Windows Analysis Report
NUtec_FS01_2024-04-19_07_41_35.191.zip

Overview

General Information

Sample name: NUtec_FS01_2024-04-19_07_41_35.191.zip
Analysis ID: 1428600
MD5: 096a94e8624bd59442405da29b2d0147
SHA1: cbe3554a694025f725032b7736c5049794d3fb59
SHA256: 85c489dc78c95b2f19a534ab593412a9f5f0a5fa22e207f33db7d047d7049779
Infos:

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis

Classification

Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 0_2_00C8247C 0_2_00C8247C
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 0_2_00C8253D 0_2_00C8253D
Source: classification engine Classification label: clean2.winZIP@4/1@0/0
Source: C:\Windows\SysWOW64\unarchiver.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03
Source: C:\Windows\SysWOW64\unarchiver.exe File created: C:\Users\user\AppData\Local\Temp\unarchiver.log Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\NUtec_FS01_2024-04-19_07_41_35.191.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ysvq5c1x.zkp" "C:\Users\user\Desktop\NUtec_FS01_2024-04-19_07_41_35.191.zip"
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ysvq5c1x.zkp" "C:\Users\user\Desktop\NUtec_FS01_2024-04-19_07_41_35.191.zip" Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe Section loaded: 7z.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: NUtec_FS01_2024-04-19_07_41_35.191.zip Static file information: File size 3515136 > 1048576
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: D40000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 2DD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: 1160000 memory commit | memory reserve | memory write watch Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\unarchiver.exe Window / User API: threadDelayed 495 Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Window / User API: threadDelayed 9476 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3436 Thread sleep count: 495 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3436 Thread sleep time: -247500s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3436 Thread sleep count: 9476 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3436 Thread sleep time: -4738000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 0_2_00C8B1D6 GetSystemInfo, 0_2_00C8B1D6
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ysvq5c1x.zkp" "C:\Users\user\Desktop\NUtec_FS01_2024-04-19_07_41_35.191.zip" Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1428600 Sample: NUtec_FS01_2024-04-19_07_41... Startdate: 19/04/2024 Architecture: WINDOWS Score: 2 6 unarchiver.exe 4 2->6         started        process3 8 7za.exe 13 6->8         started        process4 10 conhost.exe 8->10         started       
No contacted IP infos