| download: | /mukenscreamerit/Delta-Executor/releases/download/v616/DeltaExecutor.zip |
| Full analysis: | https://app.any.run/tasks/7efac480-113a-4e0a-8493-e3bb72a70172 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | June 14, 2024, 07:54:54 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | BE3F47E831402806B9B8833A2A9B58EF |
| SHA1: | 8BEDF8521ABC4275A16F0D0F328DB637E7D8782F |
| SHA256: | 3A56375E69C89F44C7D58427F065E4175FE7C03C72997B921514B09312C75604 |
| SSDEEP: | 24576:njrHTDFRRa5Pup5Lv3SOmA62vrmql1RfYPhxOOi5EKCVy:njrHvBa5mp5v30A62vrmql1RfYPhxOOE |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3972)
- luajit.exe (PID: 1488)
Connects to the CnC server
- luajit.exe (PID: 1488)
- ODAy.exe (PID: 2992)
SMARTLOADER has been detected (SURICATA)
- luajit.exe (PID: 1488)
- ODAy.exe (PID: 2992)
Uses Task Scheduler to run other applications
- luajit.exe (PID: 1488)
SUSPICIOUS
Uses ICACLS.EXE to modify access control lists
- cmd.exe (PID: 4080)
- cmd.exe (PID: 1628)
Reads the Internet Settings
- wscript.exe (PID: 1036)
- cmd.exe (PID: 4080)
- luajit.exe (PID: 1488)
- ODAy.exe (PID: 2992)
Starts CMD.EXE for commands execution
- wscript.exe (PID: 1036)
- Setup.exe (PID: 2936)
- cmd.exe (PID: 2912)
The process executes VB scripts
- cmd.exe (PID: 4080)
Executing commands from a ".bat" file
- wscript.exe (PID: 1036)
Runs shell command (SCRIPT)
- wscript.exe (PID: 1036)
Executable content was dropped or overwritten
- luajit.exe (PID: 1488)
Connects to the server without a host name
- luajit.exe (PID: 1488)
- ODAy.exe (PID: 2992)
Reads security settings of Internet Explorer
- luajit.exe (PID: 1488)
- ODAy.exe (PID: 2992)
Reads settings of System Certificates
- luajit.exe (PID: 1488)
- ODAy.exe (PID: 2992)
Checks Windows Trust Settings
- luajit.exe (PID: 1488)
- ODAy.exe (PID: 2992)
Executing commands from ".cmd" file
- Setup.exe (PID: 2936)
Application launched itself
- cmd.exe (PID: 2912)
Adds/modifies Windows certificates
- luajit.exe (PID: 1488)
Checks for external IP
- ODAy.exe (PID: 2992)
- luajit.exe (PID: 1488)
Uses RUNDLL32.EXE to load library
- ODAy.exe (PID: 2992)
INFO
Manual execution by a user
- cmd.exe (PID: 4080)
- wmpnscfg.exe (PID: 1548)
- Setup.exe (PID: 2936)
- explorer.exe (PID: 1928)
- Setup.exe (PID: 2696)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3972)
Checks supported languages
- luajit.exe (PID: 1488)
- wmpnscfg.exe (PID: 1548)
- ODAy.exe (PID: 2992)
Reads the computer name
- luajit.exe (PID: 1488)
- wmpnscfg.exe (PID: 1548)
- ODAy.exe (PID: 2992)
Checks proxy server information
- luajit.exe (PID: 1488)
- ODAy.exe (PID: 2992)
Creates files in the program directory
- luajit.exe (PID: 1488)
Reads the machine GUID from the registry
- luajit.exe (PID: 1488)
- ODAy.exe (PID: 2992)
Reads the software policy settings
- luajit.exe (PID: 1488)
- ODAy.exe (PID: 2992)
Creates files or folders in the user directory
- luajit.exe (PID: 1488)
- ODAy.exe (PID: 2992)
Create files in a temporary directory
- ODAy.exe (PID: 2992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:06:01 00:36:18 |
| ZipCRC: | 0x510e1df6 |
| ZipCompressedSize: | 78784 |
| ZipUncompressedSize: | 160045 |
| ZipFileName: | conf |
Total processes
66
Monitored processes
16
Malicious processes
7
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 764 | "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system" | C:\Windows\System32\cacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Control ACLs Program Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1020 | "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system" | C:\Windows\System32\cacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Control ACLs Program Exit code: 5 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1036 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\getadmin.vbs" | C:\Windows\System32\wscript.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 1488 | luajit.exe conf | C:\Users\admin\Desktop\luajit.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1548 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1628 | "C:\Windows\System32\cmd.exe" /c C:\Users\admin\Desktop\Launcher.bat | C:\Windows\System32\cmd.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1928 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2276 | schtasks /create /sc daily /st 11:51 /f /tn WindowsSetup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest | C:\Windows\System32\schtasks.exe | — | luajit.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2696 | "C:\Windows\System32\oobe\Setup.exe" | C:\Windows\System32\oobe\Setup.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Installation and Setup Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2912 | C:\Windows\system32\cmd.exe /c C:\Windows\Setup\Scripts\ErrorHandler.cmd | C:\Windows\System32\cmd.exe | — | Setup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
16 392
Read events
16 254
Write events
118
Delete events
20
Modification events
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\DeltaExecutor.zip | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
4
Suspicious files
16
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3972 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3972.1532\lua51.dll | executable | |
MD5:3DFF7448B43FCFB4DC65E0040B0FFB88 | SHA256:FF976F6E965E3793E278FA9BF5E80B9B226A0B3932B9DA764BFFC8E41E6CDB60 | |||
| 4080 | cmd.exe | C:\Users\admin\AppData\Local\Temp\getadmin.vbs | text | |
MD5:D14A6C18536B08C2D91CC10129CEC2CA | SHA256:88F0E55BE41422957E8F4FEC8CAF0F9ED4E68D1F0290171BA8F4BD26C19FA17D | |||
| 3972 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3972.1532\Launcher.bat | text | |
MD5:9EDCC8710E562B5DAEED73ACAA17E2FD | SHA256:F1ED443FAA01092320E04E0231327BD59C6DF7344AD0F46CA4885D28AA2AFD60 | |||
| 1488 | luajit.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | der | |
MD5:486C8D947BE3D76EAE195F2E8616D09A | SHA256:4D4D13AC65CC00A380449B87150A9791F097CA7A3E51C36FF738424C86ED33ED | |||
| 1488 | luajit.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9 | binary | |
MD5:7600530039F849E8DD9ED236FBE636E4 | SHA256:20D56F0C48491E79F8AF85C7928E259BD35E61E028A6275DAFCD3C322E4A9C7A | |||
| 1488 | luajit.exe | C:\Users\admin\Pictures\90059C37132041A4B58D2B75A9850D2F | binary | |
MD5:8651343B04EB537B1E80642C716D5CFC | SHA256:47E7B693417CCE286AF26E48B5DDEFD3DED2175876538A0B1D0739E03AD52989 | |||
| 2992 | ODAy.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\conf[1].log | — | |
MD5:— | SHA256:— | |||
| 2992 | ODAy.exe | C:\Users\admin\AppData\Roaming\Lua\bin\lua.dll | — | |
MD5:— | SHA256:— | |||
| 1488 | luajit.exe | C:\ProgramData\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODAy.exe | executable | |
MD5:DD98A43CB27EFD5BCC29EFB23FDD6CA5 | SHA256:1CF20B8449EA84C684822A5E8AB3672213072DB8267061537D1CE4EC2C30C42A | |||
| 1488 | luajit.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | binary | |
MD5:A5472911A5A96B0D4F8C1799DF5E9852 | SHA256:EEC69DA325FBA4083B6E4CC7F4FB7D3887F1ECB851ED45A1E45E57121E3A5F3C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
23
DNS requests
13
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1488 | luajit.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | — | — | unknown |
1488 | luajit.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?11e533397a336eb2 | unknown | — | — | unknown |
1488 | luajit.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | — | — | unknown |
1488 | luajit.exe | GET | 301 | 140.82.121.3:80 | http://github.com/user-attachments/files/15521948/conf.log | unknown | — | — | unknown |
1488 | luajit.exe | PUT | 200 | 193.233.164.80:80 | http://193.233.164.80/api/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms | unknown | — | — | unknown |
1488 | luajit.exe | GET | — | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D | unknown | — | — | unknown |
1488 | luajit.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPlNxcMEqnlIVyH5VuZ4lawhZX3QQU9oUKOxGG4QR9DqoLLNLuzGR7e64CEE4o94a2bBo7lCzSxA63QqU%3D | unknown | — | — | unknown |
1488 | luajit.exe | GET | 200 | 104.18.38.233:80 | http://crl.comodoca.com/AAACertificateServices.crl | unknown | — | — | unknown |
1488 | luajit.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCEQDzZE5rbgBQI34JRr174fUd | unknown | — | — | unknown |
2992 | ODAy.exe | PUT | 200 | 193.233.164.80:80 | http://193.233.164.80/api/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1488 | luajit.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown |
1488 | luajit.exe | 184.30.21.171:443 | www.microsoft.com | AKAMAI-AS | DE | unknown |
1488 | luajit.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown |
1488 | luajit.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
1488 | luajit.exe | 193.233.164.80:80 | — | OOO Regional Wireless networks | RU | unknown |
1488 | luajit.exe | 140.82.121.3:80 | github.com | GITHUB | US | unknown |
1488 | luajit.exe | 140.82.121.3:443 | github.com | GITHUB | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
ip-api.com |
| shared |
www.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
github.com |
| shared |
ocsp.comodoca.com |
| whitelisted |
crl.comodoca.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
ocsp.sectigo.com |
| whitelisted |
objects.githubusercontent.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1488 | luajit.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com |
1488 | luajit.exe | A Network Trojan was detected | LOADER [ANY.RUN] SmartLoader Check-in |
2992 | ODAy.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com |
2992 | ODAy.exe | A Network Trojan was detected | LOADER [ANY.RUN] SmartLoader Check-in |