File name: | file_2f9df04568f140f5b8fe0986323a79a9_2019-10-14T15_29_53.000Z.zip |
Full analysis: | https://app.any.run/tasks/1c4d9097-30f0-459f-9858-ec6c8d7c4d8d |
Verdict: | Malicious activity |
Analysis date: | October 14, 2019, 15:38:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 5C52AF16BDBD878074505B13766FB34D |
SHA1: | 8727751CA9313B8266E6CA61F5AFDF5170D1D81A |
SHA256: | 5178DF32344A6D4A55EAD894C6510658108E4C1681092EC7DC280BB7E9F76344 |
SSDEEP: | 1536:OOisPjsRnw61wvfZKkJZ5FxwVmihy6cW80q7X1/u80z9GPVlL4Pim+PbyijPjf:DisPiRvkJt6LDMX170JwVB46VysPT |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0800 |
ZipCompression: | None |
ZipModifyDate: | 2019:10:14 15:35:16 |
ZipCRC: | 0x00000000 |
ZipCompressedSize: | - |
ZipUncompressedSize: | - |
ZipFileName: | entry001/ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2152 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\file_2f9df04568f140f5b8fe0986323a79a9_2019-10-14T15_29_53.000Z.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3932 | "C:\Users\admin\Desktop\java.exe" | C:\Users\admin\Desktop\java.exe | — | explorer.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 1 Version: 8.0.1710.11 | ||||
3792 | "C:\Users\admin\Desktop\java.exe" | C:\Users\admin\Desktop\java.exe | explorer.exe | |
User: admin Company: Oracle Corporation Integrity Level: HIGH Description: Java(TM) Platform SE binary Exit code: 1 Version: 8.0.1710.11 | ||||
2708 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\java.exe" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.51 | ||||
252 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | notepad++.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: GUP : a free (LGPL) Generic Updater Exit code: 0 Version: 4.1 | ||||
3672 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 3221225786 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3996 | C:\Users\admin\Desktop\java.exe | C:\Users\admin\Desktop\java.exe | — | cmd.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 1 Version: 8.0.1710.11 | ||||
1748 | "C:\Users\admin\Desktop\java.exe" | C:\Users\admin\Desktop\java.exe | — | explorer.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 1 Version: 8.0.1710.11 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2152 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2152.5001\entry001\java.exe | — | |
MD5:— | SHA256:— | |||
1748 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:43422B521F36A95DD0D1DEBE6A5F7B69 | SHA256:88FF1AC22C5319E47C6AC4CB41E5EF4658A75BE5C95BDFDF403573AAFFE39A0F | |||
2708 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\config.xml | xml | |
MD5:A49B81574B8340303AAEE81C6DE27B9D | SHA256:BDCD5858EF143FDCAD7A4E62ABB6FFB42936B8A8BCB55FC68DCEAC590731F868 | |||
2708 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\session.xml | text | |
MD5:06DDADD0440D1200035A4E31BCACC9A5 | SHA256:60DF8253EFB92B83648E8B91B241F1AE1E230448A0846707222E1B3E6A95FA8F | |||
2708 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml | text | |
MD5:AD21A64014891793DD9B21D835278F36 | SHA256:C24699C9D00ABDD510140FE1B2ACE97BFC70D8B21BF3462DED85AFC4F73FE52F | |||
3996 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:E2746E0F3DDD41C550293126574FFD48 | SHA256:579E551D584AAC3BBD6D2626CEED569B66E21D2625B1D065046840836252F26A | |||
3932 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:2304CAE8AC4C04D6F93444F3D5D7EDE7 | SHA256:55B09C58E78EA7B26539BE2FFFFCEB633A5E363D6BC56EC6858D39261D54F6F4 | |||
3792 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:B03C509A7F50ADF28DDA5996B690AFAA | SHA256:A75C1733A75AD66DCB3999844AFFA009C1CA1628F616B779F0939C199A34037D | |||
2708 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\langs.xml | xml | |
MD5:E792264BEC29005B9044A435FBA185AB | SHA256:5298FD2F119C43D04F6CF831F379EC25B4156192278E40E458EC356F9B49D624 | |||
2708 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini | text | |
MD5:F70F579156C93B097E656CABA577A5C9 | SHA256:B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 195.138.255.24:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | DE | der | 1.37 Kb | whitelisted |
— | — | GET | 200 | 195.138.255.16:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgMpeSsuddjFyk25ZqSQ83ahjg%3D%3D | DE | der | 527 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 195.138.255.16:80 | isrg.trustid.ocsp.identrust.com | AS33891 Netzbetrieb GmbH | DE | suspicious |
— | — | 195.138.255.24:80 | isrg.trustid.ocsp.identrust.com | AS33891 Netzbetrieb GmbH | DE | whitelisted |
252 | gup.exe | 2.57.89.199:443 | notepad-plus-plus.org | — | — | suspicious |
Domain | IP | Reputation |
---|---|---|
notepad-plus-plus.org |
| whitelisted |
isrg.trustid.ocsp.identrust.com |
| whitelisted |
ocsp.int-x3.letsencrypt.org |
| whitelisted |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabl |
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
|