| File name: | SoftwarePassport.rar |
| Full analysis: | https://app.any.run/tasks/e449967d-25ef-4a5c-9940-2c0414fa16cc |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | October 30, 2018, 01:07:38 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v4, os: Win32 |
| MD5: | A9AB0449B19E5E0B90F208DF0265A5DB |
| SHA1: | BB33451A3819EFF6AD04BA74DD39F1D12357BDFA |
| SHA256: | FD5BF3C4855AB7BC41704D1ADDFA485ED5A4E1B9CD7694EDC9F38F9ED21222B1 |
| SSDEEP: | 196608:rWHqTudlK3mT9dJQVoOyr3F6ZN+7JpxsBZMwC7FfVxznk:yKTudbJGoOKcZEdpxsrmfI |
MALICIOUS
Loads dropped or rewritten executable
- SearchProtocolHost.exe (PID: 2008)
Application was dropped or rewritten from another process
- Armadillo.exe (PID: 3296)
- appInstall.exe (PID: 2244)
- Armadillo.exe (PID: 3700)
- appInstall.exe (PID: 3164)
- Armadillo.exe (PID: 456)
- Armadillo.exe (PID: 2180)
Banload was detected
- Armadillo.exe (PID: 3700)
SUSPICIOUS
Application launched itself
- Armadillo.exe (PID: 3296)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3084)
Creates files in the program directory
- Armadillo.exe (PID: 3700)
- SoftwarePassport.exe (PID: 3064)
Reads internet explorer settings
- SoftwarePassport.exe (PID: 3064)
Starts Internet Explorer
- SoftwarePassport.exe (PID: 3064)
INFO
Changes internet zones settings
- iexplore.exe (PID: 544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v-4.x) (58.3) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (41.6) |
EXIF
ZIP
| CompressedSize: | 29425 |
|---|---|
| UncompressedSize: | 69632 |
| OperatingSystem: | Win32 |
| ModifyDate: | 2012:02:07 21:33:18 |
| PackingMethod: | Normal |
| ArchivedFileName: | SoftwarePassport\appInstall.exe |
Total processes
54
Monitored processes
13
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 456 | Armadillo.exe /i2=787834 | C:\Users\admin\Desktop\SoftwarePassport\Armadillo.exe | — | Armadillo.exe | |||||||||||
User: admin Company: The Silicon Realms Toolworks Integrity Level: MEDIUM Description: The Armadillo Software Protection System Exit code: 0 Version: 9.0.0.0 Modules
| |||||||||||||||
| 544 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | SoftwarePassport.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1388 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\SoftwarePassport\Serial.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1992 | "C:\Users\admin\Desktop\SoftwarePassport\SoftwarePassport.exe" | C:\Users\admin\Desktop\SoftwarePassport\SoftwarePassport.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2008 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe14_ Global\UsGthrCtrlFltPipeMssGthrPipe14 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2180 | Armadillo.exe /i2=787834 | C:\Users\admin\Desktop\SoftwarePassport\Armadillo.exe | — | SoftwarePassport.exe | |||||||||||
User: admin Company: The Silicon Realms Toolworks Integrity Level: MEDIUM Description: The Armadillo Software Protection System Exit code: 0 Version: 9.0.0.0 Modules
| |||||||||||||||
| 2244 | "C:\Users\admin\Desktop\SoftwarePassport\appInstall.exe" | C:\Users\admin\Desktop\SoftwarePassport\appInstall.exe | explorer.exe | ||||||||||||
User: admin Company: Digital River Integrity Level: HIGH Description: Use U3 deviceInstall action to handle Armadillo tags for USB-key programs. Exit code: 0 Version: 1, 1, 0, 8 Modules
| |||||||||||||||
| 2848 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:544 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3064 | "C:\Users\admin\Desktop\SoftwarePassport\SoftwarePassport.exe" | C:\Users\admin\Desktop\SoftwarePassport\SoftwarePassport.exe | SoftwarePassport.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3084 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SoftwarePassport.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
Total events
1 159
Read events
1 057
Write events
100
Delete events
2
Modification events
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\SoftwarePassport.rar | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 | |||
| (PID) Process: | (3084) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\General |
| Operation: | write | Name: | LastFolder |
Value: C:\Users\admin\AppData\Local\Temp | |||
Executable files
4
Suspicious files
18
Text files
16
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3084 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3084.37338\SoftwarePassport\au32v10.dll | — | |
MD5:— | SHA256:— | |||
| 3084 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3084.37338\SoftwarePassport\CodeGen\CodeGen.dll | — | |
MD5:— | SHA256:— | |||
| 3084 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3084.37338\SoftwarePassport\CodeGen\CodeGen.exp | — | |
MD5:— | SHA256:— | |||
| 3084 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3084.37338\SoftwarePassport\CodeGen\CodeGen.h | — | |
MD5:— | SHA256:— | |||
| 3084 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3084.37338\SoftwarePassport\CodeGen\CodeGen.lib | — | |
MD5:— | SHA256:— | |||
| 3084 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3084.37338\SoftwarePassport\CodeGen\ReadMe.txt | — | |
MD5:— | SHA256:— | |||
| 3084 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3084.37338\SoftwarePassport\Examples\10uses.ARM | — | |
MD5:— | SHA256:— | |||
| 3084 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3084.37338\SoftwarePassport\Examples\30days.ARM | — | |
MD5:— | SHA256:— | |||
| 3084 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3084.37338\SoftwarePassport\Examples\Existing.ARM | — | |
MD5:— | SHA256:— | |||
| 3084 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3084.37338\SoftwarePassport\Examples\HTML\CustomerService.htm | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
DNS requests
Threats
Process | Message |
|---|---|
SoftwarePassport.exe | %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s |