File name: Electronic form Dt 06.21.2022.zip

Full analysis: https://app.any.run/tasks/c26ee8b7-3d99-4e4f-b51f-61adf280b26f
Verdict: Malicious activity
Threats: loader

A loader is malware whose job is to deliver other payloads. After infecting a machine it profiles the system and then installs further threats such as trojans or stealers. Loaders are usually delivered through phishing emails and links, relying on social engineering to get the victim to download and run the file, and they use evasion and persistence techniques to avoid detection.

Analysis date: June 27, 2022, 07:33:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 4E76C0E72D78D9EE18C0333F404C26CF
SHA1: 34F2EAE8240312C5BC605352E86100827611CD2F
SHA256: F732FEB8786A9C7A8EE81913C07EF0494923E830C24B5095A4A216853D575C22
SSDEEP: 384:ep6TNm6xI9xekHLn++6T0IEvYS51l/zOo8vz5Eqvj3cT/WiQ:S6s6G5QT03vYS5/zOPdvYT/WiQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
MALICIOUS
  • Drops executable file immediately after start: EXCEL.EXE (PID 3416)
  • Executable content was dropped or overwritten: EXCEL.EXE (PID 3416)
  • Registers / runs a DLL via REGSVR32.EXE: EXCEL.EXE (PID 3416)
  • Unusual execution from Microsoft Office: EXCEL.EXE (PID 3416)
SUSPICIOUS
  • Reads the computer name: WinRAR.exe (PID 804)
  • Checks supported languages: WinRAR.exe (PID 804)
  • Starts Microsoft Office application: WinRAR.exe (PID 804)
  • Reads default file associations for system extensions: WinRAR.exe (PID 804)
  • Drops a file with a compile date too recent: EXCEL.EXE (PID 3416)
INFO
  • Reads Microsoft Office registry keys: WinRAR.exe (PID 804), EXCEL.EXE (PID 3416)
  • Checks supported languages: EXCEL.EXE (PID 3416), regsvr32.exe (PIDs 2420, 3532, 2400)
  • Reads the computer name: EXCEL.EXE (PID 3416)
  • Creates files in the user directory: EXCEL.EXE (PID 3416)
  • Reads settings of System Certificates: EXCEL.EXE (PID 3416)
  • Checks Windows Trust Settings: EXCEL.EXE (PID 3416)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF (ZIP)
ZipFileName: Electronic form Dt 06.21.2022.xls
ZipUncompressedSize: 56832
ZipCompressedSize: 18590
ZipCRC: 0x7cc818cd
ZipModifyDate: 2022:06:21 22:15:02
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 788
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Explorer.EXE > WinRAR.exe (PID 804) > EXCEL.EXE (PID 3416) > regsvr32.exe (PIDs 2420, 3532, 2400)

Process information

PID 804    Parent process: Explorer.EXE
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Electronic form Dt 06.21.2022.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity level: MEDIUM
  Description: WinRAR archiver | Version: 5.91.0

PID 3416   Parent process: WinRAR.exe
  CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Microsoft Excel | Version: 14.0.6024.1000

PID 2420   Parent process: EXCEL.EXE
  CMD: C:\Windows\System32\regsvr32.exe /S ..\peg1.ocx
  Path: C:\Windows\System32\regsvr32.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Microsoft(C) Register Server | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Exit code: 3

PID 3532   Parent process: EXCEL.EXE
  CMD: C:\Windows\System32\regsvr32.exe /S ..\peg2.ocx
  Path: C:\Windows\System32\regsvr32.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Microsoft(C) Register Server | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Exit code: 3

PID 2400   Parent process: EXCEL.EXE
  CMD: C:\Windows\System32\regsvr32.exe /S ..\peg3.ocx
  Path: C:\Windows\System32\regsvr32.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Microsoft(C) Register Server | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Exit code: 3

Exit code 3 from regsvr32 means LoadLibrary failed: the module could not be mapped, so neither DllMain nor DllRegisterServer ran in those three processes and the payload did not execute in this run. The report does not show why the load failed; on a 32-bit guest like this one, a 64-bit DLL is one common reason, but confirming that needs the dropped file itself. The relative path (..\peg1.ocx) resolves against Excel's working directory, which is why the file lands directly under C:\Users\admin.
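The process table above is the part of this report a detection engineer would turn into a rule: an archiver launching Excel, and Excel silently registering three .ocx files from a relative path through regsvr32, all exiting with code 3. The Python below is an example added by the editor, not ANY.RUN's code; it replays the table's five processes through a small detection routine that walks the parent chain, parses the regsvr32 command line and decodes the exit code. The EVENTS records, their field names and the ppid values (inferred from the parent names the report shows) are assumptions made for the example, not an EDR export.

```python
"""Flag the archive -> Office -> regsvr32 chain recorded in this report.

Editor-added example; not ANY.RUN code and not part of the sample. EVENTS is
constructed from the Process information table: PIDs, command lines, parent
names and exit codes are the report's; the record layout and ppid values are
assumptions for the example.
"""
import ntpath

ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe"}
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "cmd.exe", "powershell.exe", "certutil.exe"}

# regsvr32.exe documented return codes.
REGSVR32_EXIT = {0: "success", 1: "invalid argument", 2: "OleInitialize failed",
                 3: "LoadLibrary failed", 4: "GetProcAddress failed",
                 5: "DllRegisterServer/DllUnregisterServer returned an error"}

# Constructed from the report's process table (ppid values are inferred).
EVENTS = [
    {"pid": 804, "ppid": None, "parent": "Explorer.EXE", "exit_code": None,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Electronic form Dt 06.21.2022.zip"'},
    {"pid": 3416, "ppid": 804, "parent": "WinRAR.exe", "exit_code": None,
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'},
    {"pid": 2420, "ppid": 3416, "parent": "EXCEL.EXE", "exit_code": 3,
     "image": r"C:\Windows\System32\regsvr32.exe", "cmd": r"C:\Windows\System32\regsvr32.exe /S ..\peg1.ocx"},
    {"pid": 3532, "ppid": 3416, "parent": "EXCEL.EXE", "exit_code": 3,
     "image": r"C:\Windows\System32\regsvr32.exe", "cmd": r"C:\Windows\System32\regsvr32.exe /S ..\peg2.ocx"},
    {"pid": 2400, "ppid": 3416, "parent": "EXCEL.EXE", "exit_code": 3,
     "image": r"C:\Windows\System32\regsvr32.exe", "cmd": r"C:\Windows\System32\regsvr32.exe /S ..\peg3.ocx"},
]


def split_cmdline(cmd):
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, current, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def regsvr32_module(tokens):
    """The module argument: first token after argv[0] that is not a /switch or -switch."""
    return next((t for t in tokens[1:] if not t.startswith(("/", "-"))), None)


def is_untrusted_module_path(path):
    """Relative paths resolve against the caller's CWD (for Office, usually the user
    profile); anything under a user-writable directory is attacker-controlled."""
    p = path.lower()
    if not ntpath.isabs(p):
        return True
    return any(m in p for m in ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\"))


def ancestry(event, by_pid):
    """Render the chain root-first, e.g. 'Explorer.EXE > WinRAR.exe > EXCEL.EXE > regsvr32.exe'."""
    names, current = [], event
    while True:
        names.append(ntpath.basename(current["image"]))
        parent = by_pid.get(current.get("ppid"))
        if parent is None:
            if current.get("parent"):  # root's parent is named but was not monitored
                names.append(current["parent"])
            break
        current = parent
    return " > ".join(reversed(names))


def detect(events):
    """Findings for Office -> LOLBin children and Office launched by an archiver."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        parent = (e.get("parent") or "").lower()
        if name in LOLBINS and parent in OFFICE:
            f = {"pid": e["pid"], "rule": "office_spawns_lolbin", "severity": "high",
                 "chain": ancestry(e, by_pid)}
            if name == "regsvr32.exe":
                tokens = split_cmdline(e["cmd"])
                module = regsvr32_module(tokens)
                f["module"] = module
                f["silent"] = any(t.lower() in ("/s", "-s") for t in tokens[1:])
                f["untrusted_module_path"] = module is not None and is_untrusted_module_path(module)
                f["exit_meaning"] = REGSVR32_EXIT.get(e.get("exit_code"), "unknown")
            findings.append(f)
        elif name in OFFICE and parent in ARCHIVERS:
            findings.append({"pid": e["pid"], "rule": "office_launched_from_archive",
                             "severity": "medium", "chain": ancestry(e, by_pid)})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run against the report's data this yields one medium finding for Excel (launched by WinRAR) and three high findings for the regsvr32 children, each with silent=True, an untrusted relative module path and the exit code decoded as "LoadLibrary failed". The same routine applied to real process-creation telemetry (Sysmon event 1 or an EDR export) only needs the field names mapped.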
Total events: 6,811
Read events: 6,712
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 5
Text files: 1
Unknown types: 2

Dropped files

3416  EXCEL.EXE   C:\Users\admin\AppData\Local\Temp\CVR2131.tmp.cvr  (type and hashes not recorded in the report)

804   WinRAR.exe  C:\Users\admin\AppData\Local\Temp\Rar$DIb804.38524\Electronic form Dt 06.21.2022.xls  [document]
      MD5 B4AA7A6790D8D0A4484FEE5C9D3EDD91
      SHA256 A0DE1F3AF78BEF68DDFCABF4B7CEDFA0E466AC65648A5E81E591702B463C96B1

3416  EXCEL.EXE   C:\Users\admin\peg1.ocx  [executable]
      MD5 400ACF98C6709C5789F5AE59287C8E8E
      SHA256 3A845CF36F9A04EB6FA48E329316966BC0FA456D1DC68CE315E41BDDA3B50EC4

3416  EXCEL.EXE   C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\5eArcW7P[1].dll  [executable]
      MD5 400ACF98C6709C5789F5AE59287C8E8E
      SHA256 3A845CF36F9A04EB6FA48E329316966BC0FA456D1DC68CE315E41BDDA3B50EC4

3416  EXCEL.EXE   C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F8B7C3256F5D1243492F6BA96F024FA4  [binary]
      MD5 859CAEE8678A539AF4962056777FFBDD
      SHA256 7341691AE870A5614C9E26E301ECD6EFAE2E14554170457A6018AE06275B5B65

3416  EXCEL.EXE   C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751  [der]
      MD5 EC8FF3B1DED0246437B1472C69DD1811
      SHA256 E634C2D1ED20E0638C95597ADF4C9D392EBAB932D3353F18AF1E4421F4BB9CAB

3416  EXCEL.EXE   C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F8B7C3256F5D1243492F6BA96F024FA4  [der]
      MD5 DFB97CE42C51D9577C51952074F98ACE
      SHA256 275CDC9078983DFA7BFE78C09839BE9C86A51C25C064A7C07CFD6D7A04EF958B

3416  EXCEL.EXE   C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157  [binary]
      MD5 1F6D0F8EA9747BFE0EBC7BC7496E46E8
      SHA256 9004B28F4E38094A0B796629485C2C6BE65FC1268A5E6AD96A3D6F0BB9A4C583

3416  EXCEL.EXE   C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751  [binary]
      MD5 55AB743F9950FE25BC993A17A3C42DC5
      SHA256 A23F1CD4E99B17DCE295972F47E67EEA2DBAFE2244ED60DD44FB6358CCEAACD5

3416  EXCEL.EXE   C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157  [compressed]
      MD5 F7DCB24540769805E5BB30D193944DCE
      SHA256 6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA

peg1.ocx and the IE cache entry 5eArcW7P[1].dll carry the same hashes: the executable fetched from subbalakshmi.com was written to the user profile as peg1.ocx and then handed to regsvr32. No peg2.ocx or peg3.ocx drop is recorded even though regsvr32 was invoked for all three names, consistent with the www.dh.net.br request that received no response and the TLS handshake failures listed under Threats. The CryptnetUrlCache entries are CryptoAPI certificate-validation artifacts matching the lencr.org and ctldl.windowsupdate.com requests, not attacker-written files.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 9
DNS requests: 9
Threats: 0

HTTP requests

PID   Process    Method  Code  IP                 URL  [CN, type, size, reputation]
3416  EXCEL.EXE  GET     200   166.62.28.144:80   http://subbalakshmi.com/data_winning/kYv6xb/  [US, executable, 314 Kb, suspicious]
3416  EXCEL.EXE  GET     200   23.45.105.185:80   http://x1.c.lencr.org/  [NL, der, 717 b, whitelisted]
3416  EXCEL.EXE  GET     (no response recorded)  177.11.48.94:80  http://www.dh.net.br/catalogo1/0cJpUJXBhuBaMdVWQf/  [BR, unknown]
3416  EXCEL.EXE  GET     200   93.184.221.240:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?309c5dfb5ecfe189  [US, compressed, 4.70 Kb, whitelisted]
3416  EXCEL.EXE  GET     200   184.24.77.79:80    http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgM1OnL%2FOkWb2eDsuqsGNmS02g%3D%3D  [US, der, 503 b, shared]

Connections

PID   Process    IP                    Domain                       ASN                                                      CN  Reputation
3416  EXCEL.EXE  166.62.28.144:80      subbalakshmi.com             GoDaddy.com, LLC                                         US  suspicious
3416  EXCEL.EXE  103.45.230.202:443    webhoanggia.com              Quang Trung Software City Development Company            VN  suspicious
3416  EXCEL.EXE  93.184.221.240:80     ctldl.windowsupdate.com      MCI Communications Services, Inc. d/b/a Verizon Business  US  whitelisted
3416  EXCEL.EXE  184.24.77.54:80       r3.o.lencr.org               Time Warner Cable Internet LLC                           US  suspicious
3416  EXCEL.EXE  175.45.125.128:443    www.controlnetworks.com.au   Vocus Connect International Backbone                     AU  suspicious
3416  EXCEL.EXE  23.45.105.185:80      x1.c.lencr.org               Akamai International B.V.                                NL  unknown
3416  EXCEL.EXE  177.11.48.94:80       www.dh.net.br                Brasil Site Informatica LTDA                             BR  unknown
3416  EXCEL.EXE  184.24.77.79:80       r3.o.lencr.org               Time Warner Cable Internet LLC                           US  suspicious

DNS requests

Domain                       IP                              Reputation
subbalakshmi.com             166.62.28.144                   suspicious
webhoanggia.com              103.45.230.202                  unknown
ctldl.windowsupdate.com      93.184.221.240                  whitelisted
x1.c.lencr.org               23.45.105.185                   whitelisted
r3.o.lencr.org               184.24.77.54, 184.24.77.79      shared
www.dh.net.br                177.11.48.94                    unknown
www.controlnetworks.com.au   175.45.125.128                  suspicious
dns.msftncsi.com             131.107.255.255                 shared

Threats

PID   Process    Class                                  Message
3416  EXCEL.EXE  Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
3416  EXCEL.EXE  A Network Trojan was detected          ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3416  EXCEL.EXE  Misc activity                          ET INFO EXE - Served Attached HTTP
3416  EXCEL.EXE  Potentially Bad Traffic                ET INFO TLS Handshake Failure (4 alerts)

The first three alerts describe the single successful fetch: a PE file served from http://subbalakshmi.com/data_winning/kYv6xb/, a URL with no executable extension, and delivered as an attachment. The handshake failures are consistent with the two port-443 connections in the Connections table (webhoanggia.com and www.controlnetworks.com.au), which produced no HTTP transaction.
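Three of the alerts above fire on the one download that succeeded. The Python below is an example added by the editor, not ANY.RUN's or Emerging Threats' rule code; it reimplements the same checks over HTTP transactions (PE body, non-executable URL extension, attachment disposition), adds the "compile date too recent" indicator from the signature list by reading the PE TimeDateStamp, and compares image bitness against the report's 32-bit guest. The TRANSACTIONS data is constructed: URLs, process and status codes come from the table, but the headers and bodies are synthetic, with a hand-built PE header stub standing in for the real payload, whose content the report does not show.

```python
"""Re-derive the executable-download alerts in the Threats table from HTTP data.

Editor-added example, not ANY.RUN or Emerging Threats code. TRANSACTIONS is
constructed: URLs and status codes are the report's; headers and bodies are
synthetic (the PE body is a header stub, not the real payload).
"""
import posixpath
import struct
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

ANALYSIS_TIME = datetime(2022, 6, 27, 7, 33, 35, tzinfo=timezone.utc)  # report's analysis date
GUEST_BITS = 32                                                          # report's OS line
EXEC_EXTENSIONS = {".exe", ".dll", ".ocx", ".scr", ".cpl", ".sys", ".drv"}
IMAGE_FILE_DLL = 0x2000
MACHINE_BITS = {0x014C: 32, 0x01C0: 32, 0x8664: 64, 0xAA64: 64}
FILE_HEADER = "<HHIIIHH"  # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, ..., Characteristics


def build_pe_stub(machine, characteristics, timestamp):
    """Minimal MZ/PE header (not loadable), used only as constructed sample data."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    file_header = struct.pack(FILE_HEADER, machine, 1, timestamp, 0, 0, 0xE0, characteristics)
    return dos + b"PE\0\0" + file_header + b"\x00" * 0xE0


def parse_pe(data):
    """Machine/bitness, DLL flag and build timestamp, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _, timestamp, _, _, _, characteristics = struct.unpack_from(FILE_HEADER, data, e_lfanew + 4)
    return {"machine": machine, "bits": MACHINE_BITS.get(machine),
            "is_dll": bool(characteristics & IMAGE_FILE_DLL), "timestamp": timestamp}


def classify(tx, now=ANALYSIS_TIME, guest_bits=GUEST_BITS, recent_days=7):
    """Mirror the content checks behind the ET alerts, plus two sandbox-specific caveats."""
    pe = parse_pe(tx["body"])
    result = {"url": tx["url"], "pe": pe, "rules": []}
    if pe is None:
        return result
    rules = result["rules"]
    rules.append("ET POLICY PE EXE or DLL Windows file download HTTP")
    ext = posixpath.splitext(urlsplit(tx["url"]).path)[1].lower()
    if ext not in EXEC_EXTENSIONS:
        rules.append("PE served from URL without an executable extension")
    if "attachment" in tx.get("headers", {}).get("Content-Disposition", "").lower():
        rules.append("PE served as an attachment")
    built = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    if timedelta(0) <= now - built < timedelta(days=recent_days):
        rules.append("compile date too recent")
    if pe["bits"] == 64 and guest_bits == 32:
        rules.append("64-bit image cannot be loaded by a 32-bit guest")
    return result


def classify_all(transactions):
    return [classify(tx) for tx in transactions]


# Constructed sample traffic: headers and bodies are assumptions (see docstring).
_RECENT = int((ANALYSIS_TIME - timedelta(days=1)).timestamp())
TRANSACTIONS = [
    {"pid": 3416, "status": 200, "url": "http://subbalakshmi.com/data_winning/kYv6xb/",
     "headers": {"Content-Type": "application/octet-stream", "Content-Disposition": "attachment"},
     "body": build_pe_stub(machine=0x014C, characteristics=0x2102, timestamp=_RECENT)},  # x86 DLL stub
    {"pid": 3416, "status": 200, "url": "http://x1.c.lencr.org/",
     "headers": {"Content-Type": "application/pkix-cert"},
     "body": b"\x30\x82\x02\xcd\x30\x82\x01\xb5" + b"\x00" * 64},  # DER-looking bytes
    {"pid": 3416, "status": 200,
     "url": "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?309c5dfb5ecfe189",
     "headers": {"Content-Type": "application/octet-stream"}, "body": b"MSCF" + b"\x00" * 64},  # CAB magic
]

if __name__ == "__main__":
    for r in classify_all(TRANSACTIONS):
        print(r["url"], r["rules"])
```

Only the subbalakshmi.com transaction produces findings; the certificate and CTL fetches parse as non-PE and stay quiet. The bitness check is there because of the regsvr32 exit codes in this report: when every regsvr32 child exits with 3 on a 32-bit guest, re-running the sample on a 64-bit image is the first thing to try before concluding the payload is dead.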
No debug info