File name: 666.rar
Full analysis: https://app.any.run/tasks/7edea4ae-cb9f-45e3-bc51-8bcc0f4292d9
Verdict: Malicious activity
Analysis date: May 04, 2020, 03:12:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: B6BDA7D16BBA279B474F7A22DA313ED9
SHA1: BDF1AA26068EAA34A92F4B5DD07280255FCD61D0
SHA256: FA3131E269C2C1F8330015543CFFE0F3DC241DC2DB4D75DA4FE1D68ADAC79CAC
SSDEEP: 98304:s3iE8eGUVlIBLaLvRqhtE/5TtBvL6KjbSj+PAewJ64GVp2zAzK1Z9F7E5TvkO:s0eGUYLaLwqZFi64orG1tE51

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • mbr.exe (PID: 3100)
      • mbr.exe (PID: 4056)
      • supermariobros2.exe (PID: 4076)
      • supermariobros2.exe destructive.exe (PID: 1000)
    • Loads dropped or rewritten executable
      • supermariobros2.exe (PID: 4076)
    • Low-level write access rights to disk partition
      • mbr.exe (PID: 3100)
  • SUSPICIOUS
    • Starts CMD.EXE for commands execution
      • supermariobros2.exe destructive.exe (PID: 1000)
    • Executes scripts
      • cmd.exe (PID: 2688)
      • cmd.exe (PID: 2280)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2348)
      • supermariobros2.exe (PID: 4076)
    • Application launched itself
      • mbr.exe (PID: 4056)
    • Low-level read access rights to disk partition
      • mbr.exe (PID: 3100)
  • INFO
    • Manual execution by user
      • cmd.exe (PID: 2280)
      • supermariobros2.exe destructive.exe (PID: 1000)
      • taskmgr.exe (PID: 2612)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
Total processes: 72
Monitored processes: 22
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Processes in the graph, in the order shown ("no specs" marks processes whose details are not expanded):
start, winrar.exe, cmd.exe (no specs), wscript.exe (no specs), supermariobros2.exe destructive.exe (no specs), cmd.exe (no specs), wscript.exe (no specs), wscript.exe (no specs), mbr.exe (no specs), notepad.exe (no specs), timeout.exe (no specs), mbr.exe, taskmgr.exe (no specs), supermariobros2.exe, wscript.exe (no specs), timeout.exe (no specs), wscript.exe (no specs), timeout.exe (no specs), wscript.exe (no specs), timeout.exe (no specs), wscript.exe (no specs), timeout.exe (no specs), wmic.exe (no specs)

Process information

PID: 2348
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\666.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 1073807364
Version: 5.60.0

PID: 2280
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\666\666\supermariobros2.exe destructive.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1073807364
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 4072
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\666\666\Malware.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 1073807364
Version: 5.8.7600.16385

PID: 1000
CMD: "C:\Users\admin\AppData\Local\Temp\666\666\supermariobros2.exe destructive.exe"
Path: C:\Users\admin\AppData\Local\Temp\666\666\supermariobros2.exe destructive.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2688
CMD: "C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\D35C.tmp\D35D.tmp\D36D.bat "C:\Users\admin\AppData\Local\Temp\666\666\supermariobros2.exe destructive.exe""
Path: C:\Windows\system32\cmd.exe
Parent process: supermariobros2.exe destructive.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2580
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\666\666\Malware.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 2360
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\666\666\Malware2.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 4056
CMD: mbr.exe
Path: C:\Users\admin\AppData\Local\Temp\666\666\mbr.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3196
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\666\666\note.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 1073807364
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 988
CMD: timeout /t 10
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 684
Read events: 1 635
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 11
Suspicious files: 0
Text files: 9
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\666\666\Malware.vbs | text | C0E28E01178FB0E1D621194570B06A7D | FD84FB7CDBA3515095EF84899A504EB347908868793283383BDCC9F284CD03C3
2348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\666\666\TEST.exe | executable | A4F46F0E3DF60C27DC419D6E71FC92EC | 97F6A41F274C6A6AF4A2CE2D1DF112BB32034617A7566B8E339840D23EE9AC3D
2348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\666\666\wat.vbs | text | 75DC5BB68E062B6E18260FCBFE9EC7B3 | 5B7FAFEBC268227DD90A7AA5240866B1106B34631850FD54F7D05CE24E30B9E1
2348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\666\666\supermariobros2.exe destructive.bat | text | 701C53891F0F14824609DBD8E12CF5FD | 5E23CA46B030FEE74E1072C64C2582BC9E09AE6CB467A0059C702A0696A12F84
1000 | supermariobros2.exe destructive.exe | C:\Users\admin\AppData\Local\Temp\D35C.tmp\D35D.tmp\D36D.bat | text | 289CF630D20D23806A3663D43997EFCA | 6911E5FC73758189CC3394366C980F60985AA2B16AB3626D50EAE89C37A070F5
2348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\666\666\Malware2.vbs | text | 2A87AFD6C4877CBDEE7871C291E907A2 | 952A3F886EE4C30F9D75AE26E2FFC2197D51B3C09EDBB23B503A31D7892ED49D
2348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\666\666\fdf.vbs | text | ACDE4832FC08A646F7EDD78A8AE1552F | 5CBC0F36282911519880FD6F43F9F286879AD239B222C68C89B52E8BC30F7CFA
2348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\666\666\mbr.exe | executable | 660397501E5DE7713708AC1318CF0E9E | D87292D99AA1720EED7E940509F31666BE439E8FB31FF0B8513A0A0F3E56E38B
2348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\666\666\supermariobros2.exe destructive.exe | executable | 9AB1A9BE828449EE6AF57AFE26958DAE | F55E051861254BEC0F4AD421F980ADFC36939F554A44964D7667ED4D9681783F
2348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\666\666\supermariobros2.exe | executable | ACCD0CFB37FE718EE3227DF2DA17BA13 | 4A742FEDDED58E492E1F6A87E85FA1CEF9F16BD1C39D35A3F991F62948E72948
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info