File name: | Документы 15е апреля.gz |
Full analysis: | https://app.any.run/tasks/8e75ed3c-b81a-4fad-b46b-2b418f03426d |
Verdict: | Malicious activity |
Analysis date: | April 15, 2019, 09:14:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | CA734A85D3B9E6FB19C9074E7A301089 |
SHA1: | 7BFD71CC5BE2736A17B964B9260268751D1FE329 |
SHA256: | 50B8C34F3F7DAEF4333A776B53B0D47220B30BFFB2DC3905A630B87DA582C715 |
SSDEEP: | 6144:CCaoo/AqV3oM6eDB6RB4Nm+2uEO+ffhnkwkwyyU:CCDDqloABCx+9Enf5nk8yj |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2924 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Документы 15е апреля.gz.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2788 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2924.20530\Документы 15е апреля.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2924.20530\Документы 15е апреля.exe | WinRAR.exe | |
User: admin Company: Корпорация Майкрософт Integrity Level: MEDIUM Description: Самоизвлечение CAB-файлов Win32 Exit code: 0 Version: 6.00.2900.5512 (xpsp.080413-2105) | ||||
3608 | rundll32.exe 467.dll,DllGetClassObject root 000000000000 Post Install program: <None> | C:\Windows\system32\rundll32.exe | Документы 15е апреля.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3988 | rundll32.exe "C:\ProgramData\2401bf603c90\2702bc633f93.dat",DllGetClassObject root | C:\Windows\system32\rundll32.exe | taskeng.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2924) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Документы 15е апреля.gz.rar | |||
(PID) Process: | (2924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2924) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3608 | rundll32.exe | C:\ProgramData\2401bf603c90\2702bc633f93.dat | executable | |
MD5:A33B3C4565CC61ECC2771A0105A8B8B6 | SHA256:33CBA9145F53DC22C8F5CEE83C692B671FA088099BB5E592BC4F5A4543A4742E | |||
2788 | Документы 15е апреля.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\467.dll | executable | |
MD5:A33B3C4565CC61ECC2771A0105A8B8B6 | SHA256:33CBA9145F53DC22C8F5CEE83C692B671FA088099BB5E592BC4F5A4543A4742E | |||
2924 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2924.20530\Документы 15е апреля.exe | executable | |
MD5:B4847906E21457D8CF1CC78C819833A9 | SHA256:3AEF332D23FE5FF97B5E8DD47EAA2A02F97B8444D5F7DE839543BBD6F70008C8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3988 | rundll32.exe | POST | 200 | 185.203.119.104:80 | http://185.203.119.104/index.php | BG | binary | 9 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3988 | rundll32.exe | 52.36.204.116:443 | namecoin.cyphrs.com | Amazon.com, Inc. | US | unknown |
3988 | rundll32.exe | 188.165.200.156:53 | — | OVH SAS | FR | malicious |
3988 | rundll32.exe | 185.203.119.104:80 | — | BelCloud Hosting Corporation | BG | unknown |
Domain | IP | Reputation |
---|---|---|
namecoin.cyphrs.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3988 | rundll32.exe | Potentially Bad Traffic | ET CURRENT_EVENTS DNS Query Domain .bit |