File name: | paranor.7z |
Full analysis: | https://app.any.run/tasks/3e5e2181-002e-4232-9479-afccfc4705a8 |
Verdict: | Malicious activity |
Analysis date: | August 08, 2024, 09:11:05 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-7z-compressed |
File info: | 7-zip archive data, version 0.4 |
MD5: | 3D234118EACD7EC9FFEBED5B00827A5F |
SHA1: | 6272ABB9F0E7D391EBA4FE22A416EF8CEF77BAC9 |
SHA256: | 30F4561861E99D1B04D30395A4A671D9291EF1A2261FC22E7F8C80B1E9EA43B7 |
SSDEEP: | 98304:KVPflCFjd+dDxmo6kZVQ/BpEmi8ovZmbLHSJQTBRGBZxTmkJX7cPjEHncCR5rmK2:tSxqeQY72 |
.7z | | | 7-Zip compressed archive (v0.4) (57.1) |
---|---|---|
.7z | | | 7-Zip compressed archive (gen) (42.8) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
6380 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\paranor.7z | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
6672 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
876 | "C:\Users\admin\Desktop\Client.exe" | C:\Users\admin\Desktop\Client.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
6688 | "C:\Users\admin\Desktop\Client.exe" | C:\Users\admin\Desktop\Client.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
6856 | "C:\Client.exe" | C:\Client.exe | — | Client.exe | |||||||||||
User: admin Company: Black Eyes Group (C) 1995~2011 Integrity Level: HIGH Description: UDP Pck Data/UDP Trapic/ICMP/TCP/SYN Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
6844 | "C:\123.exe" | C:\123.exe | Client.exe | ||||||||||||
User: admin Company: Microsoft Integrity Level: HIGH Description: Server Exit code: 0 Version: 1, 0, 0, 1 Modules
| |||||||||||||||
6288 | C:\WINDOWS\SysWOW64\imgmmy.exe | C:\Windows\SysWOW64\imgmmy.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Integrity Level: SYSTEM Description: Server Version: 1, 0, 0, 1 Modules
| |||||||||||||||
6672 | "C:\Users\admin\Desktop\Client.exe" | C:\Users\admin\Desktop\Client.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
5244 | "C:\Users\admin\Desktop\Client.exe" | C:\Users\admin\Desktop\Client.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
5064 | "C:\Client.exe" | C:\Client.exe | — | Client.exe | |||||||||||
User: admin Company: 2011火狐DDOS改进版 Integrity Level: HIGH Description: QQ:528988114 Exit code: 2 Version: 3, 0, 0, 1 Modules
|
(PID) Process: | (6380) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (6380) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (6380) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip | |||
(PID) Process: | (6380) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\paranor.7z | |||
(PID) Process: | (6380) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (6380) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (6380) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (6380) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (6688) Client.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (6688) Client.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
6192 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_123.exe_4372bed4a7a799395bdccaa16bada5f78e264a19_62d46436_40892e3b-4851-43f4-84f6-4afa788fab08\Report.wer | — | |
MD5:— | SHA256:— | |||
6380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6380.9077\디도스+프로그램\Client.exe | executable | |
MD5:C4C009CDCE24A619519E668D734BCF73 | SHA256:3F4A0C0938A23DD5EC7D81246C645609749D1DC3DF8260957002633D623C58B4 | |||
6380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6380.8494\고기툴 2.0 ver\gogi.dll | executable | |
MD5:75981EC1E63555A0AF71F72268D133CF | SHA256:4D1C67472BC1C788166732447E9AAC102486FD908CBC7E125D3878254BCE9D41 | |||
6688 | Client.exe | C:\123.exe | executable | |
MD5:FEC169E05B7AD3EBACB6CD66D4E57100 | SHA256:685D384CEB439C018AA259345F75E5A28CB3CCCE61772E4AB556967519F083D2 | |||
6856 | Client.exe | C:\Users\admin\AppData\Local\Temp\~DF359C2DED60F45FFE.TMP | binary | |
MD5:81EF5D2C0D6C26336B8A2E68F74E3D74 | SHA256:E74B5795288BF7006CCC08AD4BCBA7F4B7A4FACF55405C93653F2F331AF6184E | |||
6380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6380.9077\디도스+프로그램\인덱스 아리아.txt | text | |
MD5:0C1EEAEC031EFD80ED5D7429BDE5F9E4 | SHA256:F5C2C798E6859362A47BB352C10EBD2896AE9E9BBDCDC71FC5A81C6F5EE500CC | |||
6380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6380.10886\카스툴패킷강화\카스툴패킷강화\Server\Server.Dat | executable | |
MD5:94FEE570220BAF8B735E96E0FAB910C3 | SHA256:F089590C57F095058D2DDE975428D47BBC3A655A599D3AE1F3EBF779F369DF70 | |||
6380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6380.10886\카스툴패킷강화\카스툴패킷강화\소울찬양[참고].txt | text | |
MD5:FE7A96FA2F06B54CC01A8FFF54915A40 | SHA256:E6DB999163ADB8BE9403EC7B5DD6E3E9FD97D441C534C36503AA542D1CF3334B | |||
6380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6380.10886\카스툴패킷강화\카스툴패킷강화\Client.exe | executable | |
MD5:78583152F138D90B7EF1D5AAC902AFE5 | SHA256:179C5E0CAAAB0ED1E87DFCA4759B1043B51A784E633E98A0465CF913FC07C615 | |||
6380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6380.9077\디도스+프로그램\제품설명.txt | text | |
MD5:6B60E61FDBCAC4CBAB187E429CCE3E18 | SHA256:2B7193DAAE6120BD0833977F29FB0B3330BE60D60A3FE83FF098A0D32A13D631 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
6140 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | — | — | unknown |
4920 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
6140 | firefox.exe | POST | 200 | 95.101.54.106:80 | http://r10.o.lencr.org/ | unknown | — | — | unknown |
6140 | firefox.exe | POST | 200 | 95.101.54.112:80 | http://r11.o.lencr.org/ | unknown | — | — | unknown |
6140 | firefox.exe | POST | 200 | 95.101.54.112:80 | http://r11.o.lencr.org/ | unknown | — | — | unknown |
6896 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | unknown |
4920 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
6140 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | — | — | unknown |
6140 | firefox.exe | POST | 200 | 95.101.54.106:80 | http://r10.o.lencr.org/ | unknown | — | — | unknown |
6776 | OneDrive.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4040 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5116 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5336 | SearchApp.exe | 92.123.104.36:443 | www.bing.com | Akamai International B.V. | DE | unknown |
5336 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
3260 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4920 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
th.bing.com |
| whitelisted |
fd.api.iris.microsoft.com |
| whitelisted |
arc.msn.com |
| whitelisted |
mp662002.codns.com |
| unknown |