Field | Value
---|---|
File name | Electron.zip
Full analysis | https://app.any.run/tasks/5c160ca8-bc1b-4a75-8997-6e42a6aed6f2
Verdict | Malicious activity
Analysis date | January 24, 2022, 19:33:55
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | 607F027700DC670D72FF5F781CA0A562
SHA1 | 82742F9458871814CB666EB3DBE04B645AF49DC2
SHA256 | 17EA4D8A811BB37FB14F0508875A5EEC31AA7734C95E4BBE583FB256D7D1A6CB
SSDEEP | 384:IMdKzZ64j4N0vDxlbZmWwjN6767wUQwBgkNQELpqpkOCIw8uGa3GKB:zKIN4Zmhjw767wOBgUxx5Gq
Extension | Detected type
---|---|
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---|
2484 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Electron.zip.rar" | C:\Program Files\WinRAR\WinRAR.exe | | Explorer.EXE | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.91.0
3160 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2484.49997\JITStarter.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2484.49997\JITStarter.exe | | WinRAR.exe | admin | — | MEDIUM | — | — | 0.0.0.0
1268 | "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "JITStarter" /tr "C:\Users\admin\AppData\Roaming\JITStarter.exe" | C:\Windows\System32\schtasks.exe | — | JITStarter.exe | admin | Microsoft Corporation | MEDIUM | Manages scheduled tasks | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
3492 | C:\Users\admin\AppData\Roaming\JITStarter.exe | C:\Users\admin\AppData\Roaming\JITStarter.exe | — | taskeng.exe | admin | — | MEDIUM | — | 0 | 0.0.0.0
3544 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\tableknown.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 0 | 14.0.6024.1000
2812 | C:\Users\admin\AppData\Roaming\JITStarter.exe | C:\Users\admin\AppData\Roaming\JITStarter.exe | — | taskeng.exe | admin | — | MEDIUM | — | 0 | 0.0.0.0
3224 | C:\Users\admin\AppData\Roaming\JITStarter.exe | C:\Users\admin\AppData\Roaming\JITStarter.exe | — | taskeng.exe | admin | — | MEDIUM | — | 0 | 0.0.0.0
3164 | C:\Users\admin\AppData\Roaming\JITStarter.exe | C:\Users\admin\AppData\Roaming\JITStarter.exe | — | taskeng.exe | admin | — | MEDIUM | — | 0 | 0.0.0.0
2120 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | | Explorer.EXE | admin | Opera Software | MEDIUM | Opera Internet Browser | 0 | 1748
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
3544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6A80.tmp.cvr | — | — | —
2484 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2484.49997\HowToUse.txt | text | BC2913849208143AF460D32BAB1B2F4A | F76A0AAA981516A3FB2775F42DA4AFF351FD4BB5324C62FB465BE3E6DE0818E4
2484 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2484.49997\JITStarter.exe | executable | F40A6224848E929A4F357F2A58F7DF1E | 82CD0FB2588B524316E72B8EACC02EBD28545BD18B2A82BE0B0FA0E7A35353C4
3544 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\tableknown.rtf.LNK | lnk | B79526C4704AB6748046D6C3D727AFDE | 8FE4FA4B990E227AA2A09F1CE83C1C6EE39D39503C667A58D117AEB601F418A0
3160 | JITStarter.exe | C:\Users\admin\AppData\Roaming\JITStarter.exe | executable | F40A6224848E929A4F357F2A58F7DF1E | 82CD0FB2588B524316E72B8EACC02EBD28545BD18B2A82BE0B0FA0E7A35353C4
3544 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | B955E5FED709F6556D633DC6AC12B3F9 | F391D7D42F77F51ECA5A990248CE5351B1F12EE7BDD408B635E7F007CEB2EAAE
2120 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text | B05286C6E1349D2CECC7C16A8421FFE9 | 6AD95E607395E548786C120851BF6CC84CA66457D287DCD6737F797A3E390693
3160 | JITStarter.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JITStarter.exe | executable | F40A6224848E929A4F357F2A58F7DF1E | 82CD0FB2588B524316E72B8EACC02EBD28545BD18B2A82BE0B0FA0E7A35353C4
2120 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml | xml | 2810B594F721D9C825955514652E1C1C | BCEE3E54462D9669D1334F0BC3FE816CFAC5DABA5D5D0A2790D22DD1A82A87B3
3544 | WINWORD.EXE | C:\Users\admin\Desktop\~$bleknown.rtf | pgc | 1FB27214665C5082BA979FC7A153CF97 | 4F2631B9AB61FAD27DCBEEDCF9EE3B3FF5EF3DF014AF69CF85478DC8D6123EE2
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2120 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 592 b | whitelisted |
3160 | JITStarter.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | text | 6 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2120 | opera.exe | 93.184.220.29:80 | crl3.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3160 | JITStarter.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
2120 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | — | whitelisted |
3160 | JITStarter.exe | 162.159.138.85:443 | sharetext.me | Cloudflare Inc | — | malicious |
3160 | JITStarter.exe | 3.138.180.119:13853 | 4.tcp.ngrok.io | — | US | malicious |
Domain | IP | Reputation
---|---|---|
ip-api.com | | shared
sharetext.me | | malicious
4.tcp.ngrok.io | | malicious
certs.opera.com | | whitelisted
crl3.digicert.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
3160 | JITStarter.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3160 | JITStarter.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
— | — | Potential Corporate Privacy Violation | ET POLICY DNS Query to a *.ngrok domain (ngrok.io) |
— | — | Potential Corporate Privacy Violation | ET POLICY DNS Query to a *.ngrok domain (ngrok.io) |