File name: | RFQ Add-on Combined Cycle Power Plant for Unit 2yr.zip |
Full analysis: | https://app.any.run/tasks/bb223b99-f3f4-421b-bd78-3938b8db8f5c |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | May 15, 2019, 10:13:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 5A2FCB629402680352EB836C9FE6F92A |
SHA1: | 964514996346061A2E40AE3A6C38EC4438521734 |
SHA256: | 1B68E1106D0E08A789D2312F6B944306129B53B21678FDCF9B710BD4FA5B89EC |
SSDEEP: | 12288:vrxYpquinjZHFgh6RLrqM/V6XUTKS+0OvUkGyqlHW9Fy36x5HPpo4rNsjuaAw7ug:jxVjY6rqCVRv39Ag3W5HPpVoGw7u1sK0 |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | RFQ Add-on Combined Cycle Power Plant for Unit 2yr.exe |
---|---|
ZipUncompressedSize: | 840192 |
ZipCompressedSize: | 766880 |
ZipCRC: | 0xdea9d3d9 |
ZipModifyDate: | 2019:05:14 06:22:07 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
584 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RFQ Add-on Combined Cycle Power Plant for Unit 2yr.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3252 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa584.26240\RFQ Add-on Combined Cycle Power Plant for Unit 2yr.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa584.26240\RFQ Add-on Combined Cycle Power Plant for Unit 2yr.exe | WinRAR.exe | |
User: admin Company: igfxEM Integrity Level: MEDIUM Description: SystemPropertiesHardware Exit code: 0 Version: 730.880.489.513 | ||||
2096 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | RFQ Add-on Combined Cycle Power Plant for Unit 2yr.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
1576 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp7325.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegAsm.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
1260 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp9D14.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | RegAsm.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
(PID) Process: | (584) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (584) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (584) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (584) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\RFQ Add-on Combined Cycle Power Plant for Unit 2yr.zip | |||
(PID) Process: | (584) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (584) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (584) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (584) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (584) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (584) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
584 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa584.26240\RFQ Add-on Combined Cycle Power Plant for Unit 2yr.exe | executable | |
MD5:8501CFFD725560D8C18D7F91C4F9190C | SHA256:A94958A20D00F384F286061E5FFF446D750F4F38CD94388895FD617B265AE735 | |||
3252 | RFQ Add-on Combined Cycle Power Plant for Unit 2yr.exe | C:\Users\admin\DataStoreCacheDumpTool\bcdedit.exe | executable | |
MD5:D38A2D877C9B956E4BF63722D9254E36 | SHA256:22B7866143081A76D8763EC7158B4B8CF126E60AE0B978331249CD88C855F532 | |||
2096 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\25291068-43af-3e16-50f6-5889d9ce7904 | text | |
MD5:454353131947D1483FF5470107478978 | SHA256:2DF94DC1C58E952A1EBD1AE1185A291A8A573982CA90EC1BBB87B81126002668 | |||
1576 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp7325.tmp | text | |
MD5:3E1E093DCCE32C716267A28292E0EE27 | SHA256:56285445424AD06DC043154819B5BDABAA7C26F5779CA3E37E08424ED9926CB8 | |||
1260 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp9D14.tmp | text | |
MD5:7FB9A9AD0FD9B1E0108ED71FBB276048 | SHA256:7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2096 | RegAsm.exe | POST | — | 157.230.228.185:80 | http://adityatimpack.us/second/Panel/api | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2096 | RegAsm.exe | 157.230.228.185:80 | adityatimpack.us | Joao Carlos de Almeida Silveira trading as Bitcanal | US | malicious |
Domain | IP | Reputation |
---|---|---|
adityatimpack.us |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2096 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blaknight/HawkEye Win32.Backdoor.bc Check-in |