| File name: | 1111.zip |
| Full analysis: | https://app.any.run/tasks/c2d04384-0205-4081-a01b-cc2e9d88e5e0 |
| Verdict: | Malicious activity |
| Analysis date: | December 02, 2023, 18:03:10 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 0DC70BF6A8BA0B3A37D65A1260379185 |
| SHA1: | 7ECF2566AEA392921EEEF26AD6BFBFB83B7B8B2F |
| SHA256: | B6FA1F48A9D5621C6EC6784E25E0C342AA2D2C89EDDFADF46E0CC4D46A8A20A2 |
| SSDEEP: | 96:+6g1XSO57/F8x68rav/TUqbGECl2nxCtEV3gYCuqw78Sk6Ez/ksYQ4W0rccidSfK:i57it24/xUQ+VRCU783DzssrLMPnTW |

| .zip | ZIP compressed archive (100) |

| ZipRequiredVersion: | 20 |
| ZipBitFlag: | 0x0001 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2023:12:02 17:28:10 |
| ZipCRC: | 0x7fdb6071 |
| ZipCompressedSize: | 4589 |
| ZipUncompressedSize: | 14055 |
| ZipFileName: | Defender detected and quarantined 'Trojan:HTML/FakeAlert' in file 'This computer is BLOCKED.htm' during a scheduled scan |

| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 924 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=3624 --field-trial-handle=1188,i,13189726541380019095,7171067811204388264,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
| | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 0; Version: 109.0.5414.120 | | | |
| 1008 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3820 --field-trial-handle=1188,i,13189726541380019095,7171067811204388264,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
| | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 109.0.5414.120 | | | |
| 1276 | C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate | C:\Windows\System32\reg.exe | — | Skype.exe | |||||||||||
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 1752 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2116 --field-trial-handle=1188,i,13189726541380019095,7171067811204388264,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
| | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 109.0.5414.120 | | | |
| 1928 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2108 --field-trial-handle=1188,i,13189726541380019095,7171067811204388264,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
| | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 109.0.5414.120 | | | |
| 2080 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=2240 --field-trial-handle=1188,i,13189726541380019095,7171067811204388264,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
| | User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 0; Version: 109.0.5414.120 | | | |
| 2332 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 --field-trial-handle=1312,i,17947882893896138863,12666991947265182938,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe | |||||||||||
| | User: admin; Company: Skype Technologies S.A.; Integrity Level: LOW; Description: Skype; Exit code: 0; Version: 8.100.0.203 | | | |
| 2344 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2232 --field-trial-handle=1188,i,13189726541380019095,7171067811204388264,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
| | User: admin; Company: Google LLC; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 109.0.5414.120 | | | |
| 2492 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1312,i,17947882893896138863,12666991947265182938,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe | |||||||||||
| | User: admin; Company: Skype Technologies S.A.; Integrity Level: MEDIUM; Description: Skype; Exit code: 0; Version: 8.100.0.203 | | | |
| 2600 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad" --url=appcenter://generic?aid=a7417433-29d9-4bc0-8826-af367733939d&iid=ad142ee9-ecfe-4580-ec0f-259fb963ccd2&uid=ad142ee9-ecfe-4580-ec0f-259fb963ccd2 --annotation=IsOfficialBuild=1 --annotation=_companyName=Skype --annotation=_productName=skype-preview --annotation=_version=8.100.0.203 "--annotation=exe=C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=19.1.8 --initial-client-data=0x338,0x33c,0x340,0x334,0x344,0x7c63398,0x7c633a8,0x7c633b4 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Skype.exe | ||||||||||||
| | User: admin; Company: Skype Technologies S.A.; Integrity Level: MEDIUM; Description: Skype; Exit code: 0; Version: 8.100.0.203 | | | |

| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E |
| Operation: | write | Name: | LanguageList |
| Value: | en-US | | |
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
| Value: | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | | |
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
| Value: | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | | |
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
| Value: | C:\Users\admin\Desktop\phacker.zip | | |
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
| Value: | 120 | | |
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
| Value: | 80 | | |
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
| Value: | 120 | | |
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
| Value: | 100 | | |
| (PID) Process: | (3728) notepad++.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E |
| Operation: | write | Name: | LanguageList |
| Value: | en-US | | |
| (PID) Process: | (3728) notepad++.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | NodeSlots |
Value: 020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3028 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\settings.dat | binary | 5D187988D1591D3FD80F3EEA284F3A4D | ADACD52C6DAEA932EE305C540588D43B2FEE1A1307D7E98B84778A10D104646B |
| 3028 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old | text | B4DCEF7068BF63E8D712B7528F1E9932 | 87D49743322980F35B8BAFDA3A6CDE33CCF9F03C4610782DA596CFCEB7CD873B |
| 3028 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old~RF20b6d1.TMP | text | E1DDEA1CF3B526AB5670B1BD5DB17961 | CC37017D6A77C63A9786DC9E7555696B1C862745F1A35D24672D981D7E44F42F |
| 3028 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json | binary | 0BCF67703377596741628EC37DF8D67A | B23B8EE723EC0CF5651A2182F63AEEB51C3CB2FA3488A8DDC0274C2BA2BF1912 |
| 3028 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\52443478-18e1-438c-85b6-2cf4ccaf2e6f\Code Cache\js\index | binary | 54CB446F628B2EA4A5BCE5769910512E | FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D |
| 3028 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EIWZE688OU7LS07DTMTA.temp | binary | 47F942424BF006D023A0B4505A3711AB | 97CF99F6C785082A0041A08526239159508878AE85837993B4EE4C9AABF5C235 |
| 3276 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\CS_skylib\CS_shared.conf | binary | 99914B932BD37A50B983C5E7C90AE93B | 44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A |
| 3028 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\52443478-18e1-438c-85b6-2cf4ccaf2e6f\Local Storage\leveldb\MANIFEST-000001 | binary | 5AF87DFD673BA2115E2FCF5CFDB727AB | F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 |
| 3028 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\GPUCache\data_1 | binary | 1C5A4267A663675990A50EAA2678A4CD | AD31759BA56047CAA6AA78B87C11FA8F5325A3A3F18B604040B45ACA26462081 |
| 2644 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2644.18762\Defender detected and quarantined 'Trojan_HTML\FakeAlert' in file 'This computer is BLOCKED.htm' during a scheduled scan | html | 1AB11E5B375FAC2FAD33F8B9B076DE2C | 6312423C788C54C82C78714982783609875EDD76FACC2AF8AD94F0F75DD11B77 |

PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3028 | Skype.exe | 52.113.194.133:443 | get.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
3028 | Skype.exe | 13.107.42.16:443 | a.config.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3028 | Skype.exe | 40.79.197.35:443 | pipe.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | JP | unknown |
3216 | Skype.exe | 172.217.16.206:443 | redirector.gvt1.com | GOOGLE | US | whitelisted |
3216 | Skype.exe | 13.107.246.45:443 | gateway.bingviz.microsoftapp.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
3216 | Skype.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |

| Domain | IP | Reputation |
|---|---|---|
| get.skype.com | | whitelisted |
| a.config.skype.com | | whitelisted |
| pipe.skype.com | | whitelisted |
| redirector.gvt1.com | | whitelisted |
| gateway.bingviz.microsoftapp.net | | unknown |
| login.live.com | | whitelisted |
| b.config.skype.com | | whitelisted |
| browser.pipe.aria.microsoft.com | | whitelisted |
| clientservices.googleapis.com | | whitelisted |
| accounts.google.com | | shared |

| Process | Message |
|---|---|
| Skype.exe | [1202/180338.536:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\attachments\3a0ee62b-79ac-4cc3-bbd5-f65252e7a91f: The system cannot find the file specified. (0x2) |
| notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll |
| notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3 |
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe |
| notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
| notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3 |
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll |
| notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe |