Windows Analysis Report
MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip

Overview

General Information

Sample name: MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip
Analysis ID: 1428806
MD5: d643c338c5433325d7eb951dcdbdd49e
SHA1: ff9b656a93c29be4d27c5c7a84fbad6745bd645e
SHA256: 01dab660885e34c8ff340193ddbe08aedacf75e4636e2a794e32c860ca47a2c7

Detection

Score: 21
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

PE file has a writeable .text section
Drops PE files
Queries the volume information (name, serial number etc) of a device

Classification


System Summary

Source: rhc.exe.20.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rhc.exe.20.dr Static PE information: Section .text
Source: classification engine Classification label: sus21.winZIP@6/1@0/0
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\rhc.exe
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe"
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap13122:172:7zEvent2168
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe "C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Temp2_MDE_File_Sample_1ed7b1e965eab56f55efda975f9f7ade95337267.zip\rhc.exe Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\rhc.exe
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe File Volume queried: C:\Users\user FullSizeInformation
Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user
Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\conhost.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
No contacted IP infos