| File name: | Software.zip |
| Full analysis: | https://app.any.run/tasks/55617b07-faab-4fba-a161-8b0ef0e54fb1 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | March 24, 2025, 09:07:25 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 67DFB679FF9FE2B314AF86844F5EA1C8 |
| SHA1: | 7367EF2B7836682F248BBC97539E9E9E67D92A20 |
| SHA256: | 3A2F83A62307345BBF273A4292F190636E09110162C7F12A51CB98018C17F27A |
| SSDEEP: | 12288:g1wmmLko5+EYccO+2p8tAnULwa8RoaZuvlZv/vDuWnJ:MwmmLkQfYc9+2pLnU0a8LZuvlZ/vDuKJ |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 6728)
SMARTLOADER has been found (auto)
- WinRAR.exe (PID: 6728)
SMARTLOADER has been detected
- cmd.exe (PID: 6644)
Connects to the CnC server
- luajit.exe (PID: 5776)
SMARTLOADER has been detected (SURICATA)
- luajit.exe (PID: 5776)
SUSPICIOUS
Reads security settings of Internet Explorer
- luajit.exe (PID: 5776)
- ShellExperienceHost.exe (PID: 2692)
Checks for external IP
- svchost.exe (PID: 2196)
- luajit.exe (PID: 5776)
Connects to the server without a host name
- luajit.exe (PID: 5776)
INFO
Manual execution by a user
- cmd.exe (PID: 6644)
- WinRAR.exe (PID: 6944)
Reads the computer name
- luajit.exe (PID: 5776)
- ShellExperienceHost.exe (PID: 2692)
Checks supported languages
- luajit.exe (PID: 5776)
- ShellExperienceHost.exe (PID: 2692)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 6944)
Checks proxy server information
- luajit.exe (PID: 5776)
- BackgroundTransferHost.exe (PID: 5064)
- slui.exe (PID: 6676)
Creates files or folders in the user directory
- luajit.exe (PID: 5776)
- BackgroundTransferHost.exe (PID: 5064)
Reads security settings of Internet Explorer
- BackgroundTransferHost.exe (PID: 632)
- BackgroundTransferHost.exe (PID: 2084)
- BackgroundTransferHost.exe (PID: 5064)
- BackgroundTransferHost.exe (PID: 6468)
- BackgroundTransferHost.exe (PID: 6272)
Reads the software policy settings
- BackgroundTransferHost.exe (PID: 5064)
- luajit.exe (PID: 5776)
- slui.exe (PID: 6676)
- slui.exe (PID: 1616)
Reads the machine GUID from the registry
- luajit.exe (PID: 5776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2025:02:13 06:11:22 |
| ZipCRC: | 0x3ad061fb |
| ZipCompressedSize: | 34 |
| ZipUncompressedSize: | 65 |
| ZipFileName: | Launcher.bat |
Total processes
172
Monitored processes
21
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 632 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1616 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1912 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2084 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2656 | "C:\WINDOWS\system32\UCPDMgr.exe" | C:\Windows\System32\UCPDMgr.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: User Choice Protection Manager Exit code: 0 Version: 1.0.0.414301 Modules
| |||||||||||||||
| 2692 | "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Shell Experience Host Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3768 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | luajit.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4784 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5064 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
17 559
Read events
17 517
Write events
42
Delete events
0
Modification events
| (PID) Process: | (6728) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (6728) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (6728) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (6728) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\Software.zip | |||
| (PID) Process: | (6728) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (6728) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (6728) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (6728) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (6728) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000 | |||
| (PID) Process: | (6728) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths |
| Operation: | write | Name: | name |
Value: 256 | |||
Executable files
2
Suspicious files
4
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5064 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\c8d18636-e04a-48b0-9cdd-dafea8408c74.down_data | — | |
MD5:— | SHA256:— | |||
| 6944 | WinRAR.exe | C:\Users\admin\Desktop\Software\userdata.txt | text | |
MD5:A75D96A806A5F8585CCD282AFBD09830 | SHA256:8E8173F0411F8C052959503DB6D2CDAB651EF122847E2FE61758B50F9FB8A649 | |||
| 6944 | WinRAR.exe | C:\Users\admin\Desktop\Software\Launcher.bat | text | |
MD5:A12038BE937DDD18F92BAA5FA72854D0 | SHA256:29F7536EEA3B10415EB7AC17544F026D131211F4763BA1D79860113F1CEF6FC1 | |||
| 5064 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\c8d18636-e04a-48b0-9cdd-dafea8408c74.6001c431-abf8-4100-b688-ede734b63106.down_meta | binary | |
MD5:9DD9CC00124220E5A0FEAD16F71B98B9 | SHA256:7B4BADBD3A8FCDBCD8B433689136B5974A9E76F2C5861CC54A5ABE7DF80BC635 | |||
| 5776 | luajit.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\json[1].json | binary | |
MD5:4B85268259C8CBFCC4CD80CFC8EF3691 | SHA256:3FC5839D3EED30AA1A1F0AA8CF79E62526299B70963781FF3C17936A0BF18C0C | |||
| 6944 | WinRAR.exe | C:\Users\admin\Desktop\Software\lua51.dll | executable | |
MD5:2F0394640486F2AC8DFB23EE05F904A9 | SHA256:012E772E3C72C5F500AAB86E78E99AFFF222BDC8D914BC32BB244ADE03D5A486 | |||
| 5064 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\7299b833-64bf-4028-b680-ac51adc28cb6.up_meta_secure | binary | |
MD5:266B53A99B26699F879E6CCE6378D491 | SHA256:1B6E6CF930FE0ED53866693547CA3B015B1A03A53FF829BA3C366FFF281C87A6 | |||
| 5064 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\7299b833-64bf-4028-b680-ac51adc28cb6.6001c431-abf8-4100-b688-ede734b63106.down_meta | binary | |
MD5:9DD9CC00124220E5A0FEAD16F71B98B9 | SHA256:7B4BADBD3A8FCDBCD8B433689136B5974A9E76F2C5861CC54A5ABE7DF80BC635 | |||
| 6944 | WinRAR.exe | C:\Users\admin\Desktop\Software\luajit.exe | executable | |
MD5:E1BAE2B33BBCF7D1DAD46F57FE537141 | SHA256:30F7BD2E98DF2EC3405F3AB4AAB5BE8F0DC1D9AC638286EDF390C4DDB74B4316 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
61
TCP/UDP connections
98
DNS requests
28
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5776 | luajit.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | — | — | whitelisted |
5776 | luajit.exe | PUT | 200 | 213.176.73.80:80 | http://213.176.73.80/api/YTAsODYsODIsOWQsYTEsODgsOTAsOTUsNjUsN2Qs | unknown | — | — | malicious |
— | — | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | unknown |
5136 | SIHClient.exe | GET | 200 | 23.48.23.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5136 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 13.85.23.206:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | unknown |
— | — | GET | 200 | 184.30.21.171:443 | https://www.microsoft.com/ | unknown | html | 196 Kb | whitelisted |
— | — | POST | 200 | 20.223.35.26:443 | https://arc.msn.com/v4/api/register?asid=D29D9E7A7F944B98882B55B3763402B3&placement=cdmdevreg&country=US&locale=en-US&poptin=0&fmt=json&arch=AMD64&chassis=1&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19045.4046&dinst=1661339444&dmret=0&flightbranch=&flightring=Retail&icluc=0&localid=w%3AAC7699B0-48EA-FD22-C8DC-06A02098A0F0&oem=DELL&osbranch=vb_release&oslocale=en-US&osret=1&ossku=Professional&osskuid=48&prccn=4&prccs=3600&prcmf=AuthenticAMD&procm=Intel%28R%29%20Core%28TM%29%20i5-6400%20CPU%20%40%202.70GHz&ram=4096&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=15.3&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=260281&frdsk=218312&lo=3967267&tsu=1357797 | unknown | — | — | whitelisted |
— | — | POST | 400 | 20.190.160.4:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 20.190.160.131:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5776 | luajit.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | whitelisted |
5776 | luajit.exe | 184.30.21.171:443 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5776 | luajit.exe | 213.176.73.80:80 | — | — | US | malicious |
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 20.190.160.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
ip-api.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
arc.msn.com |
| whitelisted |
fd.api.iris.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com) |
5776 | luajit.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com |
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com) |
5776 | luajit.exe | A Network Trojan was detected | LOADER [ANY.RUN] SmartLoader Check-in |