File name: | 61873181727.zap |
Full analysis: | https://app.any.run/tasks/d78235d7-09f0-46c2-ad86-57affd8435dc |
Verdict: | Malicious activity |
Analysis date: | September 29, 2020, 22:43:02 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | A23BDFA1D956FCF9D5F7B6AE309F1B12 |
SHA1: | 0C06FD93B3CC958121EA7537D0688439FF06C81C |
SHA256: | 2AD4698C6AAE4361A160FAC6C9266B2924619B2E7DD6A3FB2588DAF3FD69C472 |
SSDEEP: | 1536:9UgUqrAInhyQncWVRhoxuSX+g2FhT2NYFjmDkzCua4XZFe:91eInhyQncWf2sKIjmCZ8 |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:09:22 17:22:27 |
ZipCRC: | 0xbdb680c2 |
ZipCompressedSize: | 73321 |
ZipUncompressedSize: | 105472 |
ZipFileName: | 61873181727.xls |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2680 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\61873181727.zap.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2060 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
2540 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 3221225477 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2060 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR8BDF.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2060 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Cab9517.tmp | — | |
MD5:— | SHA256:— | |||
2060 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Tar9518.tmp | — | |
MD5:— | SHA256:— | |||
2540 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs9601.tmp | — | |
MD5:— | SHA256:— | |||
2540 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs9602.tmp | — | |
MD5:— | SHA256:— | |||
2060 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\N72PHDQU.htm | html | |
MD5:0EC5E72DB0A5E1FA8E4F871B8D92D100 | SHA256:60E226CC6C716E34637AB1C800C9DB962040DF4E93AB589409400CABD5F38540 | |||
2060 | EXCEL.EXE | C:\Programdata\Golas.exe | html | |
MD5:0EC5E72DB0A5E1FA8E4F871B8D92D100 | SHA256:60E226CC6C716E34637AB1C800C9DB962040DF4E93AB589409400CABD5F38540 | |||
2060 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB | der | |
MD5:2E906248F0B9390373A7EBF0690DF247 | SHA256:1214240DF9655639A5AD02C19284B3D244F7AA397E0A1E85B5B9D623B658C0BB | |||
2680 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2680.23257\61873181727.xls | document | |
MD5:D508AE7954AEB07CDE86489A53DB6A1E | SHA256:58EE0891DFF5CB908BE9C7B0DE4186DDFDE2B6BBF58AC826669A68214BB3B0D5 | |||
2060 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB | binary | |
MD5:D524B3A08D6E8CFD4FEE4FEC83B119FB | SHA256:2EC83C9C80B3731709E294A43F0CC824B7074C8F281F56E8F588EDD804B7FB42 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2060 | EXCEL.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D | US | der | 471 b | whitelisted |
1052 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
2060 | EXCEL.EXE | GET | 302 | 93.188.2.53:80 | http://graffitiworkshop.se/livmmb/8888888.png | SE | html | 138 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2060 | EXCEL.EXE | 93.188.2.53:80 | graffitiworkshop.se | Loopia AB | SE | malicious |
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2060 | EXCEL.EXE | 93.188.1.220:443 | closed.loopia.com | Loopia AB | SE | suspicious |
Domain | IP | Reputation |
---|---|---|
graffitiworkshop.se |
| malicious |
closed.loopia.com |
| suspicious |
ocsp.digicert.com |
| whitelisted |