File name: | SHIPPING DOCUMENTS 03 21 2019.PDF.Z |
Full analysis: | https://app.any.run/tasks/cc629681-abf7-46f2-b659-fd95a4855171 |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | March 21, 2019, 12:21:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 8C4A748B0179DB4D2FCE7393745ABC53 |
SHA1: | 806EFFFC4155285A1E418F59C171006F43C2D30F |
SHA256: | 43FC843B3960612E474AD0E9FD6270E4A298BD8820E1470763D0C8C54728CB1D |
SSDEEP: | 12288:dAbfuNhQ2+5B92dQBWd4JlvQbCEIwmSUktLe3ptHQJs1LJdR+eNr+XmhfKIt62Jr:ybfEO2+Z2dQBWdcvQeTnSUkepFQOR+eh |
Extension | | | Detected type (match %)
---|---|---|---
.rar | | | RAR compressed archive (v5.0) (61.5)
.rar | | | RAR compressed archive (gen) (38.4)
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
1844 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SHIPPING DOCUMENTS 03 21 2019.PDF.Z.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | | | |
928 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1844.39425\SHIPPING DOCUMENTS 03 21 2019.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1844.39425\SHIPPING DOCUMENTS 03 21 2019.exe | — | WinRAR.exe
User: admin Integrity Level: MEDIUM Exit code: 0 | | | |
696 | "C:\Users\admin\AppData\Local\Temp\14404544\bns.exe" bfm=gse | C:\Users\admin\AppData\Local\Temp\14404544\bns.exe | — | SHIPPING DOCUMENTS 03 21 2019.exe
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5 | | | |
4016 | C:\Users\admin\AppData\Local\Temp\14404544\bns.exe C:\Users\admin\AppData\Local\Temp\14404544\JJXOO | C:\Users\admin\AppData\Local\Temp\14404544\bns.exe | — | bns.exe
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5 | | | |
2672 | "C:\Users\admin\AppData\Local\Temp\RegSvcs.exe" | C:\Users\admin\AppData\Local\Temp\RegSvcs.exe | — | bns.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Version: 4.6.1055.0 built by: NETFXREL2 | | | |
PID | Process | Key | Name | Operation | Value
---|---|---|---|---|---
1844 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | write |
1844 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | write |
1844 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | write | en-US
1844 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | write | C:\Users\admin\AppData\Local\Temp\SHIPPING DOCUMENTS 03 21 2019.PDF.Z.rar
1844 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | write | 120
1844 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | write | 80
1844 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | write | 120
1844 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | write | 100
1844 | WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 0
1844 | WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
928 | SHIPPING DOCUMENTS 03 21 2019.exe | C:\Users\admin\AppData\Local\Temp\14404544\hnv.ico | text | 0E137E9E74420C9213536BB01B622F52 | 86E38CCB549833203A0FDC15F4D6927BEBA40E61BBEDB01B24639C6402A70045
1844 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1844.39425\SHIPPING DOCUMENTS 03 21 2019.exe | executable | 3FAA16F7BAD39637D5043164C51C7767 | BAE50F3A5AB50CC8630900D9195D4867E0E45E9A1953842F67391DF7F9F224F7
928 | SHIPPING DOCUMENTS 03 21 2019.exe | C:\Users\admin\AppData\Local\Temp\14404544\hno.dat | text | EDB683F163C37C4FB561B55025CF1E41 | 88D2DF5C61D3AA9BA54269297C272B0B11070ED8226AB3F1B52D4B4A0CA473A8
928 | SHIPPING DOCUMENTS 03 21 2019.exe | C:\Users\admin\AppData\Local\Temp\14404544\nto.bmp | text | 59B08B81EEC61CEF9F585737EA3FE59B | 07568E6C45A85D742258234C8721CFD929192E30C799209E33650DB04AAC3BCA
928 | SHIPPING DOCUMENTS 03 21 2019.exe | C:\Users\admin\AppData\Local\Temp\14404544\img.icm | text | 74D9419AF41063B37EBDD3EB99D09800 | 8B5186601DC65AE45D9F98AFAAB55395B602D0B6D6DEFE1CB703EDDAF3EDB061
928 | SHIPPING DOCUMENTS 03 21 2019.exe | C:\Users\admin\AppData\Local\Temp\14404544\FileConstants.txt | text | 92C06A5A1E461DCA7C28C3FCD367013E | 058AAC410C89A3A09F6CBE49527DBFB15850E7A09E095C2A375F32BD41D42927
928 | SHIPPING DOCUMENTS 03 21 2019.exe | C:\Users\admin\AppData\Local\Temp\14404544\ihu.dat | text | A48EE88E587F18CDB87277287F40EAC6 | 81DFA93B883CB66958D005AB73EF16AA9B1A205D1835D3DB46323F5873FCFD57
928 | SHIPPING DOCUMENTS 03 21 2019.exe | C:\Users\admin\AppData\Local\Temp\14404544\rbu.txt | text | 6745591DE6B413BE953369CD6700CAB4 | ACE7D97C6A1DEBB58D449C0960CA3E40CF2F112C2D53B8B357D397C826A6179C
928 | SHIPPING DOCUMENTS 03 21 2019.exe | C:\Users\admin\AppData\Local\Temp\14404544\phi.ppt | text | 74C6017131ED4EC8AE8EF112436608A9 | 5506A805B498DC9680B4A4025184153AA1505E02DAFBEA718A7ADBB4793C15D5
928 | SHIPPING DOCUMENTS 03 21 2019.exe | C:\Users\admin\AppData\Local\Temp\14404544\wdu.txt | text | 451CDB4079B639E26BEFFDAFDA6C2937 | 124E25BBB7C577683F5A988CA11E8104966B9C325FEEDD471945068FCFDBD4F0
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2672 | RegSvcs.exe | 105.112.33.61:2404 | plus11.duckdns.org | Celtel Nigeria Limited t.a ZAIN | NG | unknown |
2672 | RegSvcs.exe | 105.112.37.181:2404 | plus12.duckdns.org | Celtel Nigeria Limited t.a ZAIN | NG | malicious |
Domain | IP | Reputation
---|---|---
plus11.duckdns.org | | malicious
plus12.duckdns.org | | malicious
dns.msftncsi.com | | shared
plus11.ddns.net | | malicious
plus11.hopto.org | | malicious
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |