Desktop\pay express\Support\payeXpress.exe
Parent process: explorer.exe
User:
admin
Company:
NSGB
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\pay express\support\payexpress.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\pay express\support\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 3680
CMD: "C:\Users\admin\Desktop\pay express\setup.exe"
Path: C:\Users\admin\Desktop\pay express\setup.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Setup Bootstrap for Visual Basic Setup Toolkit
Exit code:
0
Version:
6.00.8169
Modules
Images
c:\users\admin\desktop\pay express\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 3892
CMD: "C:\Users\admin\Desktop\pay express\setup.exe"
Path: C:\Users\admin\Desktop\pay express\setup.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Setup Bootstrap for Visual Basic Setup Toolkit
Exit code:
3221226540
Version:
6.00.8169
Modules
Images
c:\users\admin\desktop\pay express\setup.exe
c:\windows\system32\ntdll.dll
Total events: 3 275
Read events: 3 226
Write events: 34
Delete events: 15

Modification events

(PID) Process: (1556) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1556) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (1556) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1556) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (1556) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1556) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1556) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (1556) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (1344) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1344) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80
Executable files: 81
Suspicious files: 16
Text files: 8
Unknown types: 0

Dropped files

PID: 1344  Process: WinRAR.exe  Type: compressed
Filename: C:\Users\admin\Desktop\pay express\payeXpress.CAB
MD5: C4939A75F45C8F09DDD6C711C5D4CCE7
SHA256: EBAD21E4C2467AE2FFE77B27AC6BF9A8E9F0D855EEE8FADB7A5D6340F716382D

PID: 1344  Process: WinRAR.exe  Type: text
Filename: C:\Users\admin\Desktop\pay express\KIT KAT\AGTD.NSG
MD5: AFA181E170A8D9D4E610027E33D71FF1
SHA256: 7C0AD9B85791AE56E6A5E8C5C32983D0427D84298B1B597134946E0CF16AC112

PID: 1344  Process: WinRAR.exe  Type: document
Filename: C:\Users\admin\Desktop\pay express\NSGB - Payroll Project - Test Kick Off presentation - V9.ppt
MD5: CE9F1A3C3DAEF57D5565943FD29D409C
SHA256: E89665983605F46778A979C126A7A0B6D981C003E14444FD7280C6685D7B8BE2

PID: 1344  Process: WinRAR.exe  Type: document
Filename: C:\Users\admin\Desktop\pay express\NSGB - Payroll Commercial Center.ppt
MD5: E2D216632D26B83F84C3CA5E80D1D85E
SHA256: 313BD2F3180531D726F35422EB3290B292CA6882161181AF7F887E60BBAB0BD8

PID: 1344  Process: WinRAR.exe  Type: document
Filename: C:\Users\admin\Desktop\pay express\ADC launching presentation - 11102009.ppt
MD5: B972D9B12282339BA067090BA4C0D32C
SHA256: 282FFED1D7FA319122221C048DD12D18B33142AD6CDF77DA0DD4D2A5993060D2

PID: 1344  Process: WinRAR.exe  Type: executable
Filename: C:\Users\admin\Desktop\pay express\Support\MSJTER35.DLL
MD5: 72F160302EE06A2CB12FA2FFA10BA3F0
SHA256: 3430B3680415B494BA7EB41F7BC83933DA68D364A94287B9C07384B2FE3DCB54

PID: 1344  Process: WinRAR.exe  Type: executable
Filename: C:\Users\admin\Desktop\pay express\Support\MSRD2X35.DLL
MD5: 954CEB4D7C7DC5E94EA237CF96D387A3
SHA256: 66C74E4C9DBD1D33B22F63CD0318B72DEA88F9DBB4D36A3383D3DA20B037D42E

PID: 1344  Process: WinRAR.exe  Type: executable
Filename: C:\Users\admin\Desktop\pay express\Support\MSCOMCT2.OCX
MD5: C1B4AF41A0370E4081D59AC99BCC929D
SHA256: 2B7A1F905486736EDA8B51ADD1BC2590C2A6D9D5A9AB7565335D989F39C0EB8E

PID: 1344  Process: WinRAR.exe  Type: executable
Filename: C:\Users\admin\Desktop\pay express\Support\DAO350.DLL
MD5: 8888BDBD4E118D915D40A11748282BCA
SHA256: A4B20735BE317A924D2E36707BAAF911FBAE890CA53C5044FB506F15D33BCB6D

PID: 1344  Process: WinRAR.exe  Type: executable
Filename: C:\Users\admin\Desktop\pay express\Support\MSVCRT40.DLL
MD5: 146263312871D16BA8E06B3CF68B88DF
SHA256: 1DED954D583F8BC620073F750A14987D370581763F742E564C8371C59651FABD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 4  Process: System  IP: 192.168.100.255:137  Reputation: unknown
PID: (not shown)  Process: (not shown)  IP: 224.0.0.252:5355  Reputation: unknown
PID: 2588  Process: svchost.exe  IP: 239.255.255.250:1900  Reputation: unknown
PID: 4  Process: System  IP: 192.168.100.255:138  Reputation: unknown
PID: 1080  Process: svchost.exe  IP: 224.0.0.252:5355  Reputation: unknown

(Domain, ASN and CN columns were empty for every connection.)

DNS requests

No data

Threats

No threats detected
Process | Message
setup.exe | Close
setup.exe | Ending BRC
setup.exe | Close
setup.exe | Ending BRC
setup.exe | Close
setup.exe | Ending BRC
setup.exe | Close
setup.exe | Ending BRC
setup.exe | About to check for ProcAddress Call
setup.exe | Close