Field | Value
---|---
File name | paranor.7z
Full analysis | https://app.any.run/tasks/85c60484-e163-4288-add9-ac00195e8acf
Verdict | Malicious activity
Analysis date | August 08, 2024, 08:43:14
OS | Windows 10 Professional (build: 19045, 64 bit)
Tags | 
Indicators | 
MIME | application/x-7z-compressed
File info | 7-zip archive data, version 0.4
MD5 | 3D234118EACD7EC9FFEBED5B00827A5F
SHA1 | 6272ABB9F0E7D391EBA4FE22A416EF8CEF77BAC9
SHA256 | 30F4561861E99D1B04D30395A4A671D9291EF1A2261FC22E7F8C80B1E9EA43B7
SSDEEP | 98304:KVPflCFjd+dDxmo6kZVQ/BpEmi8ovZmbLHSJQTBRGBZxTmkJX7cPjEHncCR5rmK2:tSxqeQY72
Extension | Description
---|---
.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
6700 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\paranor.7z | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0
4644 | "C:\Users\admin\Desktop\Client.exe" | C:\Users\admin\Desktop\Client.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540
3372 | "C:\Users\admin\Desktop\Client.exe" | C:\Users\admin\Desktop\Client.exe | | explorer.exe | User: admin; Integrity Level: HIGH; Exit code: 0
3180 | "C:\Client.exe" | C:\Client.exe | | Client.exe | User: admin; Integrity Level: HIGH; Description: Client Microsoft 基础类应用程序 (Microsoft Foundation Class application); Exit code: 2; Version: 1, 0, 0, 1
2224 | "C:\install.exe" | C:\install.exe | | Client.exe | User: admin; Company: Anonymous; Integrity Level: HIGH; Exit code: 0
6216 | C:\WINDOWS\SysWOW64\xonvom.exe | C:\Windows\SysWOW64\xonvom.exe | | services.exe | User: SYSTEM; Company: Anonymous; Integrity Level: SYSTEM
6252 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
6188 | "C:\Users\admin\Desktop\无情修改版\无情修改版.exe" | C:\Users\admin\Desktop\无情修改版\无情修改版.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540
6384 | "C:\Users\admin\Desktop\无情修改版\无情修改版.exe" | C:\Users\admin\Desktop\无情修改版\无情修改版.exe | | explorer.exe | User: admin; Integrity Level: HIGH; Exit code: 2
3160 | "C:\Users\admin\Desktop\无情修改版\无情修改版.exe" | C:\Users\admin\Desktop\无情修改版\无情修改版.exe | | explorer.exe | User: admin; Integrity Level: HIGH; Exit code: 2
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtBMP | 
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtIcon | 
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\paranor.7z
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\General | write | LastFolder | C:\Users\admin\Desktop
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\2012 Gold Black FireFox DDoS VIP Ver Client\Server\Server.Dat | executable | 9568F27B0C865FDF809E56461CE3E79A | 1D27CA678F1B2C29BDF208210D2507D2F020AEE251A23B47593B1E6522B3D27F
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\2012 Gold Black FireFox DDoS VIP Ver Client\GBFF Builder.exe | executable | 324085C69635BA459100210EB21D3453 | 2DD2829B35502D2E030272D09D430A8FEECEAB5C1C07B61F76ED156C62991F70
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\无情修改版\dat\Cache.dat | executable | 61A2FE475E0EC4C19ACCBE268FDAA219 | A3F99793B01ED4549C6973356F20697CEC5FDC1090C2B2826AC037350C5764FD
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\카스툴패킷강화\카스툴패킷강화\소울찬양[참고].txt | text | FE7A96FA2F06B54CC01A8FFF54915A40 | E6DB999163ADB8BE9403EC7B5DD6E3E9FD97D441C534C36503AA542D1CF3334B
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\Client.exe | executable | 1D384E50EC0A53B85B55D5DDED293103 | 14766A7201B0827932C85C2D6EB126A0E9D06C2F69104674C7413227F947BAEF
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\고기툴 2.0 ver\gogi.dll | executable | 75981EC1E63555A0AF71F72268D133CF | 4D1C67472BC1C788166732447E9AAC102486FD908CBC7E125D3878254BCE9D41
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\디도스+프로그램\제품설명.txt | text | 6B60E61FDBCAC4CBAB187E429CCE3E18 | 2B7193DAAE6120BD0833977F29FB0B3330BE60D60A3FE83FF098A0D32A13D631
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\无情修改版\Setting.ini | text | 64E5A53729D662DC9DD2F0B8F7044BCE | 3749EADDCF1C468C0B98B067B8BF800C8E6CC3FD273DB405899AD9E91DF8F131
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\2012 Gold Black FireFox DDoS VIP Ver Client\Server\Server2.rar | compressed | A7A854166EB85FB9A6C4A4599556546A | DC596A1257E7723D409B60BE340468A4703B779790D90D13A741B917BDF16493
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\2012 Gold Black FireFox DDoS VIP Ver Client\Client.ini | ini | FC5B5A6BBE21A3E2E141EF011BE7C9A6 | F8A4D87F4D83F0800D5F747D5CFACCAF5FDC2792BE99FF0571191A781C54EBFE
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
6388 | 히든 디도스 클라이언트.exe | GET | 302 | 23.206.208.172:80 | http://blog.naver.com/PostView.nhn?blogId=enoch_rvn&logNo=50129408978&parentCategoryNo=1&viewDate=&currentPage=1&listtype=0&userTopListOpen=false&userTopListCount=5&userTopListManageOpen=false&userTopListCurrentPage=undefined | unknown | — | — | unknown |
3180 | Client.exe | GET | 200 | 38.174.232.2:80 | http://www.okddos.cn/ | unknown | — | — | unknown |
6376 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | unknown |
3180 | Client.exe | GET | 200 | 38.174.232.2:80 | http://www.okddos.cn/tj.js | unknown | — | — | unknown |
5244 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
3180 | Client.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D | unknown | — | — | unknown |
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | unknown |
6352 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | unknown |
3180 | Client.exe | GET | 200 | 104.18.21.226:80 | http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D | unknown | — | — | unknown |
3180 | Client.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/gsrsaovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRrcGT%2BanRD3C1tW3nsrKeuXC7DPwQU%2BO9%2F8s14Z6jeb48kjYjxhwMCs%2BsCDE5AA6ZetoH4f0vY6w%3D%3D | unknown | — | — | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2680 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
876 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
5336 | SearchApp.exe | 92.123.104.66:443 | www.bing.com | Akamai International B.V. | DE | unknown |
5336 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
5244 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3260 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
Domain | IP | Reputation
---|---|---
settings-win.data.microsoft.com | | whitelisted
google.com | | whitelisted
www.bing.com | | whitelisted
ocsp.digicert.com | | whitelisted
login.live.com | | whitelisted
client.wns.windows.com | | whitelisted
fd.api.iris.microsoft.com | | whitelisted
th.bing.com | | whitelisted
arc.msn.com | | whitelisted
competitionkill.codns.com | | unknown
PID | Process | Class | Message |
---|---|---|---|
6388 | 히든 디도스 클라이언트.exe | Malware Command and Control Activity Detected | ET MALWARE W32/Mepaow.Backdoor Initial Checkin to Intermediary Pre-CnC |
6388 | 히든 디도스 클라이언트.exe | Potentially Bad Traffic | ET INFO Referrer-Policy set to unsafe-url |