| File name: | Public.zip |
| Full analysis: | https://app.any.run/tasks/f65eb2e3-e5d8-4290-a64a-83c361edd1d8 |
| Verdict: | Malicious activity |
| Threats: | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
| Analysis date: | January 23, 2024, 07:50:10 |
| OS: | Windows 8.1 Professional (build: 9600, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | AEEB764C6FB1E3E7D0BA56C3C0A526A2 |
| SHA1: | 40F7BBDAD646004A64158CB8D720EB20BF760390 |
| SHA256: | 8D1BB10B94DF4D718450CE9D3F32B671DBB5888F2A6A67C45970A6E761A452C0 |
| SSDEEP: | 6144:dbAzpKHw/c4FN25hadj5DGRBdTFnRSxoIHENlOxdXOd6Z7:dbKpKqrWMYRBdTFg2UENlg+dO7 |
MALICIOUS
FAKETLS has been detected (SURICATA)
- nvTaskBar.exe (PID: 2724)
Drops the executable file immediately after the start
- nvTaskBar.exe (PID: 2724)
The DLL Hijacking
- integratedoffice.exe (PID: 1472)
SUSPICIOUS
Executable content was dropped or overwritten
- nvTaskBar.exe (PID: 2724)
INFO
Drops the executable file immediately after the start
- WinRAR.exe (PID: 1604)
Process checks whether UAC notifications are on
- WinRAR.exe (PID: 1604)
Reads the computer name
- nvTaskBar.exe (PID: 2724)
- integratedoffice.exe (PID: 1472)
Checks supported languages
- nvTaskBar.exe (PID: 2724)
- integratedoffice.exe (PID: 1472)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1604)
Manual execution by a user
- nvTaskBar.exe (PID: 2724)
- winword.exe (PID: 2324)
Executes as Windows Service
- integratedoffice.exe (PID: 1472)
Reads Microsoft Office registry keys
- integratedoffice.exe (PID: 1472)
Reads the machine GUID from the registry
- integratedoffice.exe (PID: 1472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:01:04 13:21:08 |
| ZipCRC: | 0x17cd8733 |
| ZipCompressedSize: | 41172 |
| ZipUncompressedSize: | 80896 |
| ZipFileName: | nView.dll |
Total processes
49
Monitored processes
4
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1472 | "C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe" | C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Office Click-to-Run Exit code: 0 Version: 15.0.4433.1508 Modules
| |||||||||||||||
| 1604 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Public.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2324 | "C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE" /n "C:\Users\admin\Desktop\shoesmemory.rtf" /o "" | C:\Program Files\Microsoft Office 15\root\office15\winword.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 15.0.4433.1506 Modules
| |||||||||||||||
| 2724 | "C:\Users\admin\Desktop\nvTaskBar.exe" | C:\Users\admin\Desktop\nvTaskBar.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
11 301
Read events
10 755
Write events
427
Delete events
119
Modification events
| (PID) Process: | (1604) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\125\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1604) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\EfiGuard-v1.1.zip | |||
| (PID) Process: | (1604) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\EfiGuard-v1.1.1.zip | |||
| (PID) Process: | (1604) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (1604) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\EfiGuard-v1.1.1-silent.zip | |||
| (PID) Process: | (1604) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1604) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1604) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1604) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (1604) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1A0000001A000000DA03000003020000 | |||
Executable files
3
Suspicious files
8
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2324 | winword.exe | C:\Users\admin\AppData\Local\Temp\CVRB0AE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2324 | winword.exe | C:\Users\admin\AppData\Roaming\Microsoft\Word\~WRL0001.tmp | — | |
MD5:— | SHA256:— | |||
| 2724 | nvTaskBar.exe | C:\Users\admin\Desktop\C | text | |
MD5:1140F724FF8FFC8744262DD4A3258BBB | SHA256:065A8EB0A46A773265C7E36A0981B170CFE3E8B1D9D3AB4E5F3DD353FED1D165 | |||
| 1604 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1604.22577\nView.dll | executable | |
MD5:7EA17FFB336A7D8B24D62BA78151D264 | SHA256:DD261A5DB199B32414C33136AED44C3EBE2AE55F18991AE3DC341FC43A1EF7F4 | |||
| 2324 | winword.exe | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary | |
MD5:C56F602E4484646838FA34BEF722DF4B | SHA256:D1ACB8042AEF9E857E47F65E1754F8865F57195CE16DBF127DDD6133D595FD66 | |||
| 1604 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1604.22577\nvTaskBar.exe | executable | |
MD5:485651BE4F204CFD8A27256D4F8263B6 | SHA256:F4B00F018AE7F68B116A9DE0B8DBA940AF1F4AAA61E895D9C9312BC217CCB8EF | |||
| 2724 | nvTaskBar.exe | C:\Users\admin\Desktop\NVDriverSearch.ct | executable | |
MD5:128CFFF31AA393605ECECF2689A40FD6 | SHA256:5AFE21142999659A4050F6E038A6DAB96CF4827F332497049A91CDB1A4D4828B | |||
| 2324 | winword.exe | C:\Users\admin\Desktop\~$oesmemory.rtf | pgc | |
MD5:C56F602E4484646838FA34BEF722DF4B | SHA256:D1ACB8042AEF9E857E47F65E1754F8865F57195CE16DBF127DDD6133D595FD66 | |||
| 2324 | winword.exe | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\shoesmemory.rtf.LNK | binary | |
MD5:57700CF6C162805D33B141AA00A4E3DA | SHA256:0431499B5925981F0067A53D83EF3DEFEAD86C85756892F41E3AC27DB3981BC9 | |||
| 2324 | winword.exe | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:4A3CE573B9D7B32AD271484E166FDC45 | SHA256:76BF6CEBBD8DC62028949850AA34A7F9EC9CBC615E3D074AFF4B7EB0D114664E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
25
DNS requests
4
Threats
21
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
372 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2724 | nvTaskBar.exe | 91.245.253.46:443 | www.militarytc.com | M247 Ltd | SG | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.militarytc.com |
| unknown |
www.microsoft.com |
| whitelisted |
win8.ipv6.microsoft.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2724 | nvTaskBar.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] FakeTLS Unk APT (psbl Crosswalk) |
2724 | nvTaskBar.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] FakeTLS Unk APT (psbl Crosswalk) |
2724 | nvTaskBar.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] FakeTLS Unk APT (psbl Crosswalk) |
2724 | nvTaskBar.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] FakeTLS Unk APT (psbl Crosswalk) |
2724 | nvTaskBar.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] FakeTLS Unk APT (psbl Crosswalk) |
2724 | nvTaskBar.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] FakeTLS Unk APT (psbl Crosswalk) |
2724 | nvTaskBar.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] FakeTLS Unk APT (psbl Crosswalk) |
2724 | nvTaskBar.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] FakeTLS Unk APT (psbl Crosswalk) |
2724 | nvTaskBar.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] FakeTLS Unk APT (psbl Crosswalk) |
2724 | nvTaskBar.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] FakeTLS Unk APT (psbl Crosswalk) |
Process | Message |
|---|---|
WinRAR.exe | SHIMVIEW: ShimInfo(Complete)
|
nvTaskBar.exe | SHIMVIEW: ShimInfo(Complete)
|
winword.exe | SHIMVIEW: ShimInfo(Complete)
|