File name: | 1c3c9_CVJesssika7060627999.zip |
Full analysis: | https://app.any.run/tasks/38da815d-0840-4039-8ebb-7984747bbec7 |
Verdict: | Malicious activity |
Threats: | Metamorfo is a trojan malware family that has been active since 2018. It remains a top threat, focusing on stealing victims’ financial information, including banking credentials and other data. The malware is known for targeting users in Brazil. |
Analysis date: | March 31, 2020, 10:50:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 1C3C904EF8CE6021F1F2E06D5AD3A00B |
SHA1: | 4D00E5463AEE0B1D972108B5C3FEEE783D8F9BC0 |
SHA256: | 136D99EA17307B10C34997D605F7EB746A6FD50C2DDDB4576337B8DAAE3A83C6 |
SSDEEP: | 3072:bSB+EiHORS29FAUUx5ziaN1T98ehPPO6zYrnmejVMp+:+B+JHORT0H98eh1zCnmeBMI |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:03:26 23:16:02 |
ZipCRC: | 0xd947b9fa |
ZipCompressedSize: | 127582 |
ZipUncompressedSize: | 272896 |
ZipFileName: | VCJESSIKA097878.msi |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2864 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1c3c9_CVJesssika7060627999.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2492 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa2864.18880\VCJESSIKA097878.msi" | C:\Windows\System32\msiexec.exe | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2936 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2704 | C:\Windows\system32\MsiExec.exe -Embedding 0527538C5457464D9DBB5FD922AEE1A4 | C:\Windows\system32\MsiExec.exe | msiexec.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2860 | "C:\Windows\System32\reg.exe" add "HKCU\software\Microsoft\Windows\CurrentVersion\RunOnce" /v NPIE /t reg_sz /d C:\Users\admin\Documents\NPIE\NPIE.EXE | C:\Windows\System32\reg.exe | MsiExec.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3456 | "C:\Users\admin\Documents\NPIE\NPIE.EXE" | C:\Users\admin\Documents\NPIE\NPIE.EXE | MsiExec.exe | |
User: admin Company: Avira Operations GmbH & Co. KG Integrity Level: MEDIUM Description: Avira Version: 1.2.144.30330 | ||||
3548 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2936 | msiexec.exe | C:\Windows\Installer\MSI8CC7.tmp | — | |
MD5:— | SHA256:— | |||
2936 | msiexec.exe | C:\Windows\Installer\MSI8D36.tmp | — | |
MD5:— | SHA256:— | |||
2936 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF46BF722D02CC1BD6.TMP | — | |
MD5:— | SHA256:— | |||
2704 | MsiExec.exe | C:\Users\admin\Documents\NPIE\Avira.OE.NativeCore.dll | — | |
MD5:— | SHA256:— | |||
2704 | MsiExec.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\video2[1].tar | compressed | |
MD5:8BD367E3E35A0EE2A2EF3DE33AE21214 | SHA256:9CF4C726E46022622BDB48772A88F061468D7DF5C1BB94C503D3119B83F5230B | |||
2864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2864.18880\dados.txt | text | |
MD5:987EE5F625D99D31BF5C4EB1029C3E71 | SHA256:6F2082B077E6C9126A23843C170B9FDCF636BB4BDA61DCE231709C91FC2DC465 | |||
2936 | msiexec.exe | C:\Windows\Installer\a68c2b.msi | executable | |
MD5:2CE4024BBE907D2C299666A9DB3E6130 | SHA256:654DC1C45EB3DCA16464AADBBDAC074DA93A9E8B2473A253A07F5F4D242F8116 | |||
2704 | MsiExec.exe | C:\Users\admin\Documents\NPIE\Birinb (3).ico | image | |
MD5:FE0A2332048DF13FCECBDB33837E15F4 | SHA256:04A226B46B1297AE467D2F98330DD8822CED7AA1707341A6C16E2FEF1DB65C65 | |||
2704 | MsiExec.exe | C:\Users\admin\Documents\NPIE_NPIE_NPIE.zip | compressed | |
MD5:8BD367E3E35A0EE2A2EF3DE33AE21214 | SHA256:9CF4C726E46022622BDB48772A88F061468D7DF5C1BB94C503D3119B83F5230B | |||
2864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2864.18880\VCJESSIKA097878.msi | executable | |
MD5:2CE4024BBE907D2C299666A9DB3E6130 | SHA256:654DC1C45EB3DCA16464AADBBDAC074DA93A9E8B2473A253A07F5F4D242F8116 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3456 | NPIE.EXE | POST | — | 5.57.226.202:80 | http://novamultimidea.webcindario.com/covid19/ | ES | — | — | malicious |
2704 | MsiExec.exe | GET | 200 | 187.17.111.35:80 | http://moggiempilhadeiras.com.br/js/video2.Tar | BR | compressed | 13.0 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2704 | MsiExec.exe | 187.17.111.35:80 | moggiempilhadeiras.com.br | Universo Online S.A. | BR | malicious |
3456 | NPIE.EXE | 5.57.226.202:80 | novamultimidea.webcindario.com | ServiHosting Networks S.L. | ES | malicious |
Domain | IP | Reputation |
---|---|---|
moggiempilhadeiras.com.br |
| malicious |
novamultimidea.webcindario.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3456 | NPIE.EXE | Potentially Bad Traffic | ET INFO Suspicious POST Request with Possible COVID-19 URI M1 |