download: | zip_by_token_key |
Full analysis: | https://app.any.run/tasks/57eea2af-a43f-457b-92e9-4f3150d21562 |
Verdict: | Malicious activity |
Analysis date: | April 25, 2019, 15:05:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 3DE8C0E50EC029B5853274EC645CCBBE |
SHA1: | 6E70FF7E308ED0296ECD171B539406BAD9718174 |
SHA256: | 1EF2B809B6753374C709EF9F6E8DB273A43841EB2A640E0CAD22690D75BD4DF7 |
SSDEEP: | 49152:RhRHp6jITkn5M0/II4etSN03BIosuhDUwR2P7pIEQrdM:RhZp6Hn5M0/II4sSkOo5h4u29IED |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | / |
---|---|
ZipUncompressedSize: | - |
ZipCompressedSize: | - |
ZipCRC: | 0x00000000 |
ZipModifyDate: | 2019:04:23 11:20:25 |
ZipCompression: | None |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2524 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\zip_by_token_key.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1796 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa2524.24202\ORD-30950340-34054990-43094594043-459540-2019-PDF.zip | C:\Program Files\WinRAR\WinRAR.exe | WinRAR.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2776 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1796.24812\ORD-30950340-34054990-43094594043-459540-2019-PDF.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1796.24812\ORD-30950340-34054990-43094594043-459540-2019-PDF.exe | WinRAR.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1640 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | ORD-30950340-34054990-43094594043-459540-2019-PDF.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
3156 | "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 | C:\Windows\system32\rundll32.exe | — | RegAsm.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1640 | RegAsm.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\json[1] | text | |
MD5:2507040AEF2E8ECEBA2B59A369EAF5EF | SHA256:3156F0F7DD3175191DE6C88A02E888C14506C939FC0C9904D79F5F38D54B7FC9 | |||
2776 | ORD-30950340-34054990-43094594043-459540-2019-PDF.exe | C:\Users\admin\SystemPropertiesAdvanced\ie4ushowIE.vbs | text | |
MD5:B20E2E49D6E599C8617944272B6068B9 | SHA256:C0A0A202616CCD593BA07ACF765C272E18A2F0F86BEA7B69B59F940832B02B23 | |||
2776 | ORD-30950340-34054990-43094594043-459540-2019-PDF.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ie4ushowIE.url | text | |
MD5:93EE249A2BF8FA6E3C25EB750AFA8F29 | SHA256:86B8E2847E257FF9A410DB832401E3FA9E994249F94776BD5149698C102FE409 | |||
2524 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2524.24202\ORD-30950340-34054990-43094594043-459540-2019-PDF.zip | compressed | |
MD5:4878FFA5C182EB8409C850AA5DD7E043 | SHA256:AB73FA3DCB465B5D0B031B098F77C03337E9FF5015D4E5184AFE8240A2C05081 | |||
1640 | RegAsm.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@ipapi[1].txt | text | |
MD5:B829E5B1B9F174CB1D3E2F3D0A8910FD | SHA256:D42D59BE74AE3EA752C69C70A018540F587E196AA426D37ADE5F2141D8557E73 | |||
3156 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:AB5F02C907FC68B494B8064595D4183D | SHA256:C7D05103FCB0173306944F9E7B4321E016FD0B04F634AA95331497C50117976C | |||
1796 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1796.24812\ORD-30950340-34054990-43094594043-459540-2019-PDF.exe | executable | |
MD5:D6524EB5EEB1BC3B54A6CFD89452BF36 | SHA256:DEB61313A081B78A264FB6F0237EF2A8173E224D28D2508F32C620F8C7D7A6F4 | |||
2776 | ORD-30950340-34054990-43094594043-459540-2019-PDF.exe | C:\Users\admin\SystemPropertiesAdvanced\BarcodeProvisioningPlugin.exe | executable | |
MD5:DCC66BD72055A4C2C75A9379BAAB8D19 | SHA256:E27530B0EC8F708F5445558FD7F4796E28D2AF1865507896AFE02B4C3D68596E | |||
3156 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PI4HXAW7\desktop.ini | ini | |
MD5:4A3DEB274BB5F0212C2419D3D8D08612 | SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 | |||
3156 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini | ini | |
MD5:4A3DEB274BB5F0212C2419D3D8D08612 | SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1640 | RegAsm.exe | 192.253.242.196:6000 | monopak.dns-cloud.net | SoftLayer Technologies Inc. | AU | malicious |
1640 | RegAsm.exe | 104.25.209.99:443 | ipapi.co | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
ipapi.co |
| shared |
monopak.dns-cloud.net |
| malicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup) |