| File name: | bulut_sorusturma-2025-03-21_R7KMPv.zip |
| Full analysis: | https://app.any.run/tasks/3470d144-a8f9-4cfb-9ae5-16c4f7af81dd |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | March 21, 2025, 11:59:01 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 23F356F10C5130D0243272C933CDFED5 |
| SHA1: | 74E9232C2F394D283E111268E051F2891D0186B8 |
| SHA256: | C2A4F6E37586E0C05190B3DB992AE9B0E66473D67B68449D3ECBD924F5DDD796 |
| SSDEEP: | 12:5jQWnT9/8y5R0Rud1apOq+rLWINmNY1Wt5tak:9xnT9sRud1aMI5j |
MALICIOUS
CVE-2024-43451 has been detected
- WinRAR.exe (PID: 2284)
SMBSCAN has been detected (SURICATA)
- System (PID: 4)
SUSPICIOUS
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 2284)
Execution of CURL command
- WinRAR.exe (PID: 2284)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 2284)
Uses pipe srvsvc via SMB (transferring data)
- conhost.exe (PID: 7684)
Executable content was dropped or overwritten
- curl.exe (PID: 7960)
The executable file from the user directory is run by the CMD process
- a.exe (PID: 8120)
Potential Corporate Privacy Violation
- curl.exe (PID: 7960)
- System (PID: 4)
Block-list domains
- curl.exe (PID: 7960)
Process requests binary or script from the Internet
- curl.exe (PID: 7960)
INFO
Execution of CURL command
- cmd.exe (PID: 7664)
Local mutex for internet shortcut management
- WinRAR.exe (PID: 2284)
Checks supported languages
- curl.exe (PID: 7960)
- a.exe (PID: 8120)
Reads the computer name
- curl.exe (PID: 7960)
Reads security settings of Internet Explorer
- BackgroundTransferHost.exe (PID: 5596)
- BackgroundTransferHost.exe (PID: 6048)
- BackgroundTransferHost.exe (PID: 2392)
Reads the software policy settings
- BackgroundTransferHost.exe (PID: 5596)
Creates files or folders in the user directory
- curl.exe (PID: 7960)
- BackgroundTransferHost.exe (PID: 5596)
Checks proxy server information
- BackgroundTransferHost.exe (PID: 5596)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2025:03:21 00:01:24 |
| ZipCRC: | 0x1827c0bd |
| ZipCompressedSize: | 195 |
| ZipUncompressedSize: | 299 |
| ZipFileName: | bulut-logs-2025-03-21.url |
Total processes
151
Monitored processes
18
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4 | System | [System Process] | |||||||||||||
User: SYSTEM Integrity Level: SYSTEM | |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2284 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\bulut_sorusturma-2025-03-21_R7KMPv.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 2392 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2852 | schtasks.exe /RUN /TN "\Microsoft\Windows\DiskCleanup\SilentCleanup" /I | C:\Windows\System32\schtasks.exe | — | a.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5596 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5960 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6048 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7324 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7356 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | — | SppExtComObj.Exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
4 597
Read events
4 567
Write events
28
Delete events
2
Modification events
| (PID) Process: | (2284) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (2284) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (2284) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (2284) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\bulut_sorusturma-2025-03-21_R7KMPv.zip | |||
| (PID) Process: | (2284) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2284) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2284) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2284) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2284) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached |
| Operation: | write | Name: | {FBF23B40-E3F0-101B-8488-00AA003E56F8} {000214E4-0000-0000-C000-000000000046} 0xFFFF |
Value: 0100000000000000E1D689A7589ADB01 | |||
| (PID) Process: | (2284) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000 | |||
Executable files
1
Suspicious files
6
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7684 | conhost.exe | \Device\Mup:\sorusturma-gelir-idaresi-baskanligi-gib-gov-tr.appdolo.store\PIPE\srvsvc | — | |
MD5:— | SHA256:— | |||
| 5596 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\426abd07-c3f0-42f9-8e70-cdb19767191c.down_data | — | |
MD5:— | SHA256:— | |||
| 2284 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2284.15860\bulut-logs-2025-03-21.url | binary | |
MD5:B48716885527B2E307086412308FF91D | SHA256:CD95DB011E5966C56CA0D771D931CB5527C483100C33BC492BFC61E188EC3986 | |||
| 5596 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D | binary | |
MD5:B97E400964900BC2D8274B887D5AA1F4 | SHA256:9EE0020FE1FECDEEE0309A80F5EB6BC02AF0793E11C4A230C7931D4C6BC662ED | |||
| 7960 | curl.exe | C:\Users\admin\AppData\Roaming\x.xml | xml | |
MD5:5796CE9C4BB6EB0B4B6FC073247A445E | SHA256:48328E322E5FF9C21CB19D9AA5DB2AF37745ED9947A20149062076BCD4AEACC2 | |||
| 5596 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\35ca4406-8e36-41ab-9eed-4a3afe45e37f.2ce3a70a-d585-4781-987d-58a36ff3b3cd.down_meta | binary | |
MD5:80D73A1EBCBECC1F56D589374F0995B5 | SHA256:88DCB528B70C204D021E05B906B62FE5F7171EE2B10A22B43EDE8414F3188A45 | |||
| 5596 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\426abd07-c3f0-42f9-8e70-cdb19767191c.2ce3a70a-d585-4781-987d-58a36ff3b3cd.down_meta | binary | |
MD5:80D73A1EBCBECC1F56D589374F0995B5 | SHA256:88DCB528B70C204D021E05B906B62FE5F7171EE2B10A22B43EDE8414F3188A45 | |||
| 7960 | curl.exe | C:\Users\admin\AppData\Roaming\a.exe | executable | |
MD5:555428E86F3EFABCBB2DC774F6609A4C | SHA256:356C2D5D2C5BC6D7B39341996755B65FA2CD642F837508DD8BDC1857E4E2EDC3 | |||
| 5596 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D | binary | |
MD5:667ACEE87615757832AA5EAB5D4D2EF3 | SHA256:39004469FAB8D84E4E1E129B7FC49E88931C89A959D1EE7E766B9DAD6AD1E082 | |||
| 5596 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\35ca4406-8e36-41ab-9eed-4a3afe45e37f.up_meta_secure | binary | |
MD5:1920A4F1598D687DF0D085983C442033 | SHA256:19BC45F34D715376E230C860B34E1774C26503078883DB166D8CA765BA1BEFBE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
25
DNS requests
19
Threats
206
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7960 | curl.exe | GET | 200 | 217.197.107.32:80 | http://bounsecz3.ddns.net/x1.xml | unknown | — | — | malicious |
7960 | curl.exe | GET | 200 | 217.197.107.32:80 | http://bounsecz3.ddns.net/a.exe | unknown | — | — | malicious |
7464 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
2772 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
2772 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
5596 | BackgroundTransferHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5496 | MoUsoCoreWorker.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 91.92.43.59:445 | sorusturma-gelir-idaresi-baskanligi-gib-gov-tr.appdolo.store | Euro Crypt EOOD | BG | unknown |
5024 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3216 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 20.190.159.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
7960 | curl.exe | 217.197.107.32:80 | bounsecz3.ddns.net | — | LU | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
sorusturma-gelir-idaresi-baskanligi-gib-gov-tr.appdolo.store |
| unknown |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
bounsecz3.ddns.net |
| malicious |
arc.msn.com |
| whitelisted |
www.bing.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] NTLM Over SMB (NTLMSSP_NEGOTIATE) |
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Possible NTLM Hash leak over SMB (NTLMSSP_AUTH) |
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] NTLM Over SMB (NTLMSSP_NEGOTIATE) |
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Query an EXE file via SMB2 from an external server |
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Successful connection to external SMB server |
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Successful connection to external SMB server |
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Successful connection to external SMB server |
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Successful connection to external SMB server |
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Successful connection to external SMB server |
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Successful connection to external SMB server |