File name: | 31a64261fcf59f1d93eb5662ff68eabc57eae1cbf26344c5eddeffc9c096d9cb.zip |
Full analysis: | https://app.any.run/tasks/b091177f-c401-4cf2-b11e-ce2782ae9b28 |
Verdict: | Malicious activity |
Analysis date: | January 24, 2022, 16:28:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | DC08C67E8A986F1396BB979D710C8B72 |
SHA1: | CE4A6E8DA6EC91F5B01D08AA1C169462B609CF68 |
SHA256: | 2CDB2A0B0FC17209A9C1607189B2994186E7E0A25AACF2DDFE22429F3DB6C525 |
SSDEEP: | 3072:MIH3jjBYm8yZ8cz28QhUtNIy+CC9OUZOZBxv:LXBnZ8czrQoiy+3MFv |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0009 |
ZipCompression: | Deflated |
ZipModifyDate: | 2022:01:24 16:27:16 |
ZipCRC: | 0x75e8cdb3 |
ZipCompressedSize: | 119611 |
ZipUncompressedSize: | 119554 |
ZipFileName: | uuirsimpcs-ieentia-ucbpeootretbahlvipxatrcoe.zip |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3760 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\31a64261fcf59f1d93eb5662ff68eabc57eae1cbf26344c5eddeffc9c096d9cb.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 | ||||
2916 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\uuirsimpcs-ieentia-ucbpeootretbahlvipxatrcoe.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 | ||||
2480 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
1992 | regsvr32 C:\Busta\teva.ocx | C:\Windows\system32\regsvr32.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1488 | regsvr32 C:\Busta\tevc.ocx | C:\Windows\system32\regsvr32.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3508 | regsvr32 C:\Busta\tevd.ocx | C:\Windows\system32\regsvr32.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2064 | "C:\Windows\system32\notepad.exe" | C:\Windows\system32\notepad.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2480 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRB8C7.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2916 | WinRAR.exe | C:\Users\admin\Desktop\uuirsimpcs-ieentia-ucbpeootretbahlvipxatrcoe\THYH-1148073298.xlsb | document | |
MD5:109208FD2182E558B050AADD5CCA35C3 | SHA256:79A379F9FE8658371EA35E1254B070466F4C71FEB72D105EB7D4B8179C460335 | |||
2480 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\377E6729DE07B96E9E4BCADBF4AF95C4 | binary | |
MD5:C762253869C9B5AB463A977B367B4B50 | SHA256:4856EB2F1230F12F34A609525E6866B0ECF9C076ACF8CEB1AE9EEAA7B9BC0A24 | |||
2480 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\016041D287FF4A0891BC95A872570616 | binary | |
MD5:F36E0F86CFCC0427C2DDE49B534411A5 | SHA256:8CCB3BA2E647DD94D7DD3A9CA13B809F5E86C0ABAEFE2778E4D9DEADE1F63F53 | |||
2480 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary | |
MD5:8EDEDB76EA971CB16FE41F45240F2AFD | SHA256:781BF24E9101B82227574662A6D944ED628A99D9D42BFD2B40F5BA1065E147AB | |||
2480 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:DEB41FDE685B677627189445D54D518C | SHA256:2EA7CF05DE3E1393EE4F6FD7BD4BFE02355F5C19C2CE8AA2FA45773704DA0600 | |||
3760 | WinRAR.exe | C:\Users\admin\Desktop\uuirsimpcs-ieentia-ucbpeootretbahlvipxatrcoe.zip | compressed | |
MD5:7BE03A8A0EE850CB81DA5E6D8738CD2F | SHA256:31A64261FCF59F1D93EB5662FF68EABC57EAE1CBF26344C5EDDEFFC9C096D9CB | |||
2480 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0A419DBBA361754D896A8615DC53C0F | binary | |
MD5:8B9F20F8E2567A3686D6982D6BBBC724 | SHA256:D0DADF183CC666CED1CFF96A5D614BF27EA3A2D516D6FFA20BEDF812D34A411B | |||
2064 | notepad.exe | C:\Users\admin\Documents\a.txt | text | |
MD5:2742FA20EF38D7D047C1EE513A522053 | SHA256:4410F3F9A7A4E376A031D512FFC4658407CD2F405FAE39810ABF033B1BBE6A62 | |||
2480 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:A5997CA7832FFF74142A14F9734822D1 | SHA256:CDCB22AA80D32A3D10B186DD4CE8CDA587A6AB2825453C75E582BCECC7EF54C4 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2480 | EXCEL.EXE | GET | 200 | 23.45.105.185:80 | http://x1.c.lencr.org/ | NL | der | 717 b | whitelisted |
2480 | EXCEL.EXE | GET | 200 | 2.16.186.24:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgPSYN4i4BqqFZgzp5reUehpbg%3D%3D | unknown | der | 503 b | shared |
2480 | EXCEL.EXE | GET | 200 | 2.16.186.24:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSDX2OTu2fH9YvZC%2FO%2BSv8n2A%3D%3D | unknown | der | 503 b | shared |
2480 | EXCEL.EXE | GET | 200 | 2.16.186.24:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgMEewGPViU8xx8lvh0jhiJ%2BuA%3D%3D | unknown | der | 503 b | shared |
2480 | EXCEL.EXE | GET | 200 | 23.32.238.178:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e039534de738a775 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2480 | EXCEL.EXE | 23.32.238.178:80 | ctldl.windowsupdate.com | XO Communications | US | suspicious |
2480 | EXCEL.EXE | 50.87.253.11:443 | elimatlacomulco.com | Unified Layer | US | suspicious |
2480 | EXCEL.EXE | 192.185.141.13:443 | pakunolaschool.com | CyrusOne LLC | US | unknown |
2480 | EXCEL.EXE | 2.16.186.24:80 | r3.o.lencr.org | Akamai International B.V. | — | whitelisted |
2480 | EXCEL.EXE | 23.45.105.185:80 | x1.c.lencr.org | Akamai International B.V. | NL | unknown |
2480 | EXCEL.EXE | 192.254.234.248:443 | keltexfinancial.com | Unified Layer | US | unknown |
Domain | IP | Reputation |
---|---|---|
pakunolaschool.com |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
x1.c.lencr.org |
| whitelisted |
r3.o.lencr.org |
| shared |
elimatlacomulco.com |
| unknown |
keltexfinancial.com |
| unknown |
dns.msftncsi.com |
| shared |