| File name: | 13919824335.zip |
| Full analysis: | https://app.any.run/tasks/2208798b-750c-4b2a-bcc5-3f3c899ec3fb |
| Verdict: | Malicious activity |
| Analysis date: | January 04, 2024, 18:43:26 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | AB6F86538433EE3FD2F373C6E99F31C0 |
| SHA1: | 81D5CF667B24FD11EF9280382A5C651899CDEDD6 |
| SHA256: | EFB8CB497045DE271A236971F68873F30FB623135076D67CE50F3B16CC9F47B5 |
| SSDEEP: | 98304:ieQ0YuUG0g2NxRprl6b1bZR8sw7EPhyKmUKIGThgtTHAHhCnOqhdAUFMmljZ/iL3:nsnKM |
MALICIOUS
Unusual execution from MS Office
- EXCEL.EXE (PID: 584)
Uses Task Scheduler to run other applications
- cmd.exe (PID: 2328)
Steals credentials from Web Browsers
- taskhost.exe (PID: 3452)
SUSPICIOUS
Creates a Folder object (SCRIPT)
- EXCEL.EXE (PID: 584)
Starts application with an unusual extension
- EXCEL.EXE (PID: 584)
Runs shell command (SCRIPT)
- EXCEL.EXE (PID: 584)
Reads the Internet Settings
- ccupdate.tmp (PID: 1636)
- rundll32.exe (PID: 2424)
- rundll32.exe (PID: 3856)
- sipnotify.exe (PID: 2092)
Uses RUNDLL32.EXE to load library
- ccupdate.tmp (PID: 1636)
- rundll32.exe (PID: 4060)
- rundll32.exe (PID: 3856)
Starts CMD.EXE for commands execution
- rundll32.exe (PID: 2424)
The process verifies whether the antivirus software is installed
- rundll32.exe (PID: 2424)
Reads settings of System Certificates
- sipnotify.exe (PID: 2092)
INFO
The process uses the downloaded file
- EXCEL.EXE (PID: 584)
Manual execution by a user
- EXCEL.EXE (PID: 584)
- mmc.exe (PID: 2588)
- mmc.exe (PID: 2724)
- IMEKLMG.EXE (PID: 4032)
- IMEKLMG.EXE (PID: 4048)
- wmpnscfg.exe (PID: 784)
- wmpnscfg.exe (PID: 1652)
Checks supported languages
- ccupdate.tmp (PID: 1636)
- IMEKLMG.EXE (PID: 4048)
- IMEKLMG.EXE (PID: 4032)
- wmpnscfg.exe (PID: 784)
- wmpnscfg.exe (PID: 1652)
Reads the computer name
- ccupdate.tmp (PID: 1636)
- IMEKLMG.EXE (PID: 4032)
- wmpnscfg.exe (PID: 784)
- wmpnscfg.exe (PID: 1652)
- IMEKLMG.EXE (PID: 4048)
Create files in a temporary directory
- ccupdate.tmp (PID: 1636)
- rundll32.exe (PID: 2424)
Executes as Windows Service
- taskhost.exe (PID: 3452)
- EOSNotify.exe (PID: 3552)
The process executes via Task Scheduler
- ctfmon.exe (PID: 4084)
- sipnotify.exe (PID: 2092)
- rundll32.exe (PID: 4060)
Application launched itself
- rundll32.exe (PID: 3856)
- rundll32.exe (PID: 4060)
Reads security settings of Internet Explorer
- sipnotify.exe (PID: 2092)
Creates files or folders in the user directory
- rundll32.exe (PID: 3764)
Process checks are UAC notifies on
- IMEKLMG.EXE (PID: 4048)
- IMEKLMG.EXE (PID: 4032)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0009 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 1980:00:00 00:00:00 |
| ZipCRC: | 0x02025902 |
| ZipCompressedSize: | 2517251 |
| ZipUncompressedSize: | 4594396 |
| ZipFileName: | 52e3a856548825ec0a3d6630e881ff4f79d2a11bc3420a73d42e161fabed53d9 |
Total processes
76
Monitored processes
20
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 584 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 784 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1636 | C:\Users\admin\AppData\Roaming\ccupdate.tmp | C:\Users\admin\AppData\Roaming\ccupdate.tmp | — | EXCEL.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1652 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2044 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\13919824335.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 1073807364 Version: 5.91.0 Modules
| |||||||||||||||
| 2092 | C:\Windows\system32\sipnotify.exe -LogonOrUnlock | C:\Windows\System32\sipnotify.exe | taskeng.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: sipnotify Exit code: 0 Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716) Modules
| |||||||||||||||
| 2328 | "C:\Windows\System32\cmd.exe" /C schtasks.exe /Create /f /XML C:\Users\admin\AppData\Local\Temp\sduchxll.tmp /TN MSAProfileNotificationHandler | C:\Windows\System32\cmd.exe | — | rundll32.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2424 | "C:\Windows\System32\rundll32.exe" conf4256.dll f8qb1355 d665 | C:\Windows\System32\rundll32.exe | — | ccupdate.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2588 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\System32\mmc.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Management Console Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2620 | schtasks.exe /Create /f /XML C:\Users\admin\AppData\Local\Temp\sduchxll.tmp /TN MSAProfileNotificationHandler | C:\Windows\System32\schtasks.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
10 017
Read events
9 901
Write events
100
Delete events
16
Modification events
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (584) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
Executable files
1
Suspicious files
8
Text files
8
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR5B2B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\ccupdate.tmp | — | |
MD5:— | SHA256:— | |||
| 584 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\ccupdate.tmp | — | |
MD5:— | SHA256:— | |||
| 584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF4275E00CCD997398.TMP | — | |
MD5:— | SHA256:— | |||
| 584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso5FEF.tmp | — | |
MD5:— | SHA256:— | |||
| 1636 | ccupdate.tmp | C:\Users\admin\AppData\Local\Temp\tmp5696\conf4256.dll | — | |
MD5:— | SHA256:— | |||
| 1636 | ccupdate.tmp | C:\Users\admin\AppData\Local\Temp\tmp5696\d665 | — | |
MD5:— | SHA256:— | |||
| 1636 | ccupdate.tmp | C:\Users\admin\AppData\Local\Temp\tmp5696\Background.bmp | — | |
MD5:— | SHA256:— | |||
| 2424 | rundll32.exe | C:\ProgramData\MSAProfileNotificationHandler.dll | — | |
MD5:— | SHA256:— | |||
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2044.30611\52e3a856548825ec0a3d6630e881ff4f79d2a11bc3420a73d42e161fabed53d9 | document | |
MD5:EF9BA2491DBDF4FD10C259227F1DF80E | SHA256:52E3A856548825EC0A3D6630E881FF4F79D2A11BC3420A73D42E161FABED53D9 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2092 | sipnotify.exe | HEAD | 200 | 23.197.138.118:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133488676485670000 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2092 | sipnotify.exe | 23.197.138.118:80 | query.prod.cms.rt.microsoft.com | Akamai International B.V. | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
query.prod.cms.rt.microsoft.com |
| whitelisted |
Threats
Process | Message |
|---|---|
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | Fetching Next Channel failed -259-No more data is available
|
mmc.exe | Failed to get ChannelConfigOwningPublisher -122-The data area passed to a system call is too small
|
mmc.exe | Getting next publisher from enum failed-259-No more data is available
|
mmc.exe | Failed to get ChannelConfigOwningPublisher -122-The data area passed to a system call is too small
|
mmc.exe | Failed to get ChannelConfigOwningPublisher -122-The data area passed to a system call is too small
|
mmc.exe | Failed to get ChannelConfigOwningPublisher -122-The data area passed to a system call is too small
|