Windows Analysis Report
Quarantined Messages.zip

Overview

General Information

Sample name: Quarantined Messages.zip
Analysis ID: 1579853
MD5: 95b15b0c14256650abb9232e5872afc2
SHA1: 245814a68ee4d404602fe4d9018385ad23ff456a
SHA256: 0608a908e284c1ab45e913b5378eebbcf98519c8be34f4ecd5a0510f50bd4c3c
Infos:

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)
Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: classification engine Classification label: clean2.winZIP@4/1@0/0
Source: C:\Windows\SysWOW64\unarchiver.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
Source: C:\Windows\SysWOW64\unarchiver.exe File created: C:\Users\user\AppData\Local\Temp\unarchiver.log Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Quarantined Messages.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\rrw4j4yb.kce" "C:\Users\user\Desktop\Quarantined Messages.zip"
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\rrw4j4yb.kce" "C:\Users\user\Desktop\Quarantined Messages.zip" Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe Section loaded: 7z.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 0_2_012B2B68 push D97C6C94h; retf 0_2_012B2B92
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 0_2_012B2A87 push ebp; retf 0_2_012B2A62
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 0_2_012B26EC push 7A906C85h; retf 0_2_012B2706
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 0_2_012B29FF push ebp; retf 0_2_012B2A62
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 0_2_012B2BFF push D97C6C94h; retf 0_2_012B2B92
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 1560000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 30B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 50B0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Window / User API: threadDelayed 682 Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Window / User API: threadDelayed 9289 Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6092 Thread sleep count: 682 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6092 Thread sleep time: -341000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6092 Thread sleep count: 9289 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6092 Thread sleep time: -4644500s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 0_2_012BB1D6 GetSystemInfo, 0_2_012BB1D6
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\rrw4j4yb.kce" "C:\Users\user\Desktop\Quarantined Messages.zip" Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
No contacted IP infos