File name:	241122-ke7rfstlfr_pw_infected.zip
Full analysis:	https://app.any.run/tasks/2e9c2149-bd4a-45f2-b380-8bc039b51437
Verdict:	Malicious activity
Analysis date:	November 22, 2024 at 08:35:20
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
MD5:	DE1DDA02A0793892DFB634F1608BB7A2
SHA1:	898F2144D0706A301458805A0E8CE8FB7DA2E410
SHA256:	1437A63D1FDFB4C752EA400FE2E970CAAE0B222B130B7FD50EBB38F10290539D
SSDEEP:	393216:gRHznxBTjHbvvMtfd0E5a2x5Xoo6JFRdnbZ6CHGjaXxjbUKW6iiEk3dRdGuV:+HLxBPL655a2x9HCQaXxjba+7Rp

ZipFileName:	photo_for_you.png.exe
ZipUncompressedSize:	64592632
ZipCompressedSize:	61147271
ZipCRC:	0x00000000
ZipModifyDate:	1980:00:00 00:00:00
ZipCompression:	Unknown (99)
ZipBitFlag:	0x0009
ZipRequiredVersion:	20


(PID) Process:	(1224) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(1224) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(1224) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(1224) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\241122-ke7rfstlfr_pw_infected.zip
(PID) Process:	(1224) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(1224) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(1224) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(1224) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(1224) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(1224) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

PID	Process	Filename		Type
1224	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb1224.37489\photo_for_you.png.exe		—
		MD5:—	SHA256:—
3608	photo_for_you.png.exe	C:\winnit\wellknows.dll		—
		MD5:—	SHA256:—
3608	photo_for_you.png.exe	C:\winnit\pw\DLLs\pyc.ico		image
		MD5:B1C9980131A3F20E344AA3AA2C8DEA49	SHA256:FDA28A734788A3F175CB6AED4DAEB5F05F0E49F6A272CCD2051BA337F7B3B42F
3608	photo_for_you.png.exe	C:\winnit\vcruntime140.dll		executable
		MD5:49C96CECDA5C6C660A107D378FDFC3D4	SHA256:69320F278D90EFAAEB67E2A1B55E5B0543883125834C812C8D9C39676E0494FC
3608	photo_for_you.png.exe	C:\winnit\pw\DLLs\libcrypto-1_1.dll		executable
		MD5:4633D62F19C0B25318B1C612995F5C21	SHA256:47376D247AE6033BC30FEE4E52043D3762C1C0C177E3EC27CA46EFF4B95C69B0
3608	photo_for_you.png.exe	C:\winnit\vcruntime140_1.dll		executable
		MD5:CF0A1C4776FFE23ADA5E570FC36E39FE	SHA256:6FD366A691ED68430BCD0A3DE3D8D19A0CB2102952BFC140BBEF4354ED082C47
3608	photo_for_you.png.exe	C:\winnit\Qt5Widgets.dll		executable
		MD5:4CD1F8FDCD617932DB131C3688845EA8	SHA256:3788C669D4B645E5A576DE9FC77FCA776BF516D43C89143DC2CA28291BA14358
3608	photo_for_you.png.exe	C:\winnit\Qt5Core.dll		executable
		MD5:817520432A42EFA345B2D97F5C24510E	SHA256:8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
3608	photo_for_you.png.exe	C:\winnit\msvcp140_2.dll		executable
		MD5:E7A91F7C9D91F0F7857632436B121781	SHA256:63F1A20CB17EC5E0CA4EBEA870B68740F24E063E28B235C3C8B58A3D8F57A9C4
3608	photo_for_you.png.exe	C:\winnit\msvcp140_atomic_wait.dll		executable
		MD5:21F3417BBD33CBB9F1886E86C7240D1A	SHA256:7E02EFE075B7DD385992F621FDE34728EF7C2D4CF090B127B093D0835345F8FE

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4932	svchost.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4932	svchost.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	204	2.16.204.142:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4932	svchost.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4932	svchost.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1288	WerFault.exe	104.208.16.94:443	watson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6088	WerFault.exe	104.208.16.94:443	watson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5876	WerFault.exe	20.189.173.21:443	watson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
google.com	142.250.185.78	whitelisted
crl.microsoft.com	23.32.238.107 23.32.238.112	whitelisted
www.microsoft.com	2.23.181.156	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
self.events.data.microsoft.com	20.42.73.24	whitelisted
watson.events.data.microsoft.com	104.208.16.94 20.189.173.21	whitelisted
www.bing.com	2.16.204.135 2.16.204.134 2.16.204.155 2.16.204.160 2.16.204.161 2.16.204.152 2.16.204.153 2.16.204.157 2.16.204.138	whitelisted

General Info

241122-ke7rfstlfr_pw_infected.zip

DE1DDA02A0793892DFB634F1608BB7A2

898F2144D0706A301458805A0E8CE8FB7DA2E410

1437A63D1FDFB4C752EA400FE2E970CAAE0B222B130B7FD50EBB38F10290539D

393216:gRHznxBTjHbvvMtfd0E5a2x5Xoo6JFRdnbZ6CHGjaXxjbUKW6iiEk3dRdGuV:+HLxBPL655a2x9HCQaXxjba+7Rp

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Process drops legitimate windows executable

Executes application which crashes

Process drops python dynamic module

Executable content was dropped or overwritten

The process drops C-runtime libraries

INFO

Reads the computer name

Checks supported languages

Manual execution by a user

The process uses the downloaded file

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings