File name:

IRC-Worm.Win32.Fagot.zip

Full analysis: https://app.any.run/tasks/1e19ba3e-3ce1-4f37-a240-ba29a375fa2e
Verdict: Malicious activity
Analysis date: May 19, 2024, 20:02:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

2BF50419DDFB8EBC93ECEE03A6766383

SHA1:

DC7E4868A7239FFDE67357DF6D1181ACE872C780

SHA256:

8590A818DA9EF7E3DCB5A5AF61FECF17BF0A93B7BB4107EE6DF5E1C5D8E45480

SSDEEP:

6144:yBd2WUsoef3PXIofg2AVXT8KVCdVd33GFGwPLKXpDae0jp:qd1TJIhVXoRdvnYGwPLMae0l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3980)
      • Skype-Setup.exe (PID: 1548)
      • Skype-Setup.exe (PID: 2188)
      • fagot.exe (PID: 952)
      • Skype-Setup.tmp (PID: 856)

    • Changes the login/logoff helper path in the registry

      • fagot.exe (PID: 820)
      • fagot.exe (PID: 952)

    • Changes the autorun value in the registry

      • fagot.exe (PID: 952)

    • Deletes the SafeBoot registry key

      • fagot.exe (PID: 952)

    • Creates a writable file in the system directory

      • fagot.exe (PID: 952)

  • SUSPICIOUS

    • Application launched itself

      • Skype.exe (PID: 1764)

    • Reads the Internet Settings

      • Skype.exe (PID: 1764)
      • Skype-Setup.tmp (PID: 856)

    • Executable content was dropped or overwritten

      • Skype-Setup.exe (PID: 1548)
      • Skype-Setup.exe (PID: 2188)
      • Skype-Setup.tmp (PID: 856)
      • fagot.exe (PID: 952)

    • Searches for installed software

      • Skype-Setup.tmp (PID: 856)

    • Uses TASKKILL.EXE to kill process

      • Skype-Setup.tmp (PID: 856)

    • Reads security settings of Internet Explorer

      • Skype-Setup.tmp (PID: 856)

    • Process drops legitimate windows executable

      • Skype-Setup.tmp (PID: 856)

    • Reads the Windows owner or organization settings

      • Skype-Setup.tmp (PID: 856)
      • fagot.exe (PID: 952)

    • Changes the Home page of Internet Explorer

      • fagot.exe (PID: 952)

    • Changes the title of the Internet Explorer window

      • fagot.exe (PID: 952)

    • Reads the date of Windows installation

      • fagot.exe (PID: 952)

    • The process drops C-runtime libraries

      • Skype-Setup.tmp (PID: 856)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3980)

    • Checks supported languages

      • fagot.exe (PID: 820)
      • Skype.exe (PID: 1764)
      • Skype.exe (PID: 1424)
      • Skype.exe (PID: 1368)
      • Skype.exe (PID: 2068)
      • Skype.exe (PID: 2268)
      • Skype-Setup.tmp (PID: 2124)
      • Skype.exe (PID: 2508)
      • wmpnscfg.exe (PID: 1900)
      • Skype-Setup.exe (PID: 2188)
      • Skype-Setup.tmp (PID: 856)
      • fagot.exe (PID: 952)
      • Skype-Setup.exe (PID: 1548)

    • Manual execution by a user

      • fagot.exe (PID: 820)
      • Skype.exe (PID: 1764)
      • wmpnscfg.exe (PID: 1900)
      • fagot.exe (PID: 1480)
      • fagot.exe (PID: 952)
      • firefox.exe (PID: 1644)

    • Reads product name

      • Skype.exe (PID: 1764)

    • Reads Environment values

      • Skype.exe (PID: 1764)
      • fagot.exe (PID: 952)

    • Creates files or folders in the user directory

      • Skype.exe (PID: 1764)

    • Reads CPU info

      • Skype.exe (PID: 1764)

    • Reads the computer name

      • Skype.exe (PID: 1764)
      • Skype.exe (PID: 2068)
      • Skype.exe (PID: 2268)
      • Skype.exe (PID: 2508)
      • Skype-Setup.tmp (PID: 2124)
      • wmpnscfg.exe (PID: 1900)
      • Skype-Setup.tmp (PID: 856)
      • fagot.exe (PID: 952)
      • Skype.exe (PID: 1424)

    • Create files in a temporary directory

      • Skype-Setup.exe (PID: 2188)
      • Skype-Setup.tmp (PID: 856)
      • Skype-Setup.exe (PID: 1548)

    • Creates files in the program directory

      • Skype-Setup.tmp (PID: 856)

    • Reads Windows Product ID

      • fagot.exe (PID: 952)

    • Application launched itself

      • firefox.exe (PID: 1644)
      • firefox.exe (PID: 2780)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2018:12:03 12:37:30
ZipCRC: 0xd833ef6f
ZipCompressedSize: 186354
ZipUncompressedSize: 381952
ZipFileName: IRC-Worm.Win32.Fagot.a
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
65
Monitored processes
22
Malicious processes
6
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe fagot.exe skype.exe skype.exe skype.exe no specs skype.exe no specs skype-setup.exe skype.exe no specs skype-setup.tmp no specs skype.exe no specs wmpnscfg.exe no specs skype-setup.exe skype-setup.tmp taskkill.exe no specs fagot.exe no specs fagot.exe firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
820"C:\Users\admin\Desktop\fagot.exe" C:\Users\admin\Desktop\fagot.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\fagot.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
856"C:\Users\admin\AppData\Local\Temp\is-QI7A2.tmp\Skype-Setup.tmp" /SL5="$30204,88729071,404480,C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe" /SPAWNWND=$201BC /NOTIFYWND=$60182 /silent !desktopiconC:\Users\admin\AppData\Local\Temp\is-QI7A2.tmp\Skype-Setup.tmp
Skype-Setup.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
5
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-qi7a2.tmp\skype-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
952"C:\Users\admin\Desktop\fagot.exe" C:\Users\admin\Desktop\fagot.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\fagot.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
1368"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad" --url=appcenter://generic?aid=a7417433-29d9-4bc0-8826-af367733939d&iid=ad142ee9-ecfe-4580-ec0f-259fb963ccd2&uid=ad142ee9-ecfe-4580-ec0f-259fb963ccd2 --annotation=IsOfficialBuild=1 --annotation=_companyName=Skype --annotation=_productName=skype-preview --annotation=_version=8.110.0.215 "--annotation=exe=C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=19.1.8 --initial-client-data=0x32c,0x330,0x334,0x328,0x338,0x7b8c2d8,0x7b8c2e8,0x7b8c2f4C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
1
Version:
8.110.0.215
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
1424"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1320 --field-trial-handle=1336,i,18422754130700279209,449581166882106587,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2C:\Program Files\Microsoft\Skype for Desktop\Skype.exeSkype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
LOW
Description:
Skype
Exit code:
0
Version:
8.110.0.215
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
1480"C:\Users\admin\Desktop\fagot.exe" C:\Users\admin\Desktop\fagot.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\fagot.exe
c:\windows\system32\ntdll.dll
1548"C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe" /silent !desktopiconC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe
Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype Setup
Exit code:
5
Version:
8.110.0.218
Modules
Images
c:\users\admin\appdata\roaming\microsoft\skype for desktop\skype-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1644"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\firefox.exeexplorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
1764"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
explorer.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
1
Version:
8.110.0.215
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
1888"C:\Windows\System32\taskkill.exe" /f /im Skype.exeC:\Windows\System32\taskkill.exeSkype-Setup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
Total events
20 092
Read events
14 299
Write events
53
Delete events
5 740

Modification events

(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3980) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\IRC-Worm.Win32.Fagot.zip
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3980) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
108
Suspicious files
15
Text files
8
Unknown types
4

Dropped files

PID
Process
Filename
Type
1764Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old~RF109f7e.TMPtext
MD5:FF878337359379694741312E6B39EF79
SHA256:AFDE1D769112411CE68EBA5A2821FED0E058B8A31D0795F6047718DD324B3C8F
1764Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.oldtext
MD5:AEAB6EEF48334E4749D630894ADCA674
SHA256:7B1139E4ABA3CF16CA2C097DC19F515B73C934315CC497769B6627C6252AE264
1764Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.jsonbinary
MD5:8AAB3FFA37C9CEF3FF1B107AE8FD1335
SHA256:AB9B6A671A41D213308E5D83C4DC72F090C25CD97392CB43A6EEF2FB55159833
1548Skype-Setup.exeC:\Users\admin\AppData\Local\Temp\is-V0NP7.tmp\Skype-Setup.tmpexecutable
MD5:55364BFEA54A03CCBA0F0400DF3D629F
SHA256:94B0E7DCDE2CBE4543EB28111FC5567EA622437F5A58A5E716BB7CFE0BF8DFAE
1764Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\settings.datbinary
MD5:3B2AEFD32F61DB8110091B81A16A9AD1
SHA256:27A6D2020F45CD9D3F4DFCF837EC661A1D997B08D23E3CB41B94186C21A50B37
856Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\is-4O927.tmpexecutable
MD5:8894176AF3EA65A09AE5CF4C0E6FF50F
SHA256:C64B7C6400E9BACC1A4F1BAED6374BFBCE9A3F8CF20C2D03F81EF18262F89C60
856Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\is-01G7Q.tmpexecutable
MD5:D91BF81CF5178D47D1A588B0DF98EB24
SHA256:F8E3B45FD3E22866006F16A9E73E28B5E357F31F3C275B517692A5F16918B492
856Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\api-ms-win-core-file-l1-1-0.dllexecutable
MD5:EEFE86B5A3AB256BEED8621A05210DF2
SHA256:1D1C11FC1AD1FEBF9308225C4CCF0431606A4AB08680BA04494D276CB310BF15
856Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:D91BF81CF5178D47D1A588B0DF98EB24
SHA256:F8E3B45FD3E22866006F16A9E73E28B5E357F31F3C275B517692A5F16918B492
856Skype-Setup.tmpC:\Program Files\Microsoft\Skype for Desktop\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:879920C7FA905036856BCB10875121D9
SHA256:7E4CBA620B87189278B5631536CDAD9BFDA6E12ABD8E4EB647CB85369A204FE8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
4
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown
1764
Skype.exe
52.113.194.133:443
get.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
1764
Skype.exe
13.107.42.16:443
a.config.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1764
Skype.exe
184.28.88.180:443
download.skype.com
AKAMAI-AS
US
unknown

DNS requests

Domain
IP
Reputation
get.skype.com
  • 52.113.194.133
whitelisted
a.config.skype.com
  • 13.107.42.16
whitelisted
download.skype.com
  • 184.28.88.180
whitelisted
detectportal.firefox.com
unknown

Threats

No threats detected
Process
Message
Skype.exe
[0519/210326.370:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\attachments\3a0ee62b-79ac-4cc3-bbd5-f65252e7a91f: The system cannot find the file specified. (0x2)
fagot.exe
FTH: (952): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
IRC-Worm.Win32.Fagot.zip