| Field | Value |
|---|---|
| File name | Payment Draft.cab |
| Full analysis | https://app.any.run/tasks/d15b0824-b57d-4606-9a1b-45186e28bea7 |
| Verdict | Malicious activity |
| Threats | Netwire is an advanced RAT: malware that takes control of infected PCs and lets its operators perform various actions. Unlike many RATs, it can target every major operating system, including Windows, Linux, and macOS. |
| Analysis date | February 21, 2020, 16:13:46 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.ms-cab-compressed |
| File info | Microsoft Cabinet archive data, 1228569 bytes, 1 file |
| MD5 | 2EE7627EE56D2B11D10D7D780D235F92 |
| SHA1 | CF3469D31AB8FAC7FCA9B6D4513E57455310B410 |
| SHA256 | 6A80B05A4A59B8EE0E1985754F0FEA95D877E114C6B6BAE720CDDB57E8257874 |
| SSDEEP | 24576:FY9vvaLd7j3tz4fTWjv+gEURlWACSf3bNiCWAXz6h3Bo661d7c/1RMWaMP3af0on:y9vvI7zyfTuxEUQCWSmhxo661dw/XMxX |
| Extension | Identified type |
|---|---|
| .cab | Microsoft Cabinet Archive (100) |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3620 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Payment Draft.cab" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe |
| | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 | | | |
| 3692 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3620.16773\Payment Draft.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3620.16773\Payment Draft.exe | | WinRAR.exe |
| | User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | |
| 2080 | "C:\Users\admin\AppData\Local\Temp\62474426\hkub.pif" porrql.ihc | C:\Users\admin\AppData\Local\Temp\62474426\hkub.pif | | Payment Draft.exe |
| | User: admin; Company: AutoIt Team; Integrity Level: MEDIUM; Description: AutoIt v3 Script; Exit code: 0; Version: 3, 3, 8, 1 | | | |
| 2248 | "C:\Users\admin\AppData\Local\Temp\RegSvcs.exe" | C:\Users\admin\AppData\Local\Temp\RegSvcs.exe | | hkub.pif |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Services Installation Utility; Version: 4.7.3062.0 built by: NET472REL1 | | | |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3620 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | |
| 3620 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | |
| 3620 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E | LanguageList | en-US |
| 3620 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\Payment Draft.cab |
| 3620 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120 |
| 3620 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80 |
| 3620 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120 |
| 3620 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100 |
| 3620 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
| 3620 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |

All ten registry writes come from WinRAR.exe (PID 3620) and are ordinary WinRAR interface state (theme, archive history, column widths, zone-map settings). The report records no registry changes by Payment Draft.exe, hkub.pif or RegSvcs.exe, so no registry-based persistence is visible in this run.
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3692 | Payment Draft.exe | C:\Users\admin\AppData\Local\Temp\62474426\porrql.ihc | — | — | — |
| 3692 | Payment Draft.exe | C:\Users\admin\AppData\Local\Temp\62474426\mfsrhdujp.txt | text | 67C2B9917B1162B86D0704C0D33B1EE3 | 2771FFC6D14FC42189E7D96503FF76F1F25F3C3506726739BE18E1975F63EACF |
| 3692 | Payment Draft.exe | C:\Users\admin\AppData\Local\Temp\62474426\hlnhlf.exe | text | C92B19115CE190DF81249FA8C797FF38 | 3F1D9E8120BC82ADEBEC6CBBE8DA8B7D78A43577B0570A29A48F8455AB435F0C |
| 3620 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3620.16773\Payment Draft.exe | executable | A794516C77B3BB049C463C1BDC5D5D3E | 4CE5136B29D5792C2CE74226D80CEB122CE4FF76AA787BD16C1D333F4085D952 |
| 3692 | Payment Draft.exe | C:\Users\admin\AppData\Local\Temp\62474426\hahaiwpm.dat | text | 20D2AB824AF251DA26C92AA22993B319 | 10B734A8F9E4212C98648D491FB6C6B8D0B664CCEBF064D56250ED8C2E9E4065 |
| 3692 | Payment Draft.exe | C:\Users\admin\AppData\Local\Temp\62474426\swco.icm | text | 4C9D402C46A621FBA9D23B78E0BCB1A3 | 53517F381FA528F5122B930464E923FB0D9AD30C4775E61CDAA2C92B882EC231 |
| 3692 | Payment Draft.exe | C:\Users\admin\AppData\Local\Temp\62474426\ambh.icm | text | 19A55CB62675833EECACCADBACFC67B4 | 5FF947E046BD2AD453FA3C5DBC6F7E4A0C25EC970EE9C535F0663C2DAB645AAA |
| 3692 | Payment Draft.exe | C:\Users\admin\AppData\Local\Temp\62474426\purc.ppt | text | 178EAFDEDD97AA8576351417DB6F20E5 | 654D2F26E28088E37CDB36E71CEDE7C5F6708C6A1BE264ABF8A283F2E327CB2D |
| 3692 | Payment Draft.exe | C:\Users\admin\AppData\Local\Temp\62474426\tkes.xls | text | C5D12E596A14F7E91308CAE0AAD6CE1D | 2EB165F738B8B0F4BBC224B0CF0CCCDDC445F9BFD48E7F47E59040B0F3C995D3 |
| 3692 | Payment Draft.exe | C:\Users\admin\AppData\Local\Temp\62474426\qnkxatwlbc.pdf | text | 507D1212094C6039ED8D92A624985BCD | 51109D894C44CDA77571EDACF830DD8B1BAD75A4538C8858B477EB56AF9F7517 |

Everything written by Payment Draft.exe (PID 3692) lands in one staging directory, C:\Users\admin\AppData\Local\Temp\62474426\. The files carrying document extensions (.ppt, .xls, .pdf, .icm, .dat, .txt) are all typed as text, as is hlnhlf.exe despite its name. porrql.ihc, recorded without a hash, is the file later passed as the argument to hkub.pif (PID 2080).
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2248 | RegSvcs.exe | 91.189.180.213:3365 | — | ServeTheWorld AS | NO | malicious |
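The process chain in this report (WinRAR extracts Payment Draft.exe; it drops an AutoIt interpreter renamed hkub.pif that runs porrql.ihc; that in turn launches a copy of Microsoft's RegSvcs.exe from %TEMP%, which opens the connection to 91.189.180.213:3365 above) can be matched from process-creation and network events. The Python below is an added example, not code from ANY.RUN or from the report. The event records are constructed by hand from the process and network tables; the Proc/Conn field schema, the rule names, the port and extension allow-lists, and the explorer.exe PID (0, which the report does not give) are assumptions made for the example. RegSvcs.exe legitimately lives under C:\Windows\Microsoft.NET\Framework\ (or Framework64), which is the basis of the path check.

```python
"""Match this report's loader chain from process and network events.
Added example, not ANY.RUN code: the records are constructed by hand from the
tables above; the Proc/Conn schema, rule names and explorer.exe PID (0, not in
the report) are assumptions."""
from __future__ import annotations
import ntpath
import re
from dataclasses import dataclass

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str               # full path of the executable image
    cmdline: str
    description: str = ""    # version-resource FileDescription
    company: str = ""        # version-resource CompanyName

@dataclass
class Conn:
    pid: int
    dst_ip: str
    dst_port: int
    domain: str | None = None   # None when a raw IP was contacted

# RegSvcs.exe ships under the .NET Framework directory; any other path is odd.
FRAMEWORK_DIR = re.compile(r"\\Windows\\Microsoft\.NET\\Framework(64)?\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
EXEC_EXTS = {".exe", ".pif", ".scr", ".com"}
AUTOIT_SCRIPT_EXTS = {".au3", ".a3x"}   # what a genuine AutoIt script is called
WEB_PORTS = {80, 443}

def script_arg(cmdline: str) -> str | None:
    """First argument after the (possibly quoted) program path, or None."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s+(?:"([^"]*)"|(\S+))', cmdline)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))

def check_proc(p: Proc) -> list[str]:
    """Per-process rules; returns the names of the rules that fired."""
    hits: list[str] = []
    base, ext = ntpath.splitext(ntpath.basename(p.image))
    ext = ext.lower()
    is_autoit = "autoit" in f"{p.description} {p.company}".lower()
    if is_autoit and ext != ".exe":
        hits.append("autoit_interpreter_renamed")        # hkub.pif
    arg = script_arg(p.cmdline) if is_autoit else None
    if arg and ntpath.splitext(arg)[1].lower() not in AUTOIT_SCRIPT_EXTS:
        hits.append("autoit_script_unusual_ext")         # porrql.ihc
    if base.lower() == "regsvcs" and not FRAMEWORK_DIR.search(p.image):
        hits.append("regsvcs_outside_framework")         # %TEMP%\RegSvcs.exe
    if TEMP_DIR.search(p.image) and ext in EXEC_EXTS:
        hits.append("exec_from_temp")
    return hits

def ancestors(pid: int, by_pid: dict[int, Proc]) -> list[int]:
    """Parent PIDs, nearest first; stops at an unknown PID or a cycle."""
    chain, seen = [], {pid}
    while pid in by_pid and by_pid[pid].ppid not in seen:
        pid = by_pid[pid].ppid
        seen.add(pid)
        chain.append(pid)
    return chain

def analyze(procs: list[Proc], conns: list[Conn]) -> dict[int, list[str]]:
    """Return {pid: [rule, ...]} for every process that tripped a rule."""
    by_pid = {p.pid: p for p in procs}
    findings = {p.pid: check_proc(p) for p in procs}
    for p in procs:
        # Chain rule: a misplaced RegSvcs.exe descended from a renamed AutoIt
        # interpreter is the exact sequence recorded in this report.
        if "regsvcs_outside_framework" in findings[p.pid] and any(
                "autoit_interpreter_renamed" in findings.get(a, [])
                for a in ancestors(p.pid, by_pid)):
            findings[p.pid].append("autoit_to_dotnet_utility_chain")
    for c in conns:
        # Raw-IP connection on a non-web port from an already-flagged process.
        if findings.get(c.pid) and c.domain is None and c.dst_port not in WEB_PORTS:
            findings[c.pid].append("raw_ip_nonweb_port_from_flagged_proc")
    return {pid: h for pid, h in findings.items() if h}

T = r"C:\Users\admin\AppData\Local\Temp"
SAMPLE_PROCS = [   # constructed from the report's process table
    Proc(3620, 0, r"C:\Program Files\WinRAR\WinRAR.exe",
         rf'"C:\Program Files\WinRAR\WinRAR.exe" "{T}\Payment Draft.cab"',
         "WinRAR archiver", "Alexander Roshal"),
    Proc(3692, 3620, rf"{T}\Rar$EXa3620.16773\Payment Draft.exe",
         rf'"{T}\Rar$EXa3620.16773\Payment Draft.exe"'),
    Proc(2080, 3692, rf"{T}\62474426\hkub.pif",
         rf'"{T}\62474426\hkub.pif" porrql.ihc', "AutoIt v3 Script", "AutoIt Team"),
    Proc(2248, 2080, rf"{T}\RegSvcs.exe", rf'"{T}\RegSvcs.exe"',
         "Microsoft .NET Services Installation Utility", "Microsoft Corporation"),
]
SAMPLE_CONNS = [Conn(2248, "91.189.180.213", 3365)]   # from the network table

if __name__ == "__main__":
    for pid, rules in analyze(SAMPLE_PROCS, SAMPLE_CONNS).items():
        print(pid, ", ".join(rules))
```

Run against the constructed records, WinRAR.exe trips nothing, the extracted Payment Draft.exe trips only the %TEMP% execution rule, hkub.pif trips the renamed-interpreter and odd-script-extension rules, and RegSvcs.exe collects the misplaced-binary, chain and raw-IP connection rules. The chain rule is the one worth keeping at high severity: each per-process rule alone (an .exe in %TEMP%, an AutoIt stub) is noisy in real telemetry, but a Microsoft .NET utility running from %TEMP% underneath a renamed AutoIt interpreter is specific to this kind of loader.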
| Domain | IP | Reputation |
|---|---|---|
| dns.msftncsi.com | | shared |

dns.msftncsi.com is the name Windows resolves for its Network Connectivity Status Indicator probe; its presence reflects the sandbox VM checking connectivity, not attacker infrastructure. The only malicious network activity in the report is the RegSvcs.exe connection to 91.189.180.213:3365.