File name: | 7486336127.zip |
Full analysis: | https://app.any.run/tasks/6242ab7e-fd54-4e0b-a76f-16a056f2894d |
Verdict: | Malicious activity |
Analysis date: | May 20, 2022, 20:59:57 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | C3290C0664F13D0189196CBDF6EE9F0D |
SHA1: | C622BDDF49FB40ADAF5CD09C839A28B8EBE5AD4E |
SHA256: | 4A72C78CE228A67780FFA05E8F4BFA6307540C30B1E355D127F3FD9799E4590B |
SSDEEP: | 96:sI/RROU7oh9FWPA5GNxXjgo3JIqO3/KtAsj9NJhHhBGbWOxl89kHzIxp:s0Xz7qXpA/HhBGbWOxC9qzop |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | 6c4397aa90e39b4017e97803aa3fe5cd33d4ed90fcf1b1b3dc46f069b1c1dcf3 |
---|---|
ZipUncompressedSize: | 12288 |
ZipCompressedSize: | 4138 |
ZipCRC: | 0x3db0c9bb |
ZipModifyDate: | 1980:00:00 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3120 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\7486336127.zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
2868 | "C:\Users\admin\Desktop\go.exe" | C:\Users\admin\Desktop\go.exe | Explorer.EXE | ||||||||||||
User: admin Company: CPUID Integrity Level: MEDIUM Description: HWMonitor Version: 1.3.4.0 Modules
|
(PID) Process: | (3120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3120) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (3120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (3120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\7486336127.zip | |||
(PID) Process: | (3120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3120) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3120.6254\6c4397aa90e39b4017e97803aa3fe5cd33d4ed90fcf1b1b3dc46f069b1c1dcf3 | executable | |
MD5:1259083B68C743DFDD95D78E9BC4CDCC | SHA256:6C4397AA90E39B4017E97803AA3FE5CD33D4ED90FCF1B1B3DC46F069B1C1DCF3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2868 | go.exe | GET | 200 | 103.20.234.247:80 | http://safeinthehandsofthegoodbois.com/cgi-sys/suspendedpage.cgi | AU | html | 13.4 Kb | suspicious |
2868 | go.exe | GET | 302 | 103.20.234.247:80 | http://safeinthehandsofthegoodbois.com/loader/uploads/MSBuildUpdate2.4.6_Asfzbwkl.jpg | AU | html | 683 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2868 | go.exe | 103.20.234.247:80 | safeinthehandsofthegoodbois.com | Over The Wire Pty Ltd | AU | suspicious |
Domain | IP | Reputation |
---|---|---|
safeinthehandsofthegoodbois.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2868 | go.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding |
2868 | go.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding |
2868 | go.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of document.write % Encoding |
2868 | go.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding |
2868 | go.exe | Potentially Bad Traffic | ET WEB_CLIENT Hex Obfuscation of unescape % Encoding |