| File name: | 844ac16506d5ed2c0290e1a1ef4a1459-sample.zip |
|---|---|
| Full analysis: | https://app.any.run/tasks/f50a0c2f-2686-4afd-8849-1b4094782c41 |
| Verdict: | Malicious activity |
| Analysis date: | February 21, 2020, 20:27:33 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 5317C0F282E9DCB2CB72D1B6727771BE |
| SHA1: | 08409024D439ED688B725874813559FDF60629E4 |
| SHA256: | 22426830FA6B77934A68F893BC109060B204D8DADC8D5C1392042A9E5871B540 |
| SSDEEP: | 384:Ux3+fHUeXvBktf1p+WuiS0kvSv6yQHnCF:UF+fO100kva0HCF |

| .zip | ZIP compressed archive (100) |
|---|---|
| ZipRequiredVersion: | 20 |
| ZipBitFlag: | 0x0009 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2020:02:21 20:23:02 |
| ZipCRC: | 0x66a91bdf |
| ZipCompressedSize: | 13277 |
| ZipUncompressedSize: | 31840 |
| ZipFileName: | 7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_c79169fb51dc09db30463bb4578b5ad18aafb848462c998b11643c73d0349ce7.ps1 |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2492 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\844ac16506d5ed2c0290e1a1ef4a1459-sample.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 2992 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\Rar$DIb2492.38364\7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_c79169fb51dc09db30463bb4578b5ad18aafb848462c998b11643c73d0349ce7.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3776 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_c79169fb51dc09db30463bb4578b5ad18aafb848462c998b11643c73d0349ce7.ps1" | C:\Program Files\Notepad++\notepad++.exe | — | explorer.exe | User: admin; Company: Don HO [email protected]; Integrity Level: MEDIUM; Description: Notepad++ : a free (GNU) source code editor; Version: 7.51 |
| 3260 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | — | notepad++.exe | User: admin; Company: Don HO [email protected]; Integrity Level: MEDIUM; Description: GUP : a free (LGPL) Generic Updater; Exit code: 0; Version: 4.1 |
| 2780 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_c79169fb51dc09db30463bb4578b5ad18aafb848462c998b11643c73d0349ce7.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3588 | "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2992 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FMP30J2Z1KOR62F2W0UE.temp | — | — | — |
| 2780 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R6WAESYILMSEFTQEENRI.temp | — | — | — |
| 3588 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DE04Z09QLYQVD4JG7EIP.temp | — | — | — |
| 2992 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFa6b510.TMP | binary | 3B712DE36DC1672EC51A90C5EE31744F | DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1 |
| 2780 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 3B712DE36DC1672EC51A90C5EE31744F | DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1 |
| 2780 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFa7c9cb.TMP | binary | 3B712DE36DC1672EC51A90C5EE31744F | DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1 |
| 2492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb2492.38364\7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_c79169fb51dc09db30463bb4578b5ad18aafb848462c998b11643c73d0349ce7.ps1 | text | 5053CF06F049652057693628C66A80F5 | C79169FB51DC09DB30463BB4578B5AD18AAFB848462C998B11643C73D0349CE7 |
| 2492 | WinRAR.exe | C:\Users\admin\Desktop\7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_c79169fb51dc09db30463bb4578b5ad18aafb848462c998b11643c73d0349ce7.ps1 | text | 5053CF06F049652057693628C66A80F5 | C79169FB51DC09DB30463BB4578B5AD18AAFB848462C998B11643C73D0349CE7 |
| 2992 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 3B712DE36DC1672EC51A90C5EE31744F | DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1 |
| 3776 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml | xml | 44982E1D48434C0AB3E8277E322DD1E4 | 3E661D3F1FF3977B022A0ACC26B840B5E57D600BC03DCFC6BEFDB408C665904C |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
| 3260 | gup.exe | 104.31.88.28:443 | notepad-plus-plus.org | Cloudflare Inc | US | shared |

| Domain | IP | Reputation |
|---|---|---|
| notepad-plus-plus.org | | whitelisted |
| ocsp.digicert.com | | whitelisted |

| Process | Message |
|---|---|
| notepad++.exe | VerifyLibrary: certificate revocation checking is disabl |
| notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
| notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093 |