| File name: | Worm.zip |
| Full analysis: | https://app.any.run/tasks/ed157aeb-bfbc-4d03-b05f-5bb093c902e5 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | August 31, 2024, 19:44:38 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 3167CF08DBACEBA1206755950E02E66C |
| SHA1: | F608F322801E6BA035136276FE743CF81D555E97 |
| SHA256: | 755A1889E618E61C581615A4DF7DF74D313D9EFABF33AC1F64D39C4E6B7309C3 |
| SSDEEP: | 49152:lIpveKxv//pnMYFlZWhrAgcRDhYjcoTja5lVr+6ZFmZdEgIGI5TQz/FUtoGpNAmu:wPvBMEElkYjnTja5lVxZQbnQB4azPXB6 |
MALICIOUS
Changes the autorun value in the registry
- Mantas.exe (PID: 6780)
- svchost.exe (PID: 740)
- reg.exe (PID: 2036)
- reg.exe (PID: 5772)
- reg.exe (PID: 3972)
- reg.exe (PID: 4996)
- reg.exe (PID: 4316)
- reg.exe (PID: 2636)
- reg.exe (PID: 2360)
- reg.exe (PID: 6288)
- reg.exe (PID: 5504)
- reg.exe (PID: 6616)
- reg.exe (PID: 1680)
- reg.exe (PID: 5880)
- reg.exe (PID: 6132)
- reg.exe (PID: 6456)
- reg.exe (PID: 1128)
- reg.exe (PID: 6056)
- reg.exe (PID: 4020)
- Bezilom.exe (PID: 360)
Actions looks like stealing of personal data
- Mantas.exe (PID: 6780)
Changes appearance of the Explorer extensions
- svchost.exe (PID: 1060)
Changes the login/logoff helper path in the registry
- Fagot.a.exe (PID: 1496)
Starts NET.EXE to view/change shared resources
- cmd.exe (PID: 6612)
- net.exe (PID: 6636)
- net.exe (PID: 5556)
- net.exe (PID: 2580)
SUSPICIOUS
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 4692)
- Heap41A.exe (PID: 2092)
- Heap41A.exe (PID: 4316)
Executable content was dropped or overwritten
- Mantas.exe (PID: 6780)
- Heap41A.exe (PID: 2092)
- svchost.exe (PID: 740)
- Nadlote.exe (PID: 5944)
Drops the executable file immediately after the start
- Mantas.exe (PID: 6780)
- Heap41A.exe (PID: 2092)
- svchost.exe (PID: 740)
- Nadlote.exe (PID: 5944)
The process creates files with name similar to system file names
- Mantas.exe (PID: 6780)
- Heap41A.exe (PID: 2092)
- svchost.exe (PID: 740)
- WerFault.exe (PID: 1828)
Reads the date of Windows installation
- Heap41A.exe (PID: 2092)
- Heap41A.exe (PID: 4316)
Starts itself from another location
- svchost.exe (PID: 740)
Application launched itself
- svchost.exe (PID: 1060)
Executes application which crashes
- Fagot.a.exe (PID: 1496)
- wscript.exe (PID: 2580)
Gets full path of the running script (SCRIPT)
- wscript.exe (PID: 2580)
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 2580)
Uses WMI to retrieve WMI-managed resources (SCRIPT)
- wscript.exe (PID: 2580)
Gets a collection of all available drive names (SCRIPT)
- wscript.exe (PID: 2580)
Creates file in the systems drive root
- Bezilom.exe (PID: 360)
- Nadlote.exe (PID: 5944)
- smss.exe (PID: 5212)
Runs shell command (SCRIPT)
- wscript.exe (PID: 2580)
Reads data from a binary Stream object (SCRIPT)
- wscript.exe (PID: 2580)
Gets the drive type (SCRIPT)
- wscript.exe (PID: 2580)
There is functionality for taking screenshot (YARA)
- Netres.a.exe (PID: 1556)
- Fagot.a.exe (PID: 1496)
Starts application from unusual location
- Nadlote.exe (PID: 5944)
- cmd.exe (PID: 7036)
- smss.exe (PID: 5212)
- cmd.exe (PID: 2660)
- ipconfig.exe (PID: 3980)
- cmd.exe (PID: 2648)
- PING.EXE (PID: 4088)
- PING.EXE (PID: 6460)
- cmd.exe (PID: 2036)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 1480)
- cmd.exe (PID: 1124)
- cmd.exe (PID: 1944)
- cmd.exe (PID: 4732)
- cmd.exe (PID: 6684)
- cmd.exe (PID: 6552)
- cmd.exe (PID: 7060)
- cmd.exe (PID: 1156)
- cmd.exe (PID: 252)
- cmd.exe (PID: 2112)
- cmd.exe (PID: 5000)
- cmd.exe (PID: 6540)
- cmd.exe (PID: 6940)
- cmd.exe (PID: 6576)
- cmd.exe (PID: 5940)
- cmd.exe (PID: 6424)
- cmd.exe (PID: 6636)
- cmd.exe (PID: 4524)
- cmd.exe (PID: 2904)
- cmd.exe (PID: 6408)
- cmd.exe (PID: 3328)
- cmd.exe (PID: 4760)
- cmd.exe (PID: 6304)
Starts CMD.EXE for commands execution
- Nadlote.exe (PID: 5944)
- smss.exe (PID: 5212)
Process uses IPCONFIG to get network configuration information
- cmd.exe (PID: 2660)
Detected use of alternative data streams (AltDS)
- smss.exe (PID: 5212)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 4692)
Checks supported languages
- Nople.exe (PID: 5612)
- Netres.a.exe (PID: 1556)
- Mantas.exe (PID: 6780)
- Heap41A.exe (PID: 2092)
- Fagot.a.exe (PID: 1496)
- svchost.exe (PID: 740)
- svchost.exe (PID: 1060)
- svchost.exe (PID: 5112)
- Bumerang.exe (PID: 6584)
- svchost.exe (PID: 6372)
- Heap41A.exe (PID: 4316)
- svchost.exe (PID: 5516)
- Bezilom.exe (PID: 360)
- Vobus.exe (PID: 6380)
- Nadlote.exe (PID: 5944)
- smss.exe (PID: 5212)
- DComExploit.exe (PID: 940)
- DComExploit.exe (PID: 5916)
Creates files or folders in the user directory
- Netres.a.exe (PID: 1556)
- WerFault.exe (PID: 6716)
- WerFault.exe (PID: 1828)
Reads the computer name
- Nople.exe (PID: 5612)
- Netres.a.exe (PID: 1556)
- Heap41A.exe (PID: 2092)
- Bumerang.exe (PID: 6584)
- Fagot.a.exe (PID: 1496)
- Heap41A.exe (PID: 4316)
- Bezilom.exe (PID: 360)
- Nadlote.exe (PID: 5944)
- smss.exe (PID: 5212)
Manual execution by a user
- Netres.a.exe (PID: 1556)
- Nople.exe (PID: 5612)
- Mantas.exe (PID: 6780)
- Heap41A.exe (PID: 2092)
- Heap41A.exe (PID: 1172)
- Fagot.a.exe (PID: 1496)
- Bumerang.exe (PID: 6584)
- Heap41A.exe (PID: 6488)
- Heap41A.exe (PID: 4316)
- wscript.exe (PID: 2580)
- Bezilom.exe (PID: 360)
- Vobus.exe (PID: 6380)
- Nadlote.exe (PID: 5944)
- DComExploit.exe (PID: 940)
- DComExploit.exe (PID: 5916)
The process uses the downloaded file
- WinRAR.exe (PID: 4692)
- Heap41A.exe (PID: 2092)
- Heap41A.exe (PID: 4316)
Create files in a temporary directory
- Heap41A.exe (PID: 2092)
- Heap41A.exe (PID: 4316)
- Bezilom.exe (PID: 360)
- Nadlote.exe (PID: 5944)
- smss.exe (PID: 5212)
Process checks computer location settings
- Heap41A.exe (PID: 2092)
- Heap41A.exe (PID: 4316)
Reads the software policy settings
- WerFault.exe (PID: 6716)
- WerFault.exe (PID: 1828)
Checks proxy server information
- WerFault.exe (PID: 6716)
- WerFault.exe (PID: 1828)
UPX packer has been detected
- svchost.exe (PID: 5112)
- svchost.exe (PID: 6372)
Reads Microsoft Office registry keys
- OpenWith.exe (PID: 892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:08:31 15:43:22 |
| ZipCRC: | 0x643ce414 |
| ZipCompressedSize: | 9211 |
| ZipUncompressedSize: | 28672 |
| ZipFileName: | Worm/Bezilom.exe |
Total processes
244
Monitored processes
116
Malicious processes
8
Suspicious processes
21
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 252 | cmd /c REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f | C:\Windows\SysWOW64\cmd.exe | — | smss.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 252 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 360 | "C:\Users\admin\AppData\Local\Temp\Worm\Worm\Bezilom.exe" | C:\Users\admin\AppData\Local\Temp\Worm\Worm\Bezilom.exe | explorer.exe | ||||||||||||
User: admin Company: Integrity Level: MEDIUM Version: 1.00.0004 Modules
| |||||||||||||||
| 740 | "C:\Users\admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe" MicrosoftPowerPoint\install.txt | C:\Users\admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe | Heap41A.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: AutoHotkey Exit code: 0 Version: 1, 0, 46, 08 Modules
| |||||||||||||||
| 892 | C:\WINDOWS\system32\OpenWith.exe -Embedding | C:\Windows\System32\OpenWith.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 940 | "C:\Users\admin\AppData\Local\Temp\Worm\Worm\Blaster\DComExploit.exe" | C:\Users\admin\AppData\Local\Temp\Worm\Worm\Blaster\DComExploit.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 1060 | C:\heap41a\svchost.exe C:\heap41a\std.txt | C:\heap41a\svchost.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: HIGH Description: AutoHotkey Exit code: 0 Version: 1, 0, 46, 08 Modules
| |||||||||||||||
| 1124 | cmd /c REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f | C:\Windows\SysWOW64\cmd.exe | — | smss.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1124 | REG ADD HKLM\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V smss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f | C:\Windows\SysWOW64\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1128 | REG ADD HKCU\Software\MICROSOFT\WINDOWS\CURRENTVERSION\RUN /V Csrss /t REG_SZ /d "c:\RECYCLER\smss.exe " /f | C:\Windows\SysWOW64\reg.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
29 681
Read events
28 411
Write events
1 268
Delete events
2
Modification events
| (PID) Process: | (4692) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (4692) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (4692) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip | |||
| (PID) Process: | (4692) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Worm.zip | |||
| (PID) Process: | (4692) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (4692) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (4692) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (4692) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (4692) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Worm | |||
| (PID) Process: | (1556) Netres.a.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
| Operation: | delete value | Name: | Network check |
Value: | |||
Executable files
120
Suspicious files
8
Text files
37
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4692 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Worm\Worm\Blaster\607B60AD512C50B7D71DCCC057E85F1C | executable | |
MD5:607B60AD512C50B7D71DCCC057E85F1C | SHA256:3E363D76D3949CC218A83A2EE13603D643E3274D3CFF71247E38B92BDB391CFA | |||
| 4692 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Worm\Worm\Nople.exe | executable | |
MD5:7D595027F9FDD0451B069C0C65F2A6E4 | SHA256:D2518DF72D5CCE230D98A435977D9283B606A5A4CAFE8CD596641F96D8555254 | |||
| 4692 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Worm\Worm\NadIote\Nadlote.exe | executable | |
MD5:57AECBCDCB3A5AD31AC07C5A62B56085 | SHA256:AB020413DCE53C9D57CF22D75EAF1339D72252D5316617A935149E02FEE42FD3 | |||
| 4692 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Worm\Worm\Heap41A.exe | executable | |
MD5:4F30003916CC70FCA3CE6EC3F0FF1429 | SHA256:746153871F816ECE357589B2351818E449B1BEECFB21EB75A3305899CE9AE37C | |||
| 4692 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Worm\Worm\Fagot.a.exe | executable | |
MD5:30CDAB5CF1D607EE7B34F44AB38E9190 | SHA256:1517527C1D705A6EBC6EC9194AA95459E875AC3902A9F4AAB3BF24B6A6F8407F | |||
| 4692 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Worm\Worm\Netres.a.exe | executable | |
MD5:D543F8D2644B09445D9BC4A8A4B1A8C0 | SHA256:1C0E2B7981FFA9E86185B7A7AAC93F13629D92D8F58769569483202B3A926CE5 | |||
| 4692 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Worm\Worm\Vobfus\Vobus.exe | executable | |
MD5:966BB4BDFE0EDB89EC2D43519C6DE3AF | SHA256:EF12832D67A099282B6AAD1BF2858375DD4B53C67638DAF12A253BC9F918B77F | |||
| 1556 | Netres.a.exe | C:\Users\admin\AppData\Local\VirtualStore\v1.log | text | |
MD5:87FD370671B22ACFD2A57A845B085BD3 | SHA256:5B1D52FE82C2A0AC5A4F69B214A3CCACD961086EE974044A4C362CDA40878A41 | |||
| 6780 | Mantas.exe | C:\Users\admin\Documents\heart.jpg | image | |
MD5:58B1840B979AE31F23AA8EB3594D5C17 | SHA256:B2BB460AA299C6064E7FC947BFF314E0F915C6EE6F8F700007129E3B6A314F47 | |||
| 6780 | Mantas.exe | C:\Users\admin\Documents\mantas.jpg | image | |
MD5:58B1840B979AE31F23AA8EB3594D5C17 | SHA256:B2BB460AA299C6064E7FC947BFF314E0F915C6EE6F8F700007129E3B6A314F47 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
17
DNS requests
4
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1356 | svchost.exe | 20.106.86.13:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 20.106.86.13:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2120 | MoUsoCoreWorker.exe | 20.106.86.13:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4324 | svchost.exe | 20.106.86.13:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
1356 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6716 | WerFault.exe | 13.89.179.12:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1828 | WerFault.exe | 13.89.179.12:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |
Threats
Process | Message |
|---|---|
Nople.exe | |
Nople.exe | |
Nople.exe | |
Nople.exe |