Windows Analysis Report NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh

Overview

General Information

Sample Name: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh
Analysis ID: 482886
MD5: b71a9e479123528ba6f7b8642b924d0e
SHA1: 5aae421b9bc63d5982f5ef0e19abdfb85cb1688b
SHA256: 1908c35415f99b55e81ea5dd70da0ebbd3e341cd4d2cf77a418c09235be590d5

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found inlined nop instructions (likely shell or obfuscated code)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh Virustotal: Detection: 14%
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh ReversingLabs: Detection: 39%
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 055D099Bh 0_2_055D02A8
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 055D099Ah 0_2_055D02A8

System Summary:

Detected potential crypto function
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 0_2_055D02A8 0_2_055D02A8
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 0_2_055D0299 0_2_055D0299
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh Virustotal: Detection: 14%
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh ReversingLabs: Detection: 39%
Source: C:\Windows\SysWOW64\unarchiver.exe File created: C:\Users\user\AppData\Local\Temp\103b5ifs.cxq
Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: classification engine Classification label: mal48.winLZH@3/1@0/0
Source: unknown Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\zdsmcxok.014' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\zdsmcxok.014' 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE.lzh'
Source: unarchiver.exe, 00000000.00000002.1332470511.0000000001B20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: unarchiver.exe, 00000000.00000002.1332470511.0000000001B20000.00000002.00020000.sdmp Binary or memory string: Progman
Source: unarchiver.exe, 00000000.00000002.1332470511.0000000001B20000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: unarchiver.exe, 00000000.00000002.1332470511.0000000001B20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: unarchiver.exe, 00000000.00000002.1332470511.0000000001B20000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos