File name: | 31a64261fcf59f1d93eb5662ff68eabc57eae1cbf26344c5eddeffc9c096d9cb.zip |
Full analysis: | https://app.any.run/tasks/ffb27502-fe95-4f8d-a68e-24f7822f86f8 |
Verdict: | Malicious activity |
Analysis date: | January 24, 2022, 16:41:09 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | DC08C67E8A986F1396BB979D710C8B72 |
SHA1: | CE4A6E8DA6EC91F5B01D08AA1C169462B609CF68 |
SHA256: | 2CDB2A0B0FC17209A9C1607189B2994186E7E0A25AACF2DDFE22429F3DB6C525 |
SSDEEP: | 3072:MIH3jjBYm8yZ8cz28QhUtNIy+CC9OUZOZBxv:LXBnZ8czrQoiy+3MFv |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0009 |
ZipCompression: | Deflated |
ZipModifyDate: | 2022:01:24 16:27:16 |
ZipCRC: | 0x75e8cdb3 |
ZipCompressedSize: | 119611 |
ZipUncompressedSize: | 119554 |
ZipFileName: | uuirsimpcs-ieentia-ucbpeootretbahlvipxatrcoe.zip |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1256 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\31a64261fcf59f1d93eb5662ff68eabc57eae1cbf26344c5eddeffc9c096d9cb.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 | ||||
2872 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\uuirsimpcs-ieentia-ucbpeootretbahlvipxatrcoe.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 | ||||
3764 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
700 | regsvr32 C:\Busta\teva.ocx | C:\Windows\system32\regsvr32.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2316 | regsvr32 C:\Busta\tevc.ocx | C:\Windows\system32\regsvr32.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3496 | regsvr32 C:\Busta\tevd.ocx | C:\Windows\system32\regsvr32.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3452 | "C:\Windows\system32\notepad.exe" | C:\Windows\system32\notepad.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3764 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRB1CA.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3764 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary | |
MD5:86E0813AB6B1CD1D86BE925655E2F626 | SHA256:72E28ADC6DB19B8B94E17B0EFBB17CAB0D929A5CD134866AF62941E3A88621D3 | |||
2872 | WinRAR.exe | C:\Users\admin\Desktop\THYH-1148073298.xlsb | document | |
MD5:109208FD2182E558B050AADD5CCA35C3 | SHA256:79A379F9FE8658371EA35E1254B070466F4C71FEB72D105EB7D4B8179C460335 | |||
1256 | WinRAR.exe | C:\Users\admin\Desktop\uuirsimpcs-ieentia-ucbpeootretbahlvipxatrcoe.zip | compressed | |
MD5:7BE03A8A0EE850CB81DA5E6D8738CD2F | SHA256:31A64261FCF59F1D93EB5662FF68EABC57EAE1CBF26344C5EDDEFFC9C096D9CB | |||
3764 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:DEB41FDE685B677627189445D54D518C | SHA256:2EA7CF05DE3E1393EE4F6FD7BD4BFE02355F5C19C2CE8AA2FA45773704DA0600 | |||
3764 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\377E6729DE07B96E9E4BCADBF4AF95C4 | binary | |
MD5:5AEF07A43C24BAF7C45ACCFBD1CEC6DB | SHA256:F906C250EF261E16E847C78448A04C92B3BBA3D5072726358FFCE967A7F0F79A | |||
3764 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | der | |
MD5:54E9306F95F32E50CCD58AF19753D929 | SHA256:45F94DCEB18A8F738A26DA09CE4558995A4FE02B971882E8116FC9B59813BB72 | |||
3764 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\THYH-1148073298.xlsb.LNK | lnk | |
MD5:74BFB29CD09014E2917940993D513113 | SHA256:F574CEEBC029A6C99B9D0C09F5FBD8FD328F37AD958C5F2A638BA2B66B1B1F4A | |||
3764 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0A419DBBA361754D896A8615DC53C0F | der | |
MD5:EC11942305108981AD0A00B38B24CF7B | SHA256:02A0611CAA48E162DBA95E2E07FFD1BF847CC03A4B825A17359D1C3526F47BC2 | |||
3764 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:BD6C7BA40F4F12194C79863518F9161B | SHA256:B2E82365DD785C634E4082A8ADD8A9BAE6DFB76A03B0B10E6DEBE93635DF59D7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3764 | EXCEL.EXE | GET | 200 | 23.72.17.56:80 | http://x1.c.lencr.org/ | US | der | 717 b | whitelisted |
3764 | EXCEL.EXE | GET | 200 | 104.123.50.96:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSDX2OTu2fH9YvZC%2FO%2BSv8n2A%3D%3D | US | der | 503 b | shared |
3764 | EXCEL.EXE | GET | 200 | 104.123.50.96:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgPSYN4i4BqqFZgzp5reUehpbg%3D%3D | US | der | 503 b | shared |
3764 | EXCEL.EXE | GET | 200 | 13.107.4.50:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ed1be0439e5f8c30 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3764 | EXCEL.EXE | 23.72.17.56:80 | x1.c.lencr.org | Akamai International B.V. | US | unknown |
3764 | EXCEL.EXE | 192.185.141.13:443 | pakunolaschool.com | CyrusOne LLC | US | unknown |
3764 | EXCEL.EXE | 104.123.50.96:80 | r3.o.lencr.org | Akamai Technologies, Inc. | US | suspicious |
3764 | EXCEL.EXE | 13.107.4.50:80 | ctldl.windowsupdate.com | Microsoft Corporation | US | whitelisted |
3764 | EXCEL.EXE | 50.87.253.11:443 | elimatlacomulco.com | Unified Layer | US | suspicious |
Domain | IP | Reputation |
---|---|---|
pakunolaschool.com |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
x1.c.lencr.org |
| whitelisted |
r3.o.lencr.org |
| shared |
elimatlacomulco.com |
| unknown |
keltexfinancial.com |
| unknown |
dns.msftncsi.com |
| shared |