File name: analyze.zip
Full analysis: https://app.any.run/tasks/61de7681-2dcb-441b-b763-f3f771ea63c5
Verdict: Malicious activity
Analysis date: October 20, 2020, 02:40:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 653BC28B0A9A3AD56DCCDDAAE143CCE7
SHA1: DE93859A6A3A6850CAB1EF11E3AA5491F3A18262
SHA256: F8DBD4F75EB3BF74F091F0AC2F7312FD15A15DF193B749FD8E73D3482AC62CCC
SSDEEP: 98304:9meZpw3w9E/1YYz2HcXKQpovegI7A0EIcoFZunq9:9mew3w9EdYl8aQpNsvoFZuq
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • mbbServiceSetup.exe (PID: 3380)
      • preinstall.exe (PID: 3708)
      • CompareVersion.exe (PID: 3396)
      • mbbServiceSetup.exe (PID: 316)
      • mbbservice.exe (PID: 1968)
      • mbbService.exe (PID: 3976)
      • mbbServiceSetup.exe (PID: 2416)
      • mbbService.exe (PID: 888)
      • CompareVersion.exe (PID: 2116)
      • AutoRun.exe (PID: 888)
      • preinstall.exe (PID: 2836)
      • mbbService.exe (PID: 576)
      • AutoRun.exe (PID: 2400)
      • Uninstall.exe (PID: 2244)
      • mbbservice.exe (PID: 3832)
      • Uninstall.exe (PID: 2264)
      • preinstall.exe (PID: 3652)
      • DeleteFile.exe (PID: 1748)
      • mbbServiceSetup.exe (PID: 3960)
      • CompareVersion.exe (PID: 1944)
      • mbbService.exe (PID: 2556)
      • preinstall.exe (PID: 3576)
      • mbbServiceSetup.exe (PID: 2416)
      • mbbServiceSetup.exe (PID: 3332)
      • mbbservice.exe (PID: 3716)
    • Loads dropped or rewritten executable

      • mbbServiceSetup.exe (PID: 3380)
      • mbbServiceSetup.exe (PID: 3332)
      • Uninstall.exe (PID: 2264)
      • mbbServiceSetup.exe (PID: 2416)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2792)
      • mbbServiceSetup.exe (PID: 3380)
      • WinRAR.exe (PID: 2740)
      • mbbServiceSetup.exe (PID: 3332)
      • Uninstall.exe (PID: 2264)
      • mbbServiceSetup.exe (PID: 2416)
    • Executed as Windows Service

      • mbbservice.exe (PID: 1968)
      • mbbservice.exe (PID: 3716)
    • Creates a software uninstall entry

      • mbbServiceSetup.exe (PID: 3380)
      • mbbServiceSetup.exe (PID: 2416)
    • Creates files in the program directory

      • mbbservice.exe (PID: 1968)
      • mbbService.exe (PID: 3976)
      • mbbServiceSetup.exe (PID: 3380)
      • AutoRun.exe (PID: 888)
      • Uninstall.exe (PID: 2264)
      • mbbservice.exe (PID: 3716)
      • mbbServiceSetup.exe (PID: 2416)
      • mbbService.exe (PID: 2556)
    • Starts CMD.EXE for commands execution

      • DeleteFile.exe (PID: 1748)
  • INFO

    • Manual execution by user

      • Unzip.exe (PID: 3660)
      • WinRAR.exe (PID: 2792)
      • mbbServiceSetup.exe (PID: 3332)
      • AutoRun.exe (PID: 888)
      • AutoRun.exe (PID: 2400)
      • mbbServiceSetup.exe (PID: 2416)
      • Uninstall.exe (PID: 2244)
      • mbbService.exe (PID: 576)
      • Uninstall.exe (PID: 2264)
      • WinRAR.exe (PID: 4068)
      • WinRAR.exe (PID: 2364)
      • mbbServiceSetup.exe (PID: 3960)
      • mbbServiceSetup.exe (PID: 2416)
      • WINWORD.EXE (PID: 4048)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 4048)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 4048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2016:03:24 17:57:07
ZipCRC: 0x9217c55e
ZipCompressedSize: 722
ZipUncompressedSize: 1594
ZipFileName: analyze/ArConfig.dat
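The EXIF block above is just the first 30-byte ZIP local file header decoded field by field (version needed 20 = "at least v2.0 to extract", general-purpose bit flag, compression method 8 = Deflated, a packed MS-DOS timestamp, CRC-32, the two sizes, then the member name). The parser below reproduces that decoding and then goes one step further than the report: it inflates the member from the offsets in its own header and checks that the CRC-32 and uncompressed size written in the header agree with what actually came out, which is the check to run when a header looks hand-edited. This is an added example, not ANY.RUN's code. The archive it parses is constructed in memory: only the member name, timestamp, method and version-needed are taken from the report, the content (and therefore the CRC and sizes) is a placeholder. Note the 2-second resolution of DOS timestamps: the constructed sample uses 17:57:06 so that it round-trips exactly.

```python
"""Decode a ZIP local file header the way the EXIF block does, then verify
that the header's CRC-32/size agree with the inflated content.
Added example, not ANY.RUN's code; the archive is constructed below."""
import io
import struct
import zipfile
import zlib

LOCAL_HEADER_SIG = 0x04034B50          # bytes "PK\x03\x04" read little-endian
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"      # fixed 30-byte part of the local file header
COMPRESSION_NAMES = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA", 93: "Zstandard"}


def dos_datetime(date_field, time_field):
    """Decode an MS-DOS packed date/time pair (2-second resolution, no time zone)."""
    year = ((date_field >> 9) & 0x7F) + 1980
    month = (date_field >> 5) & 0x0F
    day = date_field & 0x1F
    hour = (time_field >> 11) & 0x1F
    minute = (time_field >> 5) & 0x3F
    second = (time_field & 0x1F) * 2
    return (year, month, day, hour, minute, second)


def parse_local_header(data):
    """Return the first member's local-header fields under the names exiftool uses."""
    if len(data) < 30:
        raise ValueError("too short for a ZIP local file header")
    (sig, version_needed, flags, method, mtime, mdate, crc,
     comp_size, uncomp_size, name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, 0)
    if sig != LOCAL_HEADER_SIG:
        raise ValueError("signature mismatch: not a ZIP local file header")
    name = data[30:30 + name_len].decode("utf-8" if flags & 0x0800 else "cp437")
    return {
        "ZipRequiredVersion": version_needed,        # 20 -> "at least v2.0 to extract"
        "ZipBitFlag": flags,                         # 0 is what the report shows as "-"
        "ZipCompression": COMPRESSION_NAMES.get(method, "method %d" % method),
        "ZipModifyDate": dos_datetime(mdate, mtime),
        "ZipCRC": "0x%08x" % crc,
        "CRC32": crc,
        "ZipCompressedSize": comp_size,
        "ZipUncompressedSize": uncomp_size,
        "ZipFileName": name,
        "Encrypted": bool(flags & 0x0001),
        "UsesDataDescriptor": bool(flags & 0x0008),  # then CRC/sizes live after the data
        "DataOffset": 30 + name_len + extra_len,
    }


def inflate_first_member(data):
    """Inflate the first member using only its local header and report whether the
    header's CRC-32 and uncompressed size agree with the content that came out."""
    h = parse_local_header(data)
    if h["Encrypted"] or h["UsesDataDescriptor"]:
        raise ValueError("encrypted or data-descriptor members need the central directory")
    raw = data[h["DataOffset"]:h["DataOffset"] + h["ZipCompressedSize"]]
    if h["ZipCompression"] == "Stored":
        content = raw
    elif h["ZipCompression"] == "Deflated":
        content = zlib.decompress(raw, wbits=-15)  # raw DEFLATE stream, no zlib wrapper
    else:
        raise ValueError("unsupported compression: " + h["ZipCompression"])
    consistent = (zlib.crc32(content) == h["CRC32"]
                  and len(content) == h["ZipUncompressedSize"])
    return content, consistent


def build_sample_archive():
    """Constructed stand-in for analyze.zip: member name, timestamp, method and
    version-needed match the report; the content (hence CRC and sizes) is made up."""
    payload = b"# constructed placeholder, not the real ArConfig.dat content\n" * 30
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("analyze/ArConfig.dat", date_time=(2016, 3, 24, 17, 57, 6))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, payload)
    return buf.getvalue(), payload


if __name__ == "__main__":
    archive, _ = build_sample_archive()
    for key, value in parse_local_header(archive).items():
        print("%-22s %s" % (key, value))
    print("header consistent with content:", inflate_first_member(archive)[1])
```

Only the first member is parsed, which is exactly what the EXIF block reports; a full inventory of the archive (the HiLink.app bundle and the installer executables listed under Dropped files) needs the central directory, and a member with bit 3 set or an encryption flag has to be handled through it rather than through the local header.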
All screenshots are available in the full report
Total processes: 96
Monitored processes: 32
Malicious processes: 6
Suspicious processes: 5

Behavior graph

(Interactive graph, rendered in the full report. Its 32 nodes, in graph order: winrar.exe, unzip.exe, winrar.exe, mbbservicesetup.exe, mbbservicesetup.exe, preinstall.exe, compareversion.exe, mbbservice.exe, mbbservice.exe, winword.exe, mbbservicesetup.exe, mbbservicesetup.exe, preinstall.exe, compareversion.exe, mbbservice.exe, autorun.exe, autorun.exe, mbbservice.exe, uninstall.exe, uninstall.exe, preinstall.exe, mbbservice.exe, deletefile.exe, cmd.exe, winrar.exe, winrar.exe, mbbservicesetup.exe, mbbservicesetup.exe, preinstall.exe, compareversion.exe, mbbservice.exe, mbbservice.exe. Twelve edges are labeled "drop and start"; nodes marked "no specs" in the graph carried no specific indicators.)

Process information

PID: 316
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2792.49640\mbbServiceSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2792.49640\mbbServiceSetup.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the non-elevated launch failed and the installer was started again elevated)
Loaded images:
c:\users\admin\appdata\local\temp\rar$exa2792.49640\mbbservicesetup.exe
c:\systemroot\system32\ntdll.dll

PID: 576
CMD: "C:\Program Files\MobileBrServ\mbbService.exe"
Path: C:\Program Files\MobileBrServ\mbbService.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 22.001.29.01.03
Loaded images:
c:\program files\mobilebrserv\mbbservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 888
CMD: "C:\Program Files\MobileBrServ\mbbService.exe" -install
Path: C:\Program Files\MobileBrServ\mbbService.exe
Parent process: mbbServiceSetup.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 22.001.29.01.03
Loaded images:
c:\program files\mobilebrserv\mbbservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 888 (PID reused by Windows after the mbbService.exe -install instance above had exited; the two entries are different processes)
CMD: "C:\Users\admin\Desktop\analyze\AutoRun.exe"
Path: C:\Users\admin\Desktop\analyze\AutoRun.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: AutoRun
Exit code: 0
Version: 22.001.29.01.03
Loaded images:
c:\windows\system32\msctf.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\lpk.dll

PID: 1748
CMD: "C:\Program Files\DeleteFile.exe"
Path: C:\Program Files\DeleteFile.exe
Parent process: Uninstall.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Loaded images:
c:\program files\deletefile.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 1944
CMD: "C:\Users\admin\AppData\Local\Temp\MobileBrServ\CompareVersion.exe " -22.001.29.01.03,
Path: C:\Users\admin\AppData\Local\Temp\MobileBrServ\CompareVersion.exe
Parent process: mbbServiceSetup.exe
User: admin
Integrity Level: HIGH
Exit code: 3
Loaded images:
c:\users\admin\appdata\local\temp\mobilebrserv\compareversion.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

PID: 1968
CMD: "C:\Program Files\MobileBrServ\mbbservice.exe" -service
Path: C:\Program Files\MobileBrServ\mbbservice.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Version: 22.001.29.01.03
Loaded images:
c:\program files\mobilebrserv\mbbservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2116
CMD: "C:\Users\admin\AppData\Local\Temp\MobileBrServ\CompareVersion.exe " -22.001.29.01.03,22.001.29.01.03
Path: C:\Users\admin\AppData\Local\Temp\MobileBrServ\CompareVersion.exe
Parent process: mbbServiceSetup.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Loaded images:
c:\users\admin\appdata\local\temp\mobilebrserv\compareversion.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

PID: 2244
CMD: "C:\Program Files\MobileBrServ\Uninstall.exe"
Path: C:\Program Files\MobileBrServ\Uninstall.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: see PID 2264 for the elevated re-launch)
Loaded images:
c:\program files\mobilebrserv\uninstall.exe
c:\systemroot\system32\ntdll.dll

PID: 2264
CMD: "C:\Program Files\MobileBrServ\Uninstall.exe"
Path: C:\Program Files\MobileBrServ\Uninstall.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 2
Loaded images:
c:\program files\mobilebrserv\uninstall.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
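Three things in the signature list and the process table drive the verdict and are worth being able to re-derive from raw events rather than trusting the sandbox's labels: an image that was written by one monitored process and then executed ("drop and start", the MALICIOUS tier), a dropped image started by services.exe as SYSTEM ("Executed as Windows Service"), and the pairs of launches where a MEDIUM-integrity attempt exits with 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) and the same image is then run again at HIGH. The triage routine below replays such events in order and emits those three observations. It is an added example, not ANY.RUN's code; the event list is constructed to mirror a subset of the process table (PIDs, paths, users, integrity levels, exit codes are the report's; the event schema is an assumption, and the parent of PID 3380 is assumed, since the report shows it only in the signature list). One detail the report's own lists make easy to miss: the installer writes mbbService.exe and the service runs as mbbservice.exe, so path matching has to be case-insensitive or the "dropped binary runs as a service" link is lost. Nothing here says the dropped files are malicious; the report records no network activity and extracts no configuration, so the next step for a practitioner is to check the publishers' signatures on the dropped PE files, which the report does not show.

```python
"""Replay process/file events and re-derive the report's drop-and-start,
Windows-service and elevation-retry observations.
Added example, not ANY.RUN's code; events are constructed from the table above."""
from collections import defaultdict

STATUS_ELEVATION_REQUIRED = 0xC000042C   # NTSTATUS; the report prints it in decimal, 3221226540

# Constructed events. "write" stands in for the sandbox's "executable content was dropped"
# observation; the schema itself is an assumption, not the sandbox's export format.
EVENTS = [
    {"ev": "write", "pid": 2792, "image": "WinRAR.exe",
     "path": r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2792.49640\mbbServiceSetup.exe"},
    {"ev": "proc", "pid": 316, "image": r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2792.49640\mbbServiceSetup.exe",
     "args": "", "parent": "WinRAR.exe", "user": "admin", "il": "MEDIUM", "exit": 3221226540},
    # PID 3380 appears only in the signature list; its parent is assumed here
    {"ev": "proc", "pid": 3380, "image": r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2792.49640\mbbServiceSetup.exe",
     "args": "", "parent": "WinRAR.exe", "user": "admin", "il": "HIGH", "exit": 0},
    {"ev": "write", "pid": 3380, "image": "mbbServiceSetup.exe",
     "path": r"C:\Program Files\MobileBrServ\mbbService.exe"},
    {"ev": "proc", "pid": 888, "image": r"C:\Program Files\MobileBrServ\mbbService.exe",
     "args": "-install", "parent": "mbbServiceSetup.exe", "user": "admin", "il": "HIGH", "exit": 0},
    {"ev": "proc", "pid": 1968, "image": r"C:\Program Files\MobileBrServ\mbbservice.exe",
     "args": "-service", "parent": "services.exe", "user": "SYSTEM", "il": "SYSTEM", "exit": 0},
    {"ev": "proc", "pid": 2244, "image": r"C:\Program Files\MobileBrServ\Uninstall.exe",
     "args": "", "parent": "explorer.exe", "user": "admin", "il": "MEDIUM", "exit": 3221226540},
    {"ev": "proc", "pid": 2264, "image": r"C:\Program Files\MobileBrServ\Uninstall.exe",
     "args": "", "parent": "explorer.exe", "user": "admin", "il": "HIGH", "exit": 2},
]


def norm(path):
    """NTFS paths are case-insensitive: mbbService.exe and mbbservice.exe are one file."""
    return path.lower()


def triage(events):
    """Replay the events in order and emit the observations the report makes."""
    writers = defaultdict(set)   # normalized path -> PIDs that wrote it
    pending_uac = {}             # normalized image -> PID whose MEDIUM launch needed elevation
    findings = []
    for e in events:
        if e["ev"] == "write":
            writers[norm(e["path"])].add(e["pid"])
            continue
        image = norm(e["image"])
        if image in writers:     # "application was dropped or rewritten from another process"
            findings.append(("drop_and_start", e["pid"], sorted(writers[image])))
        if e["parent"].lower() == "services.exe" and e["user"] == "SYSTEM":
            kind = "dropped_service" if image in writers else "service"
            findings.append((kind, e["pid"], e["args"]))
        if e["il"] == "MEDIUM" and e["exit"] == STATUS_ELEVATION_REQUIRED:
            pending_uac[image] = e["pid"]
        elif e["il"] in ("HIGH", "SYSTEM") and image in pending_uac:
            findings.append(("elevated_retry", pending_uac.pop(image), e["pid"]))
    return findings


def ntstatus_hex(exit_code):
    """Exit codes at or above 0x80000000 are NTSTATUS values; show them as the SDK headers do."""
    return "0x%08X" % (exit_code & 0xFFFFFFFF)


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
    print(ntstatus_hex(3221226540))   # 0xC000042C
```

Run against the constructed events this yields drop-and-start findings for PIDs 316, 3380, 888 and 1968, a dropped_service finding for PID 1968 (-service), and elevated_retry pairs 316 to 3380 and 2244 to 2264. Without the write events the same routine still reports the service and the two elevation retries but no drop-and-start, which is the part of the verdict that depends entirely on file-write visibility.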
Total events: 2 799
Read events: 2 443
Write events: 212
Delete events: 144

Modification events

Format: PID (process), operation: key, value name = data

PID 2740 (WinRAR.exe), write: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes, ShellExtBMP = (empty)
PID 2740 (WinRAR.exe), write: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes, ShellExtIcon = (empty)
PID 2740 (WinRAR.exe), write: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E, LanguageList = en-US
PID 2740 (WinRAR.exe), write: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory, 0 = C:\Users\admin\AppData\Local\Temp\analyze.zip
PID 2740 (WinRAR.exe), write: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths, name = 120
PID 2740 (WinRAR.exe), write: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths, size = 80
PID 2740 (WinRAR.exe), write: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths, type = 120
PID 2740 (WinRAR.exe), write: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths, mtime = 100
PID 2792 (WinRAR.exe), write: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes, ShellExtBMP = (empty)
PID 2792 (WinRAR.exe), write: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes, ShellExtIcon = (empty)
Executable files: 64
Suspicious files: 12
Text files: 511
Unknown types: 109

Dropped files

PID 2740, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\_CodeSignature\CodeResources
Type: xml
MD5: (not listed)
SHA256: (not listed)

PID 2740, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\MacOS\HiLink
Type: binary
MD5: (not listed)
SHA256: (not listed)

PID 2740, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\Resources\English.lproj\InfoPlist.strings
Type: text
MD5: (not listed)
SHA256: (not listed)

PID 2740, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\Resources\English.lproj\Logo.icns
Type: image
MD5: (not listed)
SHA256: (not listed)

PID 2740, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app.zip
Type: compressed
MD5: (not listed)
SHA256: (not listed)

PID 2740, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\Resources\mbbserviceopen.app\Contents\MacOS\mbbserviceopen
Type: binary
MD5: (not listed)
SHA256: (not listed)

PID 2740, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\Info.plist
Type: xml
MD5: 15D2DED113F2F849808C4400C7698A1F
SHA256: 51FF58328F0FBD7F10BCB057FA931684619EE473CAFB67BC62AC6EAC817C1339

PID 2740, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\Resources\English.lproj\main.nib\objects.xib
Type: xml
MD5: 32311A779B180920778D1C82FB8E6803
SHA256: 8AA8251E9F40C0AEC5C1F2E6F44EE4B276F18746942D95D403DF2988E729E412

PID 2740, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\Resources\Installer.png
Type: image
MD5: 0E9E279C003E7B59192C4096808A80F6
SHA256: F6ABB05685BD9C61FABF63905E37471262D0729A78FCE52CFFACC6F38DC57958

PID 2740, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.46858\analyze\HiLink.app\Contents\Resources\English.lproj\custom.strings
Type: text
MD5: 64FC9B3091DC6AC8070EE183583E0C54
SHA256: 51880423A36197B329673D2D9BABD05A0E359D920BB557DDE8DCCFD2CB96C69D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info