analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

INFO-163.zip

Full analysis: https://app.any.run/tasks/281f0d37-7736-40c8-8aad-7039b9523f35
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 27, 2022, 09:32:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

4DF6E412930C71C20021C33E542E0BE6

SHA1:

6EE63ADFA02CCD51DAB106BB9CD95FAAA5CC5178

SHA256:

2F6F21CB1810D69F61D3E30AD809E9B1798425DF687A3ADAEBFF5893FE03AC45

SSDEEP:

384:I0lxx4gByauDysu3VA/3gfofcLp988ZGQCnikOd543OkFkOZePdvYB9:I0vumIysulg3KofIU8iik4bkCtPRG9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 1412)

    • Registers / Runs the DLL via REGSVR32.EXE

      • EXCEL.EXE (PID: 1412)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 1412)

    • Drops executable file immediately after starts

      • EXCEL.EXE (PID: 1412)

  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 1912)

    • Checks supported languages

      • WinRAR.exe (PID: 1912)

    • Reads default file associations for system extensions

      • WinRAR.exe (PID: 1912)
      • EXCEL.EXE (PID: 1412)

    • Drops a file with a compile date too recent

      • EXCEL.EXE (PID: 1412)

  • INFO

    • Checks supported languages

      • EXCEL.EXE (PID: 1412)
      • regsvr32.exe (PID: 2924)
      • regsvr32.exe (PID: 2600)
      • regsvr32.exe (PID: 3188)
      • regsvr32.exe (PID: 3696)

    • Manual execution by user

      • EXCEL.EXE (PID: 1412)

    • Reads the computer name

      • EXCEL.EXE (PID: 1412)

    • Reads settings of System Certificates

      • EXCEL.EXE (PID: 1412)

    • Checks Windows Trust Settings

      • EXCEL.EXE (PID: 1412)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 1412)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 1412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: INFO-163.xls
ZipUncompressedSize: 56832
ZipCompressedSize: 18584
ZipCRC: 0xd9f141dd
ZipModifyDate: 2022:06:23 06:05:01
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 788
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs excel.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1912"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\INFO-163.zip"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
1412"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2600C:\Windows\System32\regsvr32.exe /S ..\udh1.ocxC:\Windows\System32\regsvr32.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2924C:\Windows\System32\regsvr32.exe /S ..\udh2.ocxC:\Windows\System32\regsvr32.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3188C:\Windows\System32\regsvr32.exe /S ..\udh3.ocxC:\Windows\System32\regsvr32.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3696C:\Windows\System32\regsvr32.exe /S ..\udh4.ocxC:\Windows\System32\regsvr32.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
6 889
Read events
6 790
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
7
Text files
4
Unknown types
6

Dropped files

PID
Process
Filename
Type
1412EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR2627.tmp.cvr
MD5:
SHA256:
1912WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb1912.49063\INFO-163.xlsdocument
MD5:CEB04B9FFFCA2E2829AD38EB2759F6AF
SHA256:7E55B39E29FA0280E14BA6408A88DBC7D7BB2F058FE99344D21AF0282D4249BD
1412EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\INFO-163.xls.LNKlnk
MD5:5E1A42B416D5081CE46EC30844A359A4
SHA256:74B781907B0E83831A49311CEEE57F27BE9B1F14CFDB4B7299B430E254F92751
1412EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:4175646A77F35DAB2E18564651D72BD2
SHA256:9A879F270A163B5C32E25CA217372D85F7C2DB7F01A92C7C250DC87B40EBD454
1412EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\RIF3M0MK.txttext
MD5:BCCC35DC03BB7705C0CE6C019D41851C
SHA256:D412258C818565361105C363A5C8BC1FDCAEFE344221F6B8BF5F6CDE56C792A5
1412EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ylFl65q3TGb4nYg54l[1].dllexecutable
MD5:4695CB531CA642AD37A992E58FF3ADB7
SHA256:085BC6DFE86BADCF40D28859BE06E430220B991520627722A24E5163F51B7195
1412EXCEL.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_BE5F1D4616591A9612527397E32D55B4der
MD5:BA09605F0A5BD8E7B32B36FFDC397006
SHA256:7CF4EFD4904E10D76C7FCA5BF0989AE8CE1B5DFDBAFB8413EDCE8246ACF861FF
1412EXCEL.EXEC:\Users\admin\udh3.ocxexecutable
MD5:16B919B6695E686CF4E46043FE1C52C5
SHA256:05734435F29C9693BB8066C86938201A21555F5CB4F10D4497B8BFE26BA9FA12
1412EXCEL.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:DF38F27F568F63A710B1F4AB3FE73437
SHA256:21E3C367B4BC7F81B1224761BAEDBB20D53D059E6ACBE7C3249AF4AFC9BB6C2A
1412EXCEL.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDAbinary
MD5:05F25C10A18B50C5768E7CFAA5542B91
SHA256:3958763E1FBBABA3BFD1B8493A8BC0845DA2F825C00F8A56DC40D5B4004787EE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
12
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1412
EXCEL.EXE
GET
200
104.18.32.68:80
http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY
US
der
728 b
whitelisted
1412
EXCEL.EXE
GET
200
104.18.32.68:80
http://crl.comodoca.com/AAACertificateServices.crl
US
der
506 b
whitelisted
1412
EXCEL.EXE
GET
200
104.18.21.226:80
http://ocsp2.globalsign.com/rootr3/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDkjKgXn4PopC8%2FXN4rE%2F
US
der
1.40 Kb
whitelisted
1412
EXCEL.EXE
GET
200
23.216.77.80:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c9a7539c60988d2e
US
compressed
4.70 Kb
whitelisted
1412
EXCEL.EXE
GET
200
172.64.155.188:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D
US
der
471 b
whitelisted
1412
EXCEL.EXE
GET
200
216.219.81.50:80
http://balticcontrolbd.com/images/GG1d8an/
US
executable
667 Kb
suspicious
1412
EXCEL.EXE
GET
200
5.57.224.148:80
http://cabans.com/CeudWYRQEzZgrHPcI/yKANkXfH/
ES
executable
667 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1412
EXCEL.EXE
104.18.32.68:80
ocsp.comodoca.com
Cloudflare Inc
US
suspicious
1412
EXCEL.EXE
104.18.21.226:80
ocsp2.globalsign.com
Cloudflare Inc
US
shared
1412
EXCEL.EXE
23.216.77.80:80
ctldl.windowsupdate.com
NTT DOCOMO, INC.
US
suspicious
1412
EXCEL.EXE
34.192.42.163:443
cheffsys.com
Amazon.com, Inc.
US
unknown
1412
EXCEL.EXE
203.175.171.51:443
www.rec-escape.com
SG.GS
SG
unknown
1412
EXCEL.EXE
216.219.81.50:80
balticcontrolbd.com
NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
US
suspicious
1412
EXCEL.EXE
172.64.155.188:80
ocsp.comodoca.com
US
suspicious
1412
EXCEL.EXE
5.57.224.148:80
cabans.com
ServiHosting Networks S.L.
ES
malicious

DNS requests

Domain
IP
Reputation
www.rec-escape.com
  • 203.175.171.51
unknown
ctldl.windowsupdate.com
  • 23.216.77.80
  • 23.216.77.69
whitelisted
ocsp.comodoca.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
crl.comodoca.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
cheffsys.com
  • 34.192.42.163
unknown
ocsp2.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
balticcontrolbd.com
  • 216.219.81.50
suspicious
cabans.com
  • 5.57.224.148
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
1412
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1412
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
1412
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
1412
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1412
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
1412
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
INFO-163.zip