Field | Value |
---|---|
File name | Spark.zip |
Full analysis | https://app.any.run/tasks/61b13877-e919-4704-984e-821cb5a27315 |
Verdict | Malicious activity |
Analysis date | November 29, 2020, 15:40:59 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/zip |
File info | Zip archive data, at least v5.1 to extract |
MD5 | 860168A14356BE3E65650B8A3CF6C3A0 |
SHA1 | EA99E29E119D88CAF9D38FB6AAC04A97E9C5AC63 |
SHA256 | 1AE2A53C8ADC94B1566EA6B3AA63CE7FE2A2B2FCBE4CEC3112F9EBE76E2E9BF9 |
SSDEEP | 49152:p0iszfe7OgN0Fw6KDfcqm6YvBK1+bgHXFZn:4CN0FHMcTvu+E3FZn |
Field | Value |
---|---|
File type (.zip) | ZIP compressed archive (100) |
ZipFileName | [email protected] |
ZipUncompressedSize | 507392 |
ZipCompressedSize | 385497 |
ZipCRC | 0x00000000 |
ZipModifyDate | 2018:09:14 23:54:10 |
ZipCompression | Unknown (99) |
ZipBitFlag | 0x0001 |
ZipRequiredVersion | 51 |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
2364 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Spark.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0 |
2832 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2364.31169\[email protected]" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2364.31169\[email protected] | — | WinRAR.exe | admin | | MEDIUM | | 3221226540 | 0.0.0.0 |
3204 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2364.31169\[email protected]" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2364.31169\[email protected] | | WinRAR.exe | admin | | HIGH | | 3762504530 | 0.0.0.0 |
2400 | "C:\Users\admin\Desktop\NETFramework.exe" | C:\Users\admin\Desktop\NETFramework.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Framework 4.7.1 Setup | 3221226540 | 4.7.02558.00 |
4032 | "C:\Users\admin\Desktop\NETFramework.exe" | C:\Users\admin\Desktop\NETFramework.exe | | explorer.exe | admin | Microsoft Corporation | HIGH | Microsoft .NET Framework 4.7.1 Setup | 0 | 4.7.02558.00 |
1732 | C:\cb5a6f3baae017cbbc4e12e4\\Setup.exe /x86 /x64 /web | C:\cb5a6f3baae017cbbc4e12e4\Setup.exe | | NETFramework.exe | admin | Microsoft Corporation | HIGH | Setup Installer | 0 | 14.7.2558.0 built by: NET471REL1 |
2492 | SetupUtility.exe /aupause | C:\cb5a6f3baae017cbbc4e12e4\SetupUtility.exe | — | Setup.exe | admin | Microsoft Corporation | HIGH | Microsoft .NET Framework 4.5 Setup | 0 | 14.7.2558.0 built by: NET471REL1 |
3728 | SetupUtility.exe /screboot | C:\cb5a6f3baae017cbbc4e12e4\SetupUtility.exe | — | Setup.exe | admin | Microsoft Corporation | HIGH | Microsoft .NET Framework 4.5 Setup | 0 | 14.7.2558.0 built by: NET471REL1 |
1332 | SetupUtility.exe /msureboot 461310 | C:\cb5a6f3baae017cbbc4e12e4\SetupUtility.exe | — | Setup.exe | admin | Microsoft Corporation | HIGH | Microsoft .NET Framework 4.5 Setup | 0 | 14.7.2558.0 built by: NET471REL1 |
2808 | SetupUtility.exe /auresume | C:\cb5a6f3baae017cbbc4e12e4\SetupUtility.exe | — | Setup.exe | admin | Microsoft Corporation | HIGH | Microsoft .NET Framework 4.5 Setup | 0 | 14.7.2558.0 built by: NET471REL1 |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
2364 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | |
2364 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | |
2364 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | write | LanguageList | en-US |
2364 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\Spark.zip |
2364 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
2364 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
2364 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
2364 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
2364 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface | write | ShowPassword | 0 |
2364 | WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2364 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2364.33183\[email protected] | — | — | — |
2364 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2364.33183\NETFramework.exe | — | — | — |
2364 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2364.31169\[email protected] | executable | 181EE63003E5C3EC8C378030286ED7A2 | 55BFCB784904477EF62EF7E4994DEE42F03D69BFEC3591989513CCCBBA3FC8FE |
3204 | [email protected] | C:\Windows\File Cache\IFEO.exe | executable | 4A741EE0A43E437B2F12D3CF355A0234 | 9E919B9D333E5084427C4AAF4C00D058D9E2955F0428962DCB87FD48E163E65D |
3204 | [email protected] | C:\Windows\File Cache\DLL.dll | executable | A61C26B360471C8258C7571037C4BCA0 | E77316A1FD682E1AF8AF3CCD03C170F886B9EC8EDF7013E1BE6A6207CB5A6F16 |
4032 | NETFramework.exe | C:\cb5a6f3baae017cbbc4e12e4\Graphics\Rotate5.ico | image | 25F0D572761CB610BDAD6DD980C46CC7 | CE2AFC0AA52B3D459D6D8D7C551F7B8FBF323E2260326908C37A13F21FEE423E |
4032 | NETFramework.exe | C:\cb5a6f3baae017cbbc4e12e4\watermark.bmp | image | B0075CEE80173D764C0237E840BA5879 | AB18374B3AAB10E5979E080D0410579F9771DB888BA1B80A5D81BA8896E2D33A |
4032 | NETFramework.exe | C:\cb5a6f3baae017cbbc4e12e4\header.bmp | image | 41C22EFA84CA74F0CE7076EB9A482E38 | 255025A0D79EF2DAC04BD610363F966EF58328400BF31E1F8915E676478CD750 |
4032 | NETFramework.exe | C:\cb5a6f3baae017cbbc4e12e4\Graphics\Print.ico | image | D39BAD9DDA7B91613CB29B6BD55F0901 | D80FFEB020927F047C11FC4D9F34F985E0C7E5DFEA9FB23F2BC134874070E4E6 |
4032 | NETFramework.exe | C:\cb5a6f3baae017cbbc4e12e4\Graphics\Rotate2.ico | image | F824905E5501603E6720B784ADD71BDD | D15A6F1EEFEFE4F9CD51B7B22E9C7B07C7ACAD72FD53E5F277E6D4E0976036C3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1732 | Setup.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | unknown | der | 550 b | whitelisted |
1732 | Setup.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | unknown | der | 564 b | whitelisted |
1732 | Setup.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | der | 781 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1732 | Setup.exe | 2.16.186.120:80 | crl.microsoft.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
crl.microsoft.com | | whitelisted |
Process | Message |
---|---|
Setup.exe | The operation completed successfully. |
Setup.exe | The operation completed successfully. |