| File name: | Quarantined Messages (17).zip |
| Full analysis: | https://app.any.run/tasks/02b37339-6aff-47f5-942e-e84c487ccab5 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | November 30, 2023, 11:59:28 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v4.5 to extract |
| MD5: | 938BC47F60A1DC78E2DCE9F6A1309871 |
| SHA1: | 31D792688B49F6D8736713C7CA732CB1D024EC95 |
| SHA256: | 38A92225E77EED1552F88E5B499E41E739E1592FCEBCAE7B4142BA57455DBC73 |
| SSDEEP: | 768:cEiJp4Dr0ulx8uoZnj74su0LtGnVsv8M5uz/QyjC29+vWOBJs:Kp4r0ulx8F5j74suSa8JkZCkeW8Js |
MALICIOUS
Equation Editor starts application (CVE-2017-11882)
- EQNEDT32.EXE (PID: 304)
Drops the executable file immediately after the start
- EQNEDT32.EXE (PID: 304)
- chungoilsehj576.exe (PID: 3512)
Suspicious connection from the Equation Editor
- EQNEDT32.EXE (PID: 304)
SUSPICIOUS
Application launched itself
- WINWORD.EXE (PID: 3776)
- chungoilsehj576.exe (PID: 3296)
- chungoilsehj576.exe (PID: 3600)
Reads Microsoft Outlook installation path
- WinRAR.exe (PID: 2692)
Reads the Internet Settings
- EQNEDT32.EXE (PID: 304)
- eventvwr.exe (PID: 4040)
- chungoilsehj576.exe (PID: 3312)
- chungoilsehj576.exe (PID: 3512)
Process drops legitimate windows executable
- EQNEDT32.EXE (PID: 304)
- chungoilsehj576.exe (PID: 3512)
Process requests binary or script from the Internet
- EQNEDT32.EXE (PID: 304)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 3644)
Executing commands from a ".bat" file
- chungoilsehj576.exe (PID: 3512)
Starts CMD.EXE for commands execution
- chungoilsehj576.exe (PID: 3512)
INFO
The process uses the downloaded file
- WINWORD.EXE (PID: 3776)
- OUTLOOK.EXE (PID: 2748)
Reads the computer name
- wmpnscfg.exe (PID: 3372)
- EQNEDT32.EXE (PID: 304)
- chungoilsehj576.exe (PID: 3296)
- chungoilsehj576.exe (PID: 3312)
- chungoilsehj576.exe (PID: 3600)
- Windows Sessions Pause.exe (PID: 3556)
- chungoilsehj576.exe (PID: 3512)
Checks supported languages
- wmpnscfg.exe (PID: 3372)
- EQNEDT32.EXE (PID: 304)
- chungoilsehj576.exe (PID: 3296)
- chungoilsehj576.exe (PID: 3312)
- chungoilsehj576.exe (PID: 3600)
- chungoilsehj576.exe (PID: 3512)
- Windows Sessions Pause.exe (PID: 3556)
Manual execution by a user
- wmpnscfg.exe (PID: 3372)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 3372)
- EQNEDT32.EXE (PID: 304)
- chungoilsehj576.exe (PID: 3296)
- chungoilsehj576.exe (PID: 3600)
- Windows Sessions Pause.exe (PID: 3556)
Checks proxy server information
- EQNEDT32.EXE (PID: 304)
Creates files or folders in the user directory
- EQNEDT32.EXE (PID: 304)
Reads product name
- chungoilsehj576.exe (PID: 3312)
- chungoilsehj576.exe (PID: 3512)
Reads Environment values
- chungoilsehj576.exe (PID: 3312)
- chungoilsehj576.exe (PID: 3512)
Create files in a temporary directory
- chungoilsehj576.exe (PID: 3512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 45 |
|---|---|
| ZipBitFlag: | 0x0009 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2023:10:19 05:52:44 |
| ZipCRC: | 0x8a55f047 |
| ZipCompressedSize: | 4294967295 |
| ZipUncompressedSize: | 4294967295 |
| ZipFileName: | bb373967-2908-4604-a2c9-08dbd0587beb/fc99e402-3a4f-8b69-be37-52c3ea811817.eml |
Total processes
58
Monitored processes
15
Malicious processes
2
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 304 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | ||||||||||||
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 Modules
| |||||||||||||||
| 2692 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Quarantined Messages (17).zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2748 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Rar$DIb2692.6303\fc99e402-3a4f-8b69-be37-52c3ea811817.eml" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | WinRAR.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 Modules
| |||||||||||||||
| 3296 | "C:\Users\admin\AppData\Roaming\chungoilsehj576.exe" | C:\Users\admin\AppData\Roaming\chungoilsehj576.exe | — | EQNEDT32.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Accessibility Shortcut Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3312 | "C:\Users\admin\AppData\Roaming\chungoilsehj576.exe" | C:\Users\admin\AppData\Roaming\chungoilsehj576.exe | — | chungoilsehj576.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Accessibility Shortcut Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3372 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3500 | PING 127.0.0.1 -n 2 | C:\Windows\System32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3512 | "C:\Users\admin\AppData\Roaming\chungoilsehj576.exe" | C:\Users\admin\AppData\Roaming\chungoilsehj576.exe | — | chungoilsehj576.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Accessibility Shortcut Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3556 | "C:\Windows\Microsoft Media Session\Windows Sessions Pause.exe" | C:\Windows\Microsoft Media Session\Windows Sessions Pause.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Accessibility Shortcut Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3572 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | chungoilsehj576.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
11 411
Read events
10 409
Write events
816
Delete events
186
Modification events
| (PID) Process: | (2692) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2692) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (2692) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2692) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (2692) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2692) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2692) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2692) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2748) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (2748) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1041 |
Value: On | |||
Executable files
3
Suspicious files
6
Text files
9
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2748 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR146A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2748 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
| 3776 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR339A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2748 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{17AE94FC-393E-4FBD-89F9-8CC0AE597338}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png | image | |
MD5:4C61C12EDBC453D7AE184976E95258E1 | SHA256:296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F | |||
| 2692 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb2692.6303\fc99e402-3a4f-8b69-be37-52c3ea811817.eml | binary | |
MD5:CA8B169E135460459D7C37B3A47A8477 | SHA256:7D42977D131FFD514DB676FA219AEAE2531B60262451E7B60D47E597653B4585 | |||
| 2748 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\XIALDWBW\UPIT.doc | text | |
MD5:D1C6F93835B8E863A87CE99294F33F06 | SHA256:84DAE1821A11E8030F97B65AB3DE20E320E260B78B575E7DA12EBB25A94C40B7 | |||
| 2748 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\XIALDWBW\UPIT (2).doc:Zone.Identifier:$DATA | text | |
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B | SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 | |||
| 2748 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | binary | |
MD5:1A90F0B1AC068DFA24E8CAC3C1A0D0E1 | SHA256:59A3B365998A67BD5AC86E47F0DBADAD32F51E70BEC4BC4C1BBA319BC293EDDD | |||
| 2748 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\XIALDWBW\UPIT.doc:Zone.Identifier | text | |
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B | SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 | |||
| 3924 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_8D7B4489-23C9-4033-A4FA-3314A3DD3C6E.0\~WRF{560CA460-1E57-453B-8F01-494B3780A38B}.tmp | binary | |
MD5:54AC76C18897602ADDDDD3D3C9DF0C1E | SHA256:271F8992C54F650F9EFCAB7B09DE8E7BF3EE93540933981A13ABC0A30830383E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
4
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
304 | EQNEDT32.EXE | GET | 200 | 188.114.97.3:80 | http://fresh1.ironoreprod.top/_errorpages/chungzx.exe | unknown | executable | 542 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2748 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
868 | svchost.exe | 95.101.148.135:80 | armmf.adobe.com | Akamai International B.V. | NL | unknown |
304 | EQNEDT32.EXE | 188.114.97.3:80 | fresh1.ironoreprod.top | CLOUDFLARENET | NL | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
config.messenger.msn.com |
| whitelisted |
armmf.adobe.com |
| whitelisted |
fresh1.ironoreprod.top |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
304 | EQNEDT32.EXE | A Network Trojan was detected | ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
304 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
304 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
304 | EQNEDT32.EXE | Misc activity | ET HUNTING Possible EXE Download From Suspicious TLD |