File name: | setup_nx1OhGbZ_MALICIOUS.zip |
Full analysis: | https://app.any.run/tasks/6a1b7f3c-0de7-44e2-ac97-1fbfd99b5cce |
Verdict: | Malicious activity |
Analysis date: | April 01, 2023, 00:38:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 7EAE0F42B76EA57FB7EA8F0DF7F0051A |
SHA1: | 051C0F3B0FDDD2AE8519A9C1E45055509F074CBB |
SHA256: | 4F85978A0B19F386CE2B1A4555C811A05BFC41101E06A76EC7F407E952AA9D68 |
SSDEEP: | 196608:pKM5aUpAI6rSLKSu9gqUd09yHwP9ITXFiFA50ycJFhWwGZJhHEx:gWP8eBuCHI9CYyOcwybkx |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | .............exe |
---|---|
ZipUncompressedSize: | 6120168 |
ZipCompressedSize: | 5638711 |
ZipCRC: | 0x2246b6f2 |
ZipModifyDate: | 2019:11:07 00:30:48 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2064 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\setup_nx1OhGbZ_MALICIOUS.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
3496 | "C:\Users\admin\Desktop\setup_nx1OhGbZ.exe" | C:\Users\admin\Desktop\setup_nx1OhGbZ.exe | — | explorer.exe | |||||||||||
User: admin Company: Ride Software Integrity Level: MEDIUM Description: Image Comparer Exit code: 3221226540 Version: 0.0.3.29 Modules
| |||||||||||||||
660 | "C:\Users\admin\Desktop\setup_nx1OhGbZ.exe" | C:\Users\admin\Desktop\setup_nx1OhGbZ.exe | explorer.exe | ||||||||||||
User: admin Company: Ride Software Integrity Level: HIGH Description: Image Comparer Version: 0.0.3.29 Modules
| |||||||||||||||
1592 | "C:\Users\admin\AppData\Local\Temp\is-EU987.tmp\is-M8M6N.tmp" /SL4 $60128 "C:\Users\admin\Desktop\setup_nx1OhGbZ.exe" 4598089 53248 | C:\Users\admin\AppData\Local\Temp\is-EU987.tmp\is-M8M6N.tmp | setup_nx1OhGbZ.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Version: 51.47.0.0 Modules
| |||||||||||||||
1236 | "C:\Windows\system32\net.exe" helpmsg 25 | C:\Windows\System32\net.exe | — | is-M8M6N.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2452 | "C:\Program Files\ImageComparer\IC331.exe" | C:\Program Files\ImageComparer\IC331.exe | is-M8M6N.tmp | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.0.3.30 Modules
| |||||||||||||||
2936 | C:\Windows\system32\net1 helpmsg 25 | C:\Windows\System32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3552 | "C:\Windows\system32\net.exe" pause ImageComparer331 | C:\Windows\System32\net.exe | — | is-M8M6N.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3592 | "C:\Program Files\ImageComparer\IC331.exe" b63ae5a0ee4717297ebfa1fdb7f3c490 | C:\Program Files\ImageComparer\IC331.exe | is-M8M6N.tmp | ||||||||||||
User: admin Integrity Level: HIGH Version: 1.0.3.30 Modules
| |||||||||||||||
3864 | C:\Windows\system32\net1 pause ImageComparer331 | C:\Windows\System32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
|
(PID) Process: | (2064) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (2064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (2064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
(PID) Process: | (2064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 | |||
(PID) Process: | (2064) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\General |
Operation: | write | Name: | LastFolder |
Value: C:\Users\admin\Desktop |
PID | Process | Filename | Type | |
---|---|---|---|---|
1592 | is-M8M6N.tmp | C:\Program Files\ImageComparer\is-F24JV.tmp | — | |
MD5:— | SHA256:— | |||
1592 | is-M8M6N.tmp | C:\Program Files\ImageComparer\IC331.exe | — | |
MD5:— | SHA256:— | |||
1592 | is-M8M6N.tmp | C:\Program Files\ImageComparer\unins000.exe | executable | |
MD5:96849FA92EF62435996A9D9C408A89EC | SHA256:645FBB9E61D046DE381D93184CCEC4217FB73798A8E49FDF0C7541158DFF0436 | |||
660 | setup_nx1OhGbZ.exe | C:\Users\admin\AppData\Local\Temp\is-EU987.tmp\is-M8M6N.tmp | executable | |
MD5:F27688E08D7E37A05550CB5F54638CEB | SHA256:D1E139D7B26CFE14880626639A10CAB84B75F88DBD276D0D60CBD7BF6B97D068 | |||
1592 | is-M8M6N.tmp | C:\Program Files\ImageComparer\is-LT8IA.tmp | executable | |
MD5:96849FA92EF62435996A9D9C408A89EC | SHA256:645FBB9E61D046DE381D93184CCEC4217FB73798A8E49FDF0C7541158DFF0436 | |||
2064 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2064.49842\setup_nx1OhGbZ.exe | executable | |
MD5:DA7AC3A3E4E984577909C5E851E09B1E | SHA256:7D675185BA56CD703153D3DAB94D6CA44BD364BD72322771C3963ED592ED0E92 | |||
1592 | is-M8M6N.tmp | C:\Program Files\ImageComparer\bolide.url | text | |
MD5:B21E0D429B97AB92EDE6E27D983703B8 | SHA256:96EF4DBBA4E8149D6A8B1B29C8627ABDDD218AC1526A7825353303CB3EEBF9FF | |||
1592 | is-M8M6N.tmp | C:\Program Files\ImageComparer\license.rtf | text | |
MD5:1B3506E8F4793058B3317508F9D6BC4E | SHA256:65F715CA5830E3D7604749A4E037F475D9A25E6CE88729D6083ADEB8E67C99EE | |||
1592 | is-M8M6N.tmp | C:\Program Files\ImageComparer\is-LTE6H.tmp | text | |
MD5:B21E0D429B97AB92EDE6E27D983703B8 | SHA256:96EF4DBBA4E8149D6A8B1B29C8627ABDDD218AC1526A7825353303CB3EEBF9FF | |||
1592 | is-M8M6N.tmp | C:\Users\admin\AppData\Local\Temp\is-DAPFQ.tmp\_isetup\_iscrypt.dll | executable | |
MD5:A69559718AB506675E907FE49DEB71E9 | SHA256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3592 | IC331.exe | POST | — | 104.21.86.39:80 | http://jorjfordmust.sbs/new/net_api | US | — | — | suspicious |
2452 | IC331.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6456533434 | US | compressed | 61.1 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2452 | IC331.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted |
— | — | 104.21.86.39:80 | jorjfordmust.sbs | CLOUDFLARENET | — | suspicious |
Domain | IP | Reputation |
---|---|---|
ctldl.windowsupdate.com |
| whitelisted |
jorjfordmust.sbs |
| unknown |