Malware analysis Spacesniffer_1_3_0_2.zip Malicious activity

Add for printing

File name:	Spacesniffer_1_3_0_2.zip
Full analysis:	https://app.any.run/tasks/cc3142c7-20e8-470d-a36f-0f3041a8b1f0
Verdict:	Malicious activity
Analysis date:	November 19, 2024, 12:29:55
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	305A00E687D50428D3540409022BCF79
SHA1:	4EEA738A664894D1CFD7C43F70938552A443A5EE
SHA256:	8056B8FF55C452CC87E35D69928CCCBCFC5AF848DB1ABB4FE0364510986E068B
SSDEEP:	98304:hIgCfFjkv3kXsh2YAB3bl9RRJTdRELWW2OBuxuS3i/+BkOpdg92sEt7NyRqN4nNe:MtgDY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: on
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 5180)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 5180)
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 5180)
- Executable content was dropped or overwritten
  - setup.exe (PID: 2940)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 5180)
- The process uses the downloaded file
  - WinRAR.exe (PID: 5180)
- Create files in a temporary directory
  - setup.exe (PID: 2940)
- Checks supported languages
  - setup.exe (PID: 2940)
  - SpaceSniffer.exe (PID: 3816)
- Creates files or folders in the user directory
  - setup.exe (PID: 2940)
- Reads the computer name
  - SpaceSniffer.exe (PID: 3816)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:11:07 05:38:46
ZipCRC:	0xd5b540de
ZipCompressedSize:	2048268
ZipUncompressedSize:	4343296
ZipFileName:	lua54.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

113

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2940

"C:\Users\admin\AppData\Local\Temp\Rar$EXa5180.21484\setup.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa5180.21484\setup.exe

WinRAR.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa5180.21484\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\temp\rar$exa5180.21484\lua54.dll
c:\windows\system32\shlwapi.dll

3816

C:\Users\admin\AppData\Local\CiscoSoftware\SpaceSniffer.exe

—

setup.exe

User:

admin

Company:

Uderzo Software e Consulenza Informatica

Integrity Level:

MEDIUM

Description:

Disk space analysis tool

Version:

1.3.0.2

Modules

Images
c:\users\admin\appdata\local\ciscosoftware\spacesniffer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

5180

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Spacesniffer_1_3_0_2.zip

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

1 865

Read events

1 857

Write events

Delete events

Modification events


(PID) Process:	(5180) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(5180) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(5180) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(5180) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Spacesniffer_1_3_0_2.zip
(PID) Process:	(5180) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5180) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5180) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5180) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2940	setup.exe	C:\Users\admin\AppData\Local\CiscoSoftware\SpaceSniffer.exe		executable
		MD5:B310E7335EAE66A533E985B377E81612	SHA256:FC0629D450F8A57BC93E1BA1CDEF0BFF49C1A4CF0725C2A1F52116FD67D9FE8E
2940	setup.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa5180.21484\nitro.log		text
		MD5:36DFD0DD5B1C86765B3DB974CBD9B0A5	SHA256:20D191B15566048FDC0CDEBDFD8A813DA3B02A9B7B47CF56C4D412888D8C6A8D
5180	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa5180.21484\msvcp140.dll		executable
		MD5:6C3AD90EE8D03A4CE68DBB34B0D72B1E	SHA256:7B8A6F283884E6448559DCF510B00C1A885BFB8E598EA05CD2C290C874657326
5180	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa5180.21484\lua54.dll		executable
		MD5:1AB0BD090BAD841CD73F165DDBD3F41E	SHA256:50C2AFD792BFE2966133EE385054EAAE1F73B04E013EF3434EF2407F99D7F037
5180	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa5180.21484\setup.exe		executable
		MD5:8EB22CBBAACB740BDDF7CE1FF8EEA868	SHA256:C1757C37D186B1B9868E0B92025D073EF0347ADF2059163D9DFD26EC94258023
5180	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa5180.21484\vcruntime140_1.dll		executable
		MD5:7E986E7469D9AB3B1138353418DA1793	SHA256:0E560532E721B6938DAFE4055EEDD0251BA5EB5994CD96937CEBBCF16A7DDAE5
5180	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa5180.21484\vcruntime140.dll		executable
		MD5:C22AB531881B21277BA168E6F311D225	SHA256:642AE52687A7A6BFB03D0B20DC7E07F4B11CECA634F7EB7BA184D6711AB51A51

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.48.23.169:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.169:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4932	svchost.exe	GET	200	23.48.23.169:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.200.189.225:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.200.189.225:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4932	svchost.exe	GET	200	23.200.189.225:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3556	SIHClient.exe	GET	200	23.200.189.225:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
3556	SIHClient.exe	GET	200	23.200.189.225:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.48.23.169:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.169:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4932	svchost.exe	23.48.23.169:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.200.189.225:80	www.microsoft.com	Moratelindo Internet Exchange Point	ID	whitelisted
4932	svchost.exe	23.200.189.225:80	www.microsoft.com	Moratelindo Internet Exchange Point	ID	whitelisted
—	—	23.200.189.225:80	www.microsoft.com	Moratelindo Internet Exchange Point	ID	whitelisted
5064	SearchApp.exe	2.19.193.66:443	www.bing.com	Akamai International B.V.	TR	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
crl.microsoft.com	23.48.23.169 23.48.23.164 23.48.23.141 23.48.23.193 23.48.23.147 23.48.23.190 23.48.23.145 23.48.23.143 23.48.23.177	whitelisted
www.microsoft.com	23.200.189.225	whitelisted
google.com	142.251.39.110	whitelisted
www.bing.com	2.19.193.66	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
self.events.data.microsoft.com	20.42.73.30	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Spacesniffer_1_3_0_2.zip

305A00E687D50428D3540409022BCF79

4EEA738A664894D1CFD7C43F70938552A443A5EE

8056B8FF55C452CC87E35D69928CCCBCFC5AF848DB1ABB4FE0364510986E068B

98304:hIgCfFjkv3kXsh2YAB3bl9RRJTdRELWW2OBuxuS3i/+BkOpdg92sEt7NyRqN4nNe:MtgDY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

SUSPICIOUS

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Executable content was dropped or overwritten

INFO

Executable content was dropped or overwritten

The process uses the downloaded file

Create files in a temporary directory

Checks supported languages

Creates files or folders in the user directory

Reads the computer name

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings