File name: | AppNee.com.Office.2013-2021.C2R.Install.v7.3.9.Lite.Full.7z |
Full analysis: | https://app.any.run/tasks/1d8db937-9555-48e5-ac16-744f74e76d17 |
Verdict: | Malicious activity |
Analysis date: | January 24, 2022, 16:53:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-7z-compressed |
File info: | 7-zip archive data, version 0.4 |
MD5: | A0DDEE5E11429E74CE5FADD7AFEB7108 |
SHA1: | FEE7C64C98FC7133C6BDE7310BCBB5CA671B0A50 |
SHA256: | 0DBFDF325766C93565CA3AD87B31E51D0C0FEDD99022E740AFFD48E03F6A88B3 |
SSDEEP: | 393216:aAj81cvH39gwzff/RQoXeZQPjgEiGOvZRvr79:LSwTwmgFGY5R |
.7z | | | 7-Zip compressed archive (v0.4) (57.1) |
---|---|---|
.7z | | | 7-Zip compressed archive (gen) (42.8) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
4076 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\AppNee.com.Office.2013-2021.C2R.Install.v7.3.9.Lite.Full.7z" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
2356 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb4076.37965\OInstall.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb4076.37965\OInstall.exe | — | WinRAR.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Office 2013-2021 C2R Install Exit code: 3221226540 Modules
| |||||||||||||||
2700 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb4076.37965\OInstall.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb4076.37965\OInstall.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Office 2013-2021 C2R Install Modules
| |||||||||||||||
2768 | "C:\Windows\System32\cmd.exe" /D /c files.dat -y -pkmsauto | C:\Windows\System32\cmd.exe | — | OInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2920 | files.dat -y -pkmsauto | C:\Users\admin\AppData\Local\Temp\Rar$EXb4076.37965\files\files.dat | cmd.exe | ||||||||||||
User: admin Company: Igor Pavlov Integrity Level: HIGH Description: 7z Console SFX Exit code: 0 Version: 9.20 Modules
| |||||||||||||||
3068 | "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\admin\AppData\Local\Temp\over699146\v32.cab') }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | OInstall.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
3416 | "expand" v32.cab -F:VersionDescriptor.xml C:\Users\admin\AppData\Local\Temp\over699146 | C:\Windows\system32\expand.exe | — | OInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: LZ Expansion Utility Exit code: 0 Version: 6.1.7601.24535 (win7sp1_ldr_escrow.191105-1059) Modules
| |||||||||||||||
3400 | "powershell" -command "& { Get-Content C:\Users\admin\AppData\Local\Temp\over699146\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt } | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | OInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
904 | "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\admin\AppData\Local\Temp\over373465\v32.cab') }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | OInstall.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
3876 | "expand" v32.cab -F:VersionDescriptor.xml C:\Users\admin\AppData\Local\Temp\over373465 | C:\Windows\system32\expand.exe | — | OInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: LZ Expansion Utility Exit code: 0 Version: 6.1.7601.24535 (win7sp1_ldr_escrow.191105-1059) Modules
|
(PID) Process: | (4076) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (4076) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (4076) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (4076) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (4076) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (4076) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\AppNee.com.Office.2013-2021.C2R.Install.v7.3.9.Lite.Full.7z | |||
(PID) Process: | (4076) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (4076) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (4076) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (4076) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
4076 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb4076.37965\OInstallLite.exe | executable | |
MD5:B70F0484C45C885DF6E0D13C5FE7151C | SHA256:4A81E8451C0A16B9A133CFF53D5AA739F032AE4D40F867130A55A4F6399CA464 | |||
4076 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb4076.37965\readme_en.txt | text | |
MD5:A5BE0491B4C835A53480C1E92F967941 | SHA256:3C10A3E490F18D27187866A862DA22C40C9B8FC47354F2CF0F7D8A79E9981AF0 | |||
4076 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb4076.37965\Latest version.url | url | |
MD5:37D4F0BD264ECC1B0AAACB3655FE3A90 | SHA256:7128DD31E4737A770F31E3CCB4FE0720FE24F38D9949E4DC540F332FDA621328 | |||
2920 | files.dat | C:\Users\admin\AppData\Local\Temp\Rar$EXb4076.37965\files\x86\cleanospp.exe | executable | |
MD5:5FD363D52D04AC200CD24F3BCC903200 | SHA256:3FDEFE2AD092A9A7FE0EDF0AC4DC2DE7E5B9CE6A0804F6511C06564194966CF9 | |||
2920 | files.dat | C:\Users\admin\AppData\Local\Temp\Rar$EXb4076.37965\files\x64\cleanospp.exe | executable | |
MD5:162AB955CB2F002A73C1530AA796477F | SHA256:5CE462E5F34065FC878362BA58617FAB28C22D631B9D836DDDCF43FB1AD4DE6E | |||
3416 | expand.exe | C:\Users\admin\AppData\Local\Temp\over699146\$dpx$.tmp\d954e76c9b75124b8331360160294bf9.tmp | xml | |
MD5:CD294F1AFF7E23273C11D7D920C12125 | SHA256:5535D833E22CF9739352A1B993B8DE897FFA9BF581072165C7EC11E848C22203 | |||
2700 | OInstall.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb4076.37965\files\files.dat | executable | |
MD5:55D21B2C272A5D6B9F54FA9ED82BF9EB | SHA256:7A1C82E264258470D14CA345EA1A9B6FC34FA19B393A92077A01BE5F1AD08F47 | |||
3068 | powershell.exe | C:\Users\admin\AppData\Local\Temp\over699146\v32.cab | compressed | |
MD5:B44CD1125DE1AFB75FC04062CCC8692A | SHA256:5DAE61383845D34146D24B14A0B981CDD595B13BFEADD2B805E2A18DCB5F6642 | |||
4076 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb4076.37965\Original source.url | url | |
MD5:0C7AF10C4FC6DCB6DED3F946B7D9F5F0 | SHA256:64CD7CD89F80AD52303AFCBBC028B0CE1022630C4F5E094F9D56F22BB1BEEE0E | |||
3416 | expand.exe | C:\Users\admin\AppData\Local\Temp\over699146\VersionDescriptor.xml | xml | |
MD5:CD294F1AFF7E23273C11D7D920C12125 | SHA256:5535D833E22CF9739352A1B993B8DE897FFA9BF581072165C7EC11E848C22203 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3504 | powershell.exe | GET | 301 | 104.107.160.60:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab | US | — | — | whitelisted |
904 | powershell.exe | GET | 301 | 104.107.160.60:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab | US | — | — | whitelisted |
528 | powershell.exe | GET | 301 | 104.107.160.60:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab | US | — | — | whitelisted |
528 | powershell.exe | GET | 200 | 23.32.238.208:80 | http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab | US | compressed | 10.8 Kb | whitelisted |
1312 | powershell.exe | GET | 301 | 104.107.160.60:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.14729.20260/i320.cab | US | — | — | whitelisted |
3068 | powershell.exe | GET | 301 | 104.107.160.60:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab | US | — | — | whitelisted |
904 | powershell.exe | GET | 200 | 23.32.238.209:80 | http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab | US | compressed | 10.8 Kb | whitelisted |
3332 | powershell.exe | GET | 301 | 23.53.168.85:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.14729.20260/i321033.cab | NL | — | — | whitelisted |
3504 | powershell.exe | GET | 200 | 23.32.238.209:80 | http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab | US | compressed | 10.8 Kb | whitelisted |
1312 | powershell.exe | GET | 200 | 23.32.238.208:80 | http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.14729.20260/i320.cab | US | compressed | 24.4 Mb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3068 | powershell.exe | 104.107.160.60:80 | officecdn.microsoft.com | GTT Communications Inc. | US | unknown |
1312 | powershell.exe | 23.32.238.208:80 | officecdn.microsoft.com.edgesuite.net | XO Communications | US | unknown |
528 | powershell.exe | 104.107.160.60:80 | officecdn.microsoft.com | GTT Communications Inc. | US | unknown |
3504 | powershell.exe | 104.107.160.60:80 | officecdn.microsoft.com | GTT Communications Inc. | US | unknown |
1312 | powershell.exe | 104.107.160.60:80 | officecdn.microsoft.com | GTT Communications Inc. | US | unknown |
528 | powershell.exe | 23.32.238.208:80 | officecdn.microsoft.com.edgesuite.net | XO Communications | US | unknown |
904 | powershell.exe | 104.107.160.60:80 | officecdn.microsoft.com | GTT Communications Inc. | US | unknown |
3332 | powershell.exe | 23.53.168.85:80 | officecdn.microsoft.com | Akamai Technologies, Inc. | NL | unknown |
3504 | powershell.exe | 23.32.238.209:80 | officecdn.microsoft.com.edgesuite.net | XO Communications | US | suspicious |
904 | powershell.exe | 23.32.238.209:80 | officecdn.microsoft.com.edgesuite.net | XO Communications | US | suspicious |
Domain | IP | Reputation |
---|---|---|
officecdn.microsoft.com |
| whitelisted |
officecdn.microsoft.com.edgesuite.net |
| whitelisted |
ecs.office.com |
| whitelisted |
vortex-win.data.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |