File name: | 84f8b_dados68974942045.zip |
Full analysis: | https://app.any.run/tasks/076aa9da-67d8-494d-a046-a5249896af22 |
Verdict: | Malicious activity |
Threats: | Metamorfo is a trojan malware family that has been active since 2018. It remains a top threat, focusing on stealing victims’ financial information, including banking credentials and other data. The malware is known for targeting users in Brazil. |
Analysis date: | March 31, 2020, 09:45:26 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 84F8BB1AD60607C54EB6AD0C9BAA0404 |
SHA1: | D15A559494EB253671C33BB5613CE7134C30B442 |
SHA256: | 17EC2AC96AFF11AFCCBC5E2654EE47788C5D01A26BE231C88EC23447601A79A4 |
SSDEEP: | 3072:BXi47x7Emf2s7r3a9oSbUY1ZI4SsSwPawtYvUA7y5NUSb79:BXi4j2gpSbUY1Q3wPRtZsAeIp |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:03:26 23:15:18 |
ZipCRC: | 0x0aaa81e5 |
ZipCompressedSize: | 125856 |
ZipUncompressedSize: | 272896 |
ZipFileName: | dados3213.msi |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3924 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\84f8b_dados68974942045.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3592 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa3924.27522\dados3213.msi" | C:\Windows\System32\msiexec.exe | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3176 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2408 | C:\Windows\system32\MsiExec.exe -Embedding 1B4EDF434749038C8EBAC9343BE9B663 | C:\Windows\system32\MsiExec.exe | msiexec.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
952 | "C:\Windows\System32\reg.exe" add "HKCU\software\Microsoft\Windows\CurrentVersion\RunOnce" /v NPIE /t reg_sz /d C:\Users\admin\Documents\NPIE\NPIE.EXE | C:\Windows\System32\reg.exe | MsiExec.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3012 | "C:\Users\admin\Documents\NPIE\NPIE.EXE" | C:\Users\admin\Documents\NPIE\NPIE.EXE | MsiExec.exe | |
User: admin Company: Avira Operations GmbH & Co. KG Integrity Level: MEDIUM Description: Avira Version: 1.2.144.30330 | ||||
3548 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3176 | msiexec.exe | C:\Windows\Installer\MSI8296.tmp | — | |
MD5:— | SHA256:— | |||
3176 | msiexec.exe | C:\Windows\Installer\MSI8314.tmp | — | |
MD5:— | SHA256:— | |||
3176 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF8A5F0D85B0ADA728.TMP | — | |
MD5:— | SHA256:— | |||
2408 | MsiExec.exe | C:\Users\admin\Documents\NPIE\Avira.OE.NativeCore.dll | — | |
MD5:— | SHA256:— | |||
3176 | msiexec.exe | C:\Windows\Installer\a681fa.msi | executable | |
MD5:A658DA0BF1A0EBD663044708CFCEA350 | SHA256:50F1F2F411B11A5529E7F7AC6590ED8FF8AB86ECC7F80F2CAF2EE2944DF07CBC | |||
2408 | MsiExec.exe | C:\Users\admin\Documents\NPIE_NPIE_NPIE.zip | compressed | |
MD5:8BD367E3E35A0EE2A2EF3DE33AE21214 | SHA256:9CF4C726E46022622BDB48772A88F061468D7DF5C1BB94C503D3119B83F5230B | |||
3924 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3924.27522\dados.txt | text | |
MD5:987EE5F625D99D31BF5C4EB1029C3E71 | SHA256:6F2082B077E6C9126A23843C170B9FDCF636BB4BDA61DCE231709C91FC2DC465 | |||
3176 | msiexec.exe | C:\Windows\Installer\a681fc.ipi | binary | |
MD5:693EDFB233013C918F73C3ABB89D6190 | SHA256:A16840F60030A0A281CBB955CAEAE4DC477404AFD6377E3C85CF3FE35DEE7010 | |||
2408 | MsiExec.exe | C:\Users\admin\Documents\NPIE\Birinb (3).ico | image | |
MD5:FE0A2332048DF13FCECBDB33837E15F4 | SHA256:04A226B46B1297AE467D2F98330DD8822CED7AA1707341A6C16E2FEF1DB65C65 | |||
3924 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3924.27522\dados3213.msi | executable | |
MD5:A658DA0BF1A0EBD663044708CFCEA350 | SHA256:50F1F2F411B11A5529E7F7AC6590ED8FF8AB86ECC7F80F2CAF2EE2944DF07CBC |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2408 | MsiExec.exe | GET | 200 | 187.17.111.35:80 | http://moggiempilhadeiras.com.br/js/video2.Tar | BR | compressed | 13.0 Mb | malicious |
3012 | NPIE.EXE | POST | — | 5.57.226.202:80 | http://novamultimidea.webcindario.com/covid19/ | ES | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3012 | NPIE.EXE | 5.57.226.202:80 | novamultimidea.webcindario.com | ServiHosting Networks S.L. | ES | malicious |
2408 | MsiExec.exe | 187.17.111.35:80 | moggiempilhadeiras.com.br | Universo Online S.A. | BR | malicious |
Domain | IP | Reputation |
---|---|---|
moggiempilhadeiras.com.br |
| malicious |
novamultimidea.webcindario.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3012 | NPIE.EXE | Potentially Bad Traffic | ET INFO Suspicious POST Request with Possible COVID-19 URI M1 |