Field | Value
---|---
File name | CV.zip
Full analysis | https://app.any.run/tasks/e638b895-f1ca-489c-ae02-a481bb19bc77
Verdict | Malicious activity
Analysis date | June 19, 2019, 08:33:26
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | 6A34DB2A3ADECEA4F6BE3C684DDD76CA
SHA1 | 6D9F00AF4305E5456B030364B2781B5EEEDC0D05
SHA256 | 58C15C193099FB4E43FF25D5463E52C46951716F013AD80EB94F5FEE6D971140
SSDEEP | 12288:uXYEjP5xpBF42cRL3/4zcE1crx3SBYSCpJycBbqAvIebu8XAf6qcaO3m0svFei:uoWxpr+RIcE1cl3m+poI6bcd3m0sR
Extension | Type
---|---
.pages | Pages document (83)
.zan | BlueEyes Animation (13)
.zip | ZIP compressed archive (3.8)
Field | Value
---|---
ZipFileName | Data/PresetImageFill3-13.jpg
ZipUncompressedSize | 103463
ZipCompressedSize | 103463
ZipCRC | 0x7cbd0982
ZipModifyDate | 2019:04:05 11:02:08
ZipCompression | None
ZipBitFlag | -
ZipRequiredVersion | 20
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3540 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\CV.zip.pages | C:\Windows\system32\rundll32.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
620 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\CV.zip.pages" | C:\Program Files\WinRAR\WinRAR.exe | — | rundll32.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
2480 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
900 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIa620.30155\Metadata.iwa | C:\Windows\system32\rundll32.exe | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
4076 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIa620.31397\DocumentIdentifier | C:\Windows\system32\rundll32.exe | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2132 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIa620.31857\BuildVersionHistory.plist | C:\Windows\system32\rundll32.exe | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
920 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3528 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\CV\Index\Document.iwa | C:\Windows\system32\rundll32.exe | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2320 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\CV\Index\Document.iwa" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | rundll32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000
3912 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIa620.48279\BuildVersionHistory.plist | C:\Windows\system32\rundll32.exe | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa620.30155\Metadata.iwa | binary | FE4186B85227F69348869859B3148CBD | 38CFB444AD220DC629E0646B08C93F858D1FE1A5306370236D29E221B6E316F7
620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa620.31857\BuildVersionHistory.plist | xml | BDC9DDEF9656930FF5E5694AADD47D8C | 3973DC7D80AE5BE4F46B648914D7E775B5924E84EF6DBEEA8A656BE3633E3421
620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\CV\Data\PresetImageFill3-13.jpg | image | D268E878320475EDB2D32C3739CEB66F | 758261189A7F9244D3D3916432A936952E973F95310E77F778423390EB12EFA6
620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\CV\Data\PresetImageFill4-14.jpg | image | 87A75F47B7D08081D33E65BCEB7D58FF | B33E6EAA796E51635B08E696F15AEB28D2C860DE98CB79A20ECB39729BA4F1FB
620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa620.31397\DocumentIdentifier | text | 1E8E949E9AA29E3C0692861971045278 | 3308C8F867DEC434BCE80D5F9CC53861C95D5BA1820B93625D822B8698B45CE4
620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa620.33188\PresetImageFill5-15.jpg | image | BB3F785D2B1F07115E7BB58E2682336C | 3F0016F1F04072939B121BD9B95387D3AD96EE8BDE0DC22AC1FD662AD7A22E9E
620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\CV\Index\CalculationEngine.iwa | binary | 110A962C87A3F43D4BBA020D9E519F3F | 748875B90DD7228B0A869A07A9230DA03F8DC26F92B95D9DADAE8B1A4B70948A
620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\CV\Data\PresetImageFill0-10.jpg | image | F5FC4EF76C7B01F0754BC7C41A7A5157 | AEA5CEF4072D497520B5A2411E72A326B38F7F1AC8FEFFAA6CC0DECB57915FB8
620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa620.28555\PresetImageFill1-11.jpg | image | E7C089092C1415595EE62CD29AF93A7B | 5338BA6C29B4A06CED68552D2C606017228FEFC14F5DB9B8FBF3717D21E16480
620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\CV.zip | compressed | 6A34DB2A3ADECEA4F6BE3C684DDD76CA | 58C15C193099FB4E43FF25D5463E52C46951716F013AD80EB94F5FEE6D971140
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
408 | iexplore.exe | GET | 301 | 2.16.186.27:80 | http://shell.windows.com/fileassoc/fileassoc.asp?Ext=iwa | unknown | — | — | whitelisted |
408 | iexplore.exe | GET | 302 | 2.19.38.59:80 | http://go.microsoft.com/fwlink/?LinkId=57426&Ext=iwa | unknown | — | — | whitelisted |
2492 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
408 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2492 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2492 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
408 | iexplore.exe | 40.90.23.209:443 | login.live.com | Microsoft Corporation | US | unknown |
408 | iexplore.exe | 2.19.38.59:80 | go.microsoft.com | Akamai International B.V. | — | whitelisted |
408 | iexplore.exe | 2.16.186.27:80 | shell.windows.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation
---|---|---
www.bing.com | | whitelisted
go.microsoft.com | | whitelisted
shell.windows.com | | whitelisted
login.live.com | | whitelisted