Malware analysis Official invitation.zip Malicious activity

Add for printing

File name:	Official invitation.zip
Full analysis:	https://app.any.run/tasks/a3546157-2160-4d96-aec6-25224fa14128
Verdict:	Malicious activity
Analysis date:	December 24, 2024, 10:22:08
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	17F8B90BC723FC70A1874FBAB149C84D
SHA1:	19739E0D21FB6BE235ECC3252370AE6CC39E4BB5
SHA256:	C0C1E0F4736A95893ECD6DA8B093B07CD1413A6735E3C6B379D161C9F2ADB45C
SSDEEP:	98304:nulftCshNKEzUOLqVRaeKtqW6QjrDZyMl5e1kDNzHNzm1Bwmw+c2SJBWLLeI9xPD:U9BFHbhJ6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: on
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 3144)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Official invitation.exe (PID: 6680)
- The process executes via Task Scheduler
  - emailService.exe (PID: 4876)
- Reads security settings of Internet Explorer
  - emailService.exe (PID: 4876)
- Checks Windows Trust Settings
  - emailService.exe (PID: 4876)
- Connects to unusual port
  - emailService.exe (PID: 4876)
INFO
- The process uses the downloaded file
  - WinRAR.exe (PID: 3144)
  - emailService.exe (PID: 4876)
- Creates files or folders in the user directory
  - Official invitation.exe (PID: 6680)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3144)
- Reads the computer name
  - Official invitation.exe (PID: 6680)
  - Official invitation.exe (PID: 4244)
  - emailService.exe (PID: 4876)
- Reads the machine GUID from the registry
  - Official invitation.exe (PID: 6680)
  - emailService.exe (PID: 4876)
- Checks supported languages
  - Official invitation.exe (PID: 6680)
  - Official invitation.exe (PID: 4244)
  - emailService.exe (PID: 4876)
- Manual execution by a user
  - Official invitation.exe (PID: 6680)
  - Official invitation.exe (PID: 4244)
- Create files in a temporary directory
  - emailService.exe (PID: 4876)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:12:23 22:11:16
ZipCRC:	0x9e1783f1
ZipCompressedSize:	5649824
ZipUncompressedSize:	7522816
ZipFileName:	Official invitation.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

133

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3144

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Official invitation.zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

4244

"C:\Users\admin\Downloads\Official invitation\Official invitation.exe"

C:\Users\admin\Downloads\Official invitation\Official invitation.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

TatoPm

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\downloads\official invitation\official invitation.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

4876

"C:\users\admin\AppData\Local\Microsoft\Windows\serviceTools\emailService.exe" -all 12.10.2022

C:\Users\admin\AppData\Local\Microsoft\Windows\serviceTools\emailService.exe

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Description:

EmailManagement

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\microsoft\windows\servicetools\emailservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

6620

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

6680

"C:\Users\admin\Downloads\Official invitation\Official invitation.exe"

C:\Users\admin\Downloads\Official invitation\Official invitation.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

TatoPm

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\downloads\official invitation\official invitation.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

7060

C:\WINDOWS\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding

C:\Windows\explorer.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\twinapi.dll

7124

C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\SysWOW64\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

COM Surrogate

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll

Add for printing

Total events

12 076

Read events

12 043

Write events

Delete events

Modification events


(PID) Process:	(3144) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(3144) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(3144) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(3144) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Downloads\Official invitation.zip
(PID) Process:	(3144) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3144) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3144) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3144) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3144) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	15
Value:
(PID) Process:	(3144) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	14
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4876	emailService.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cbfsyj00.bwl.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6680	Official invitation.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\serviceTools\emailService.exe.config		xml
		MD5:8CD05ED3D741BE3F20CA182BE6F429A7	SHA256:D7BE84B65B10076A7658C35124CE114C7E2B451B6EDBA4D1A41B5473E58D0EC0
4876	emailService.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_iczwx5ea.r0r.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4876	emailService.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_f3ljelqo.qpa.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4876	emailService.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0f1hues2.xvq.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6680	Official invitation.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\serviceTools\emailService.exe		executable
		MD5:D4F77F6188C428DB6A1E17A73E71A99D	SHA256:BCE30DF20DD93249B57A871F0E5D5791E8C9209ED79BBC967AE054BA3C54315D
4876	emailService.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache		binary
		MD5:5F62DFB53E47D6CD6715ABE772A855F8	SHA256:C327736DF96A1BC7AC8A64CFC9935A7665EE601ACCC469BAB24E3822FA7AEFC0
3144	WinRAR.exe	C:\Users\admin\Downloads\Official invitation\Official invitation.exe		executable
		MD5:1A650573EB02A9FAF93E9C1853A42F08	SHA256:F8F1D1C5076B045E3FCB0CFEFE99118696916775EBF2A1385211752443080F1D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5064	SearchApp.exe	2.23.209.140:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3996	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3976	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5064	SearchApp.exe	104.126.37.152:443	www.bing.com	Akamai International B.V.	DE	whitelisted
5064	SearchApp.exe	204.79.197.222:443	fp.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4876	emailService.exe	37.98.226.123:993	eco.pmo.gov.iq	ScopeSky for communications, internet and technology services LLC	IQ	unknown

DNS requests

Domain	IP	Reputation
www.bing.com	2.23.209.140 2.23.209.135 2.23.209.150 2.23.209.141 2.23.209.149 2.23.209.144 2.23.209.133 2.23.209.148 2.23.209.131 104.126.37.152 104.126.37.123 104.126.37.155 104.126.37.130 104.126.37.171 104.126.37.178 104.126.37.137 104.126.37.136 104.126.37.170	whitelisted
google.com	142.250.185.78	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
fp.msedge.net	204.79.197.222	whitelisted
self.events.data.microsoft.com	52.182.143.214	whitelisted
eco.pmo.gov.iq	37.98.226.123	unknown
dns.msftncsi.com	131.107.255.255	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18 2a01:111:f100:a000::4134:4847	whitelisted
18.31.95.13.in-addr.arpa	—	unknown

Threats

No threats detected

Add for printing

No debug info

General Info

Official invitation.zip

17F8B90BC723FC70A1874FBAB149C84D

19739E0D21FB6BE235ECC3252370AE6CC39E4BB5

C0C1E0F4736A95893ECD6DA8B093B07CD1413A6735E3C6B379D161C9F2ADB45C

98304:nulftCshNKEzUOLqVRaeKtqW6QjrDZyMl5e1kDNzHNzm1Bwmw+c2SJBWLLeI9xPD:U9BFHbhJ6

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

SUSPICIOUS

Executable content was dropped or overwritten

The process executes via Task Scheduler

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Connects to unusual port

INFO

The process uses the downloaded file

Creates files or folders in the user directory

Executable content was dropped or overwritten

Reads the computer name

Reads the machine GUID from the registry

Checks supported languages

Manual execution by a user

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings