| File name: | b7e042d2accdf4a488c3cd46ccd95d6ad5b5a8be71b5d6d76b8046f17debaa18.zip |
| Full analysis: | https://app.any.run/tasks/0135a372-ac5b-4907-a5d1-ecbe866c96a1 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | January 23, 2024, 14:10:49 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract |
| MD5: | 2EA79D476FF0006C73CF3C90027351B3 |
| SHA1: | DE91A1CA2CA55ED0ED3B0BAB5AC42132271F08D5 |
| SHA256: | B7E042D2ACCDF4A488C3CD46CCD95D6AD5B5A8BE71B5D6D76B8046F17DEBAA18 |
| SSDEEP: | 6144:55jSAx5O9lYDFC6Qj+23IywGcIzimbiDpqqHz:5hSAxg9uFC6q+23IyNLbiNqE |
MALICIOUS
PUBLOAD has been detected (SURICATA)
- Analysis of the third meeting of NDSC.exe (PID: 664)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 2580)
- Analysis of the third meeting of NDSC.exe (PID: 664)
SUSPICIOUS
Executable content was dropped or overwritten
- Analysis of the third meeting of NDSC.exe (PID: 664)
INFO
Checks supported languages
- Analysis of the third meeting of NDSC.exe (PID: 664)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 2580)
Reads the computer name
- Analysis of the third meeting of NDSC.exe (PID: 664)
Creates files in the program directory
- Analysis of the third meeting of NDSC.exe (PID: 664)
Creates files or folders in the user directory
- Analysis of the third meeting of NDSC.exe (PID: 664)
Reads the machine GUID from the registry
- Analysis of the third meeting of NDSC.exe (PID: 664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2023:11:09 10:56:08 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | Analysis of the third meeting of NDSC/ |
Total processes
39
Monitored processes
2
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 664 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2580.4577\Analysis of the third meeting of NDSC\Analysis of the third meeting of NDSC.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2580.4577\Analysis of the third meeting of NDSC\Analysis of the third meeting of NDSC.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2580 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\b7e042d2accdf4a488c3cd46ccd95d6ad5b5a8be71b5d6d76b8046f17debaa18.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
Total events
1 149
Read events
1 132
Write events
17
Delete events
0
Modification events
| (PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
Executable files
4
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 664 | Analysis of the third meeting of NDSC.exe | C:\ProgramData\gameinstall\BrMod104.dll | executable | |
MD5:9986675DD46EBD333589419456A70C50 | SHA256:2A00D95B658E11CA71A8DE532999DD33DDEE7F80432653427EAA885B611DDD87 | |||
| 2580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2580.4577\Analysis of the third meeting of NDSC\BrMod104.dll | executable | |
MD5:9986675DD46EBD333589419456A70C50 | SHA256:2A00D95B658E11CA71A8DE532999DD33DDEE7F80432653427EAA885B611DDD87 | |||
| 2580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2580.4577\Analysis of the third meeting of NDSC\Analysis of the third meeting of NDSC.exe | executable | |
MD5:12A77201922AF5EB8302B24401817FCD | SHA256:CE4F7E7CE82A5621B5409CCB633E27269A05CE17D1B049FEDA9FBC4793E6C484 | |||
| 664 | Analysis of the third meeting of NDSC.exe | C:\ProgramData\gameinstall\Analysis of the third meeting of NDSC.exe | executable | |
MD5:12A77201922AF5EB8302B24401817FCD | SHA256:CE4F7E7CE82A5621B5409CCB633E27269A05CE17D1B049FEDA9FBC4793E6C484 | |||
| 664 | Analysis of the third meeting of NDSC.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\a6356ecc6025d4d797fc752f6fd045e2_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | |
MD5:3FC7E09170C27C7FC9C3528478D0CEBD | SHA256:FED9FC43BEEC04D9967E6ED8CA0A309D5112F16338D2FB588997C35F7B7A221A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
10
DNS requests
0
Threats
8
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
664 | Analysis of the third meeting of NDSC.exe | POST | 200 | 123.253.32.15:443 | http://www.asia.microsoft.com:443/v11/2/windowsupdate/redir/v6-winsp1-wuredir?878182977 | unknown | text | 24.0 Kb | unknown |
664 | Analysis of the third meeting of NDSC.exe | POST | 200 | 123.253.32.15:443 | http://www.download.windowsupdate.com:443/msdownload/update/v3/static/trustedr/en/GrKTNorS43_yHJ4CcLVRYo6jp | unknown | text | 8 b | unknown |
664 | Analysis of the third meeting of NDSC.exe | POST | 200 | 123.253.32.15:443 | http://www.download.windowsupdate.com:443/msdownload/update/v3/static/trustedr/en/Xd0I9qbTGiAUnRTePkCqRHWee | unknown | text | 8 b | unknown |
664 | Analysis of the third meeting of NDSC.exe | POST | 200 | 123.253.32.15:443 | http://www.download.windowsupdate.com:443/msdownload/update/v3/static/trustedr/en/bNvlxd5tlCCElzWbh4xyJPcQc | unknown | text | 8 b | unknown |
664 | Analysis of the third meeting of NDSC.exe | POST | 200 | 123.253.32.15:443 | http://www.download.windowsupdate.com:443/msdownload/update/v3/static/trustedr/en/R5A_XPvfqXQZTEzgr6SRwKjyP | unknown | text | 8 b | unknown |
664 | Analysis of the third meeting of NDSC.exe | POST | 200 | 123.253.32.15:443 | http://www.download.windowsupdate.com:443/msdownload/update/v3/static/trustedr/en/ZWD4vvpphsx1WJTir5R4NqdIw | unknown | text | 8 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
664 | Analysis of the third meeting of NDSC.exe | 123.253.32.15:443 | — | Gigabit Hosting Sdn Bhd | MY | unknown |
DNS requests
Threats
PID | Process | Class | Message |
|---|---|---|---|
664 | Analysis of the third meeting of NDSC.exe | Malware Command and Control Activity Detected | LOADER [ANY.RUN] PUBLOAD Activity (Earth Preta / Mustang Panda) |
664 | Analysis of the third meeting of NDSC.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
664 | Analysis of the third meeting of NDSC.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
664 | Analysis of the third meeting of NDSC.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
664 | Analysis of the third meeting of NDSC.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
664 | Analysis of the third meeting of NDSC.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
664 | Analysis of the third meeting of NDSC.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
664 | Analysis of the third meeting of NDSC.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |