| File name: | Downloads.zip |
| Full analysis: | https://app.any.run/tasks/ec60b581-2549-4e0e-86cc-8f50e35b17a9 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | December 05, 2022, 18:31:13 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 6A22D970C6342E7E098468BB1418711A |
| SHA1: | 0BF5AB1BF0E15E339752C15BC3B9200FF24911BF |
| SHA256: | 0EA7DBE8C6AC76D1C1F30EFC1E569B10F836FE90608AB3093154F45C6D89CD88 |
| SSDEEP: | 24576:TdDnmG6ZvlbtECViqE7yigF7lnIjCHlK/hHKcwzqc:TpnmG6jtHvUyl71qslK/9kzqc |
MALICIOUS
Application was dropped or rewritten from another process
- utorrent_installer.exe (PID: 2460)
- utorrent_installer.exe (PID: 2556)
SUSPICIOUS
No suspicious indicators.INFO
Application was dropped or rewritten from another process
- utorrent_installer.tmp (PID: 3376)
- utorrent_installer.tmp (PID: 1220)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 1580)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1580)
Loads dropped or rewritten executable
- utorrent_installer.tmp (PID: 1220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
Total processes
55
Monitored processes
14
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 860 | "C:\Windows\System32\control.exe" SYSTEM | C:\Windows\System32\control.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Control Panel Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1220 | "C:\Users\admin\AppData\Local\Temp\is-091B3.tmp\utorrent_installer.tmp" /SL5="$801B0,874637,815104,C:\Users\admin\Desktop\utorrent_installer.exe" /SPAWNWND=$50146 /NOTIFYWND=$900F2 | C:\Users\admin\AppData\Local\Temp\is-091B3.tmp\utorrent_installer.tmp | utorrent_installer.exe | ||||||||||||
User: admin Company: Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 1580 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Downloads.zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2044 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\virtualbox-6_1_0-build-135406-extension-pack-repack-portable-by-dakov.torrent | C:\Windows\system32\rundll32.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2140 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\virtualbox-6_1_0-build-135406-extension-pack-repack-portable-by-dakov.torrent | C:\Windows\system32\rundll32.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2456 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2460 | "C:\Users\admin\Desktop\utorrent_installer.exe" | C:\Users\admin\Desktop\utorrent_installer.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Integrity Level: MEDIUM Description: µTorrent® Classic Exit code: 0 Version: 3.6 Modules
| |||||||||||||||
| 2556 | "C:\Users\admin\Desktop\utorrent_installer.exe" /SPAWNWND=$50146 /NOTIFYWND=$900F2 | C:\Users\admin\Desktop\utorrent_installer.exe | utorrent_installer.tmp | ||||||||||||
User: admin Company: Integrity Level: HIGH Description: µTorrent® Classic Exit code: 0 Version: 3.6 Modules
| |||||||||||||||
| 2792 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s | C:\Windows\system32\mmc.exe | CompMgmtLauncher.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Management Console Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2916 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
6 435
Read events
6 158
Write events
276
Delete events
1
Modification events
| (PID) Process: | (1580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (1580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (1580) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (1580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (1580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Downloads.zip | |||
| (PID) Process: | (1580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
Executable files
6
Suspicious files
0
Text files
5
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1580.7066\virtualbox-6_1_0-build-135406-extension-pack-repack-portable-by-dakov.torrent | torrent | |
MD5:— | SHA256:— | |||
| 1220 | utorrent_installer.tmp | C:\Users\admin\AppData\Local\Temp\is-V11P0.tmp\is-TGE2S.tmp | image | |
MD5:E58EF284DA2EFE6AB6211C3D8FAFEB79 | SHA256:4F2CB1BF59F233D027DA5FF5B48B485EB29A656B8EE9D607C6C3450E96AB4DB1 | |||
| 1220 | utorrent_installer.tmp | C:\Users\admin\AppData\Local\Temp\is-V11P0.tmp\uTorrent.exe | executable | |
MD5:4B4149C544EA79ACCC7CB55015FCC0FA | SHA256:761BE1C00F156CAA8D04DB5BD0E2F7B3F12FD0B4B9F29BD4E0AF13125F2E4646 | |||
| 1220 | utorrent_installer.tmp | C:\Users\admin\AppData\Local\Temp\is-V11P0.tmp\uTorrent.png | image | |
MD5:CD3F5B72F3ECC90E946A38E3822B1D99 | SHA256:F3ECA5D467E45C741E9A072AFF31BBA4DB5E91713631DBC4B735A6032FEF43E7 | |||
| 1220 | utorrent_installer.tmp | C:\Users\admin\AppData\Local\Temp\is-V11P0.tmp\is-BG4KK.tmp | executable | |
MD5:4B4149C544EA79ACCC7CB55015FCC0FA | SHA256:761BE1C00F156CAA8D04DB5BD0E2F7B3F12FD0B4B9F29BD4E0AF13125F2E4646 | |||
| 1220 | utorrent_installer.tmp | C:\Users\admin\AppData\Local\Temp\is-V11P0.tmp\Logo.png | image | |
MD5:5424804C80DB74E1304535141A5392C6 | SHA256:9B7E2EA77E518B50E5DD78E0FAEC509E791949A7C7F360A967C9EE204A8F1412 | |||
| 1580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1580.7066\utorrent_installer.exe | executable | |
MD5:— | SHA256:— | |||
| 2460 | utorrent_installer.exe | C:\Users\admin\AppData\Local\Temp\is-VT19G.tmp\utorrent_installer.tmp | executable | |
MD5:9A777CDC480689793142D6F078D8F0B5 | SHA256:C06E4C58F103D4F57495AECFA67C43380031C77C83FA4A040C72C51700376DF2 | |||
| 2556 | utorrent_installer.exe | C:\Users\admin\AppData\Local\Temp\is-091B3.tmp\utorrent_installer.tmp | executable | |
MD5:9A777CDC480689793142D6F078D8F0B5 | SHA256:C06E4C58F103D4F57495AECFA67C43380031C77C83FA4A040C72C51700376DF2 | |||
| 1220 | utorrent_installer.tmp | C:\Users\admin\AppData\Local\Temp\is-V11P0.tmp\AVAST.png | image | |
MD5:E58EF284DA2EFE6AB6211C3D8FAFEB79 | SHA256:4F2CB1BF59F233D027DA5FF5B48B485EB29A656B8EE9D607C6C3450E96AB4DB1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
9
DNS requests
5
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1220 | utorrent_installer.tmp | HEAD | 200 | 82.221.103.243:80 | http://download-new.utorrent.com/endpoint/utorrent/os/riserollout/track/stable | IS | — | — | whitelisted |
1220 | utorrent_installer.tmp | GET | 200 | 82.221.103.243:80 | http://download-new.utorrent.com/endpoint/utorrent/os/riserollout/track/stable | IS | executable | 16.0 Mb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1220 | utorrent_installer.tmp | 13.226.156.16:443 | d4w1kp01cnm54.cloudfront.net | AMAZON-02 | US | unknown |
1220 | utorrent_installer.tmp | 82.221.103.243:80 | download-new.utorrent.com | Advania Island ehf | IS | suspicious |
1220 | utorrent_installer.tmp | 13.32.23.42:443 | d4bohzj3dmv4j.cloudfront.net | AMAZON-02 | US | unknown |
1220 | utorrent_installer.tmp | 143.204.214.227:443 | d3cfdnjelz8u20.cloudfront.net | AMAZON-02 | US | unknown |
1220 | utorrent_installer.tmp | 65.9.58.107:443 | d4w1kp01cnm54.cloudfront.net | AMAZON-02 | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
d4w1kp01cnm54.cloudfront.net |
| whitelisted |
d3cfdnjelz8u20.cloudfront.net |
| whitelisted |
d4bohzj3dmv4j.cloudfront.net |
| whitelisted |
download-new.utorrent.com |
| whitelisted |
Threats
Process | Message |
|---|---|
mmc.exe | ViewerConfigPath = 'C:\ProgramData\Microsoft\Event Viewer': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
|
mmc.exe | ViewerAdminViewsPath = 'C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
|
mmc.exe | ViewerExternalLogsPath = 'C:\ProgramData\Microsoft\Event Viewer\ExternalLogs': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
|
mmc.exe | ViewerViewsFolderPath = 'C:\ProgramData\Microsoft\Event Viewer\Views': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
|
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerExtension
|