| File name: | malware-dorkbot.zip |
| Full analysis: | https://app.any.run/tasks/d77a5dad-2b26-41ab-b7ce-41737ba8ba67 |
| Verdict: | Malicious activity |
| Analysis date: | June 14, 2024, 07:49:54 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v5.1 to extract, compression method=AES Encrypted |
| MD5: | F86D1D3F14224311493D0C6B667FFBFD |
| SHA1: | 44B5840074FF06D9354F9635407E68658614AE33 |
| SHA256: | 54738A34D0C3DF63C139D98E60196EAE1F690894957EC1120ED01266640B6E27 |
| SSDEEP: | 1536:H9ZWv4snJjfVlyQo+iJUMMZG7MY7RZk1v3ijdWVl+x9B:dZWgoJjf5o+i2lG7MY7RZk1fiJWl+zB |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3972)
Application was injected by another process
- ctfmon.exe (PID: 1416)
- explorer.exe (PID: 1180)
- taskeng.exe (PID: 296)
- dwm.exe (PID: 544)
Runs injected code in another process
- 5ef7ff9bda8ff5f5b6154a27e1f37a51f01fd56e2e37aeb1ac71d1d6bf6a20c1.exe (PID: 4064)
Changes the autorun value in the registry
- explorer.exe (PID: 1180)
Connects to the CnC server
- explorer.exe (PID: 1180)
SUSPICIOUS
Executable content was dropped or overwritten
- explorer.exe (PID: 1180)
INFO
Checks supported languages
- 5ef7ff9bda8ff5f5b6154a27e1f37a51f01fd56e2e37aeb1ac71d1d6bf6a20c1.exe (PID: 4064)
- wmpnscfg.exe (PID: 328)
Drops the executable file immediately after the start
- explorer.exe (PID: 1180)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3972)
Manual execution by a user
- 5ef7ff9bda8ff5f5b6154a27e1f37a51f01fd56e2e37aeb1ac71d1d6bf6a20c1.exe (PID: 4064)
Reads the computer name
- 5ef7ff9bda8ff5f5b6154a27e1f37a51f01fd56e2e37aeb1ac71d1d6bf6a20c1.exe (PID: 4064)
- wmpnscfg.exe (PID: 328)
Reads security settings of Internet Explorer
- explorer.exe (PID: 1180)
Creates files or folders in the user directory
- explorer.exe (PID: 1180)
Reads the Internet Settings
- explorer.exe (PID: 1180)
Checks proxy server information
- explorer.exe (PID: 1180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 51 |
|---|---|
| ZipBitFlag: | 0x0003 |
| ZipCompression: | Unknown (99) |
| ZipModifyDate: | 2024:06:03 07:27:06 |
| ZipCRC: | 0x3b2d5285 |
| ZipCompressedSize: | 51425 |
| ZipUncompressedSize: | 96256 |
| ZipFileName: | 5ef7ff9bda8ff5f5b6154a27e1f37a51f01fd56e2e37aeb1ac71d1d6bf6a20c1.exe |
Total processes
36
Monitored processes
7
Malicious processes
2
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 296 | taskeng.exe {7D66FB6A-BD74-4FE5-8B2A-4F4BBBAF9944} | C:\Windows\System32\taskeng.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Engine Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 328 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 544 | "C:\Windows\system32\Dwm.exe" | C:\Windows\System32\dwm.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Desktop Window Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1180 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1416 | C:\Windows\System32\ctfmon.exe | C:\Windows\System32\ctfmon.exe | taskeng.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CTF Loader Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3972 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\malware-dorkbot.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 4064 | "C:\Users\admin\Desktop\5ef7ff9bda8ff5f5b6154a27e1f37a51f01fd56e2e37aeb1ac71d1d6bf6a20c1.exe" | C:\Users\admin\Desktop\5ef7ff9bda8ff5f5b6154a27e1f37a51f01fd56e2e37aeb1ac71d1d6bf6a20c1.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
7 204
Read events
7 157
Write events
40
Delete events
7
Modification events
| (PID) Process: | (1180) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
| Operation: | write | Name: | CheckSetting |
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB010000005ECAE606A2BB334E84348D8DB47BEB35000000000200000000001066000000010000200000005118DADCBF54331E00D5EE301C1E37ADA22DB4870A54FB4A6E59FA9B60FDDB24000000000E8000000002000020000000B3E4B78D09779A5B76CC9EDCA0FB210AD4C9989D0CACCAC66AA29CC98258514930000000B93E56A8DD46A792217ACB2779A3B0D90721C67C350E4BBD78DD4500A594A89E196B94873C2CE39235DA8694B1728AC640000000EB8A51A96332215DDCA6B5C8CDB5561C253814F07ABB4C9F4B58B1A3DAA2267F5DBF5A32FA0ABDF05FFA2059C00D02F4D174EAD26E35522B1B562A7428C16D00 | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\malware-dorkbot.zip | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
Executable files
3
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1180 | explorer.exe | C:\Users\admin\AppData\Roaming\Zeeoen.exe | executable | |
MD5:E84977359949F63C93245790E8A90506 | SHA256:5EF7FF9BDA8FF5F5B6154A27E1F37A51F01FD56E2E37AEB1AC71D1D6BF6A20C1 | |||
| 3972 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3972.21239\5ef7ff9bda8ff5f5b6154a27e1f37a51f01fd56e2e37aeb1ac71d1d6bf6a20c1.exe | executable | |
MD5:E84977359949F63C93245790E8A90506 | SHA256:5EF7FF9BDA8FF5F5B6154A27E1F37A51F01FD56E2E37AEB1AC71D1D6BF6A20C1 | |||
| 1180 | explorer.exe | C:\Users\admin\Desktop\5ef7ff9bda8ff5f5b6154a27e1f37a51f01fd56e2e37aeb1ac71d1d6bf6a20c1.exe | executable | |
MD5:E84977359949F63C93245790E8A90506 | SHA256:5EF7FF9BDA8FF5F5B6154A27E1F37A51F01FD56E2E37AEB1AC71D1D6BF6A20C1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
2
Threats
11
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1180 | explorer.exe | 95.142.44.96:8080 | dead.fflyy.su | EuroByte LLC | RU | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.wipmania.com |
| unknown |
dead.fflyy.su |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1180 | explorer.exe | A Network Trojan was detected | ET MALWARE Likely Bot Nick in IRC (USA +..) |
1180 | explorer.exe | A Network Trojan was detected | ET MALWARE Likely Bot Nick in IRC (Country Code ISO 3166-1 alpha-3) |
1180 | explorer.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS IRC - NICK and Possible Windows XP/7 |
1180 | explorer.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS IRC - NICK and 3 Letter Country Code |
1180 | explorer.exe | Misc activity | ET INFO IRC Nick change on non-standard port |
1180 | explorer.exe | A client was using an unusual port | ET POLICY IRC Channel JOIN on non-standard port |
1180 | explorer.exe | A client was using an unusual port | ET POLICY IRC Channel JOIN on non-standard port |
1180 | explorer.exe | Misc activity | ET CHAT IRC USER Off-port Likely bot with 0 0 colon checkin |
1180 | explorer.exe | A Network Trojan was detected | ET MALWARE Backdoor.Win32.Dorkbot.AR Join IRC channel |
2 ETPRO signatures available at the full report