File name: Sulfoxide.rar

Full analysis: https://app.any.run/tasks/f1d35129-94c3-4341-a99c-afdbb3b0610b
Verdict: Malicious activity
Analysis date: July 09, 2024, 16:34:49
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/x-rar
File info: RAR archive data, v5
MD5: D6ED1A5C6F7B661A1A04D19195533549
SHA1: F2E8BD5C81DE77A0CF1F0A96AE2B00DC811F1216
SHA256: FD4C7FF96814A3520C5F53FBF83DC7008C68E78BEAF895ECE1887AF04B4B95DD
SSDEEP: 98304:NH5dIuC6BF88jUXE0GcBU7V8P54nSpZhU1dyF6Fgzw8jdbGUGOurXHg1EviejuEm:82AbyAACj4Qf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3628)
      • vcredist_x64.EXE (PID: 6160)
      • vcredist_x86.EXE (PID: 6800)
      • msiexec.exe (PID: 6744)
      • TiWorker.exe (PID: 5912)
    • Changes the autorun value in the registry

      • vcredist_x64.EXE (PID: 6160)
      • vcredist_x86.EXE (PID: 6800)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3628)
      • msiexec.exe (PID: 6744)
      • TiWorker.exe (PID: 5912)
    • Executable content was dropped or overwritten

      • vcredist_x64.EXE (PID: 6160)
      • vcredist_x86.EXE (PID: 6800)
      • TiWorker.exe (PID: 5912)
    • Starts a Microsoft application from unusual location

      • vcredist_x64.EXE (PID: 6160)
      • vcredist_x86.EXE (PID: 6800)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6852)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6744)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 6744)
    • The process drops C-runtime libraries

      • TiWorker.exe (PID: 5912)
      • msiexec.exe (PID: 6744)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3628)
      • msiexec.exe (PID: 6744)
    • Checks supported languages

      • vcredist_x64.EXE (PID: 6160)
      • msiexec.exe (PID: 6744)
      • vcredist_x86.EXE (PID: 6800)
      • msiexec.exe (PID: 5564)
    • Manual execution by a user

      • Sulfoxide.exe (PID: 992)
      • vcredist_x64.EXE (PID: 6160)
      • vcredist_x86.EXE (PID: 6800)
      • Sulfoxide.exe (PID: 7152)
      • Sulfoxide.exe (PID: 2912)
      • Sulfoxide_fixes.exe (PID: 2808)
      • Sulfoxide.exe (PID: 6280)
    • Reads the computer name

      • vcredist_x64.EXE (PID: 6160)
      • vcredist_x86.EXE (PID: 6800)
      • msiexec.exe (PID: 5564)
      • msiexec.exe (PID: 6744)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6664)
      • msiexec.exe (PID: 7120)
    • Create files in a temporary directory

      • vcredist_x64.EXE (PID: 6160)
      • vcredist_x86.EXE (PID: 6800)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 6664)
    • Checks proxy server information

      • msiexec.exe (PID: 6664)
    • Reads the software policy settings

      • msiexec.exe (PID: 6664)
      • msiexec.exe (PID: 7120)
      • msiexec.exe (PID: 6744)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 6744)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 162
Monitored processes: 18
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Processes in the graph, in start order ("no specs" is the report's own label):
winrar.exe, sulfoxide.exe (no specs), vcredist_x64.exe, msiexec.exe, msiexec.exe, vcredist_x86.exe, vssvc.exe (no specs), msiexec.exe (no specs), sulfoxide.exe (no specs), srtasks.exe (no specs), conhost.exe (no specs), sulfoxide.exe (no specs), msiexec.exe (no specs), sppextcomobj.exe (no specs), slui.exe (no specs), tiworker.exe, sulfoxide_fixes.exe (no specs), sulfoxide.exe (no specs)

Process information

Columns: PID | CMD | Path | Parent process

PID 652 | CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | Path: C:\Windows\System32\SrTasks.exe | Parent: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Windows System Protection background tasks.
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID 992 | CMD: "C:\Users\admin\Desktop\Sulfoxide.exe" | Path: C:\Users\admin\Desktop\Sulfoxide.exe | Parent: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3222601730 (0xC0150002)
Modules (images):
c:\users\admin\desktop\sulfoxide.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID 2808 | CMD: "C:\Users\admin\Desktop\Sulfoxide_fixes.exe" | Path: C:\Users\admin\Desktop\Sulfoxide_fixes.exe | Parent: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3222601730 (0xC0150002)

PID 2912 | CMD: "C:\Users\admin\Desktop\Sulfoxide.exe" | Path: C:\Users\admin\Desktop\Sulfoxide.exe | Parent: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3222601730 (0xC0150002)

PID 3628 | CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Downloads\Sulfoxide.rar | Path: C:\Program Files\WinRAR\WinRAR.exe | Parent: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID 5564 | CMD: C:\Windows\syswow64\MsiExec.exe -Embedding F1D24BDC0D344A21BAC1B28624B4AE3F | Path: C:\Windows\SysWOW64\msiexec.exe | Parent: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID 5912 | CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding | Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe | Parent: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Modules Installer Worker
Version: 10.0.19041.3989 (WinBuild.160101.0800)

PID 6160 | CMD: "C:\Users\admin\Desktop\vcredist_x64.EXE" | Path: C:\Users\admin\Desktop\vcredist_x64.EXE | Parent: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Win32 Cabinet Self-Extractor
Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
Modules (images):
c:\users\admin\desktop\vcredist_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID 6168 | CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding | Path: C:\Windows\System32\SppExtComObj.Exe | Parent: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)

PID 6280 | CMD: "C:\Users\admin\Desktop\Sulfoxide.exe" | Path: C:\Users\admin\Desktop\Sulfoxide.exe | Parent: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3222601730 (0xC0150002)
Modules (images):
c:\users\admin\desktop\sulfoxide.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 18 281
Read events: 18 090
Write events: 180
Delete events: 11

Modification events

(PID) Process: (3628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (blank)
(PID) Process: (3628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (blank)
(PID) Process: (3628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process: (3628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Downloads\Sulfoxide.rar
(PID) Process: (3628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (3628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (3628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (3628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID) Process: (6160) vcredist_x64.EXE | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | Operation: write | Name: wextract_cleanup0 | Value: rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"
(PID) Process: (6744) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore | Operation: write | Name: SrCreateRp (Enter) | Value: 480000000000000066FACFFB1DD2DA01581A0000B01A0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 64
Suspicious files: 24
Text files: 77
Unknown types: 28

Dropped files

Columns: PID | Process | Filename | Type

PID 6744 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | Type: (blank)
MD5: (blank) | SHA256: (blank)
PID 6744 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | Type: binary
MD5: D57D0626A0938898D1F1E107721D417B | SHA256: 5A86ED42FC148C72A7BB663626981116F5EAEF1BB83DE7A55158DF98705F7895
PID 3628 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3628.21310\Sulfoxide\vcredist_x64.EXE | Type: executable
MD5: E231FBCCE2C2CB16DCC299D36C734DF3 | SHA256: 4487570BD86E2E1AAC29DB2A1D0A91EB63361FCAAC570808EB327CD4E0E2240D
PID 6664 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 | Type: binary
MD5: 569D23374829C1DF6C8BD4D1ABA09F35 | SHA256: ADC03CD7714E7F84D3365BADF534D2884EAE329A0587949CFD0F3AEDCCFB0CB9
PID 3628 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3628.21310\Sulfoxide\Sulfoxide.exe | Type: executable
MD5: EBB8E4550DA773A639557E3BF7D1B29E | SHA256: 84C052915829E69E49D0482F1C0EDDE678B3ECE6AC74CA8D1FE3F0DBE1C05EB0
PID 6664 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 | Type: binary
MD5: A26DCBB948DA05EC8AF97885DBD149B0 | SHA256: 3CEB4A8069B2B9E5FDF508EF67D5AF5B9D3E6A7B417919953A89FA9773E16440
PID 6800 | vcredist_x86.EXE | C:\Users\admin\AppData\Local\Temp\IXP001.TMP\vcredis1.cab | Type: compressed
MD5: CC064D4B81619991DE8131A86AD77681 | SHA256: 913EE5A1CAE3E5A1872B3A5EFAAA00C58E4BEB692492B138F76967DA671B0477
PID 6800 | vcredist_x86.EXE | C:\Users\admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi | Type: executable
MD5: B20BBEB818222B657DF49A9CFE4FED79 | SHA256: 91BDD063F6C53126737791C9ECCF0B2F4CF44927831527245BC89A0BE06C0CB4
PID 6744 | msiexec.exe | C:\WINDOWS\Installer\MSI8001.tmp | Type: binary
MD5: 5E5D3255BFE22B99E2B58D1DC846D485 | SHA256: 1E01D36426E6539F1250875EE5066C94211A2AA8A3DE5807DADBF5D800A8A200
PID 6160 | vcredist_x64.EXE | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab | Type: compressed
MD5: 77A9BFF5AF149160775741E204734D47 | SHA256: 20A26ED9A1EDF7763A9B515522C5E29720048A482C7FBC8B7FF6BBDD27E61038
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 73
DNS requests: 26
Threats: 1

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (rows list only the cells the report populated, in this order)

4452 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
4452 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4656 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | unknown
3516 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | unknown
6664 | msiexec.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/CSPCA.crl | unknown | unknown
4052 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | unknown
(PID/process not shown) | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | unknown
3516 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | unknown
4656 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | unknown
4656 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (rows list only the cells the report populated, in this order)

4 | System | 192.168.100.255:138 | whitelisted
4452 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1280 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1968 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
4032 | svchost.exe | 239.255.255.250:1900 | whitelisted
4452 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4452 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
4656 | SearchApp.exe | 104.126.37.123:443 | www.bing.com | Akamai International B.V. | DE | unknown
4656 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Columns: Domain | IP(s) | Reputation

settings-win.data.microsoft.com | 51.104.136.2, 51.124.78.146, 20.73.194.208 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
www.bing.com | 104.126.37.123, 104.126.37.177, 104.126.37.163, 104.126.37.139, 104.126.37.170, 104.126.37.168, 104.126.37.171, 104.126.37.130, 104.126.37.128 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
r.bing.com | 104.126.37.184, 104.126.37.171, 104.126.37.123, 104.126.37.128, 104.126.37.170, 104.126.37.177, 104.126.37.185, 104.126.37.186, 104.126.37.178 | whitelisted
fp.msedge.net | 204.79.197.222 | whitelisted
arc-ring.msedge.net | 172.202.65.254, 172.202.64.254 | unknown
fp-afd.azurefd.net | 13.107.246.45 | unknown
l-ring.msedge.net | 13.107.42.254 | whitelisted

Threats

Columns: PID | Process | Class | Message

4656 | SearchApp.exe | Not Suspicious Traffic | INFO [ANY.RUN] Azure Front Door domain observed in TLS SNI ( .azurefd .net)
No debug info