File name: | New_confrimation_doc.iso |
Full analysis: | https://app.any.run/tasks/c3896aed-17ff-4db5-ac9f-bf31a62390d8 |
Verdict: | Malicious activity |
Threats: | Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions. |
Analysis date: | February 19, 2019, 09:13:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v4, os: Win32 |
MD5: | E6C798B5C04474ECDF008575DF9C2ADF |
SHA1: | 1364FA8BDEA5CB254059ED38D48EEAC2563A9741 |
SHA256: | 22C8A111A9B5DCE44012860E3512D8FD65CA628F00652542C89074286D78875A |
SSDEEP: | 12288:wXAmVv5wlSqSSwGmKuUYV65tnqqEtvJzDaoK2Mgaldvclp6q5h0fBs3J1Q1v7DAo:wXAmVvisJlGmK465tDEB5eqvepsMv7Uo |
.rar | | | RAR compressed archive (v-4.x) (58.3) |
---|---|---|
.rar | | | RAR compressed archive (gen) (41.6) |
CompressedSize: | 752716 |
---|---|
UncompressedSize: | 843776 |
OperatingSystem: | Win32 |
ModifyDate: | 2019:02:17 22:17:08 |
PackingMethod: | Normal |
ArchivedFileName: | New_confrimation_doc.exe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3064 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\New_confrimation_doc.iso.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2528 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3064.15972\New_confrimation_doc.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3064.15972\New_confrimation_doc.exe | — | WinRAR.exe |
User: admin Company: NEON PRODUCT SRL Integrity Level: MEDIUM Description: The library provides an abstraction over IoC containers and service locators. Using the library allows an application to indirectly access the capabilities without relying on hard references. Exit code: 0 Version: 1.0.0.0 | ||||
992 | "C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\AppData\Local\Temp\Rar$EXa3064.15972\New_confrimation_doc.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe" | C:\Windows\System32\cmd.exe | New_confrimation_doc.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1708 | "C:\Windows\System32\cmd.exe" /c, "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe" | C:\Windows\System32\cmd.exe | — | New_confrimation_doc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3452 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe | cmd.exe | |
User: admin Company: NEON PRODUCT SRL Integrity Level: MEDIUM Description: The library provides an abstraction over IoC containers and service locators. Using the library allows an application to indirectly access the capabilities without relying on hard references. Exit code: 0 Version: 1.0.0.0 | ||||
2408 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe | app.exe | |
User: admin Company: NEON PRODUCT SRL Integrity Level: MEDIUM Description: The library provides an abstraction over IoC containers and service locators. Using the library allows an application to indirectly access the capabilities without relying on hard references. Version: 1.0.0.0 | ||||
3520 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp7D0C.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | app.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
2460 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmpA9DA.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | app.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
(PID) Process: | (3064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3064) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\New_confrimation_doc.iso.rar | |||
(PID) Process: | (3064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (3064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3064 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3064.15972\New_confrimation_doc.exe | executable | |
MD5:4A779EEBDD09408B21FE3AB47DDFCE4C | SHA256:03396140340A68D41C250CAD034ACF8FA441F4CA722A18D462D44B7D4C6C2ACD | |||
2408 | app.exe | C:\Users\admin\AppData\Local\Temp\25291068-43af-3e16-50f6-5889d9ce7904 | text | |
MD5:0E04E635A787DB2EF317B54827323AD5 | SHA256:00C22FD77F534993609B01871B55F58585EEEBCF2C4CFAEC120FB74477AE4177 | |||
992 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe | executable | |
MD5:4A779EEBDD09408B21FE3AB47DDFCE4C | SHA256:03396140340A68D41C250CAD034ACF8FA441F4CA722A18D462D44B7D4C6C2ACD | |||
3520 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmp7D0C.tmp | text | |
MD5:C48992AAE0E8FD5463A7B1617B2E0B88 | SHA256:04802C51A3EE5E9F7D48462C50B17ABC0E84D54F5525D70E4C904BCC0634C3CE | |||
2460 | vbc.exe | C:\Users\admin\AppData\Local\Temp\tmpA9DA.tmp | text | |
MD5:7FB9A9AD0FD9B1E0108ED71FBB276048 | SHA256:7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2408 | app.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 13 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2408 | app.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious |
2408 | app.exe | 185.80.129.226:25 | mail.iriaanlouw.co.za | UAB Esnet | LT | unknown |
Domain | IP | Reputation |
---|---|---|
bot.whatismyipaddress.com |
| shared |
mail.iriaanlouw.co.za |
| unknown |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2408 | app.exe | Misc activity | SUSPICIOUS [PTsecurity] External IP Request (HawkEye) |