| File name: | Frija-v1.4.4.zip |
| Full analysis: | https://app.any.run/tasks/f3c3cb67-f583-4aac-8c30-864c05bc0467 |
| Verdict: | Malicious activity |
| Analysis date: | June 19, 2023, 22:09:55 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | FBBC4955286F499607DC25205B872537 |
| SHA1: | FE956FEC7FDEAEF4510C60E839AF60B61DDEC5D1 |
| SHA256: | 1067F48DE201E26596F473613CB2CEAC31F1A10550CE6AE352827CCE9FA23161 |
| SSDEEP: | 196608:T4QmyYs+FO+RoZRaKinZL/sYCksh8JopN:T4IcFOVRQW3ksRpN |
MALICIOUS
Application was dropped or rewritten from another process
- Frija.exe (PID: 3264)
- Frija.exe (PID: 3724)
SUSPICIOUS
Reads the Internet Settings
- Frija.exe (PID: 3264)
- Frija.exe (PID: 3724)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1116)
Reads the computer name
- Frija.exe (PID: 3264)
- Frija.exe (PID: 3724)
Checks supported languages
- Frija.exe (PID: 3264)
- Frija.exe (PID: 3724)
Reads the machine GUID from the registry
- Frija.exe (PID: 3264)
- Frija.exe (PID: 3724)
Manual execution by a user
- Frija.exe (PID: 3264)
- Frija.exe (PID: 3724)
The process checks LSA protection
- Frija.exe (PID: 3264)
- Frija.exe (PID: 3724)
- wisptis.exe (PID: 372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipFileName: | AgentModule.dll |
|---|---|
| ZipUncompressedSize: | 2142384 |
| ZipCompressedSize: | 2085244 |
| ZipCRC: | 0xfac42f87 |
| ZipModifyDate: | 2021:09:04 19:40:54 |
| ZipCompression: | Deflated |
| ZipBitFlag: | - |
| ZipRequiredVersion: | 20 |
Total processes
45
Monitored processes
5
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 372 | "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch; | C:\Windows\System32\wisptis.exe | Frija.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Pen and Touch Input Component Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1116 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Frija-v1.4.4.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2120 | "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch; | C:\Windows\System32\wisptis.exe | — | Frija.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Pen and Touch Input Component Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3264 | "C:\Users\admin\Desktop\Frija.exe" | C:\Users\admin\Desktop\Frija.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Frija Exit code: 3762504530 Version: 1.4.4 Modules
| |||||||||||||||
| 3724 | "C:\Users\admin\Desktop\Frija.exe" | C:\Users\admin\Desktop\Frija.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Frija Exit code: 0 Version: 1.4.4 Modules
| |||||||||||||||
Total events
2 316
Read events
2 279
Write events
37
Delete events
0
Modification events
| (PID) Process: | (1116) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (1116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (1116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (1116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (1116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 | |||
| (PID) Process: | (1116) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\General |
| Operation: | write | Name: | LastFolder |
Value: C:\Users\admin\Desktop | |||
Executable files
4
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1116 | WinRAR.exe | C:\Users\admin\Desktop\Frija.exe | executable | |
MD5:7AD6414302660661B16A7753B5E3C409 | SHA256:76C6E277C9E2D167FCFCF4077D13481111C1750909CDAEFB195480609BC16516 | |||
| 1116 | WinRAR.exe | C:\Users\admin\Desktop\AgentModule.dll | executable | |
MD5:73CFC7A409101D5635E8042BCDF5C6C7 | SHA256:D46F87B767DC82BF9A180BB2A981058909FF65CF0DE6EDFBC917CBAC0F719F67 | |||
| 1116 | WinRAR.exe | C:\Users\admin\Desktop\GlobalUtil.dll | executable | |
MD5:E067119015B8C3B03BBB2D0E747FF4D7 | SHA256:B485839FB3FF94A9E47C385C01B0D463EF17228DEDF9AEE7B3DD06E5510B00F8 | |||
| 1116 | WinRAR.exe | C:\Users\admin\Desktop\CommonModule.dll | executable | |
MD5:EDA386546817F68607FC7F3361C89EAC | SHA256:44D33F4DACFC4BAC2D56A49194CA4D40BC3E3F72478CD20ED696B1D3F110CC96 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1076 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1476 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2476 | WerFault.exe | 52.182.143.212:443 | watson.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
watson.microsoft.com |
| whitelisted |