Malware analysis update (1).zip Malicious activity | ANY.RUN

Add for printing

File name:	update (1).zip
Full analysis:	https://app.any.run/tasks/b4d99af0-a433-45ab-8691-740dca9ae4ec
Verdict:	Malicious activity
Analysis date:	July 20, 2024, 13:56:19
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion telegram
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	D32F89A8A3DD360DB3FA9B838163FFA0
SHA1:	66FBE2B33E545062A1399A4962B9AF4FBBD4B356
SHA256:	96DEC6E07229201A02F538310815C695CF6147C548FF1C6A0DEF2FE38F3DCBC8
SSDEEP:	49152:wFUG/KGKxVTQ8WqwjrFkiV4sKPGsECGu32l6PB6IVhvCT93emKGjBcAgAm/3Gbk5:wFUG/STQ8Wqw/FkiJKexu3igZv6jBcAY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 3800)
  - CrowdStrike.exe (PID: 7440)
  - cmd.exe (PID: 5936)
  - Champion.pif (PID: 6944)
  - RegAsm.exe (PID: 7092)
- Antivirus name has been found in the command line (generic signature)
  - findstr.exe (PID: 7416)
  - findstr.exe (PID: 3836)
  - findstr.exe (PID: 5460)
  - findstr.exe (PID: 7352)
- Create files in the Startup directory
  - RegAsm.exe (PID: 7092)
- Actions looks like stealing of personal data
  - RegAsm.exe (PID: 7092)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - CrowdStrike.exe (PID: 7440)
  - WinRAR.exe (PID: 3800)
  - Champion.pif (PID: 7016)
  - CrowdStrike.exe (PID: 4972)
  - GameBar.exe (PID: 3360)
  - StartMenuExperienceHost.exe (PID: 5720)
- Reads the date of Windows installation
  - CrowdStrike.exe (PID: 7440)
  - Champion.pif (PID: 7016)
  - CrowdStrike.exe (PID: 4972)
  - StartMenuExperienceHost.exe (PID: 5720)
- Starts CMD.EXE for commands execution
  - CrowdStrike.exe (PID: 7440)
  - cmd.exe (PID: 5936)
  - Champion.pif (PID: 7016)
  - CrowdStrike.exe (PID: 4972)
  - cmd.exe (PID: 5856)
- Executing commands from ".cmd" file
  - CrowdStrike.exe (PID: 7440)
  - CrowdStrike.exe (PID: 4972)
- Get information on the list of running processes
  - cmd.exe (PID: 5936)
  - cmd.exe (PID: 5856)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 5936)
  - cmd.exe (PID: 5856)
- Application launched itself
  - cmd.exe (PID: 5936)
  - cmd.exe (PID: 5856)
- Drops a file with a rarely used extension (PIF)
  - cmd.exe (PID: 5936)
- Executable content was dropped or overwritten
  - cmd.exe (PID: 5936)
  - Champion.pif (PID: 6944)
  - RegAsm.exe (PID: 7092)
- Suspicious file concatenation
  - cmd.exe (PID: 7236)
  - cmd.exe (PID: 2928)
- The executable file from the user directory is run by the CMD process
  - Champion.pif (PID: 7016)
  - Champion.pif (PID: 6944)
  - CrowdStrike.exe (PID: 4972)
- Starts application with an unusual extension
  - cmd.exe (PID: 5936)
  - cmd.exe (PID: 5856)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 5936)
  - cmd.exe (PID: 5856)
- The process creates files with name similar to system file names
  - Champion.pif (PID: 6944)
  - WerFault.exe (PID: 1764)
- Process drops legitimate windows executable
  - Champion.pif (PID: 6944)
- Starts a Microsoft application from unusual location
  - RegAsm.exe (PID: 6984)
  - RegAsm.exe (PID: 7092)
- Drops a system driver (possible attempt to evade defenses)
  - RegAsm.exe (PID: 7092)
- Checks for external IP
  - RegAsm.exe (PID: 7092)
- Write to the desktop.ini file (may be used to cloak folders)
  - RegAsm.exe (PID: 7092)
- Creates file in the systems drive root
  - RegAsm.exe (PID: 7092)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - RegAsm.exe (PID: 7092)
- Executes application which crashes
  - GameBar.exe (PID: 3360)
  - RegAsm.exe (PID: 7092)
INFO
- Create files in a temporary directory
  - CrowdStrike.exe (PID: 7440)
  - CrowdStrike.exe (PID: 4972)
  - Champion.pif (PID: 6944)
  - RegAsm.exe (PID: 7092)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3800)
- Checks supported languages
  - CrowdStrike.exe (PID: 7440)
  - Champion.pif (PID: 7016)
  - CrowdStrike.exe (PID: 4972)
  - Champion.pif (PID: 6944)
  - RegAsm.exe (PID: 7092)
  - GameBar.exe (PID: 3360)
  - StartMenuExperienceHost.exe (PID: 5720)
  - TextInputHost.exe (PID: 8000)
  - SearchApp.exe (PID: 7020)
- Reads the computer name
  - CrowdStrike.exe (PID: 7440)
  - Champion.pif (PID: 7016)
  - CrowdStrike.exe (PID: 4972)
  - Champion.pif (PID: 6944)
  - RegAsm.exe (PID: 7092)
  - TextInputHost.exe (PID: 8000)
  - GameBar.exe (PID: 3360)
  - StartMenuExperienceHost.exe (PID: 5720)
  - SearchApp.exe (PID: 7020)
- Process checks computer location settings
  - CrowdStrike.exe (PID: 7440)
  - Champion.pif (PID: 7016)
  - CrowdStrike.exe (PID: 4972)
  - StartMenuExperienceHost.exe (PID: 5720)
  - SearchApp.exe (PID: 7020)
- Reads mouse settings
  - Champion.pif (PID: 7016)
  - Champion.pif (PID: 6944)
- Reads the machine GUID from the registry
  - RegAsm.exe (PID: 7092)
  - SearchApp.exe (PID: 7020)
- Reads Environment values
  - RegAsm.exe (PID: 7092)
  - SearchApp.exe (PID: 7020)
- Disables trace logs
  - RegAsm.exe (PID: 7092)
- Checks proxy server information
  - RegAsm.exe (PID: 7092)
  - SearchApp.exe (PID: 7020)
- Reads the software policy settings
  - RegAsm.exe (PID: 7092)
  - SearchApp.exe (PID: 7020)
- Attempting to use instant messaging service
  - RegAsm.exe (PID: 7092)
- Manual execution by a user
  - WerFault.exe (PID: 1764)
- Creates files or folders in the user directory
  - WerFault.exe (PID: 1764)
  - GameBar.exe (PID: 3360)
  - WerFault.exe (PID: 7432)
- Process checks Internet Explorer phishing filters
  - SearchApp.exe (PID: 7020)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:07:20 11:11:18
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	update/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

204

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

676

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

852

timeout 15

C:\Windows\SysWOW64\timeout.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

timeout - pauses command processing

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

1764

C:\WINDOWS\system32\WerFault.exe -u -p 4016 -s 3804

C:\Windows\System32\WerFault.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll

2436

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

2928

cmd /c copy /b Treating + Viagra + Vision + Jul + Str 564784\L

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

3360

findstr /V "locatedflatrendsoperating" Ukraine

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll

3360

"C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe" -ServerName:App.AppXbdkk0yrkwpcgeaem8zk81k8py1eaahny.mca

C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226107

Modules

Images
c:\program files\windowsapps\microsoft.xboxgamingoverlay_2.34.28001.0_x64__8wekyb3d8bbwe\gamebar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\windowsapps\microsoft.vclibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\msvcp140_app.dll
c:\program files\windowsapps\microsoft.vclibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\vcruntime140_app.dll
c:\program files\windowsapps\microsoft.vclibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\vccorlib140_app.dll

3396

timeout 15

C:\Windows\SysWOW64\timeout.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

timeout - pauses command processing

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

3544

cmd /c md 564784

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

3800

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\update (1).zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

37 134

Read events

37 030

Write events

102

Delete events

Modification events


(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\update (1).zip
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3800) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

Suspicious files

1 093

Text files

140

Unknown types

Dropped files

PID	Process	Filename		Type
7440	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Recipes		binary
		MD5:D0808D4907E66F73A821AB6E7FC942C1	SHA256:221EEE5A84FDE75849816CDBB84F723E5C96A3E81922692DB21E7844B8537A04
7440	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Democracy		binary
		MD5:DEE42E543988CD988E8AEB4B03F488EB	SHA256:8F444581168196C045FABDE65F1C0667154AFE2FE6302E7FF342AEFD3B6B829D
7440	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Halo		binary
		MD5:E859420711C0FAFFEDF33DA17A2EB4B1	SHA256:5010762DC34EB3679AFE29CDA9C2040309D8A784BEA758F64ED4977773C20465
3800	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3800.10302\update\CrowdStrike.exe		executable
		MD5:755C0350038DAEFB29B888B6F8739E81	SHA256:4491901EFF338AB52C85A77A3FBD3CE80FDA738046EE3B7DA7BE468DA5B331A3
7440	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Handle		binary
		MD5:4DD2539DAA375331505B81E8BAD6F6F3	SHA256:2FA5DFE0785E6E2EE3CF30277E09BDB46D2B7FC096D40D6AAF78EC27F5B6B68B
7440	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Viagra		binary
		MD5:B6FE42E6BD0D9F4B87B6F73EF06A3D0B	SHA256:D1FBE283CCD1DB36BC91000CFB3694030DCC026FA1987118994B36C37E970E72
7440	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Ferry		binary
		MD5:05607FDAAA89639249B09951F5624870	SHA256:11BDE3AF35BD166FEA20604167525CC28A2EB2FD0BC66B054C190AF00447F50C
7440	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Buyers		binary
		MD5:A001542705E46D08B5B2D97CD0706599	SHA256:EE55F2498F769CBAF5E60C7E3E28A93BEEE507083920CF9D18C9CA9043409E56
7440	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Carroll		text
		MD5:9FAB9F640DB1F75FB8C18BFB50976ABD	SHA256:1FA1F7F0089F89E07406412C257AE546BB9728F7055F804E800E6C41A682C882
7440	CrowdStrike.exe	C:\Users\admin\AppData\Local\Temp\Consequences		pgc
		MD5:19E98CBB75F1B8BD8EFDE5FE0ABD34B2	SHA256:DF0CB092CD377DF6571BB86BB48E586E1A5012EDBE1C8A180DE8BE3FAE080356

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7092	RegAsm.exe	GET	200	104.16.185.241:80	http://icanhazip.com/	unknown	—	—	shared
7092	RegAsm.exe	GET	200	104.16.184.241:80	http://icanhazip.com/	unknown	—	—	shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
7856	svchost.exe	4.209.32.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4716	svchost.exe	40.126.32.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
5620	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2760	svchost.exe	40.115.3.253:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5672	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4716	svchost.exe	40.126.32.138:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6256	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
login.live.com	40.126.32.68 40.126.32.138 40.126.32.134 20.190.160.20 40.126.32.140 20.190.160.14 40.126.32.76 20.190.160.17	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.184.206	whitelisted
XLuvBdVPcngNKMPfoEAAuT.XLuvBdVPcngNKMPfoEAAuT	—	unknown
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
www.bing.com	92.123.104.46 92.123.104.58 92.123.104.64 92.123.104.51 92.123.104.54 92.123.104.41 92.123.104.52 92.123.104.43 92.123.104.40 104.126.37.130 104.126.37.185 104.126.37.178 104.126.37.152 104.126.37.171 104.126.37.136 104.126.37.131 104.126.37.177 104.126.37.144	whitelisted
arc.msn.com	20.199.58.43	whitelisted
fd.api.iris.microsoft.com	20.74.47.205	whitelisted
slscr.update.microsoft.com	20.114.59.183	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted

Threats

PID	Process	Class	Message
7092	RegAsm.exe	Attempted Information Leak	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
2168	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
7092	RegAsm.exe	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
2168	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
7092	RegAsm.exe	Misc activity	ET HUNTING Telegram API Certificate Observed
7092	RegAsm.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7092	RegAsm.exe	Attempted Information Leak	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
2168	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
7092	RegAsm.exe	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request

Add for printing

No debug info

General Info

update (1).zip

D32F89A8A3DD360DB3FA9B838163FFA0

66FBE2B33E545062A1399A4962B9AF4FBBD4B356

96DEC6E07229201A02F538310815C695CF6147C548FF1C6A0DEF2FE38F3DCBC8

49152:wFUG/KGKxVTQ8WqwjrFkiV4sKPGsECGu32l6PB6IVhvCT93emKGjBcAgAm/3Gbk5:wFUG/STQ8Wqw/FkiJKexu3igZv6jBcAY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Antivirus name has been found in the command line (generic signature)

Create files in the Startup directory

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Starts CMD.EXE for commands execution

Executing commands from ".cmd" file

Get information on the list of running processes

Using 'findstr.exe' to search for text patterns in files and output

Application launched itself

Drops a file with a rarely used extension (PIF)

Executable content was dropped or overwritten

Suspicious file concatenation

The executable file from the user directory is run by the CMD process

Starts application with an unusual extension

Uses TIMEOUT.EXE to delay execution

The process creates files with name similar to system file names

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Drops a system driver (possible attempt to evade defenses)

Checks for external IP

Write to the desktop.ini file (may be used to cloak folders)

Creates file in the systems drive root

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Executes application which crashes

INFO

Create files in a temporary directory

Executable content was dropped or overwritten

Checks supported languages

Reads the computer name

Process checks computer location settings

Reads mouse settings

Reads the machine GUID from the registry

Reads Environment values

Disables trace logs

Checks proxy server information

Reads the software policy settings

Attempting to use instant messaging service

Manual execution by a user

Creates files or folders in the user directory

Process checks Internet Explorer phishing filters

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information