File name: | cmd_20052019.zip |
Full analysis: | https://app.any.run/tasks/d259f79b-c3b2-480a-9d64-17cf66de183c |
Verdict: | Malicious activity |
Analysis date: | May 24, 2019, 18:44:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | C52DB13403D3E999B0CA495F13077CA4 |
SHA1: | E21AE2DCAD11CF377C885E04581F168F5AF575CD |
SHA256: | 63F530B6B916EC55BDD1515101D048955142CDD7340BE778027EC3F634EB80D1 |
SSDEEP: | 96:JBPlhsJBpbBwHH7RILDOSlPhdSwaYPM4AXSPaQjkU3Rzh9y:nPEJFEbSxBhdSDYPMq7AUBzh9y |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:05:24 09:36:00 |
ZipCRC: | 0x391d33e2 |
ZipCompressedSize: | 3852 |
ZipUncompressedSize: | 23633 |
ZipFileName: | cmd_21052019.cmd |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3300 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\cmd_20052019.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3332 | cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa3300.2118\cmd_21052019.cmd" " | C:\Windows\system32\cmd.exe | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2692 | C:\Windows\system32\cmd.exe /c chcp | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3604 | chcp | C:\Windows\system32\chcp.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2512 | chcp 708 | C:\Windows\system32\chcp.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2336 | cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa3300.2118\cmd_21052019.cmd" " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2140 | ping 127.0.0.1 -n 1 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2044 | wscript //Nologo "C:\Users\admin\admin.vbs" EQCJW6YlHHvx5vQ8SP2FtSBu4gcGjeJExuuEgYxbpAEAEJc | C:\Windows\system32\wscript.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
2584 | chcp 437 | C:\Windows\system32\chcp.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3300 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3300.2118\cmd_21052019.cmd | text | |
MD5:583F9E6C3CF3FEB2ABCD4D5FE464E099 | SHA256:EFF405CA5F5BFA7BD700D390181C13D97EBC70AA9A04834F2BBE19A5102B7426 | |||
2336 | cmd.exe | C:\Users\admin\admin.vbs | text | |
MD5:46809A49AABA04A4EE7CCCD1866C98F8 | SHA256:C59004E44B31DFE7A541AC21420798A27921E4D21B91D6F3277A641EA7E91CE4 | |||
2044 | wscript.exe | C:\Users\admin\admin\PZHE9G8EA81U1LP301H70BP9W9A9T | — | |
MD5:— | SHA256:— | |||
2044 | wscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aCNbAFfU9KI50004a06H0M12aNHDK4F8NNFKD2.LNK | lnk | |
MD5:7AE55BEE6FB8BDC3920ECC363C86A070 | SHA256:9A2CF7A243A2A167ECC21B34057D60B3533A41EB7AFE13C00F279195698824A2 | |||
2044 | wscript.exe | C:\Users\admin\admin\iEfEVMmT_3592827.dll | executable | |
MD5:FF9C4D5C2F3CFB7349EF1E2FB1D7F1DF | SHA256:F3569179F00EFB89ACB253940B5D6652B18989ECF234BC9BC3994688F0C42C1C | |||
2044 | wscript.exe | C:\Users\admin\fhfj5nriop.zip | compressed | |
MD5:A9778EDF5A67D34F022641C22F5164F1 | SHA256:178F4D0ED9E760537284DBEB56AD71AEA8D54EE71E327B26EBDDE544BE7BA8BB | |||
2044 | wscript.exe | C:\Users\admin\admin\XUGDGKS020OUMV29FG06Q8WH9B63 | executable | |
MD5:B06E67F9767E5023892D9698703AD098 | SHA256:8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB | |||
2044 | wscript.exe | C:\Users\admin\admin\htHDBLx_357097 | a3x | |
MD5:C63F38578E33348353C6BC6DE2266558 | SHA256:782374DCA43F0B8EDDEC706CCB81473D48719497A9435B08A101300B0526F7F6 | |||
2044 | wscript.exe | C:\Users\admin\admin\MNNB86Q893QOBF4PGHMX9KA9H5WBN9WMOB | a3x | |
MD5:C63F38578E33348353C6BC6DE2266558 | SHA256:782374DCA43F0B8EDDEC706CCB81473D48719497A9435B08A101300B0526F7F6 | |||
2044 | wscript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\y213[1].zip | compressed | |
MD5:A9778EDF5A67D34F022641C22F5164F1 | SHA256:178F4D0ED9E760537284DBEB56AD71AEA8D54EE71E327B26EBDDE544BE7BA8BB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2044 | wscript.exe | POST | 200 | 192.99.34.204:80 | http://docseguridads.com/y213/ZCorpqhV432BJDA5Ca0JCE7BEaL5C3M5782H9a.txt | CA | text | 519 b | malicious |
2044 | wscript.exe | GET | 200 | 192.99.34.204:80 | http://docseguridads.com/y213/y213.zip | CA | compressed | 8.34 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2044 | wscript.exe | 192.99.34.204:80 | docseguridads.com | OVH SAS | CA | malicious |
Domain | IP | Reputation |
---|---|---|
docseguridads.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2044 | wscript.exe | A Network Trojan was detected | MALWARE [PTsecurity] Virus.vbs.qexvmc (N40/KLBanker) |