File name: LaoMaoTao.rar

Full analysis: https://app.any.run/tasks/9dc9e6bb-48c5-4bd0-8e62-d5265fe1dc4b
Verdict: Malicious activity
Analysis date: June 12, 2020, 06:17:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 70F0CD175782DE94FBBBCA551ECE252C
SHA1: 2F69D17D2936D24EFAEF566DAB8499BEC75C0F0F
SHA256: F72F75D90F67C3269390F1B834E8F659D7749D7983E92DB646BCFECE1B522B93
SSDEEP: 393216:XJ9Bq1WZZkxcACv7fTgF9+NZUjou4rWpmC2FNFN9VfzaQlxXPqM:E19xMv77gFeZUj/46pUNFzRXlxXPqM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • bcdedit.exe (PID: 704)
      • bcdedit.exe (PID: 1416)
      • bcdedit.exe (PID: 3260)
      • bcdedit.exe (PID: 3964)
      • dismhost.exe (PID: 2780)
      • dism.exe (PID: 1912)
      • dism.exe (PID: 2708)
      • LaoMaoTao.exe (PID: 2784)
      • LaoMaoTao.exe (PID: 3928)
    • Loads dropped or rewritten executable

      • dism.exe (PID: 1912)
      • dism.exe (PID: 2708)
      • LaoMaoTao.exe (PID: 3928)
      • dismhost.exe (PID: 2780)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • LaoMaoTao.exe (PID: 3928)
      • dism.exe (PID: 2708)
      • WinRAR.exe (PID: 988)
    • Creates a software uninstall entry

      • LaoMaoTao.exe (PID: 3928)
    • Low-level read access rights to disk partition

      • bcdedit.exe (PID: 3260)
      • bcdedit.exe (PID: 1416)
      • LaoMaoTao.exe (PID: 3928)
      • bcdedit.exe (PID: 704)
      • bcdedit.exe (PID: 3964)
    • Reads Internet Cache Settings

      • LaoMaoTao.exe (PID: 3928)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 121
UncompressedSize: 61
OperatingSystem: Win32
ModifyDate: 2020:06:11 05:46:20
PackingMethod: Stored
ArchivedFileName: LaoMaoTao\Backup\System\Config.ini
No data.
All screenshots are available in the full report
Total processes: 52
Monitored processes: 10
Malicious processes: 9
Suspicious processes: 0

Behavior graph

[Behavior graph image not extracted. Nodes: winrar.exe; laomaotao.exe (no specs); laomaotao.exe; bcdedit.exe (no specs) x4; dism.exe x2; dismhost.exe. Edges are labelled "drop and start" (7) and "start" (1).]

Process information

PID: 704
CMD: "C:\Users\admin\AppData\Local\Temp\bcdedit.exe" /enum all
Path: C:\Users\admin\AppData\Local\Temp\bcdedit.exe
Parent process: LaoMaoTao.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Boot Configuration Data Editor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\appdata\local\temp\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 988
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\LaoMaoTao.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1416
CMD: "C:\Users\admin\AppData\Local\Temp\bcdedit.exe" /enum all
Path: C:\Users\admin\AppData\Local\Temp\bcdedit.exe
Parent process: LaoMaoTao.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Boot Configuration Data Editor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\appdata\local\temp\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1912
CMD: C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\Data\Bin\x86\dism.exe /English /?
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\Data\Bin\x86\dism.exe
Parent process: LaoMaoTao.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Dism Image Servicing Utility
Exit code: 0
Version: 6.3.9600.17029 (winblue_gdr.140219-1702)
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa988.3645\laomaotao\data\bin\x86\dism.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\temp\rar$exa988.3645\laomaotao\data\bin\x86\api-ms-win-downlevel-kernel32-l1-1-0.dll
c:\users\admin\appdata\local\temp\rar$exa988.3645\laomaotao\data\bin\x86\api-ms-win-downlevel-advapi32-l1-1-1.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2708
CMD: C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\Data\Bin\x86\dism.exe /English /online /Export-Driver /?
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\Data\Bin\x86\dism.exe
Parent process: LaoMaoTao.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Dism Image Servicing Utility
Exit code: 0
Version: 6.3.9600.17029 (winblue_gdr.140219-1702)
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa988.3645\laomaotao\data\bin\x86\dism.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\temp\rar$exa988.3645\laomaotao\data\bin\x86\api-ms-win-downlevel-kernel32-l1-1-0.dll
c:\users\admin\appdata\local\temp\rar$exa988.3645\laomaotao\data\bin\x86\api-ms-win-downlevel-advapi32-l1-1-1.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2780
CMD: C:\Users\admin\AppData\Local\Temp\FA8DFE16-592B-471F-ABAE-9A99B258F58A\dismhost.exe {0ADD5648-F017-4FBD-800E-94D94497DC16}
Path: C:\Users\admin\AppData\Local\Temp\FA8DFE16-592B-471F-ABAE-9A99B258F58A\dismhost.exe
Parent process: dism.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Dism Host Servicing Process
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\appdata\local\temp\fa8dfe16-592b-471f-abae-9a99b258f58a\dismhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2784
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\LaoMaoTao.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\LaoMaoTao.exe
Parent process: WinRAR.exe
User: admin
Company: www.laomaotao.net
Integrity Level: MEDIUM
Description: 老毛桃U盘启动装机工具 (LaoMaoTao USB boot installation tool)
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 9.5.2006.2
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa988.3645\laomaotao\laomaotao.exe
c:\systemroot\system32\ntdll.dll
PID: 3260
CMD: "C:\Users\admin\AppData\Local\Temp\bcdedit.exe" /enum all
Path: C:\Users\admin\AppData\Local\Temp\bcdedit.exe
Parent process: LaoMaoTao.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Boot Configuration Data Editor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\appdata\local\temp\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3928
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\LaoMaoTao.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\LaoMaoTao.exe
Parent process: WinRAR.exe
User: admin
Company: www.laomaotao.net
Integrity Level: HIGH
Description: 老毛桃U盘启动装机工具 (LaoMaoTao USB boot installation tool)
Exit code: 0
Version: 9.5.2006.2
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa988.3645\laomaotao\laomaotao.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 3964
CMD: "C:\Users\admin\AppData\Local\Temp\bcdedit.exe" /enum all /v
Path: C:\Users\admin\AppData\Local\Temp\bcdedit.exe
Parent process: LaoMaoTao.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Boot Configuration Data Editor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\appdata\local\temp\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 527
Read events: 499
Write events: 28
Delete events: 0

Modification events

(PID 988) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value:
(PID 988) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value:
(PID 988) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID 988) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E | Operation: write | Name: @C:\Windows\system32\NetworkExplorer.dll,-1 | Value: Network
(PID 988) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\LaoMaoTao.rar
(PID 988) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID 988) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID 988) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID 988) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID 988) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 0
Executable files: 96
Suspicious files: 4
Text files: 9
Unknown types: 1

Dropped files

PID | Process | Filename | Type
988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\Backup\System\Config.ini | text
  MD5:
  SHA256:
988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\Data\Bin\amd64\api-ms-win-downlevel-advapi32-l1-1-0.dll | executable
  MD5: 22B6DC18BB1D8C40A00F4F0C48CCE8C0
  SHA256: D68BF3E311EDCEBD995DEC0524A606E336D1E8D954FFADC7ADC754CC26A369AF
988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\Data\Bin\7za.dll | executable
  MD5: 93AA6A76E2F245C85C76FB4C993BC9CB
  SHA256: 0C19B611525E2B4FB5F04581B61F4119821A10EABDF73151F22BE18DB2C805B8
988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\Data\Bin\amd64\api-ms-win-downlevel-advapi32-l3-1-0.dll | executable
  MD5: 8BCF408FF53D854FBF41ADE85A5ADB72
  SHA256: 00C9374DF0C784AD5B9C466C8DC9A671FC0E33724AD813FEF7B862CB3B7A4839
988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\Data\Bin\amd64\wimlib-imagex.exe | executable
  MD5: D593CA61E67E378BAD5F67413AB85B76
  SHA256: DFB5CACDE183B7DDA3F7A965B0BA054440FFB0C02DE96719BB7148A158E4093D
988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\Data\Bin\amd64\api-ms-win-downlevel-advapi32-l4-1-0.dll | executable
  MD5: FC61897E5DEB807A16B40CAD666223B6
  SHA256: F1648D180A1D1B94CC34ABC5621349D64E0CA32F4CA44AD934BA44EBDBEEBFD9
988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\Data\Bin\amd64\api-ms-win-downlevel-advapi32-l2-1-0.dll | executable
  MD5: BD42C3E2B0F48E81BB05FD1966A1A48C
  SHA256: 571D84F1CBBA9DFE11EEAB445C141B35B90562C97CFC88CEEDDA814F357EE875
988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\Data\Bin\amd64\api-ms-win-downlevel-shlwapi-l1-1-0.dll | executable
  MD5: 08CAF697083BD5B117616A02B592C5F9
  SHA256: 0F499942645FC4CE42109E802D687948DD058C8BCD1878C8AFBCDDFAE916B2FB
988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\Data\Bin\amd64\api-ms-win-downlevel-ole32-l1-1-1.dll | executable
  MD5: 14312D63C147F5144EB58D9CE5794074
  SHA256: 18EE0B0360D99944EB892807E4888DEC1866C490A73C6C798A04E509601C0E97
988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa988.3645\LaoMaoTao\Data\Bin\amd64\api-ms-win-downlevel-kernel32-l2-1-0.dll | executable
  MD5: C420AEF5F85C33C9FB8EE07DE6D1C5A2
  SHA256: D6E7B906F63DE50828DE8D0C7AAD72CEF6F053CB7CB4A9EB1DE3EAF2D2C69902
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 18
TCP/UDP connections: 5
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3928 | LaoMaoTao.exe | HEAD | 200 | 47.106.205.80:8888 | http://pe.joy189.com:8888/api/querynet | CN | | | unknown
3928 | LaoMaoTao.exe | GET | 200 | 103.205.6.84:90 | http://down.laomaotao.net:90/soft/icon/QQPCMgr.png | CN | image | 2.01 Kb | suspicious
3928 | LaoMaoTao.exe | GET | 200 | 103.205.6.84:90 | http://down.laomaotao.net:90/lmt1/update.json | CN | text | 8.43 Kb | suspicious
3928 | LaoMaoTao.exe | GET | 200 | 103.205.6.84:90 | http://down.laomaotao.net:90/lmt1/soft.json | CN | text | 3.20 Kb | suspicious
3928 | LaoMaoTao.exe | GET | 200 | 103.205.6.84:90 | http://down.laomaotao.net:90/lmt1/ncsi.txt | CN | text | 14 b | suspicious
3928 | LaoMaoTao.exe | POST | 200 | 47.106.175.21:80 | http://tongji.laomaotao.net/api/lmt/v1/setData | CN | text | 36 b | unknown
3928 | LaoMaoTao.exe | GET | 200 | 103.205.6.84:90 | http://down.laomaotao.net:90/lmt1/ncsi.txt | CN | text | 14 b | suspicious
3928 | LaoMaoTao.exe | GET | 200 | 103.205.6.84:90 | http://down.laomaotao.net:90/lmt1/ncsi.txt | CN | text | 14 b | suspicious
3928 | LaoMaoTao.exe | GET | 200 | 103.205.6.84:90 | http://down.laomaotao.net:90/soft/icon/360Safe.png | CN | image | 4.22 Kb | suspicious
3928 | LaoMaoTao.exe | GET | 200 | 103.205.6.84:90 | http://down.laomaotao.net:90/lmt1/ncsi.txt | CN | text | 14 b | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3928 | LaoMaoTao.exe | 103.205.6.84:90 | down.laomaotao.net | | CN | suspicious
3928 | LaoMaoTao.exe | 2.16.186.17:80 | www.msftncsi.com | Akamai International B.V. | | whitelisted
3928 | LaoMaoTao.exe | 47.106.175.21:80 | tongji.laomaotao.net | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
3928 | LaoMaoTao.exe | 47.106.205.80:8888 | pe.joy189.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown

DNS requests

Domain | IP | Reputation
down.laomaotao.net | 103.205.6.84 | suspicious
www.msftncsi.com | 2.16.186.17, 2.16.186.26 | whitelisted
pe.joy189.com | 47.106.205.80 | unknown
tongji.laomaotao.net | 47.106.175.21 | unknown

Threats

No threats detected
Process | Message
dism.exe | PID=1912 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
dism.exe | PID=1912 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
dism.exe | PID=1912 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
dism.exe | PID=1912 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
dism.exe | PID=1912 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
dism.exe | PID=1912 The requested provider was not found in the Provider Store. - Ē
dism.exe | PID=1912 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005)
dism.exe | PID=1912 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
dism.exe | PID=1912 Failed to get an OSServices provider. Must be running in local store. Falling back to checking alongside the log provider for wdscore.dll. - CDISMLogger::FindWdsCore(hr:0x80004005)
dism.exe | PID=1912 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider