File name: | part_4831af0d4b5ac97791dc294e89ee6decd3e382810a86ebf982721a4d2221faf1.zip |
Full analysis: | https://app.any.run/tasks/0049a367-f0fd-48eb-9537-e0bef137bdf2 |
Verdict: | Malicious activity |
Analysis date: | November 08, 2019, 14:51:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | AFC7DD6C49254F9AEA4E44B4EBAC8478 |
SHA1: | 68AC9D23D7A4BB7882F25DB5EA2F90D5D0990361 |
SHA256: | 46CE3F4B2F3F3230702844DA3A9ED494760775A43B436CC480410085DB9269FD |
SSDEEP: | 24576:n2UTKb24mVej7Ej0oqdm7nfxbbgyauM+T3xsc68RmN:n2o+2ZVkEH4IfhnFeh3 |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Sales Order.xlsx |
---|---|
ZipUncompressedSize: | 923136 |
ZipCompressedSize: | 915115 |
ZipCRC: | 0x64a7a881 |
ZipModifyDate: | 2019:11:08 14:50:13 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 788 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1556 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\part_4831af0d4b5ac97791dc294e89ee6decd3e382810a86ebf982721a4d2221faf1.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3532 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3000 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3532 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRDFCB.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1556 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb1556.19643\Sales Order.xlsx | binary | |
MD5:90A80C6B7FF859189B6373667859D3AD | SHA256:4831AF0D4B5AC97791DC294E89EE6DECD3E382810A86EBF982721A4D2221FAF1 | |||
3000 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3000 | EQNEDT32.EXE | GET | — | 151.80.8.7:80 | http://windows.firewall-gateway.de/mtr..........................m/vbc.exe | FR | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3000 | EQNEDT32.EXE | 151.80.8.7:80 | windows.firewall-gateway.de | OVH SAS | FR | malicious |
Domain | IP | Reputation |
---|---|---|
windows.firewall-gateway.de |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3000 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |