Windows Analysis Report
http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download

Overview

General Information

Sample URL: http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download
Analysis ID: 1419158
Infos:

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Downloads suspicious files via Chrome
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Tries to load missing DLLs

Classification

Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\license.txt Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 23.196.177.159:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.196.177.159:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 23.196.177.159
Source: unknown TCP traffic detected without corresponding DNS query: 104.89.170.181
Source: unknown TCP traffic detected without corresponding DNS query: 104.89.170.181
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 03 Apr 2024 05:37:32 GMTServer: Apache/2.4.29 (Ubuntu)Set-Cookie: oc0m4jav1y6q=f0v2v8p5hopslc21sc0jealdr2; path=/; HttpOnlyExpires: 0Cache-Control: must-revalidate, post-check=0, pre-check=0Pragma: publicX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Frame-Options: SameoriginContent-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *; connect-src *X-Robots-Tag: noneContent-Disposition: attachment; filename*=UTF-8''MotionPro_Windows_1.2.25%20%281%29.zip; filename="MotionPro_Windows_1.2.25%20%281%29.zip"Content-Transfer-Encoding: binaryContent-Length: 56270833Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/zipData Raw: 50 4b 03 04 0a 00 00 00 00 00 0c a4 8c 57 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 00 00 4d 6f 74 69 6f 6e 50 72 6f 53 65 74 75 70 2f 50 4b 03 04 14 00 00 00 08 00 8d a1 8c 57 0e 76 c0 a1 c7 12 00 00 3e 20 04 00 1e 00 00 00 4d 6f 74 69 6f 6e 50 72 6f 53 65 74 75 70 2f 61 70 70 6c 69 63 61 74 69 6f 6e 2e 69 63 6f ed dd 0b 94 94 f5 79 c7 f1 3f 17 01 11 88 07 51 10 05 d6 14 0d f6 a6 cd 49 a2 69 cd e1 d8 a4 1e 4f 62 1b a3 22 97 05 11 6f 88 09 20 20 de 62 aa 82 17 b4 d6 62 b4 46 31 7a 34 98 63 6a da a3 56 ab 56 13 c1 6a b0 96 1c 1b 2f b1 8a b2 f7 0b 77 f6 c6 b2 c0 ba 4f 9f ff 3b 2f b8 41 f6 9d 57 76 e7 d9 f7 9d f7 fb c9 f9 1d 8d 0b bb 3b 33 ef 77 66 76 66 77 d6 b9 3e fa 3f af 8f 2b 71 13 4a fa bb a3 f4 df 27 e4 fe 83 73 7d 73 ff 3d a0 6f 3b e2 30 17 2c 89 44 64 88 ee 14 dd 6c dd 2d ba 95 ba 55 ba 77 74 d5 ba cd ba 46 5d 13 63 09 5c 63 78 8c 56 87 c7 ec aa f0 18 f6 c7 f2 a5 ba af ea 86 3a 04 f4 bc 18 a0 9b a8 5b a2 7b 59 d7 20 40 71 6b 08 8f f5 25 e1 b1 3f c0 65 8c 9e e6 33 74 f7 e9 6a 05 c8 b6 da b0 85 33 5c 11 d3 d3 77 94 ee 2a dd bb 02 e0 40 7c 1b 8b 75 a3 5c 91 d0 d3 52 a2 5b 1e 7e 7d 04 20 bf 16 dd 8f 7d 3b 2e a5 fc e3 1c ba 65 ba 36 01 70 30 da c2 86 52 f5 98 a1 7e be 33 c2 c7 40 01 74 9f 6f e9 02 97 70 fa 39 9e a0 7b 41 00 14 82 6f eb 04 97 dc db fc 16 01 50 48 3b 92 76 5f 40 3f 9f 15 02 c0 d2 0a d7 cb f4 73 18 a9 5b 23 00 Data Ascii: PKWMotionProSetup/PKWv> MotionProSetup/application.icoy?QIiOb"o bbF1z4cjVVj/wO;/AWv;3wfvfw>?+qJ's}s=o;0,Ddl-UwtF]c\cxV:[{Y @qk%?e3tj3\w*@|u\R[~} };.e6p0R~3@top9{AoPH;v_@?s[#
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /index.php/s/0jEImnXiQQYBh5D/download HTTP/1.1Host: nxtgen.infinitevaults.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: unknown DNS traffic detected: queries for: nxtgen.infinitevaults.com
Source: MotionProSetup.exe.6.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: MotionProSetup.exe.6.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: OEM.ini.6.dr String found in binary or memory: http://www.arraynetworks.net
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown HTTPS traffic detected: 23.196.177.159:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.196.177.159:443 -> 192.168.2.4:49743 version: TLS 1.2

System Summary

barindex
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File dump: C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip (copy) Jump to dropped file
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe Section loaded: 7z.dll Jump to behavior
Source: classification engine Classification label: sus23.win@22/15@4/4
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\56f01623-0cbf-4c0f-b639-a76b581c07a5.tmp Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_03
Source: C:\Windows\SysWOW64\unarchiver.exe File created: C:\Users\user\AppData\Local\Temp\unarchiver.log Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1912,i,11780309818604107129,14762667450560493039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip"
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip"
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1912,i,11780309818604107129,14762667450560493039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip" Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe File written: C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\motionpro_templete.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\MotionProSetup.exe Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\license.txt Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 1960000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 3640000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 5640000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\MotionProSetup.exe Jump to dropped file
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6272 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 5_2_0189B1D6 GetSystemInfo, 5_2_0189B1D6
Source: C:\Windows\SysWOW64\unarchiver.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: MotionPro_Windows_1.2.25 (1).zip.crdownload.0.dr, MotionProSetup.exe.6.dr Binary or memory string: QEMUa
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip" Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior