| Field | Value |
|---|---|
| File name: | Malware By Daniel.zip |
| Full analysis: | https://app.any.run/tasks/6c9399bc-8e39-4c2a-8603-b5197ee221b4 |
| Verdict: | Malicious activity |
| Analysis date: | January 13, 2024, 20:45:30 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 43A58BBEB934FF20C3F44D008A599D0C |
| SHA1: | F2254D46D90878DBB5EFA6D46B4196940403C064 |
| SHA256: | 124CAE7B0F4AB24EE031D05D63D50A9D316395ACF221424862A889C01C465259 |
| SSDEEP: | 98304:Rrsqlh2AuVaqS50WVxrnLtfcTIp7zSjEeHkPOYiAbwL9YwsAeZ7VwxUc3jaQPJ4A:rXe |
| Extension | Type |
|---|---|
| .zip | ZIP compressed archive (100) |

| Field | Value |
|---|---|
| ZipRequiredVersion: | 20 |
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:01:03 19:14:16 |
| ZipCRC: | 0x17dbc80c |
| ZipCompressedSize: | 1513423 |
| ZipUncompressedSize: | 2843136 |
| ZipFileName: | KarLocker.exe |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 188 | "C:\Users\admin\Desktop\KarLocker.exe" | C:\Users\admin\Desktop\KarLocker.exe | — | explorer.exe | admin | Synaptics | MEDIUM | Synaptics Pointing Device Driver | 0 | 1.0.0.4 |
| 1556 | C:\Users\admin\AppData\Local\Temp\\look2.exe | C:\Users\admin\AppData\Local\Temp\look2.exe | — | ._cache_KarLocker.exe | admin | — | HIGH | GradualChange Microsoft 基础类应用程序 | 0 | 1, 0, 0, 1 |
| 1572 | "C:\Users\admin\Desktop\._cache_KarLocker.exe" | C:\Users\admin\Desktop\._cache_KarLocker.exe | — | KarLocker.exe | admin | RuntimeBroker | HIGH | 应用程序 | 0 | 2.9.0.9 |
| 2044 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Malware By Daniel.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.91.0 |
| 2316 | C:\Users\admin\Desktop\HD_._cache_KarLocker.exe | C:\Users\admin\Desktop\HD_._cache_KarLocker.exe | — | ._cache_KarLocker.exe | admin | — | HIGH | — | 0 | 3, 3, 8, 1 |
| 2444 | "C:\Users\admin\Desktop\._cache_KarLocker.exe" | C:\Users\admin\Desktop\._cache_KarLocker.exe | — | KarLocker.exe | admin | RuntimeBroker | MEDIUM | 应用程序 | 3221226540 | 2.9.0.9 |
| 2540 | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | C:\ProgramData\Synaptics\Synaptics.exe | — | KarLocker.exe | admin | Synaptics | HIGH | Synaptics Pointing Device Driver | 0 | 1.0.0.4 |
| 3048 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Lock.Malware By Daniel.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 1 | 5.91.0 |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 2044 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList | en-US |
| 2044 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 3 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip |
| 2044 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\phacker.zip |
| 2044 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| 2044 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip |
| 2044 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120 |
| 2044 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80 |
| 2044 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120 |
| 2044 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100 |
| 2044 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.22987\SystemCrasher_ByDaniel.exe | executable | FE6BB808DFF8CB1A8571A1A07DBAFE89 | B14A43816BE48E5624A82BC768011389DAF67645AE8CFE2078A9EE523D8E8AFE |
| 188 | KarLocker.exe | C:\ProgramData\Synaptics\RCXBBAA.tmp | executable | 7F2B773E800695BB8AA856EFC68CB2EC | BDE8F42F4123D0293234471436E28CCFA1767FE5E5E8347EFA01927CD96C93D2 |
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2044.24771\KarLocker.exe | executable | 1F5C8839138ECA0E7BCD09521CCF0CBF | C9620268F0B6F80F8277CEE7C334DCA3EBDBFF37B7DF4790E6F3D75A49D8F84E |
| 188 | KarLocker.exe | C:\ProgramData\Synaptics\Synaptics.exe | executable | 1F5C8839138ECA0E7BCD09521CCF0CBF | C9620268F0B6F80F8277CEE7C334DCA3EBDBFF37B7DF4790E6F3D75A49D8F84E |
| 1572 | ._cache_KarLocker.exe | C:\Users\admin\Desktop\HD_._cache_KarLocker.exe | executable | 688CBA9C88F928B0CF854B43E97BEC75 | 481509A67F836E3826FD7835CDED0619A1491ED914152D893C6D8AC950445F4F |
| 1572 | ._cache_KarLocker.exe | C:\Users\admin\AppData\Local\Temp\X.ico | image | 19A4753D96C664D3FCAB30A110B16C33 | 936331AEA7A9B6773381C4C7CB50E69718D8DB0A7D9D04E77839B9C2C48CB34A |
| 1572 | ._cache_KarLocker.exe | C:\Users\admin\AppData\Local\Temp\HD_X.dat | executable | BD22300E6D8CCA290FA9290DE8F482CF | 1F23FD7C5A8EAC4FBC6B71567FB6666308FD698294352F80874DF23EA8BE4F74 |
| 1556 | look2.exe | C:\Windows\system32\ini.ini | text | F94DBFF964C8D4BACF4B824E3878EC36 | 16BC3EE6C4D945038BEDA75578E518C2C3BEDDCF394FC283C276BA4FFAD7D171 |
| 1572 | ._cache_KarLocker.exe | C:\Users\admin\AppData\Local\Temp\look2.exe | executable | 2F3B6F16E33E28AD75F3FDAEF2567807 | 86492EBF2D6F471A5EE92977318D099B3EA86175B5B7AE522237AE01D07A4857 |
| 1556 | look2.exe | C:\Windows\system32\965562.bat | executable | B5F251A706F8C7F833EE76A0ADF5ED05 | 5050F2D5EBEBCA1F53F67C489D6FE72296DBA2DC67938583E4B18DC9A88D8089 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2540 | Synaptics.exe | GET | 200 | 174.128.246.100:80 | http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 | unknown | text | 31 b | unknown |
| 2540 | Synaptics.exe | GET | 200 | 184.25.51.121:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e924c2e889c6870d | unknown | compressed | 4.66 Kb | unknown |
| 2540 | Synaptics.exe | GET | 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCc21SZGmxMgAqM79mihzX3 | unknown | binary | 472 b | unknown |
| 2540 | Synaptics.exe | GET | 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | unknown | binary | 724 b | unknown |
| 2540 | Synaptics.exe | GET | 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEEkmJh4vi%2F2BCV%2F%2FttUhx%2BQ%3D | unknown | binary | 471 b | unknown |
| 2540 | Synaptics.exe | GET | 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 2540 | Synaptics.exe | 174.128.246.100:80 | freedns.afraid.org | ST-BGP | US | unknown |
| 2540 | Synaptics.exe | 142.250.186.78:443 | docs.google.com | GOOGLE | US | whitelisted |
| 2540 | Synaptics.exe | 184.25.51.121:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
| 2540 | Synaptics.exe | 142.250.185.163:80 | ocsp.pki.goog | GOOGLE | US | whitelisted |
| 2540 | Synaptics.exe | 142.250.184.193:443 | drive.usercontent.google.com | GOOGLE | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| kinh.xmcxmr.com | | unknown |
| xred.mooo.com | | unknown |
| freedns.afraid.org | | whitelisted |
| docs.google.com | | shared |
| ctldl.windowsupdate.com | | whitelisted |
| ocsp.pki.goog | | whitelisted |
| drive.usercontent.google.com | | unknown |
| PID | Process | Class | Message |
|---|---|---|---|
| 1080 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com |