Analysis Overview
SHA256
37b3035464123d188316fc8e7574f2e31768df08aca8e9dc2adceb41d34f2428
Threat Level: Shows suspicious behavior
The file winzip28-downwz.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Program crash
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-15 10:01
Signatures
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-15 10:01
Reported
2024-06-15 10:03
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
54s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e575861\winzip28-downwz.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e575861\winzip28-downwz.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e575861\winzip28-downwz.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3796 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe | C:\Users\Admin\AppData\Local\Temp\e575861\winzip28-downwz.exe |
| PID 3796 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe | C:\Users\Admin\AppData\Local\Temp\e575861\winzip28-downwz.exe |
| PID 3796 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe | C:\Users\Admin\AppData\Local\Temp\e575861\winzip28-downwz.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe
"C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe"
C:\Users\Admin\AppData\Local\Temp\e575861\winzip28-downwz.exe
run=1 shortcut="C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1100 -ip 1100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1804
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.installportal.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\e575861\winzip28-downwz.exe
C:\Users\Admin\AppData\Local\Temp\e575999\Load.html
C:\Users\Admin\AppData\Local\Temp\e575999\common\js\jquery-1.11.2.min.js
C:\Users\Admin\AppData\Local\Temp\e575999\config\stubparams.js
C:\Users\Admin\AppData\Local\Temp\e575999\config\config.js
C:\Users\Admin\AppData\Local\Temp\e575999\common\js\external.js
C:\Users\Admin\AppData\Local\Temp\e575999\config\installparams.js
C:\Users\Admin\AppData\Local\Temp\e575999\common\js\common.js
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-15 10:01
Reported
2024-06-15 10:03
Platform
win11-20240508-en
Max time kernel
34s
Max time network
46s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e578434\winzip28-downwz.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e578434\winzip28-downwz.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2692 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe | C:\Users\Admin\AppData\Local\Temp\e578434\winzip28-downwz.exe |
| PID 2692 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe | C:\Users\Admin\AppData\Local\Temp\e578434\winzip28-downwz.exe |
| PID 2692 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe | C:\Users\Admin\AppData\Local\Temp\e578434\winzip28-downwz.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe
"C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe"
C:\Users\Admin\AppData\Local\Temp\e578434\winzip28-downwz.exe
run=1 shortcut="C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1644 -ip 1644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 1744
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.installportal.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\e578434\winzip28-downwz.exe
C:\Users\Admin\AppData\Local\Temp\e57853d\Load.html
C:\Users\Admin\AppData\Local\Temp\e57853d\common\js\jquery-1.11.2.min.js
C:\Users\Admin\AppData\Local\Temp\e57853d\config\stubparams.js
C:\Users\Admin\AppData\Local\Temp\e57853d\common\js\common.js
C:\Users\Admin\AppData\Local\Temp\e57853d\config\config.js
C:\Users\Admin\AppData\Local\Temp\e57853d\common\js\external.js
C:\Users\Admin\AppData\Local\Temp\e57853d\config\installparams.js
C:\Users\Admin\AppData\Local\Temp\e57853d\pages\Initialization\page.html
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-15 10:01
Reported
2024-06-15 10:03
Platform
macos-20240611-en
Max time kernel
128s
Max time network
133s
Command Line
Signatures
Processes
/usr/libexec/xpcproxy
[xpcproxy com.apple.systemstats.daily]
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/winzip28-downwz.exe"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/winzip28-downwz.exe"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/winzip28-downwz.exe]
/bin/zsh
[/bin/zsh -c /Users/run/winzip28-downwz.exe]
/Users/run/winzip28-downwz.exe
[/Users/run/winzip28-downwz.exe]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterBCBF2C69/OneDrive.app]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.42.65.93:443 | N/A | tcp |
| US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 10:01
Reported
2024-06-15 10:03
Platform
win10-20240404-en
Max time kernel
133s
Max time network
135s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e576300\winzip28-downwz.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e576300\winzip28-downwz.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e576300\winzip28-downwz.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 748 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe | C:\Users\Admin\AppData\Local\Temp\e576300\winzip28-downwz.exe |
| PID 748 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe | C:\Users\Admin\AppData\Local\Temp\e576300\winzip28-downwz.exe |
| PID 748 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe | C:\Users\Admin\AppData\Local\Temp\e576300\winzip28-downwz.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe
"C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe"
C:\Users\Admin\AppData\Local\Temp\e576300\winzip28-downwz.exe
run=1 shortcut="C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1904
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.installportal.com | udp |
| US | 34.218.136.179:443 | www.installportal.com | tcp |
| US | 8.8.8.8:53 | 179.136.218.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.43.201.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\e576300\winzip28-downwz.exe
C:\Users\Admin\AppData\Local\Temp\e5763cb\Load.html
C:\Users\Admin\AppData\Local\Temp\e5763cb\common\js\jquery-1.11.2.min.js
C:\Users\Admin\AppData\Local\Temp\e5763cb\config\config.js
C:\Users\Admin\AppData\Local\Temp\e5763cb\common\js\external.js
C:\Users\Admin\AppData\Local\Temp\e5763cb\config\installparams.js
C:\Users\Admin\AppData\Local\Temp\e5763cb\config\stubparams.js
C:\Users\Admin\AppData\Local\Temp\e5763cb\common\js\common.js
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 10:01
Reported
2024-06-15 10:03
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f761999\winzip28-downwz.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f761999\winzip28-downwz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\f761999\winzip28-downwz.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f761999\winzip28-downwz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f761999\winzip28-downwz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f761999\winzip28-downwz.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe
"C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe"
C:\Users\Admin\AppData\Local\Temp\f761999\winzip28-downwz.exe
run=1 shortcut="C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.installportal.com | udp |
| US | 8.8.8.8:53 | www.installportal.com | udp |
| US | 8.8.8.8:53 | ipm.corel.com | udp |
Files
\Users\Admin\AppData\Local\Temp\f761999\winzip28-downwz.exe
C:\Users\Admin\AppData\Local\Temp\f761ae0\Load.html
C:\Users\Admin\AppData\Local\Temp\f761ae0\common\js\jquery-1.11.2.min.js
C:\Users\Admin\AppData\Local\Temp\f761ae0\config\stubparams.js
C:\Users\Admin\AppData\Local\Temp\f761ae0\config\installparams.js
C:\Users\Admin\AppData\Local\Temp\f761ae0\common\js\external.js
C:\Users\Admin\AppData\Local\Temp\f761ae0\config\config.js
C:\Users\Admin\AppData\Local\Temp\f761ae0\common\js\common.js
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-15 10:01
Reported
2024-06-15 10:04
Platform
win10-20240611-en
Max time kernel
132s
Max time network
138s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e57ad28\winzip28-downwz.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e57ad28\winzip28-downwz.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e57ad28\winzip28-downwz.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4220 wrote to memory of 5020 | N/A | C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe | C:\Users\Admin\AppData\Local\Temp\e57ad28\winzip28-downwz.exe |
| PID 4220 wrote to memory of 5020 | N/A | C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe | C:\Users\Admin\AppData\Local\Temp\e57ad28\winzip28-downwz.exe |
| PID 4220 wrote to memory of 5020 | N/A | C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe | C:\Users\Admin\AppData\Local\Temp\e57ad28\winzip28-downwz.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe
"C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe"
C:\Users\Admin\AppData\Local\Temp\e57ad28\winzip28-downwz.exe
run=1 shortcut="C:\Users\Admin\AppData\Local\Temp\winzip28-downwz.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1900
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.installportal.com | udp |
| US | 35.155.148.122:443 | www.installportal.com | tcp |
| US | 8.8.8.8:53 | 122.148.155.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.43.201.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\e57ad28\winzip28-downwz.exe
C:\Users\Admin\AppData\Local\Temp\e57aeaf\Load.html
C:\Users\Admin\AppData\Local\Temp\e57aeaf\common\js\jquery-1.11.2.min.js
C:\Users\Admin\AppData\Local\Temp\e57aeaf\config\stubparams.js
C:\Users\Admin\AppData\Local\Temp\e57aeaf\config\installparams.js
C:\Users\Admin\AppData\Local\Temp\e57aeaf\common\js\common.js
C:\Users\Admin\AppData\Local\Temp\e57aeaf\config\config.js
C:\Users\Admin\AppData\Local\Temp\e57aeaf\common\js\external.js