Field | Value
---|---
File name | d473b802-eb5f-11e7-8ccc-5944bc969a40
Full analysis | https://app.any.run/tasks/2eefce09-516e-416b-8949-f6cd51d5638d
Verdict | Malicious activity
Analysis date | October 05, 2022, 05:21:07
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | C26A2C5F6154225E8D83C4000306F162
SHA1 | 67C586CEDBF0852AA52268311841CBAC5C96FDF8
SHA256 | 35A9481DDBED5177431A9EA4BD09468FE987797D7B1231D64942D17EB54EC269
SSDEEP | 49152:cPEbpqUPr0OMPjmNgyV24OXxr2/NV0CA7QUmu4LnB:cPEbpPPrC4gWFOBr4Wfg
Extension | Description | Match (%)
---|---|---
.xpi | Mozilla Firefox browser extension | 66.6
.zip | ZIP compressed archive | 33.3
PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code | Description | Company | Version
---|---|---|---|---|---|---|---|---|---|---
3172 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL "C:\Users\admin\AppData\Roaming\d473b802-eb5f-11e7-8ccc-5944bc969a40.xpi" | C:\Windows\system32\rundll32.exe | — | Explorer.EXE | admin | MEDIUM | 0 | Windows host process (Rundll32) | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255)
3808 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | Explorer.EXE | admin | MEDIUM | 1 | Windows Explorer | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255)
3576 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Roaming\d473b802-eb5f-11e7-8ccc-5944bc969a40.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | admin | MEDIUM | 0 | WinRAR archiver | Alexander Roshal | 5.91.0
1340 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\install.bat" " | C:\Windows\system32\cmd.exe | — | Explorer.EXE | admin | MEDIUM | 0 | Windows Command Processor | Microsoft Corporation | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2576 | "C:\Users\admin\Desktop\RDPWInst" -i -o | C:\Users\admin\Desktop\RDPWInst.exe | — | cmd.exe | admin | MEDIUM | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | RDP Wrapper Library Installer | Stas'M Corp. | 2.5.0.0
3384 | "C:\Users\admin\Desktop\RDPWInst.exe" -i -o | C:\Users\admin\Desktop\RDPWInst.exe | — | cmd.exe | admin | MEDIUM | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | RDP Wrapper Library Installer | Stas'M Corp. | 2.5.0.0
2800 | "C:\Users\admin\Desktop\RDPWInst.exe" -i -o | C:\Users\admin\Desktop\RDPWInst.exe | — | cmd.exe | admin | HIGH | 0 | RDP Wrapper Library Installer | Stas'M Corp. | 2.5.0.0
2496 | C:\Windows\System32\svchost.exe -k NetworkService | C:\Windows\System32\svchost.exe | — | services.exe | NETWORK SERVICE | SYSTEM | — | Host Process for Windows Services | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255)
2524 | netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow | C:\Windows\system32\netsh.exe | — | RDPWInst.exe | admin | HIGH | 0 | Network Command Shell | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255)
2600 | DrvInst.exe "1" "200" "UMB\UMB\1&841921d&0&TERMINPUT_BUS" "" "" "6e3bed883" "00000000" "000003B8" "00000400" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | SYSTEM | SYSTEM | 0 | Driver Installation Module | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255)
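The chain in the process table (install.bat launches RDPWInst.exe -i -o, which exits twice with STATUS_ELEVATION_REQUIRED at MEDIUM integrity and then succeeds at HIGH, after which RDPWInst.exe spawns netsh to allow inbound tcp/3389) is the behaviour a detection should key on rather than the installer's hash. The Python below is an added example written for this page, not code from any.run or from the RDP Wrapper project. Its input records are constructed from the rows above; the finding tags (rdpwrap_install, elevation_after_retry, rdp_firewall_open) are the example's own naming, and it decodes exit code 3221226540 as 0xC000042C, STATUS_ELEVATION_REQUIRED.

```python
"""Flag the RDP-exposure chain from the sandbox process tree: an RDP Wrapper
installer run, a retry of the same command at HIGH integrity after an
elevation-required exit, and a netsh rule that opens tcp/3389 inbound.
Added example; records below are constructed from the report's process table."""
import re
from dataclasses import dataclass
from typing import Optional

# NTSTATUS 0xC000042C (decimal 3221226540): exit code of PIDs 2576 and 3384 in the report.
STATUS_ELEVATION_REQUIRED = 0xC000042C


@dataclass
class Proc:
    pid: int
    cmd: str
    image: str
    parent: str
    integrity: str
    exit_code: Optional[int]
    description: str = ""


# Constructed from the process rows above (same PIDs, command lines, parents, integrity levels).
SAMPLE = [
    Proc(1340, r'C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\install.bat" "',
         r'C:\Windows\system32\cmd.exe', 'Explorer.EXE', 'MEDIUM', 0, 'Windows Command Processor'),
    Proc(2576, r'"C:\Users\admin\Desktop\RDPWInst" -i -o',
         r'C:\Users\admin\Desktop\RDPWInst.exe', 'cmd.exe', 'MEDIUM', 0xC000042C, 'RDP Wrapper Library Installer'),
    Proc(3384, r'"C:\Users\admin\Desktop\RDPWInst.exe" -i -o',
         r'C:\Users\admin\Desktop\RDPWInst.exe', 'cmd.exe', 'MEDIUM', 0xC000042C, 'RDP Wrapper Library Installer'),
    Proc(2800, r'"C:\Users\admin\Desktop\RDPWInst.exe" -i -o',
         r'C:\Users\admin\Desktop\RDPWInst.exe', 'cmd.exe', 'HIGH', 0, 'RDP Wrapper Library Installer'),
    Proc(2524, 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp '
               'localport=3389 profile=any action=allow',
         r'C:\Windows\system32\netsh.exe', 'RDPWInst.exe', 'HIGH', 0, 'Network Command Shell'),
]

_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\S+))\s*(.*)$', re.S)
_ADD_RULE = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b', re.I)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_cmd(cmd: str):
    """Split a Windows command line into (first token without quotes, remaining arguments)."""
    m = _FIRST_TOKEN.match(cmd)
    return (m.group(1) or m.group(2), m.group(3).strip())


def parse_netsh_rule(cmd: str):
    """Return the key=value pairs of a 'netsh advfirewall firewall add rule' command, else None."""
    if not _ADD_RULE.search(cmd):
        return None
    return {k.lower(): v.strip('"').lower() for k, v in _KV.findall(cmd)}


def find_rdp_exposure(procs):
    """Return (pid, tag, detail) findings for the RDP Wrapper install chain, in process order."""
    findings = []
    failed_elevation = set()  # (image, args) keys that exited with STATUS_ELEVATION_REQUIRED
    for p in procs:
        image = p.image.lower().rsplit('\\', 1)[-1]
        _, args = split_cmd(p.cmd)
        key = (image, args.lower())

        # RDP Wrapper installer invoked with -i (install); match on image name or file description.
        if image == 'rdpwinst.exe' or 'rdp wrapper' in p.description.lower():
            if '-i' in args.split():
                findings.append((p.pid, 'rdpwrap_install', f'{image} {args} at {p.integrity}'))

        # The same command line re-run at HIGH integrity after an elevation-required failure.
        if p.exit_code == STATUS_ELEVATION_REQUIRED:
            failed_elevation.add(key)
        elif key in failed_elevation and p.integrity.upper() == 'HIGH' and p.exit_code == 0:
            findings.append((p.pid, 'elevation_after_retry', f'{image} {args}'))

        # Inbound allow rule for tcp/3389; the parent process is recorded because that is
        # what separates this from an administrator enabling Remote Desktop by hand.
        rule = parse_netsh_rule(p.cmd)
        if rule and rule.get('dir') == 'in' and rule.get('action') == 'allow' \
                and rule.get('localport') == '3389':
            findings.append((p.pid, 'rdp_firewall_open',
                             f'parent={p.parent} rule={rule.get("name")}'))
    return findings


if __name__ == '__main__':
    for pid, tag, detail in find_rdp_exposure(SAMPLE):
        print(f'{pid:>5}  {tag:<22} {detail}')
```

On the records above this yields three rdpwrap_install findings (PIDs 2576, 3384, 2800), one elevation_after_retry for PID 2800 and one rdp_firewall_open for PID 2524 with parent RDPWInst.exe. Exit codes are not in process-creation telemetry; on a real host they come from termination events (Security event 4689 carries the exit status), so the elevation_after_retry check needs both creation and termination records joined on PID. RDP Wrapper is also used legitimately, so the firewall rule and the installer together are an exposure signal; the malicious verdict on this page rests on the whole chain, not on the installer alone.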
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2496 | svchost.exe | C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb | — | — | —
2496 | svchost.exe | C:\Windows\system32\CatRoot2\edb.chk | binary | 939C57F136DE908E789BB88847609EBF | 9E84D625709F7B0E3B37625B17A03E8408BF2C6FD8113F88A07E0004A23A49F7
2496 | svchost.exe | C:\Windows\system32\CatRoot2\edb.log | binary | 6F082DC727F3024B04017D2728D064C7 | C3DE634CBED101225759505ABFA24DC7C3E649FEE46F07AB54E5B1F1E6476E7A
2600 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | 513DE822DB8FC992461C8C85211C9B28 | A6C7D744A7A3D97E5C84E40525278EDBB718E2AAAF958A7173ABFF2C035EEAC8
2600 | DrvInst.exe | C:\Windows\INF\setupapi.ev2 | binary | E40A0CC8FB5B9375DB0606400586E0F8 | 9558168F193C3C3DAF1A4557A539D203D99542360F893E41ED8ADB1BAEADCF8B
2496 | svchost.exe | C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb | edb | DB16B73848597CE4E48C1C9A1E9EA39B | 451AE86FB4B4330B5E393B889177F81FCA16AEAF88A17C43D72DFFE7B4145DD5
896 | spoolsv.exe | C:\Windows\System32\DriverStore\FileRepository\prnle003.inf_x86_neutral_a8106f7f3af21d88\prnle003.PNF | pnf | 3620D34CD2C5C747D4E4F712DAE7A658 | D629C90481E1D69E26B69A3B39224D237CAA2E43A4B1E2F23A334912EF8EAD55
896 | spoolsv.exe | C:\Windows\System32\DriverStore\FileRepository\faxcn002.inf_x86_neutral_29a66691dd7a46a5\faxcn002.PNF | pnf | 29B8A4A10F2952E89E1F7CA2A5B2DDE1 | F0547FA5CE3EA243A02E5C17F166984F9E7D3CC7E42EA02B3B80540BB8F003D4
2600 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | B3A5D9AC6211BAF643A7C6417B8A1AD3 | BDBB32228A51C3352F71B6F721A81332E5C2DE17AA8329FBE39745C411E958CF
896 | spoolsv.exe | C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_x86_neutral_51cbe14e4cdde8c2\prnge001.PNF | pnf | AD6F4CF762E9EE7D6E68605B6DB1DB9D | 4E1F8780DDD35D642CDE8E33C56545FB7ECA8929EC13915743987323CB1B9E22
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2724 | sipnotify.exe | HEAD | 404 | 23.205.225.13:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133094245573670000 | NL | — | — | whitelisted |
2800 | RDPWInst.exe | GET | 404 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?db2ef270b67036c9 | US | xml | 341 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2800 | RDPWInst.exe | 185.199.108.133:443 | raw.githubusercontent.com | FASTLY | US | malicious |
2724 | sipnotify.exe | 23.205.225.13:80 | query.prod.cms.rt.microsoft.com | AKAMAI-AS | DE | unknown |
2800 | RDPWInst.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted |
Domain | IP | Reputation
---|---|---
raw.githubusercontent.com | — | shared
ctldl.windowsupdate.com | — | whitelisted
query.prod.cms.rt.microsoft.com | — | whitelisted