Windows Analysis Report
mydoc.zip

Overview

General Information

Sample name: mydoc.zip
Analysis ID: 1544432
MD5: 91cdc0b030d0fed60dde68b0b8a826c2
SHA1: a461780985b8c53f1969e2964cc587c941d5f4a6
SHA256: 1146651d66ab9255aa2a92f78292c3622fba2b9d054a5f748470365fb3dc5645

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis

Classification

Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\7za.exe Memory allocated: 770B0000 page execute and read and write
Source: classification engine Classification label: clean2.winZIP@3/1@0/0
Source: C:\Windows\SysWOW64\unarchiver.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\unarchiver.exe File created: C:\Users\user\AppData\Local\Temp\unarchiver.log
Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\mydoc.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\pk3m1tos.mei" "C:\Users\user\Desktop\mydoc.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\7za.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\7za.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX (19 identical events)
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 4A0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 24B0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 8A0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe Window / User API: threadDelayed 485
Source: C:\Windows\SysWOW64\unarchiver.exe Window / User API: threadDelayed 9487
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3420 Thread sleep count: 485 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3420 Thread sleep time: -242500s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3420 Thread sleep count: 9487 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3420 Thread sleep time: -4743500s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\pk3m1tos.mei" "C:\Users\user\Desktop\mydoc.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos
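The signature names listed under Signatures and the per-process events above are what the score is computed from, and the names read worse than the evidence: every event's source is unarchiver.exe or 7za.exe, the two processes that opened the archive (the 7za.exe command line extracts it with the password "infected" into a temp directory), and no process from the archive's contents appears in the process tree. That is the check a practitioner makes before reading anything into "evading sandboxes" or "likely to inject code". The following Python is an added example, not part of this report and not the sandbox vendor's code. It parses lines in the report's "Source: <process> [TID: n] <event>: <detail>" format, re-derives four of the signatures, and reports whether anything other than the unpacking processes ran. The sleep thresholds are the ones the report prints ("> 30" and "-30000s"); the system DLL address range (0x70000000 to 0x7FFFFFFF) and the Window/User call threshold are assumptions made for the example. The input lines are copied from the report above with the link text removed and embedded as constructed sample data.

```python
import re

# Constructed input: behavior lines copied from the report above, with the
# "Jump to behavior" link text removed. Raw string, so backslashes are literal.
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\7za.exe Memory allocated: 770B0000 page execute and read and write
Source: unknown Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\mydoc.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\pk3m1tos.mei" "C:\Users\user\Desktop\mydoc.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 4A0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 8A0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe Window / User API: threadDelayed 9487
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3420 Thread sleep count: 485 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3420 Thread sleep time: -242500s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3420 Thread sleep count: 9487 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
"""

# One report line: "Source: <process|unknown> [TID: n] <event>: <detail>"
EVENT_RE = re.compile(
    r"^Source: (?P<src>\S+) (?:TID: (?P<tid>\d+) )?(?P<event>[A-Za-z /]+?): (?P<detail>.*)$"
)

# Thresholds. The two sleep thresholds are the ones the report itself prints
# ("> 30" and "-30000s"); the other two are ASSUMPTIONS made for this example.
SLEEP_COUNT_THRESHOLD = 30
SLEEP_TIME_THRESHOLD = 30000
SYSTEM_DLL_RANGE = (0x70000000, 0x80000000)   # ASSUMPTION: 32-bit system DLL load range
USER_API_CALL_THRESHOLD = 1000                # ASSUMPTION: "high number" of Window/User calls
# Processes that opened the archive on the sandbox's behalf (from the report's process tree).
UNPACKER_IMAGES = {"unarchiver.exe", "7za.exe"}


def basename(path):
    """Image file name from a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse report lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def evaluate(text):
    """Re-derive signatures and the set of process images that ran."""
    fired = set()
    processes = set()
    for ev in parse_events(text):
        event, detail = ev["event"], ev["detail"]
        if event == "Memory allocated":
            if "memory write watch" in detail:
                fired.add("write_watch")           # Allocates memory with a write watch
            first = detail.split()[0]
            if re.fullmatch(r"[0-9A-Fa-f]+", first):  # detail may start with flags, not an address
                addr = int(first, 16)
                if SYSTEM_DLL_RANGE[0] <= addr < SYSTEM_DLL_RANGE[1]:
                    fired.add("system_dll_range")  # Allocates memory in the system DLL range
        elif event == "Thread sleep count":
            value = int(re.findall(r"-?\d+", detail)[0])
            if value > SLEEP_COUNT_THRESHOLD:
                fired.add("sleep_loop")            # May sleep (evasive loops)
        elif event == "Thread sleep time":
            # The tool prints relative (negative) sleep times; compare magnitudes.
            value = int(re.findall(r"-?\d+", detail)[0])
            if abs(value) >= SLEEP_TIME_THRESHOLD:
                fired.add("sleep_loop")
        elif event == "Window / User API":
            count = int(re.findall(r"\d+", detail)[-1])
            if count > USER_API_CALL_THRESHOLD:
                fired.add("user_api_loop")         # High number of Window / User calls
        elif event == "Process created":
            processes.add(basename(detail.split()[0]))
    return {
        "signatures": sorted(fired),
        "processes": sorted(processes),
        # The security-relevant check: did anything other than the unpackers run?
        "sample_code_ran": any(p not in UNPACKER_IMAGES for p in processes),
    }


if __name__ == "__main__":
    for key, value in evaluate(REPORT_LINES).items():
        print(f"{key}: {value}")
```

On this report the four signatures fire, yet the process set is exactly the two unpackers, so sample_code_ran is False; a process created from the extraction directory would flip it to True, which is the line to look for first in a report whose signature list looks alarming.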