Field | Value |
---|---|
File name | XML002118xc949263487_.zip |
Full analysis | https://app.any.run/tasks/872a75da-73dd-4255-937f-d39ed60395bb |
Verdict | Malicious activity |
Analysis date | January 22, 2019, 21:15:31 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/octet-stream |
File info | data |
MD5 | 9FB11EC2684BAA26E90364DA39CD1338 |
SHA1 | A6FE888516255B0C988ED121FB66ED83DD1666E9 |
SHA256 | 693EEEFB55F29F985BA3C1A18AE8E5D96F907F79AF2BEC4F450777F987FB3A2D |
SSDEEP | 48:yKA/Ro5+9uffYfCHpkbtFgqv67U3praSi3EJw1Z8Jn3htl:Gpo5/fQfukbtaDg3prHi3O08JRX |

Extension | Type |
---|---|
.txt | Text - UTF-8 encoded (100) |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2884 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\XML002118xc949263487_.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
2756 | cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa2884.25222\XML002118xc.cmd" " | C:\Windows\system32\cmd.exe | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3476 | ping 127.0.0.1 -n 1 | C:\Windows\system32\PING.EXE | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: TCP/IP Ping Command; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3932 | wscript //Nologo "C:\Users\Public\admin\admin.vbs" ssaA0YSiDNV67mGTIzvcw3uDu168BmoDZdamYPcvCkX | C:\Windows\system32\wscript.exe | | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
3644 | cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa2884.26136\XML002118xc.cmd" " | C:\Windows\system32\cmd.exe | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2680 | cmd /c ""C:\Users\admin\Desktop\XML002118xc.cmd" " | C:\Windows\system32\cmd.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3976 | "C:\ProgramData\sNC_553\sNC_553.exe" | C:\ProgramData\sNC_553\sNC_553.exe | | wscript.exe | User: admin; Company: VMware, Inc.; Integrity Level: MEDIUM; Description: VMware NAT Service; Version: 12.5.6 build-5528349 |
3392 | "C:\Windows\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\XML002118xc.cmd | C:\Windows\System32\NOTEPAD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2884 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2884.25222\XML002118xc.cmd | text | 12765980C91B01873AE163DC6CD42BCE | B78AF30898B5DD984C3FA640507099C6E69B7EB5485F642A6A22A6806B885239 |
2756 | cmd.exe | C:\Users\Public\admin\admin.vbs | text | D7918BE083296817531F08AB125F9F75 | F9B592CEBD16D83074C23B3A887694096FB8D0568A7BFA6DAB05A78A95723528 |
2884 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2884.26618\XML002118xc.cmd | — | — | — |
3932 | wscript.exe | C:\ProgramData\sNC_553\CPSTV3NH4KUWET74KJZ09RO1MMXCTBCST | — | — | — |
3932 | wscript.exe | C:\ProgramData\sNC_553\IKOQEKTO25RDTT0QZ4PMHUDZLBHF1 | — | — | — |
3932 | wscript.exe | C:\ProgramData\MfzZCcpf8JF62LN0CL | text | 3FE701A02320A9888828B76821445BD5 | F58BED8AFCF718A4220C6313BEDCC97106DB24E9B596FE33C600830E14181C9B |
2884 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2884.26136\XML002118xc.cmd | text | 12765980C91B01873AE163DC6CD42BCE | B78AF30898B5DD984C3FA640507099C6E69B7EB5485F642A6A22A6806B885239 |
3932 | wscript.exe | C:\ProgramData\software.zip | compressed | B856FC33AE899118A22BFD7BD785670F | 7DE1F9F31668C38004BBAA305CD854DC5CF0366B62CF11D1417B567C60246AAC |
3932 | wscript.exe | C:\ProgramData\sNC_553\shfolder.dll | executable | 7C40E849B2BA20E84D89CD765F0A631E | 7C493322A3A614C059EFA7BC988E2562F05E52C6613564F918B742522F748EC7 |
3932 | wscript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\2301[1].zip | compressed | B856FC33AE899118A22BFD7BD785670F | 7DE1F9F31668C38004BBAA305CD854DC5CF0366B62CF11D1417B567C60246AAC |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3932 | wscript.exe | 180.250.19.130:443 | www.psim.ipb.ac.id | PT Telekomunikasi Indonesia | ID | unknown |

Domain | IP | Reputation |
---|---|---|
www.psim.ipb.ac.id | | unknown |

Process | Message |
---|---|
sNC_553.exe | CodeSet_Init: no ICU |