| File name: | SopiremInfoextrait.zip |
| Full analysis: | https://app.any.run/tasks/62e4f37b-a102-4a0a-a86e-481bde44e3c2 |
| Verdict: | Malicious activity |
| Analysis date: | November 27, 2024, 14:08:32 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=store |
| MD5: | 4165B8005D4AA7DEFEC4FA9FC90492CE |
| SHA1: | 6960C3ED07BA39D1BDFAD828B1F80A25AAA285A6 |
| SHA256: | 62818FB1152A9DBE3E08C0999850D918A17CD49E1C3E75498B6E170F8E57958C |
| SSDEEP: | 98304:T49iqML7FLN2PMhbqEANMSHQdosswhtATV72zGGIgD+anuS0Jm7k9lMhjsYiOp3J:UkWi |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 1040)
Starts Visual C# compiler
- sdiagnhost.exe (PID: 3400)
SUSPICIOUS
Probably uses Microsoft diagnostics tool to execute malicious payload
- pcwrun.exe (PID: 1556)
Executable content was dropped or overwritten
- csc.exe (PID: 1212)
- csc.exe (PID: 3084)
- csc.exe (PID: 3040)
Uses .NET C# to load dll
- sdiagnhost.exe (PID: 3400)
Uses RUNDLL32.EXE to load library
- msdt.exe (PID: 3012)
The process executes via Task Scheduler
- SopiremInfoEvalSR3.exe (PID: 3560)
- SopiremInfoEvalSR3.exe (PID: 992)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1040)
Manual execution by a user
- SopiremInfoEvalSR3.exe (PID: 2324)
- pcwrun.exe (PID: 1556)
The process uses the downloaded file
- WinRAR.exe (PID: 1040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xpi | | | Mozilla Firefox browser extension (66.6) |
|---|---|---|
| .zip | | | ZIP compressed archive (33.3) |
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2024:11:27 14:55:34 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | SopiremInfo/ |
Total processes
56
Monitored processes
14
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 992 | C:\Users\admin\Desktop\SopiremInfo\EvalSR3\SopiremInfoEvalSR3.exe | C:\Users\admin\Desktop\SopiremInfo\EvalSR3\SopiremInfoEvalSR3.exe | — | taskeng.exe | |||||||||||
User: admin Company: Sopirem Integrity Level: MEDIUM Description: SopiremInfoSR3 Exit code: 3221226540 Version: 1.0.3685.29490 Modules
| |||||||||||||||
| 1040 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Downloads\SopiremInfoextrait.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 1208 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES3C7A.tmp" "c:\Users\admin\AppData\Local\Temp\CSC3C6A.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.5003 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
| 1212 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\nmk_wrp0.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | sdiagnhost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.5483 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
| 1236 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES3E01.tmp" "c:\Users\admin\AppData\Local\Temp\CSC3DF0.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.5003 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
| 1556 | C:\Windows\system32\pcwrun.exe "C:\Users\admin\Desktop\SopiremInfo\EvalSR3\SopiremInfoEvalSR3.exe" | C:\Windows\System32\pcwrun.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Program Compatibility Troubleshooter Invoker Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2324 | "C:\Users\admin\Desktop\SopiremInfo\EvalSR3\SopiremInfoEvalSR3.exe" | C:\Users\admin\Desktop\SopiremInfo\EvalSR3\SopiremInfoEvalSR3.exe | explorer.exe | ||||||||||||
User: admin Company: Sopirem Integrity Level: HIGH Description: SopiremInfoSR3 Exit code: 0 Version: 1.0.3685.29490 Modules
| |||||||||||||||
| 3012 | C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\admin\AppData\Local\Temp\PCW343C.xml /skip TRUE | C:\Windows\System32\msdt.exe | — | pcwrun.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Diagnostics Troubleshooting Wizard Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3040 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\aileeha_.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | sdiagnhost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.5483 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
| 3080 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES3D17.tmp" "c:\Users\admin\AppData\Local\Temp\CSC3D16.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.5003 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
Total events
7 682
Read events
7 628
Write events
54
Delete events
0
Modification events
| (PID) Process: | (1040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (1040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (1040) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (1040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (1040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (1040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Downloads\SopiremInfoextrait.zip | |||
| (PID) Process: | (1040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1040) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
11
Suspicious files
10
Text files
38
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1040.33954\SopiremInfo\EvalSR3\es\SopiremInfoSR3.chm | chm | |
MD5:D6A37166F9F85BBB522BEE097DAB17BD | SHA256:E5CE188BDE457E6D4FCCA37EA903019BEC0D3B90C7FC92C5D9EEC635BCE21FE1 | |||
| 1040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1040.33954\SopiremInfo\EvalSR3\fr\SopiremInfoSR3.chm | chm | |
MD5:9406B6E7A1220086D561D101C2414748 | SHA256:CA9399F263A27DE1BB37B6A2FA5DA21F6F76CBA32984048F3502B3916BA8950F | |||
| 1040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1040.33954\SopiremInfo\EvalSR3\es\Simulateur.resources.dll | executable | |
MD5:A184B077058B4B850CD2B2495C3AEAEB | SHA256:71E30EE579B0B27CC6C577955B4E70A9BD0E5188F47DD629408FE1070E1061D5 | |||
| 1040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1040.33954\SopiremInfo\EvalSR3\fr\Licence.rtf | text | |
MD5:02B3DED107904E1611A7C5514C07B9E5 | SHA256:1C9A4BA65922EA5F95A53A395C3CA2CF484306B7A2B9CDA04C61407E1AEEAE9D | |||
| 1040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1040.33954\SopiremInfo\EvalSR3\tp\tp01_01.xml | xml | |
MD5:9B4B2D2AA091DD5B3B6C23F61C34960E | SHA256:601B96C636A4516774D58030BE0998DEC6B9A4630B333D00ADC3328DCCB0C5DE | |||
| 1040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1040.33954\SopiremInfo\EvalSR3\en\SopiremInfoSR3.chm | chm | |
MD5:9A20D79C1129EC10B64A408D4AFE7BA2 | SHA256:1B42DBAE1AA9C656823BB6D930784309519C26F13800B1F39CF03BF4CA167B5A | |||
| 1040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1040.33954\SopiremInfo\EvalSR3\SopiremInfoEvalSR3.exe | executable | |
MD5:954C00DB37DE51957C40827ABE10919A | SHA256:1AF694EE49174AC8849D967179AF977300A5F41AE765D3A02C72798E078B6208 | |||
| 1040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1040.33954\SopiremInfo\EvalSR3\param.xml | xml | |
MD5:2A1102F16F1DABAE7065DE99D73E6BB1 | SHA256:403392131D26E0AD84F95E4493E08C552064DA209A5A66102EEF6BC77C8B1945 | |||
| 1040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1040.33954\SopiremInfo\EvalSR3\tp\tp01_02.xml | xml | |
MD5:B39364A584BFAB4995151B3600118C28 | SHA256:899D34D6CD45E2637571CEF5622CBE824BFB383D5060B2936B4124AD5536BA9D | |||
| 1040 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1040.33954\SopiremInfo\EvalSR3\tp\tp02_02.xml | xml | |
MD5:58645012FFC45D7264CD3D218DE7059B | SHA256:6615CE3A19C6939A7D78BE71998CA656E600FDC1366B9033C4E678E666915408 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1108 | svchost.exe | 224.0.0.252:5355 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
Threats
Process | Message |
|---|---|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|