Windows Analysis Report
MDE_File_Sample_d40d71effb912ebf90e190f862d1d86f16e1e4c6.zip

Overview

General Information

Sample name:	MDE_File_Sample_d40d71effb912ebf90e190f862d1d86f16e1e4c6.zip
Analysis ID:	1523194
MD5:	434f24d28137d65158cc1f2f3884d15c
SHA1:	495059dba83d7261950e7d88a43d0e06744642bd
SHA256:	73d337681a668b086f3dd875f789c40093234361a1c01d99740130806758cbbd
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Drops PE files

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Queries the installation date of Windows

Classification

Signatures

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp

Virustotal: Detection: 10%

Perma Link

Source: unknown	HTTPS traffic detected: 18.66.121.171:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.66.121.171:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.66.121.171:443 -> 192.168.2.16:49708 version: TLS 1.2

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: d3vnxrgxbv8od6.cloudfront.net

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 18.66.121.171:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.66.121.171:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.66.121.171:443 -> 192.168.2.16:49708 version: TLS 1.2

Source: classification engine

Classification label: mal48.winZIP@7/3@1/4

Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp

Mutant created: \Sessions\1\BaseNamedObjects\{c4b370a2-7bdd-4171-a11d-9b50cd52258f}I

Source: C:\Users\user\Desktop\$R11M6SU.exe

File created: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp

Source: C:\Users\user\Desktop\$R11M6SU.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\$R11M6SU.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\$R11M6SU.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\$R11M6SU.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\Desktop\$R11M6SU.exe "C:\Users\user\Desktop\$R11M6SU.exe"
Source: C:\Users\user\Desktop\$R11M6SU.exe	Process created: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp "C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp" /SL5="$60266,875199,832512,C:\Users\user\Desktop\$R11M6SU.exe"
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Process created: C:\Users\user\Desktop\$R11M6SU.exe "C:\Users\user\Desktop\$R11M6SU.exe" /SPAWNWND=$402B6 /NOTIFYWND=$60266
Source: C:\Users\user\Desktop\$R11M6SU.exe	Process created: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp "C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp" /SL5="$502B4,875199,832512,C:\Users\user\Desktop\$R11M6SU.exe" /SPAWNWND=$402B6 /NOTIFYWND=$60266
Source: C:\Users\user\Desktop\$R11M6SU.exe	Process created: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp "C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp" /SL5="$60266,875199,832512,C:\Users\user\Desktop\$R11M6SU.exe"
Source: C:\Users\user\Desktop\$R11M6SU.exe	Process created: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp "C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp" /SL5="$502B4,875199,832512,C:\Users\user\Desktop\$R11M6SU.exe" /SPAWNWND=$402B6 /NOTIFYWND=$60266

Source: C:\Users\user\Desktop\$R11M6SU.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\$R11M6SU.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\$R11M6SU.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\$R11M6SU.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\$R11M6SU.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\$R11M6SU.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\$R11M6SU.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\$R11M6SU.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\$R11M6SU.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\$R11M6SU.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: winhttpcom.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Section loaded: ondemandconnroutehelper.dll

Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp

Window found: window name: TSelectLanguageForm

Source: MDE_File_Sample_d40d71effb912ebf90e190f862d1d86f16e1e4c6.zip

Static file information: File size 1240227 > 1048576

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	File created: C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\botva2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\$R11M6SU.exe	File created: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	File created: C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\$R11M6SU.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\$R11M6SU.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\botva2.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\_isetup\_setup64.tmp			Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp TID: 2972	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp TID: 6772	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp TID: 2336	Thread sleep time: -30000s >= -30000s

Queries the installation date of Windows

Source: C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Users\user\AppData\Local\Temp\is-MEH4D.tmp\$R11M6SU.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
18.66.121.171	d3vnxrgxbv8od6.cloudfront.net	United States		3	MIT-GATEWAYSUS	false

Contacted Domains

Name	IP	Active
d3vnxrgxbv8od6.cloudfront.net	18.66.121.171	true

ID:	1523194
Product:	CloudBasic
Start time:	09:33:45
Start date:	01.10.2024
Sample:	MDE_File_Sample_d40d71effb912ebf90e190f862d1d86f16e1e4c6.zip
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	434f24d28137d65158cc1f2f3884d15c
SHA1:	495059dba83d7261950e7d88a43d0e06744642bd
SHA256:	73d337681a668b086f3dd875f789c40093234361a1c01d99740130806758cbbd
Filetype:	ZIP compressed archive (8000/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\is-I76QC.tmp\$R11M6SU.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	B2CCB7BA365ACEAAEF948F02F13B6811	00441F2FD59F4DA97BAF79EBC7BBF818D5F2F813	E55665FA6A6179721815FF2F62CC8E8A2D74ED038E55E3BFE11A3AEAFEC6837A
C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\_isetup\_setup64.tmp	PE32+ executable (console) x86-64, for MS Windows	E4211D6D009757C078A9FAC7FF4F03D4	019CD56BA687D39D12D4B13991C9A42EA6BA03DA	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
C:\Users\user\AppData\Local\Temp\is-MKE94.tmp\botva2.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	67965A5957A61867D661F05AE1F4773E	F14C0A4F154DC685BB7C65B2D804A02A0FB2360D	450B9B0BA25BF068AFBC2B23D252585A19E282939BF38326384EA9112DFD0105

Windows Analysis Report
MDE_File_Sample_d40d71effb912ebf90e190f862d1d86f16e1e4c6.zip

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report MDE_File_Sample_d40d71effb912ebf90e190f862d1d86f16e1e4c6.zip

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
MDE_File_Sample_d40d71effb912ebf90e190f862d1d86f16e1e4c6.zip