Edit tour

Windows Analysis Report
MDE_File_Sample_39fcbadcdb2708c0aef13776eca6ccd7370cf644.zip

Overview

General Information

Sample name:	MDE_File_Sample_39fcbadcdb2708c0aef13776eca6ccd7370cf644.zip
Analysis ID:	1541184
MD5:	b1114059d5b05be6d2d72e36c5faf24b
SHA1:	154bd0e4d01ba93d98d0dfc816c975155ba74461
SHA256:	a2b371673dc9bf2d5b28909c3f953a3a9a7ebc7f0a04bef99590dab294310dd8

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Creates a process in suspended mode (likely to inject code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 4904 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

7zG.exe (PID: 6024 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\39fcbadcdb2708c0aef13776eca6ccd7370cf644~\" -ad -an -ai#7zMap30539:132:7zEvent18843 MD5: 50F289DF0C19484E970849AAC4E6F977)

7zG.exe (PID: 7008 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap14814:132:7zEvent15960 MD5: 50F289DF0C19484E970849AAC4E6F977)

mspaint.exe (PID: 6004 cmdline: "C:\Windows\system32\mspaint.exe" "C:\Users\user\Desktop\.rsrc\0\ICON\50.ico" MD5: F221A4CCAFEC690101C59F726C95B646)

notepad.exe (PID: 816 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\.rsrc\1033\version.txt MD5: 27F71B12CB585541885A31BE22F61C83)

OpenWith.exe (PID: 5564 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

notepad.exe (PID: 2644 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\.text MD5: 27F71B12CB585541885A31BE22F61C83)

notepad.exe (PID: 4376 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\.text MD5: 27F71B12CB585541885A31BE22F61C83)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: classification engine

Classification label: clean1.winZIP@9/19@0/0

Source: C:\Program Files\7-Zip\7zG.exe

File created: C:\Users\user\Desktop\.text

Source: C:\Windows\System32\OpenWith.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_03

Source: C:\Windows\System32\mspaint.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\39fcbadcdb2708c0aef13776eca6ccd7370cf644~\" -ad -an -ai#7zMap30539:132:7zEvent18843
Source: unknown	Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap14814:132:7zEvent15960
Source: unknown	Process created: C:\Windows\System32\mspaint.exe "C:\Windows\system32\mspaint.exe" "C:\Users\user\Desktop\.rsrc\0\ICON\50.ico"
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\.rsrc\1033\version.txt
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\System32\OpenWith.exe	Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\.text
Source: C:\Windows\System32\OpenWith.exe	Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\.text
Source: unknown	Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\.text

Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: acgenral.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: ninput.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: msftedit.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: uiribbon.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: efswrt.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: sti.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: wiatrace.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: atlthunk.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: photometadatahandler.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mspaint.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: efswrt.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: msvcp110_win.dll

Source: C:\Program Files\7-Zip\7zG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Source: C:\Windows\System32\mspaint.exe

File opened: C:\Windows\system32\MSFTEDIT.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\7-Zip\7zG.exe

Window detected: Number of UI elements: 15

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\OpenWith.exe TID: 1240

Thread sleep count: 32 > 30

Source: C:\Windows\System32\mspaint.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\OpenWith.exe

Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\.text

Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\Desktop\.rsrc\1033\version.txt VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\Desktop\.text VolumeInformation
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\Desktop\.text VolumeInformation

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Rundll32	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541184
Start date and time:	2024-10-24 15:00:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	MDE_File_Sample_39fcbadcdb2708c0aef13776eca6ccd7370cf644.zip
Detection:	CLEAN
Classification:	clean1.winZIP@9/19@0/0
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: MDE_File_Sample_39fcbadcdb2708c0aef13776eca6ccd7370cf644.zip

Created / dropped Files

C:\Users\user\Desktop\.reloc

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.10191042566270775
Encrypted:	false
SSDEEP:
MD5:	5748EC0E501142A7F24462B04506F6BD
SHA1:	D267D3E0E1D15789DE323D45970E1FC0DED21E67
SHA-256:	6F9D6346BB7B4A96EB95BFFFA04A84B5AB99F3397A2B9200C94654E5EBC6B996
SHA-512:	2062590B27B8F5925522C2960B5FA6920DB72D670A468993C11C709B89455182AB10C139B293227696F0848E69BE4B90A07A0E10D5AD197F68F17C0B8C8E14D2
Malicious:	false
Reputation:	unknown
Preview:	.........7......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\.rsrc\0\GROUP_ICON\103

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.575359735700981
Encrypted:	false
SSDEEP:
MD5:	C1F39C8ED15621D492A506E474E2E806
SHA1:	268DD4D4A232F5EBB2D4281D6A9513F3A6F540B5
SHA-256:	ADE87C5B5213340E5C10A37158BB8760E40FDBFBC373BA9FC8A0B6A1BF2E03F2
SHA-512:	534AFD2BB8B24F07CD51C4C41BFD244F61C744710905218954CCEC711903FF2AFAB984C248116794E42D5B7645EF14B8576CB71802E0192D05981A8FAB359439
Malicious:	false
Reputation:	unknown
Preview:	......00.... ..%..2. .... .....3....... .h...4.

C:\Users\user\Desktop\.rsrc\0\GROUP_ICON\32512

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	2.7265285012521856
Encrypted:	false
SSDEEP:
MD5:	F429E92977EC034294BC46DD96ED1576
SHA1:	82E67757E87BC707410CBCE2216771010D443DF2
SHA-256:	677428A38169BD19F643B8D69B4429743AB1C3C20B700EE4026E0CD27AC749D4
SHA-512:	16A60390A87A2BE7EB55306CB5F8E1F97946B574DF01F08677C1648859B270C964908B64E26E895C2A37B4DF0AC789BCF1BF4DDE4BFA82DCE88876B6AD27D23E
Malicious:	false
Reputation:	unknown
Preview:	............ .h..... .... .......00.... ..%....@@.... .(B.......... .(........... .. ....

C:\Users\user\Desktop\.rsrc\0\ICON\1.ico

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	MS Windows icon resource - 1 icon, 16x16
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	2.6355486549243423
Encrypted:	false
SSDEEP:
MD5:	FC1FA51476F72A8956C5103ADF4BEA8F
SHA1:	B7DD160BEDBCE2D9374663E2C6759A2EFC4A5290
SHA-256:	277ECD38029A8C51DB3453A25A8335C2043B7832A6D8BE79A705F3FE4CF311C0
SHA-512:	AFBEE6554938D4477EAB3F641A5DA950020B27B1BF8BA3E2AE57603A214404AD6F406D2BC72C1F4C848745512C5006C71C6E58296858B3B141AA0BABD023A044
Malicious:	false
Reputation:	unknown
Preview:	..............h.......(....... ..... .....0..............................................................................................................K...k...k...L...........................................).......g...L...O...g..............................)...........E.......g...........a.......E...........)...............!.......E.......g...................E.......!...................#.......E.......g...........+...9...E.......#...................#.......E.......g...........t.......E.......#...................#.......E.......g...........k.......E.......#...........................Z...........5...4...........T.......4...............................-...................+...........\...............V...................+..............K...............h...................S...........d...b...Z...........C.......\|...................E.......P.......z...................N...U...........................=...........X...:...3...[...........<...................................m..................

C:\Users\user\Desktop\.rsrc\0\ICON\2.ico

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	MS Windows icon resource - 1 icon, 32x32
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	2.1207097028461157
Encrypted:	false
SSDEEP:
MD5:	D4398F932D2584291AE0C41EF3256462
SHA1:	FBE09C53CDDA5F57F4C7442A1ACAC3043DC9E7D0
SHA-256:	67FC4DF5DFBA3D6CF7C1C581CD57D46CC5B8E33E84F197E98E2962199769111B
SHA-512:	58C0B5BAACE0D136B2B7D00DC78D837A954828237463B8AA9718694A01607E95373338144D86C1FBF998403C80D6931F11AB489EDEB562B3E6A5DF9E5BCA528E
Malicious:	false
Reputation:	unknown
Preview:	...... ..............(... ...@..... ............................................................................................................................................................................................................................................................................................................................................p...........................q...........................................................................................T...........................................T...................................................................6.......+.......U...........................................U.......,.......6...................................................................U...................A...E...................U...................................................................................U...........................................U...................................................;...h..........................

C:\Users\user\Desktop\.rsrc\0\ICON\3.ico

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	MS Windows icon resource - 1 icon, 48x48
Category:	dropped
Size (bytes):	9662
Entropy (8bit):	1.7586771924134013
Encrypted:	false
SSDEEP:
MD5:	8B5B044B4F0B91D9B9A8D8AE5B43CE7B
SHA1:	BC9E965BDD2998F33770495567FF22CA64D5154A
SHA-256:	942E1EA52B6D63A97D490E8A2CB86D7FDEF6B1286DD4B9258A610A8B67FC7FF4
SHA-512:	4D48CCABB5BA3CD8BE4424999DC8D50F9E52D7AB144FB7B26049E34EDF43F9DE58FF621FC8037EFF1641BDA5724DA4805E600C1DA8E3BEE618B7FF2FCAF8D76A
Malicious:	false
Reputation:	unknown
Preview:	......00.......%......(...0...`..... .....P%.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................O.......r...........................................r.......N..............................................................................................................................................."...................................#......................................................

C:\Users\user\Desktop\.rsrc\0\ICON\4.ico

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	MS Windows icon resource - 1 icon, 64x64
Category:	dropped
Size (bytes):	16958
Entropy (8bit):	1.6410687727272069
Encrypted:	false
SSDEEP:
MD5:	4FDE2BF79F9134A4EDB0D62C404B5273
SHA1:	95749AF5B41F60392CA1DDBE9E9C03E0111C5916
SHA-256:	BBE086D946925B8687B32EAF20A322EE964CAA3D29755218734AE25EF49261EC
SHA-512:	0D1102E5013D4383A2D6B6E66F262F9A2C7D38B8DD743BC8EA9C90E8932FB8F771785EFBF727AE704C3CA1C6EF06C121276399BFF2CC93B912FF1195D73DCFF2
Malicious:	false
Reputation:	unknown
Preview:	......@@......(B......(...@......... ......B............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\.rsrc\0\ICON\5.ico

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	MS Windows icon resource - 1 icon, -128x-128
Category:	dropped
Size (bytes):	67646
Entropy (8bit):	1.3585233224927453
Encrypted:	false
SSDEEP:
MD5:	62EC26FE76F3150A2A5568E838456F81
SHA1:	D246DE69FD182B8B882D5CC9BE837A6957C2FB2D
SHA-256:	47DAC6F09B9CDAC355E3E770F696CD1D6B0D3C9A4B808A12C99980CAEF1C8FC0
SHA-512:	DDA4B41012B660AF2A16955CC4F880C2C4BBDE385E904856DECD48960838607343825FC6E50966E9883CCB5ABDAAC235AB8B154869637E3115575FDDC38617BA
Malicious:	false
Reputation:	unknown
Preview:	..............(.......(............. ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\.rsrc\0\ICON\50.ico

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	MS Windows icon resource - 1 icon, 48x48
Category:	dropped
Size (bytes):	9662
Entropy (8bit):	4.970601403959669
Encrypted:	false
SSDEEP:
MD5:	C93CA19D6E28734B44FE9EA024314491
SHA1:	95A207B0EC993CA838EB78D6541595D9FB0383F2
SHA-256:	85ACA66BD14EFEE38F850BA372BCF59286ABC1698CD2DBCE24871860AD5BB09F
SHA-512:	C1318E8E49FC50179A71BC7DD63624AD43B43D7405CCE60665FC6015B7A60CA51EC54131BF666B81B75D4CD2F9695A0A0843E57419EF1935407DAACE844274CE
Malicious:	false
Reputation:	unknown
Preview:	......00.......%......(...0...`..... ......%.......................................\|W..yT..uP..sN..pM..mN..lN..iN..gO..eP..bP..`P.._P..^P..]O..\O..ZO..YO..XO..VO..UO..SO..QO..QO..OO..LN..LN..LO..LO..LO..LO..LO..LO..LO..NQ..OR..TW..]_,.....................................\|V^.\|M..yK..vM..uM..sM..pM..nN..lO..jO..hO..fP..cP..`P.._P..^P..]P..\O..[O..ZO..YO..WO..UO..TO..RO..QO..PO..NO..LN..LO..LO..LO..LO..LO..LO..LO..KN..KN..MP..VY..`c..........................x_..}P..~K..{L..yM..wM..uM..sN..pN..nN..lO..jO..hO..eP..cP..aP..`P.._P..^P..]P..[O..ZO..YO..XO..WO..UO..SO..RO..QO..NO..MN..LO..LO..LO..LO..LO..LO..LO..LO..LO..KN..SV..be..................z^}.x_...P...L..~M..{M..zM..wM..uM..sN..qN..oO..mO..jO..hP..fP..dP..bP..aP..`P.._P..^P..]P..[O..ZO..YO..XO..VO..UO..SO..RO..PO..NO..MN..LO..LO..LO..LO..LO..LO..LO..LO..KN..SV..bd..........}\C.{]..z^...Q...K...M..}M..\|M..yN..wN..vN..tO..qO..oO..mO..jP..hP..fP..dQ..cP..bP..`P.._P..^P..]P..\O..[O..ZO..XO..WO..UO..TO..RO..QO..PO..MN..LN..LO..LO..LO..LO..L

C:\Users\user\Desktop\.rsrc\0\ICON\51.ico

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	MS Windows icon resource - 1 icon, 32x32
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.127253828248516
Encrypted:	false
SSDEEP:
MD5:	7BAB7CAAFC713358205CAB475CFAA752
SHA1:	F32FAB3BADBB7D2212F136E4AD6F6F42138FF6B3
SHA-256:	2F30A4EE4A94753409536E77C79FF037880513E2301BA17BA3B3A2393387DE4D
SHA-512:	053E325456CEB4A7455F4B4ECF1ACD1D5EF7024A18B05997CC0AF0E8A788867EA644464944746C87C80811544D6B06C3F12B94C1FACDF699CB6964549726BF12
Malicious:	false
Reputation:	unknown
Preview:	...... ..............(... ...@..... ......................................\|V<.yQ..tN..pM..mN..iO..fO..cP.._P..^P..\O..ZO..YO..VO..TO..RO..PO..MO..LO..LO..LO..LO..LO..NQ..RU..Y\R.....................y\~.}M..{K..wM..tN..qN..mN..jO..gP..cP..aP.._P..^P..[O..ZO..XO..UO..SO..QO..OO..LO..LO..LO..LO..LO..KN..KN..UW..be..........{^v.{[...M..~M..{M..wN..tN..qO..nO..kO..gP..dQ..bP..`P..^P..]O..[O..YO..WO..UO..SO..PO..NO..LO..LO..LO..LO..LO..KN..UX......~['.\|]..\|\...M...M..~M..{N..xN..uO..qO..nP..kP..gQ..eQ..cQ..aP.._P..^P..\O..[O..XO..WO..TO..RO..PO..MO..LO..LO..LO..LO..KN..\_P.Z..~[..\|]...P...M...N..~N..{N..rG..mE..kG..nO..kP..hQ..eQ..dQ..bQ..aP.._P..]P..[O..SG..NE..NG..SN..QO..OO..LO..LO..LO..KN..SV..Y..Z..}]...X...M...N...N..{K...\|..........oM..kK..lQ..hR..fR..dQ..cQ..bQ..]M..XI...~..........WO..TN..SO..PO..NO..LO..LO..NQ..X..Y...[..}\...T...M..}G......................\|]..gG..lQ..iR..gR..eR..]I..dR......................PF..WO..TO..RO..PO..MO..LO..W..X..Y...[..}]...T..~C...............

C:\Users\user\Desktop\.rsrc\0\ICON\52.ico

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	MS Windows icon resource - 1 icon, 16x16
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.380590078476181
Encrypted:	false
SSDEEP:
MD5:	3DCF5A91BAAE2FBC77D11157EAE407E6
SHA1:	F7FBA3C015D9440E71AE2AEB284574127D8B1B6B
SHA-256:	63BD458FA8F437317FE233D4D3E3BAA48C711B97E6850C4E35733F464719D9D6
SHA-512:	2A343A9A6016BCA7D55EC370D6FAF981BEC1979232D4AC3AADFA3E62258F50358ADE3AE1CD0E25CFFCE326A4DC99D77EB688A616054FCD8A762DB5E04BF7A2D6
Malicious:	false
Reputation:	unknown
Preview:	..............h.......(....... ..... .....@........................{Wm.wM..pN..iO..bP..^P..[O..WO..RO..MO..LO..LO..MP..VY{.....{]d.~T..~K..wM..lI..gL..dQ..`P..]O..YO..RL..JI..LN..KO..KN..WZz..[...X...L..~N...n...`..dH..eQ..cP..XG..h]..vo..UP..NN..KN..MQ..X...[..}N...o..............cG..]F...~...........}..OG..RO..MO..V..Y..xT..........................................TF..YO..UO..Q..S..\|O..........................................ZH.._P..[O..\...q..}t..................pE..e>.................._I..dQ..aP..........}....................~...y..................bJ..hR..fQ...................................................x..gO..kT..jR..............}...................................mT..nW..mV..h^..................u........................i..lM..r[..l^..ff..cl..................u..........................lX..md..gi..dl..dk..............~...v...........................o]..oc..lf..gi..dk..............}...z....................{..e..v^..sb..od..kg..fj....[.....}...{...z...v...q...o...r....R..}

C:\Users\user\Desktop\.rsrc\0\ICON\6

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	8195
Entropy (8bit):	7.9205035282503635
Encrypted:	false
SSDEEP:
MD5:	A3F70E04D57EA8FA9643232F93486790
SHA1:	73C20014FB9E39692AB756C976A9F44C476D73B7
SHA-256:	F060645052CF7248F0BDC8AF6AD002940514515A25B93F322911A3116089314C
SHA-512:	D0F730B3F521E6A93D3D0A064AA22423F45D39E4A72B2AA05A93D8E4C61339E92A2DA44FF239FD3F9832E87D2EFE43E1443EFC86CDCE817F8CE33E7705C9E3EC
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR.............\r.f....sRGB.........gAMA......a.....pHYs..........o.d....bKGD..............IDATx^...nS..=....H..S.d.F.HT...(.d..-)u}t.hPH.&.2...2t..L....!ST..~..^..z;..}.....g.....}.~.s....^........1..c.1..c.1..c.1..c.1..c.1..c.1..c.1..c.1..R3...K.4...TJ.A.....4..4..n6..G...<J.I.=...t;....=Aj....!.F..Z..2iE4../..d...G.J..0.....6....>7.hvc..........\.t1.Q...a..4....$.'...Cm.At....... <Nj......./C...!z..{y.x..gp":.c.W.3.l.j.F...fh..F.u.F2.'..1.w.KS.6.5@..{.....[...gd..p,:.c...4.a.P.4...m......<.#8.......8.`l..IO...]...ds+:...!....... ...+H>..~..6&....D_......da.....-.O ..?W.Z8..!.A0%..(...m./.7..0.B....!(......d_....)h.0.g...d...$...4.g....n....G3...2.@._.i......\|^....^R\|e..=.q......>...D.m<..F.G...f.6.s...z.. m.1..Mh....36.....I.'....:.'..ZO/...H..zhe.#I:...9m.U.L..%.KS5}K.....}.C .'.l..4~..;..F.y.]..B.M.j.;....R(..!......jI.}Y+.w..N+>v....nf=..F....L.U.U..j..q.7........fK.8j]..j*G.]).No8...}5.1.e./.....E?Ggq../...S.!..m.z.j.w..R

C:\Users\user\Desktop\.rsrc\0\MANIFEST\1

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	490
Entropy (8bit):	5.0011168136751865
Encrypted:	false
SSDEEP:
MD5:	B7DB84991F23A680DF8E95AF8946F9C9
SHA1:	CAC699787884FB993CED8D7DC47B7C522C7BC734
SHA-256:	539DC26A14B6277E87348594AB7D6E932D16AABB18612D77F29FE421A9F1D46A
SHA-512:	D4A78DAF4AE93952197208752D801390CE39A519E7F5AA1360C42FC563EC0E221625B1BFEC2A9564FD3DCD14C18B74D5D9FA6E57C2BCED40C1F32C6814B4C523
Malicious:	false
Reputation:	unknown
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>....<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">.. <requestedExecutionLevel level="asInvoker" uiAccess="false"/>.. </requestedPrivileges>.. </security>.. </trustInfo>..</assembly>

C:\Users\user\Desktop\.rsrc\1033\DIALOG\105

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	data
Category:	dropped
Size (bytes):	514
Entropy (8bit):	2.7389296474792513
Encrypted:	false
SSDEEP:
MD5:	386770584473E271F23DCED36427F4FF
SHA1:	D14CE95F784B35E4E3EBEE535476EBCD3E380C19
SHA-256:	425B8270F7CA42A927EAE6BEA468ACF414A3E4B58B5BA2C56AAAE4D1B2C11014
SHA-512:	E7BD459DC14642E2222477A05694DB86E526C90333A6E0E711C91A8D5893036C09A27F75855D2B416F3DA4ECB59E7A466D82B7CB7ABDD56F6DABB040DA34C1F3
Malicious:	false
Reputation:	unknown
Preview:	............H........K...............M.S. .S.h.e.l.l. .D.l.g..............P....2..........................P....2..........................P....2..........................@..-.,..........................@....K..........................P....A..........................P..#.T..........................@....T..........................P....B..........................X....B..........................P....L.#........................P...............................P...............................P,.................g...

C:\Users\user\Desktop\.rsrc\1033\DIALOG\106

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	data
Category:	dropped
Size (bytes):	248
Entropy (8bit):	2.911481510640998
Encrypted:	false
SSDEEP:
MD5:	FA83652660409E90E0DB9731AD2ADB17
SHA1:	0A8F0AF67723C87FE26CCF676B8E19EC6357B4DC
SHA-256:	4A55BD714F5D50CD8EABBA10E57F0618F1842717DCFA582D73A917B1933CD1D4
SHA-512:	D97885F9C2846A042EC3C0D01A756D22FDA7A989D55CD61EFBC945ABCDCFD74CA0284C745CF8BEBF2D2FAB82718F7B57AB0B701F67D2319CA6B5F55BCE663C07
Malicious:	false
Reputation:	unknown
Preview:	............H..@......,...............M.S. .S.h.e.l.l. .D.l.g..............P....<..........................P....,.......m.s.c.t.l.s._.p.r.o.g.r.e.s.s.3.2..................P....,........................@.@....,.n.....S.y.s.L.i.s.t.V.i.e.w.3.2.......

C:\Users\user\Desktop\.rsrc\1033\DIALOG\111

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	data
Category:	dropped
Size (bytes):	238
Entropy (8bit):	2.898867641096242
Encrypted:	false
SSDEEP:
MD5:	663040D6315B1D6CE8C0334D182ED8FC
SHA1:	EBCFFF801A12FB8AD1200A4526FCA8BD2C3E96CF
SHA-256:	CB3C86CBCB579244A6F819F9C1807A7E89B6E600982EC6EA0841FCDCB16A9EFD
SHA-512:	A6A4DD7641083E24E09FF1E851E26B191A46F623705098777BAF0784003637577417330E78DF6BDD28EFC98D0CB9EDD1D259CB78327946EAE5E7A5117D13445F
Malicious:	false
Reputation:	unknown
Preview:	........................*.............M.S. .S.h.e.l.l. .D.l.g..............P(...x..........................P..................g................P(...x...L.......P.l.e.a.s.e. .w.a.i.t. .w.h.i.l.e. .S.e.t.u.p. .i.s. .l.o.a.d.i.n.g...........

C:\Users\user\Desktop\.rsrc\1033\version.txt

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	data
Category:	dropped
Size (bytes):	1362
Entropy (8bit):	3.487463175663984
Encrypted:	false
SSDEEP:
MD5:	5C8361197C6E08DE729DD6A134B0CF8F
SHA1:	3B5B76D28E56F82A81A3DEC61635E9D603EFFBA9
SHA-256:	464C60D27B0D58E60D69A4FC542A9524793589EBA380696F1FC11B8176C70FFA
SHA-512:	80B0B6D9769A0B0762BFD8E423B85837419179BCF68D7FADE79E456DC1793417BB0A4C4538F72808FEDDAB9F79A1DE1D20FB594AF88FEC7461FF31B02BE972B4
Malicious:	false
Reputation:	unknown
Preview:	F.I.L.E.V.E.R.S.I.O.N. . . . .1.,.2.,.7.,.0.....P.R.O.D.U.C.T.V.E.R.S.I.O.N. .1.,.2.,.7.,.0.....F.I.L.E.F.L.A.G.S.M.A.S.K. . .0.x.0.....F.I.L.E.F.L.A.G.S. . . . . . .0.x.0.....F.I.L.E.O.S. . . . . . . . . .V.O.S._.U.N.K.N.O.W.N. .\|. .V.O.S._._.W.I.N.D.O.W.S.3.2.....F.I.L.E.T.Y.P.E. . . . . . . .V.F.T._.A.P.P.....F.I.L.E.S.U.B.T.Y.P.E. . . . .0.x.0.....{..... . .B.L.O.C.K. .".S.t.r.i.n.g.F.i.l.e.I.n.f.o."..... . .{..... . . . .B.L.O.C.K. .".0.4.0.9.0.4.e.4."..... . . . .{..... . . . . . .V.A.L.U.E. .".C.o.m.m.e.n.t.s.".,. . . . . . . . . . .".C.o.o.l.c.u.t. .i.n.s.t.a.l.l.e.r."..... . . . . . .V.A.L.U.E. .".C.o.m.p.a.n.y.N.a.m.e.".,. . . . . . . .".G.O.P.L.A.Y. .N.E.T.W.O.R.K. .T.E.C.H.N.O.L.O.G.Y. .L.I.M.I.T.E.D."..... . . . . . .V.A.L.U.E. .".F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.".,. . . .".C.o.o.l.c.u.t. .i.n.s.t.a.l.l.e.r."..... . . . . . .V.A.L.U.E. .".F.i.l.e.V.e.r.s.i.o.n.".,. . . . . . . .".1...2...7...0."..... . . . . . .V.A.L.U.E. .".L.e.g.a.l.C.o.p.y.r.i.g.h.t.".,. . . . .".C.o.p.y.

C:\Users\user\Desktop\.text

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	data
Category:	dropped
Size (bytes):	325632
Entropy (8bit):	5.916583900051678
Encrypted:	false
SSDEEP:
MD5:	FB6314C1A359C408744C0030931847F2
SHA1:	1ED26E62D17A16617531BB5BED5146F75FAA6E6C
SHA-256:	339E8174A0E9E749D949B61E37C8E52B6A85C806C5E131B4EF372D3CCED72768
SHA-512:	43BE5696B7824A64A72A30C7E693935773E2CBF77101ABD2570A45E0BECE33A3B76E72F66FFEAA7FA73099F0F1E2EE847838AF10F1327321A3D9003EEB42B44A
Malicious:	false
Reputation:	unknown
Preview:	........H............d......S....m...E............................................(....&..(......s.........s ........s!........s"........&........&..(-....".......Vs....(2...t...........(3.....(4......(I...s5...}.....(.....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{....+.6..('...}....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{....+."..}....&.{ ...+.6..('...} ...&.{!...+.6..('...}!......o1....r...p......%.r...p.....(b....&..(.....j....(G...('...r...p(Q......su...zf.(-......(i...s5...}"...&.{=...+."..}=...&.{>...+."..}>...&.{?...+.6..('...}?...&.{@...+."..}@...&.{A...+.6..('...}A...&.{B...+.6..('...}B...&.{C...+.6..('...}C...&.{D...+.6..('...}D...&.{E...+.6..('...}E...*&.{F.

C:\Users\user\Desktop\CERTIFICATE

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	data
Category:	dropped
Size (bytes):	7656
Entropy (8bit):	7.285767534722034
Encrypted:	false
SSDEEP:
MD5:	65D7AF9522B7EA54347D2E058B3F2484
SHA1:	57E92E93693C921F1B27B8CAED95501A1DA8E2A7
SHA-256:	808CA187D6B4C24ABDF29465736E883CBC4DF61ABFAE1D221C148CEF8A0851B8
SHA-512:	2DAB51D2E97775B63935E0643D109665F81201AE1FE53B6AD788C802BD53BA161F67661F660788023205C8CFA99C75ED0EC3580C8065DFE70A73F334E9A3E682
Malicious:	false
Reputation:	unknown
Preview:	........0......H..........0......1.0...+......0h..+.....7....Z0X03..+.....7...0%.... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...........s......\|..P'0..nh....0...0..........._D...^La...1[F.0....H........0l1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1+0)..U..."DigiCert EV Code Signing CA (SHA2)0...200917000000Z..210922120000Z0...1.0...+.....7<.....CN1.0...+.....7<........1.0...+.....7<........1.0...U....Private Organization1.0...U....91440115766121586D1.0...U....CN1.0...U.......1.0...U.......1-0+..U...$............1-0+..U...$............0.."0...*.H.............0..................t~..'.m.+.....o...rBi..Z...'....../c.Q..X..v..o..`..4a..&.Bw..^../$by$3(;J...L..z..^../....f.g..z..fM.)~.[.L..B....VVJ...k].$.5.Hj5.G{.+.u.&..ci..D.A.....H+...p...^..!@>....0..-Lhj~W....@.~z.O+.1....a...+...R.8.h.u...\|.i.h. 1...e.d.8..........0...0...U.#..0.....~.m2j..#.p.j:..k..0...U......i..C@.r.0..X..W..0

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.998965353078328
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	MDE_File_Sample_39fcbadcdb2708c0aef13776eca6ccd7370cf644.zip
File size:	188'460 bytes
MD5:	b1114059d5b05be6d2d72e36c5faf24b
SHA1:	154bd0e4d01ba93d98d0dfc816c975155ba74461
SHA256:	a2b371673dc9bf2d5b28909c3f953a3a9a7ebc7f0a04bef99590dab294310dd8
SHA512:	789cd1c5e1dc8500042a85b53996a470d65c0a33e90772485ff8d2cf37fc26f12fd553e3a2958a97d4cb7b5c63cd2a6630ef333d60f2ed3fb7e8f83d5ccf196e
SSDEEP:	3072:i7APcikkTCm+WA91umxh9h4BiMunDzxQ3zEFBFRuTZDdANdmh0/Y2MdXhuywBVET:i2RCHWMU2h4IpQ3wmZJANdmO/YNFhIVq
TLSH:	F0042380746FC5BA6929EF25C8269F8B518AFC50DC89EED7788F03F5F9E4560E294102
File Content Preview:	PK........NfXY..>.2.......(.$.39fcbadcdb2708c0aef13776eca6ccd7370cf644.. ............M.&.....M.&.....M.&..P....\.......PM....A9Z...]d4+.v.....!.......4!-/M.........1...+.?....AT....f..q0'...)...&.e...k.[.....x0xx...M.2(..J..l...").8HU..k.1.......l..b!8...

File Icon


Icon Hash:	1c1c1e4e4ececedc

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MDE_File_Sample_39fcbadcdb2708c0aef13776eca6ccd7370cf644.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Created / dropped Files

C:\Users\user\Desktop\.reloc

C:\Users\user\Desktop\.rsrc\0\GROUP_ICON\103

C:\Users\user\Desktop\.rsrc\0\GROUP_ICON\32512

C:\Users\user\Desktop\.rsrc\0\ICON\1.ico

C:\Users\user\Desktop\.rsrc\0\ICON\2.ico

C:\Users\user\Desktop\.rsrc\0\ICON\3.ico

C:\Users\user\Desktop\.rsrc\0\ICON\4.ico

C:\Users\user\Desktop\.rsrc\0\ICON\5.ico

C:\Users\user\Desktop\.rsrc\0\ICON\50.ico

C:\Users\user\Desktop\.rsrc\0\ICON\51.ico

C:\Users\user\Desktop\.rsrc\0\ICON\52.ico

C:\Users\user\Desktop\.rsrc\0\ICON\6

C:\Users\user\Desktop\.rsrc\0\MANIFEST\1

C:\Users\user\Desktop\.rsrc\1033\DIALOG\105

C:\Users\user\Desktop\.rsrc\1033\DIALOG\106

C:\Users\user\Desktop\.rsrc\1033\DIALOG\111

C:\Users\user\Desktop\.rsrc\1033\version.txt

C:\Users\user\Desktop\.text

C:\Users\user\Desktop\CERTIFICATE

Static File Info

General

File Icon

Windows Analysis Report
MDE_File_Sample_39fcbadcdb2708c0aef13776eca6ccd7370cf644.zip