URL: | https://gvou7g.by.files.1drv.com/y4mXPAhz4vKUQwuVP4QQfciMaYSEVhvIZlLSsI0nORnVbpoUvXms2nkvt1ooYzE8gedfUtKShS5_C1tgsixVvvjeK1mA1WVCIfZ8OWFS8vflmCeSxCa9908Qk5lOSJ815K6F52upiWDH65hpCcT8BBNm5xtdzJkSs1FcOmTTBvYDtFlZyIhjlIDUTI5fRI2yM0dXPtOLud9arsqQU24BKwo1Q/RFQ%2318122018%23REF-MCC-PD%20PROJECT.rar?download&psid=1 |
Full analysis: | https://app.any.run/tasks/09836d85-fa4a-4c2d-be10-1764339a3bb1 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold. |
Analysis date: | December 18, 2018, 12:33:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 548FAC0FA7B3FA0B588F653D0E2892B4 |
SHA1: | 4205DB837A8B51452560CB6338F99DD11930B85F |
SHA256: | 6CD5C3DEE426F9AB686CF33AB17214C88372537726827365CCF90400EEF07067 |
SSDEEP: | 6:2yaYX25lKaMGzlwFAFz4OKlv3evJ+x8PuBqj+WkbIuWDge1kjHXv9n:2hYX25nuAFUNlv3eegpkUnDgqk7/9 |
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2804 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 1; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3092 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2804 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2296 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\RFQ#18122018#REF-MCC-PD%20PROJECT[1].rar" | C:\Program Files\WinRAR\WinRAR.exe | — | iexplore.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
3200 | "C:\Program Files\WinRAR\WinRAR.exe" -elevate2296 | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe | User: admin; Company: Alexander Roshal; Integrity Level: HIGH; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
3764 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2296.47777\RFQ#18122018#REF-MCC-PD PROJECT.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2296.47777\RFQ#18122018#REF-MCC-PD PROJECT.exe | — | WinRAR.exe | User: admin; Company: adod inc; Integrity Level: MEDIUM; Description: adod document; Exit code: 0; Version: 1.0.2.7
2184 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Task Manager; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3556 | "C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\AppData\Local\Temp\Rar$EXa2296.47777\RFQ#18122018#REF-MCC-PD PROJECT.exe" "C:\Users\admin\AppData\Local\winupdate.exe" | C:\Windows\System32\cmd.exe | — | RFQ#18122018#REF-MCC-PD PROJECT.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3788 | "C:\Windows\System32\cmd.exe" /c, "C:\Users\admin\AppData\Local\winupdate.exe" | C:\Windows\System32\cmd.exe | — | RFQ#18122018#REF-MCC-PD PROJECT.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2436 | "C:\Users\admin\AppData\Local\winupdate.exe" | C:\Users\admin\AppData\Local\winupdate.exe | — | cmd.exe | User: admin; Company: adod inc; Integrity Level: MEDIUM; Description: adod document; Exit code: 0; Version: 1.0.2.7
3484 | "C:\Users\admin\AppData\Local\winupdate.exe" | C:\Users\admin\AppData\Local\winupdate.exe | — | winupdate.exe | User: admin; Company: adod inc; Integrity Level: MEDIUM; Description: adod document; Version: 1.0.2.7
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2804 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | — | —
2804 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
2804 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF4DB4C6D6DBD61A30.TMP | — | — | —
2804 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF0B4C56AA0F9010A3.TMP | — | — | —
2804 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{37746C55-02C1-11E9-BAD8-5254004A04AF}.dat | — | — | —
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018121820181219\index.dat | dat | B47F6B1659B1ADA2A2521A24439250BB | 42ADB2FFBEDB8141AB4652673F4678CE6D16A67E16BC7983935DE3DA1914F45B
2804 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018121820181219\index.dat | dat | 25355914E69D9C19872F17B4A835681F | 145F86DCF7787ED027A65F04D6A50D4C8EFDFD136D030C855347C43822A633B6
3556 | cmd.exe | C:\Users\admin\AppData\Local\winupdate.exe | executable | 3F1DEA9837C033E057596BA2C8ABF776 | 81AFE7082186F7A7B9B7E90906A7E99BFF12E02BA3EB9FE5082FBBEE88AC6B3B
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log | text | BCF94C03420CC33FC20BEC17F79A1738 | DA6DE13102708580C825328210D3D5A8D91690A14D931F9F09FA94C5EDC0FD01
2296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2296.47777\RFQ#18122018#REF-MCC-PD PROJECT.exe | executable | 3F1DEA9837C033E057596BA2C8ABF776 | 81AFE7082186F7A7B9B7E90906A7E99BFF12E02BA3EB9FE5082FBBEE88AC6B3B
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2804 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
3484 | winupdate.exe | GET | 200 | 216.146.43.71:80 | http://checkip.dyndns.org/ | US | html | 104 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3092 | iexplore.exe | 13.107.42.12:443 | gvou7g.by.files.1drv.com | Microsoft Corporation | US | suspicious |
2804 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3484 | winupdate.exe | 217.70.178.9:587 | mail.gandi.net | GANDI SAS | FR | malicious |
3484 | winupdate.exe | 216.146.43.71:80 | checkip.dyndns.org | Dynamic Network Services, Inc. | US | shared |
Domain | IP | Reputation
---|---|---
www.bing.com | — | whitelisted
gvou7g.by.files.1drv.com | — | whitelisted
checkip.dyndns.org | — | shared
mail.gandi.net | — | shared
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain |
3484 | winupdate.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup - checkip.dyndns.org |
3484 | winupdate.exe | Potentially Bad Traffic | ET POLICY DynDNS CheckIp External IP Address Server Response |