Malware analysis Desktop.rar Malicious activity | ANY.RUN

Add for printing

File name:	Desktop.rar
Full analysis:	https://app.any.run/tasks/e930b43b-a06b-4a2d-bd55-f83a7bd885ae
Verdict:	Malicious activity
Analysis date:	January 17, 2019, 21:28:09
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	B343E43EDCCCDF468881138D6B3E25A4
SHA1:	87B19A345B854B7EFB8541594DC6D6840480F32F
SHA256:	F39DF8C28319F8531BAE1DB7DC4BEA6A0A78B0BD012B1756AAB08AC57C172C13
SSDEEP:	49152:bMNAMjZ2ZUXsx01fNkQrfeu0em7nhHVW0/opL:boAMMZbxsfNle0mrh1w

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - Ancalog Exploit Builder.exe (PID: 2276)
  - DGhkQwOw.exe (PID: 2368)
  - JrCXudMk.exe (PID: 2156)
  - JrCXudMk.exe (PID: 3796)
  - Ancalog Exploit Builder.exe (PID: 2400)
  - DGhkQwOw.exe (PID: 4052)
  - JrCXudMk.exe (PID: 3520)
  - JrCXudMk.exe (PID: 3520)
SUSPICIOUS
- Application launched itself
  - WinRAR.exe (PID: 3012)
  - WinRAR.exe (PID: 3892)
- Creates files in the user directory
  - DGhkQwOw.exe (PID: 2368)
- Executable content was dropped or overwritten
  - Ancalog Exploit Builder.exe (PID: 2276)
  - Ancalog Exploit Builder.exe (PID: 2400)
- Reads Internet Cache Settings
  - JrCXudMk.exe (PID: 2156)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3012	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Desktop.rar"	C:\Program Files\WinRAR\WinRAR.exe	—	explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
3916	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3012.3562\Ancalog Exploit Builder.bin.zip"	C:\Program Files\WinRAR\WinRAR.exe	—	WinRAR.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
2276	"C:\Users\admin\Desktop\Ancalog Exploit Builder.exe"	C:\Users\admin\Desktop\Ancalog Exploit Builder.exe		explorer.exe
User: admin Integrity Level: MEDIUM Exit code: 0
3796	"C:\Users\admin\AppData\Local\Temp\JrCXudMk.exe"	C:\Users\admin\AppData\Local\Temp\JrCXudMk.exe	—	Ancalog Exploit Builder.exe
User: admin Company: ancalog.tech Integrity Level: MEDIUM Description: Ancalog Multi Exploit Builder Exit code: 3221226540 Version: 1.0.0.0
2156	"C:\Users\admin\AppData\Local\Temp\JrCXudMk.exe"	C:\Users\admin\AppData\Local\Temp\JrCXudMk.exe		Ancalog Exploit Builder.exe
User: admin Company: ancalog.tech Integrity Level: HIGH Description: Ancalog Multi Exploit Builder Exit code: 0 Version: 1.0.0.0
2368	"C:\Users\admin\AppData\Local\Temp\DGhkQwOw.exe"	C:\Users\admin\AppData\Local\Temp\DGhkQwOw.exe		Ancalog Exploit Builder.exe
User: admin Integrity Level: MEDIUM Description: Downloader Exit code: 3221225786 Version: 1.0.0.0
2376	"C:\Windows\explorer.exe"	C:\Windows\explorer.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3892	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Desktop.rar"	C:\Program Files\WinRAR\WinRAR.exe	—	explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
1812	"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa3892.21288\radC8EB1.tmp.zip	C:\Program Files\WinRAR\WinRAR.exe	—	WinRAR.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
2400	"C:\Users\admin\Desktop\Ancalog Exploit Builder.exe"	C:\Users\admin\Desktop\Ancalog Exploit Builder.exe		explorer.exe
User: admin Integrity Level: MEDIUM Exit code: 0

Add for printing

Total events

3 823

Read events

3 557

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3012	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3012.4097\Ancalog Exploit Builder.bin.zip		—
		MD5:—	SHA256:—
3916	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb3916.4993\Ancalog Exploit Builder.bin		—
		MD5:—	SHA256:—
1812	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa3892.21288\__rzi_1812.22570		—
		MD5:—	SHA256:—
1812	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb1812.22755\rad24126.exe		—
		MD5:—	SHA256:—
3012	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa3012.3562\Ancalog Exploit Builder.bin.zip		compressed
		MD5:A848CA2D85AD477D2641E2082A130CA6	SHA256:80FAF83FD8339FF282E951EAF5A1B7A42A449AF3B51B9E3503B5D72E73EE1644
3892	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa3892.21288\radC8EB1.tmp.zip		compressed
		MD5:295DDC18A6F7DD9AE9D61CDD0FC6C2A2	SHA256:F786B73784EFEC73B25FE52CAED6CEAA1C29F1700EA8D896983F0664AEB3C053
2400	Ancalog Exploit Builder.exe	C:\Users\admin\AppData\Local\Temp\DGhkQwOw.exe		executable
		MD5:38D703441C45113B9D5DB6E49D551757	SHA256:A54908AF06C3C06CE7AE27077E095D0C7CA5F7F56AB3DD923DD56727B0E0C347
2276	Ancalog Exploit Builder.exe	C:\Users\admin\AppData\Local\Temp\JrCXudMk.exe		executable
		MD5:256915CBE2916434B82CAC76B2CD44EE	SHA256:B4A0B26BF5B2353A860C59EB48A2DFC534A81E4502D1D501586AC16ABA058B4E
2400	Ancalog Exploit Builder.exe	C:\Users\admin\AppData\Local\Temp\JrCXudMk.exe		executable
		MD5:256915CBE2916434B82CAC76B2CD44EE	SHA256:B4A0B26BF5B2353A860C59EB48A2DFC534A81E4502D1D501586AC16ABA058B4E
1812	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa3892.21288\radC8EB1.tmp.zip		compressed
		MD5:8F0888FA63D23C40E9134999CDAA709B	SHA256:3C81AB3CD5920597C0085A298DD1EEC19C0FA6D2EFE907B07666B94426CA25B6

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2368	DGhkQwOw.exe	66.55.90.17:443	a.pomf.cat	GigeNET	US	malicious
4052	DGhkQwOw.exe	66.55.90.17:443	a.pomf.cat	GigeNET	US	malicious

DNS requests

Domain	IP	Reputation
a.pomf.cat	66.55.90.17	unknown
ancalog.tech	—	unknown

Threats

Found threats are available for the paid subscriptions

4 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Desktop.rar

B343E43EDCCCDF468881138D6B3E25A4

87B19A345B854B7EFB8541594DC6D6840480F32F

F39DF8C28319F8531BAE1DB7DC4BEA6A0A78B0BD012B1756AAB08AC57C172C13

49152:bMNAMjZ2ZUXsx01fNkQrfeu0em7nhHVW0/opL:boAMMZbxsfNle0mrh1w

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

SUSPICIOUS

Application launched itself

Creates files in the user directory

Executable content was dropped or overwritten

Reads Internet Cache Settings

INFO

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings