File name: | OpiumV4.zip |
Full analysis: | https://app.any.run/tasks/6116d905-6923-4863-be44-898c15005df8 |
Verdict: | Malicious activity |
Analysis date: | August 12, 2022, 16:20:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 8363875C33DBE92CDEB3AD03FD7F8638 |
SHA1: | AD5CF931EA527FF2F14AEE9E356F72642E2EA53A |
SHA256: | 358D4B79DAF1215B26FFAE1FF0D33E9C39EB5C7D2B5A06751EA826075260EC18 |
SSDEEP: | 393216:/AOtv1p0GF4uhP/yNwoWqXsC5ig8P4PyIiLYlh8YS/Z:YOtv34uhP/yxD9igGhJS8N |
Extension | Type |
---|---|
.zip | ZIP compressed archive (100) |

ZipFileName: | Guna.UI2.dll |
---|---|
ZipUncompressedSize: | 2331592 |
ZipCompressedSize: | 982509 |
ZipCRC: | 0x3dadd446 |
ZipModifyDate: | 2022:01:07 18:25:18 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0800 |
ZipRequiredVersion: | 20 |
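The archive metadata above describes a single entry (Guna.UI2.dll), while the dropped-files table further down shows the archive holds many more members. The script below is an added example for this report, not ANY.RUN code: it walks a ZIP central directory with `struct` and reports the same fields (name, sizes, CRC, modify date, compression, bit flag, required version) for every entry, decodes the MS-DOS timestamp, names the general-purpose bits (0x0800 is bit 11, the UTF-8 filename flag), verifies each CRC against the decompressed content and checks for an MZ header regardless of extension. The archive it parses is constructed in memory because OpiumV4.zip is not reproduced here; two entry names echo the dropped-files table as labels only, the third is a constructed non-ASCII name, needed because Python's `zipfile` sets the UTF-8 bit only when a name requires it, whereas the archiver that produced OpiumV4.zip set it on an ASCII name.

```python
"""Walk a ZIP central directory and report per-entry fields in the report's names.
Added example; the archive is constructed in memory, not OpiumV4.zip."""
import io
import struct
import zipfile
import zlib
from datetime import datetime

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header
COMPRESSION = {0: "Stored", 8: "Deflated", 12: "BZip2", 14: "LZMA"}


def dos_datetime(dos_date, dos_time):
    """Decode the MS-DOS packed date/time used in ZIP headers (2 s resolution)."""
    return datetime(1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
                    dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def describe_flags(bit_flag):
    """Name the general-purpose bits that matter for triage."""
    names = []
    if bit_flag & 0x0001:
        names.append("encrypted")
    if bit_flag & 0x0008:
        names.append("sizes-in-data-descriptor")
    if bit_flag & 0x0800:
        names.append("utf8-name")          # bit 11: filename/comment are UTF-8
    return names


def entry_payload(buf, local_offset, method, csize):
    """Follow an entry to its local header and return its decompressed content.
    csize comes from the central directory, which stays valid even when bit 3
    (data descriptor) zeroes the sizes in the local header."""
    sig, _ver, _flags, _method, _t, _d, _crc, _csize, _usize, nlen, xlen = struct.unpack_from(
        "<4s5H3L2H", buf, local_offset)
    if sig != LFH_SIG:
        raise ValueError("bad local header at 0x%x" % local_offset)
    start = local_offset + 30 + nlen + xlen
    raw = buf[start:start + csize]
    if method == 0:
        return raw
    if method == 8:
        return zlib.decompress(raw, -15)   # raw DEFLATE stream, no zlib wrapper
    raise ValueError("compression method %d not handled here" % method)


def walk_central_directory(buf):
    """Return one dict per central-directory entry, keyed with the report's field names."""
    eocd = buf.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _sig, _disk, _cd_disk, _n_here, n_total, _cd_size, cd_offset, _clen = struct.unpack_from(
        "<4s4H2LH", buf, eocd)
    entries, pos = [], cd_offset
    for _ in range(n_total):
        (sig, _made_by, need, flags, method, dos_time, dos_date, crc, csize, usize,
         nlen, xlen, clen, _disk_no, _iattr, _eattr, local_off) = struct.unpack_from(
            "<4s6H3L5H2L", buf, pos)
        if sig != CDH_SIG:
            raise ValueError("bad central directory header at 0x%x" % pos)
        # Names are CP437 unless bit 11 says UTF-8 (same rule zipfile applies).
        name = buf[pos + 46:pos + 46 + nlen].decode("utf-8" if flags & 0x0800 else "cp437")
        data = entry_payload(buf, local_off, method, csize)
        entries.append({
            "ZipFileName": name,
            "ZipUncompressedSize": usize,
            "ZipCompressedSize": csize,
            "ZipCRC": "0x%08x" % crc,
            "ZipCRCValid": zlib.crc32(data) == crc and len(data) == usize,
            "ZipModifyDate": dos_datetime(dos_date, dos_time).strftime("%Y:%m:%d %H:%M:%S"),
            "ZipCompression": COMPRESSION.get(method, str(method)),
            "ZipBitFlag": "0x%04x" % flags,
            "ZipFlagNames": describe_flags(flags),
            "ZipRequiredVersion": need,
            "IsPE": data[:2] == b"MZ",   # MZ magic marks a Windows executable whatever the extension
        })
        pos += 46 + nlen + xlen + clen
    return entries


def build_sample_archive():
    """Constructed test archive (NOT OpiumV4.zip): names are labels, contents placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in [
            ("Guna.UI2.dll", b"MZ" + b"\x90" * 200 + b"This program cannot be run in DOS mode"),
            ("README.txt", b"placeholder readme text\n" * 4),
            ("bin/notes-\u00fcnicode.txt", b"a non-ASCII name makes zipfile set bit 11\n"),
        ]:
            zi = zipfile.ZipInfo(name, date_time=(2022, 1, 7, 18, 25, 18))
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, payload)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in walk_central_directory(build_sample_archive()):
        print(entry)
```

Run it against a real archive with `walk_central_directory(open(path, "rb").read())`; on OpiumV4.zip the first entry would reproduce the table above, and the `IsPE` column would pick out members such as RtkBtManServ.exe and the Confuser DLLs listed in the dropped-files table without trusting their extensions.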
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1940 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\OpiumV4.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE |
User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.91.0 | | | | |
3144 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\OpiumV4.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\OpiumV4.exe | — | WinRAR.exe |
User: admin; Integrity Level: MEDIUM; Exit code: 1 | | | | |
3644 | "C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE" | C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE | — | OpiumV4.exe |
User: admin; Integrity Level: MEDIUM; Description: OpiumV4; Exit code: 3762504530 (0xE0434352, unhandled .NET/CLR exception); Version: 1.0.0.0 | | | | |
2016 | "C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE" | C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE | — | OpiumV4.exe |
User: admin; Integrity Level: MEDIUM; Description: OpiumV4Stub; Exit code: 0; Version: 1.0.0.0 | | | | |
3364 | C:\Windows\system32\WerFault.exe -u -p 3644 -s 544 | C:\Windows\system32\WerFault.exe | — | svchost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Problem Reporting; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
2032 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft Windows Search Protocol Host; Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) | | | | |
1684 | "C:\Users\admin\Desktop\OpiumV4.exe" | C:\Users\admin\Desktop\OpiumV4.exe | — | Explorer.EXE |
User: admin; Integrity Level: MEDIUM; Exit code: 1 | | | | |
2568 | "C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE" | C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE | — | OpiumV4.exe |
User: admin; Integrity Level: MEDIUM; Description: OpiumV4; Exit code: 3762504530 (0xE0434352, unhandled .NET/CLR exception); Version: 1.0.0.0 | | | | |
4056 | "C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE" | C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE | — | OpiumV4.exe |
User: admin; Integrity Level: MEDIUM; Description: OpiumV4Stub; Exit code: 0; Version: 1.0.0.0 | | | | |
2996 | C:\Windows\system32\WerFault.exe -u -p 2568 -s 548 | C:\Windows\system32\WerFault.exe | — | svchost.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Problem Reporting; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
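The process table records two detonations of the same sample: one where OpiumV4.exe is run straight from WinRAR's temporary extraction folder, and one from the Desktop. In both, the launcher spawns a same-named OPIUMV4.EXE and an OPIUMVNEP.EXE from the %TEMP% root, OPIUMV4.EXE dies with exit code 3762504530, and WerFault.exe is invoked with `-p <pid>` of the dead process. The script below, an added example for this report and not ANY.RUN code, turns those rows into findings: it flags execution out of the Rar$ extraction folder, flags binaries launched from the %TEMP% root (noting when a child shares its parent's image name), and pairs each WerFault.exe with the process it reported on while decoding the exit code, which is 0xE0434352, the CLR's exception code for an unhandled managed exception. `PROCESSES` is transcribed from the table; the two path patterns and the `EXIT_CODES` map are this example's own.

```python
"""Triage the sandbox process table as structured records. Added example; the rows
below are transcribed from the report, the rules and exit-code names are ours."""
import re

# Transcribed from the process table: pid, image path, command line, parent image
# name and exit code (None where the report shows none).
PROCESSES = [
    {"pid": 1940, "parent": "Explorer.EXE", "exit": None,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\OpiumV4.zip"'},
    {"pid": 3144, "parent": "WinRAR.exe", "exit": 1,
     "image": r"C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\OpiumV4.exe",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\OpiumV4.exe"'},
    {"pid": 3644, "parent": "OpiumV4.exe", "exit": 3762504530,
     "image": r"C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE"'},
    {"pid": 2016, "parent": "OpiumV4.exe", "exit": 0,
     "image": r"C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE"'},
    {"pid": 3364, "parent": "svchost.exe", "exit": 0,
     "image": r"C:\Windows\system32\WerFault.exe",
     "cmd": r"C:\Windows\system32\WerFault.exe -u -p 3644 -s 544"},
    {"pid": 1684, "parent": "Explorer.EXE", "exit": 1,
     "image": r"C:\Users\admin\Desktop\OpiumV4.exe",
     "cmd": r'"C:\Users\admin\Desktop\OpiumV4.exe"'},
    {"pid": 2568, "parent": "OpiumV4.exe", "exit": 3762504530,
     "image": r"C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE"'},
    {"pid": 4056, "parent": "OpiumV4.exe", "exit": 0,
     "image": r"C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE"'},
    {"pid": 2996, "parent": "svchost.exe", "exit": 0,
     "image": r"C:\Windows\system32\WerFault.exe",
     "cmd": r"C:\Windows\system32\WerFault.exe -u -p 2568 -s 548"},
]

# WinRAR extracts a member to a Rar$... folder under %TEMP% before launching it;
# in this report that folder is Rar$EXa1940.40858 and 1940 is WinRAR's own PID.
RAR_TEMP = re.compile(r"\\AppData\\Local\\Temp\\Rar\$[A-Za-z]+\d+\.\d+\\", re.IGNORECASE)
# A file sitting directly in %TEMP%, with no further subfolder.
TEMP_ROOT = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+$", re.IGNORECASE)
# WerFault.exe names the crashed process with -p <pid>.
WERFAULT_TARGET = re.compile(r"\s-p\s+(\d+)")

# Exception codes that surface as the exit code of a process that died unhandled.
EXIT_CODES = {
    0xE0434352: "CLR (.NET) unhandled managed exception",
    0xE06D7363: "MSVC C++ exception",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
}


def decode_exit_code(code):
    """Return (hex, meaning) for a sandbox exit code; small values are ordinary exit statuses."""
    if code is None:
        return (None, "not reported")
    if code in EXIT_CODES:
        return ("0x%08X" % code, EXIT_CODES[code])
    return ("0x%08X" % code, "plain exit status" if code < 0x10000 else "unknown status code")


def stem(path):
    """Lower-cased file name without directory or extension, for case-insensitive comparison."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage(processes):
    """Apply the three rules and return a list of finding dicts."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        image, parent = p["image"], p["parent"]
        if RAR_TEMP.search(image) and parent.lower() == "winrar.exe":
            findings.append({"pid": p["pid"], "rule": "exec-from-archive-temp",
                             "detail": "run straight out of WinRAR's extraction folder: " + image})
        elif TEMP_ROOT.search(image) and image.lower().endswith(".exe"):
            same_name = stem(image) == stem(parent)
            findings.append({"pid": p["pid"], "rule": "exec-from-temp",
                             "detail": "%s launched from %%TEMP%% root by %s%s" % (
                                 image.rsplit("\\", 1)[-1], parent,
                                 " (same image name as its parent)" if same_name else "")})
        if stem(image) == "werfault":
            m = WERFAULT_TARGET.search(p["cmd"])
            target = by_pid.get(int(m.group(1))) if m else None
            if target is not None:
                hexcode, meaning = decode_exit_code(target["exit"])
                findings.append({"pid": p["pid"], "rule": "werfault-crash", "target_pid": target["pid"],
                                 "detail": "WerFault reported on pid %d (%s), exit code %s = %s" % (
                                     target["pid"], target["image"].rsplit("\\", 1)[-1], hexcode, meaning)})
    return findings


if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f["pid"], f["rule"], f["detail"])
```

The rules are deliberately generic (no hard-coded sample names), so the same function can be pointed at process rows from another report or from an EDR export with the same fields; the OpiumV4.exe launcher itself exits with 1 in both runs, which `decode_exit_code` leaves as a plain status.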
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\frmMain.cs | text | 9E53A359C4A365921E064A57109198A2 | 0E476CDD77D31F9770D8642429584162C34147C3E14E4712B72A24C0CFFB479D |
1940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\obf\Confuser.DynCipher.dll | executable | 6EBC90E77623826E71DED623A296660B | CDAD0A76F0D3F3E73FCDC6E5E6D98B0E88ADCC2353C54344375B80197A86FCF6 |
1940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\Binaries\whysosad | text | FC3C88C2080884D6C995D48E172FBC4F | 1637CE704A463BD3C91A38AA02D1030107670F91EE3F0DD4FA13D07A77BA2664 |
1940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\obf\Confuser.Runtime.dll | executable | 42E45FA8BB26246ED3B3C2760E782912 | C8BCBE8C706659824ED001CAF0BE23B8470A99C0391A23C419884AD93DF3CCE0 |
1940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa1940.40600\Newtonsoft.Json.dll | executable | 5E02DDAF3B02E43E532FC6A52B04D14B | 78BEDD9FCE877A71A8D8FF9A813662D8248361E46705C4EF7AFC61D440FF2EEB |
1940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\obf\Teen.dll | executable | FB9D14387B89B30606D094AE8CD93EA0 | 68EAC14CA256F9871CC85FFC77C86B1D6378E6C900DFF34F8B697BE07B77446A |
1940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\README.txt | text | BC84297EE7083EA8F69099CC2F9BDD10 | B4D5632511AF66EE90F370511AD97D2C0E7CC4E078FA172A8B99E79FB05251BA |
1940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\Binaries\config | binary | 1BA367D0F9AAC0F650E65AB7401776C0 | 68C4EC552C98F3B5A4744E4EEFADD6364DC8075C2E718B7BCBFC76625AA60D03 |
1940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\Binaries\RtkBtManServ.exe | executable | 88AB0BB59B0B20816A833BA91C1606D3 | F4FB42C8312A6002A8783E2A1AB4571EB89E92CD192B1A21E8C4582205C37312 |
1940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.40858\bin\obf\Confuser.Renamer.dll | executable | E1656B7BFD3B7C9634F72C4F9085D226 | 4CE9A9F15724B17DA414C4AAD7B7BFBBA0FD1B80E3D0B8452551D5F79FD32B50 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2016 | OPIUMVNEP.EXE | GET | 200 | 52.217.8.110:80 | http://setup.roblox.com/version | US | text | 24 b | shared |
4056 | OPIUMVNEP.EXE | GET | 200 | 52.217.163.8:80 | http://setup.roblox.com/version | US | text | 24 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2016 | OPIUMVNEP.EXE | 52.217.8.110:80 | setup.roblox.com | Amazon.com, Inc. | US | shared |
2996 | WerFault.exe | 104.208.16.93:443 | watson.microsoft.com | Microsoft Corporation | US | suspicious |
3364 | WerFault.exe | 52.168.117.173:443 | watson.microsoft.com | Microsoft Corporation | US | suspicious |
4056 | OPIUMVNEP.EXE | 52.217.163.8:80 | setup.roblox.com | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
setup.roblox.com | | shared |
watson.microsoft.com | | whitelisted |
Process | Message |
---|---|
OpiumV4.exe | C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE |
OpiumV4.exe | C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE |
OpiumV4.exe | C:\Users\admin\AppData\Local\Temp\OPIUMV4.EXE |
OpiumV4.exe | C:\Users\admin\AppData\Local\Temp\OPIUMVNEP.EXE |