| File name: | Delta.zip |
| Full analysis: | https://app.any.run/tasks/4e8361b2-6685-4a8b-b424-8d00626ddf1f |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 28, 2024, 21:04:12 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 9C8EC43ACEB462D8BC29A82FB55D113F |
| SHA1: | 21BD31A8E85FFB7317C6FB48C8278A351EABA11F |
| SHA256: | 27817CB00DB5746496C10138655BEDDB88F5733866452BE4BBD51481DBB4A08D |
| SSDEEP: | 24576:jEM/KBdIA4XfalUoskVSSmGSJFN/qS7r78pTLDdhAgKP:jEM/KBdIA4XylUoskVSWSJFN/qS7XeTM |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3956)
- Delta.exe (PID: 312)
SUSPICIOUS
Uses ICACLS.EXE to modify access control lists
- cmd.exe (PID: 4040)
- cmd.exe (PID: 2136)
The process executes VB scripts
- cmd.exe (PID: 4040)
Reads the Internet Settings
- cmd.exe (PID: 4040)
- wscript.exe (PID: 2072)
- Delta.exe (PID: 312)
- Nzg4.exe (PID: 2860)
- Nzg4.exe (PID: 3532)
- control.exe (PID: 3916)
Executing commands from a ".bat" file
- wscript.exe (PID: 2072)
Runs shell command (SCRIPT)
- wscript.exe (PID: 2072)
Starts CMD.EXE for commands execution
- wscript.exe (PID: 2072)
- Setup.exe (PID: 2796)
- Setup.exe (PID: 3248)
- cmd.exe (PID: 2820)
- cmd.exe (PID: 3420)
Reads security settings of Internet Explorer
- Delta.exe (PID: 312)
- Nzg4.exe (PID: 2860)
- Nzg4.exe (PID: 3532)
Checks for external IP
- Delta.exe (PID: 312)
- Nzg4.exe (PID: 2860)
- Nzg4.exe (PID: 3532)
Device Retrieving External IP Address Detected
- Delta.exe (PID: 312)
- Nzg4.exe (PID: 2860)
- Nzg4.exe (PID: 3532)
Potential Corporate Privacy Violation
- Delta.exe (PID: 312)
- Nzg4.exe (PID: 2860)
- Nzg4.exe (PID: 3532)
Executable content was dropped or overwritten
- Delta.exe (PID: 312)
Checks Windows Trust Settings
- Delta.exe (PID: 312)
- Nzg4.exe (PID: 2860)
- Nzg4.exe (PID: 3532)
Reads settings of System Certificates
- Delta.exe (PID: 312)
- Nzg4.exe (PID: 2860)
- Nzg4.exe (PID: 3532)
Connects to the server without a host name
- Delta.exe (PID: 312)
- Nzg4.exe (PID: 2860)
- Nzg4.exe (PID: 3532)
Executing commands from ".cmd" file
- Setup.exe (PID: 2796)
- Setup.exe (PID: 3248)
Application launched itself
- cmd.exe (PID: 2820)
- cmd.exe (PID: 3420)
Uses RUNDLL32.EXE to load library
- control.exe (PID: 3916)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3956)
Manual execution by a user
- cmd.exe (PID: 4040)
- wmpnscfg.exe (PID: 1988)
- Setup.exe (PID: 2796)
- explorer.exe (PID: 1824)
- Setup.exe (PID: 2748)
- Setup.exe (PID: 3248)
- control.exe (PID: 3916)
Checks supported languages
- Delta.exe (PID: 312)
- wmpnscfg.exe (PID: 1988)
- Nzg4.exe (PID: 2860)
- Nzg4.exe (PID: 3532)
Reads the computer name
- Delta.exe (PID: 312)
- wmpnscfg.exe (PID: 1988)
- Nzg4.exe (PID: 2860)
- Nzg4.exe (PID: 3532)
Checks proxy server information
- Delta.exe (PID: 312)
- Nzg4.exe (PID: 2860)
- Nzg4.exe (PID: 3532)
Reads the machine GUID from the registry
- Delta.exe (PID: 312)
- Nzg4.exe (PID: 2860)
- Nzg4.exe (PID: 3532)
Creates files or folders in the user directory
- Delta.exe (PID: 312)
- Nzg4.exe (PID: 2860)
- Nzg4.exe (PID: 3532)
Reads the software policy settings
- Delta.exe (PID: 312)
- Nzg4.exe (PID: 2860)
- Nzg4.exe (PID: 3532)
Creates files in the program directory
- Delta.exe (PID: 312)
Checks transactions between databases Windows and Oracle
- rundll32.exe (PID: 3780)
Reads security settings of Internet Explorer
- control.exe (PID: 3916)
Reads the time zone
- rundll32.exe (PID: 3780)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:04:17 12:27:26 |
| ZipCRC: | 0x25797ea0 |
| ZipCompressedSize: | 72896 |
| ZipUncompressedSize: | 154550 |
| ZipFileName: | config |
Total processes
98
Monitored processes
25
Malicious processes
10
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 112 | C:\Windows\system32\DllHost.exe /Processid:{9DF523B0-A6C0-4EA9-B5F1-F4565C3AC8B8} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 312 | Delta.exe config | C:\Users\admin\Desktop\Delta.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1592 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\System32\mmc.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Management Console Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1628 | "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system" | C:\Windows\System32\cacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Control ACLs Program Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1824 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1988 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2072 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\getadmin.vbs" | C:\Windows\System32\wscript.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 2136 | "C:\Windows\System32\cmd.exe" /c C:\Users\admin\Desktop\DELTAI~1.BAT | C:\Windows\System32\cmd.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2336 | schtasks /create /sc daily /st 13:21 /f /tn WindowsSetup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest | C:\Windows\System32\schtasks.exe | — | Delta.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2732 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
20 779
Read events
20 573
Write events
183
Delete events
23
Modification events
| (PID) Process: | (3956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3956) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Delta.zip | |||
| (PID) Process: | (3956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
4
Suspicious files
5
Text files
4
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3956 | WinRAR.exe | C:\Users\admin\Desktop\Delta.exe | executable | |
MD5:DD98A43CB27EFD5BCC29EFB23FDD6CA5 | SHA256:1CF20B8449EA84C684822A5E8AB3672213072DB8267061537D1CE4EC2C30C42A | |||
| 3956 | WinRAR.exe | C:\Users\admin\Desktop\config | binary | |
MD5:ED7447103B42FF9793A8581A4812B756 | SHA256:1B53A280C16922C293849E5C902D4F9C16F0F0B8CDD332D2DF22BD00F01657D6 | |||
| 4040 | cmd.exe | C:\Users\admin\AppData\Local\Temp\getadmin.vbs | text | |
MD5:D14A6C18536B08C2D91CC10129CEC2CA | SHA256:88F0E55BE41422957E8F4FEC8CAF0F9ED4E68D1F0290171BA8F4BD26C19FA17D | |||
| 312 | Delta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\json[1].json | binary | |
MD5:23FAAB340D7EB18A23DD6855786FBAA1 | SHA256:4C08415BBCA94C7BFE8D0692C19C026C9DDE03302BBD52FAAC7BF75D09CA48C9 | |||
| 312 | Delta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:F4FFBE48FF43F7F0FBAABF0EBFE6BBE9 | SHA256:F4BE2CA4570903E73B65E676EC67D2F92DA6377236F77113215CC3AA3F6BDAE9 | |||
| 3956 | WinRAR.exe | C:\Users\admin\Desktop\DeltaInstaller.bat | text | |
MD5:51DFCD466DC358D53AF79757929DE943 | SHA256:8E87EAA40D7E13010E91BA80605DC367F4AF43B71ADF9D9452D659828F867446 | |||
| 1592 | mmc.exe | C:\Users\admin\AppData\Roaming\Microsoft\MMC\taskschd | xml | |
MD5:B883521AFEAA277C64BD360F9ACCAF39 | SHA256:D4F2FE310CC01FD55436547FB1544AFA4E0C78EA73591808934BF6AC11766492 | |||
| 3956 | WinRAR.exe | C:\Users\admin\Desktop\lua51.dll | executable | |
MD5:3DFF7448B43FCFB4DC65E0040B0FFB88 | SHA256:FF976F6E965E3793E278FA9BF5E80B9B226A0B3932B9DA764BFFC8E41E6CDB60 | |||
| 312 | Delta.exe | C:\ProgramData\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\lua51.dll | executable | |
MD5:3DFF7448B43FCFB4DC65E0040B0FFB88 | SHA256:FF976F6E965E3793E278FA9BF5E80B9B226A0B3932B9DA764BFFC8E41E6CDB60 | |||
| 312 | Delta.exe | C:\ProgramData\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\config | binary | |
MD5:ED7447103B42FF9793A8581A4812B756 | SHA256:1B53A280C16922C293849E5C902D4F9C16F0F0B8CDD332D2DF22BD00F01657D6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
23
DNS requests
10
Threats
16
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
312 | Delta.exe | GET | 304 | 178.79.238.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?76314e3a46b84321 | unknown | — | — | unknown |
312 | Delta.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/?fields=query,status,countryCode,city,timezone | unknown | — | — | unknown |
312 | Delta.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | — | — | unknown |
312 | Delta.exe | PUT | 200 | 80.66.89.165:80 | http://80.66.89.165/loader/screen/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms | unknown | — | — | unknown |
2860 | Nzg4.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/?fields=query,status,countryCode,city,timezone | unknown | — | — | unknown |
2860 | Nzg4.exe | PUT | 200 | 80.66.89.165:80 | http://80.66.89.165/loader/screen/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms | unknown | — | — | unknown |
1368 | Nzg4.exe | GET | 304 | 87.248.205.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5c719e0b3411d0a5 | unknown | — | — | unknown |
3532 | Nzg4.exe | PUT | 200 | 80.66.89.165:80 | http://80.66.89.165/loader/screen/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms | unknown | — | — | unknown |
3532 | Nzg4.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/?fields=query,status,countryCode,city,timezone | unknown | — | — | unknown |
1368 | Nzg4.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/?fields=query,status,countryCode,city,timezone | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
312 | Delta.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown |
312 | Delta.exe | 2.19.45.226:443 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
312 | Delta.exe | 178.79.238.128:80 | ctldl.windowsupdate.com | LLNW | FR | unknown |
312 | Delta.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
312 | Delta.exe | 80.66.89.165:80 | — | Megacom-it LLC | RU | unknown |
2860 | Nzg4.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
ip-api.com |
| shared |
www.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
312 | Delta.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
312 | Delta.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com |
— | — | A Network Trojan was detected | LOADER [ANY.RUN] SmartLoader Check-in |
— | — | A Network Trojan was detected | ET MALWARE SmartLoader CnC Exfil (screen.bmp) |
2860 | Nzg4.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
2860 | Nzg4.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com |
— | — | A Network Trojan was detected | LOADER [ANY.RUN] SmartLoader Check-in |
— | — | A Network Trojan was detected | ET MALWARE SmartLoader CnC Exfil (screen.bmp) |
3532 | Nzg4.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
3532 | Nzg4.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com |
Process | Message |
|---|---|
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|