| Field | Value |
|---|---|
| File name | ursnif_dropper.zip |
| Full analysis | https://app.any.run/tasks/1f13bc29-e751-43dd-840a-d0c126ae9565 |
| Verdict | Malicious activity |
| Analysis date | April 23, 2019, 10:27:25 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 48A0CA7B5B870ED694D9CD15B11E4E51 |
| SHA1 | 763683091205D0365C0E82FC7178D081B1781C97 |
| SHA256 | 824634C19BE6E14BD709BEEE590172E61F9EDE04756574422058CA78F6C1BEDE |
| SSDEEP | 1536:LRK321dRQ1vjAnTieUGbII1e9hSWOktapR2pMChqUF:LjdRGATiJI1yVOktoRahq4 |
| Extension | Description |
|---|---|
| .zip | ZIP compressed archive (100) |

| Field | Value |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | - |
| ZipCompression | Deflated |
| ZipModifyDate | 2045:10:05 06:01:08 |
| ZipCRC | 0x91f90767 |
| ZipCompressedSize | 1121 |
| ZipUncompressedSize | 2179 |
| ZipFileName | Italiano.bat |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 960 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ursnif_dropper.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 1932 | cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa960.27202\Italiano.bat" " | C:\Windows\system32\cmd.exe | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1856 | tzutil /s "W. Europe Standard Time" | C:\Windows\system32\tzutil.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Time Zone Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 392 | certutil /decode "C:\Users\admin\AppData\Local\Temp\b64" "C:\Users\admin\AppData\Local\Temp\decoded" | C:\Windows\system32\certutil.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: CertUtil.exe; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2200 | regedit.exe /s "C:\Users\admin\AppData\Local\Temp\decoded" | C:\Windows\regedit.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Editor; Exit code: 3221226540; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2548 | "C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded" | C:\Windows\regedit.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Editor; Exit code: 3221226540; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1336 | "C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded" | C:\Windows\regedit.exe | | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Registry Editor; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2956 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000 |
| 1480 | cmD /C " EchO/^^^&( $Env:COMSPec[4,15,25]-jOiN'') (NEw-oBJEct IO.COMpREsSION.DeflAtEsTREAm( [syStem.Io.MeMoRysTrEaM] [conVeRt]::FROMbasE64sTrINg( '' ), [SYsTeM.io.coMPReSsIoN.COmPreSsIOnModE]::deCOmPreSS )^^^\| fOReAch-OBjECt{NEw-oBJEct iO.stREAmREADeR( $_,[TexT.eNCoDiNg]::aSCiI )}).readtOEnd() \| pOwerShEll -exeCutioNp bypASs -nOprOFIle -NOnIntE -WinD hidDEN ${execUTIonCOnteXt}.InvokeCoMmAnd.InVokEsCripT( ${iNput} )" | C:\Windows\system32\cmD.exe | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1360 | C:\Windows\system32\cmd.exe /S /D /c" EchO/^&( $Env:COMSPec[4,15,25]-jOiN'') (NEw-oBJEct IO.COMpREsSION.DeflAtEsTREAm( [syStem.Io.MeMoRysTrEaM] [conVeRt]::FROMbasE64sTrINg( '' ), [SYsTeM.io.coMPReSsIoN.COmPreSsIOnModE]::deCOmPreSS )^\| fOReAch-OBjECt{NEw-oBJEct iO.stREAmREADeR( $_,[TexT.eNCoDiNg]::aSCiI )}).readtOEnd() " | C:\Windows\system32\cmd.exe | — | cmD.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2956 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR6FED.tmp.cvr | — | — | — |
| 1212 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4PKD8VSPH6FH6VOP4PKF.temp | — | — | — |
| 2956 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF8B9FABFCD3F970C5.TMP | — | — | — |
| 2956 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFB197FAD153FD3F8C.TMP | — | — | — |
| 2816 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR20D5.tmp.cvr | — | — | — |
| 724 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B3QXO5MZQSO03ELPYD3I.temp | — | — | — |
| 960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa960.27202\Italiano.bat | text | 6B1B621E862FC5D50E8CECD743723D3E | 83765A34DE189ED9BC830059678754A7BC80A82E37751117028EFEEE6516E69F |
| 724 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
| 724 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1427ca.TMP | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
| 2956 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIa960.27845\ursnif_dropper_23_04_2019.xls | document | A34A98E39C669A6F11C6A17362F1F601 | 54AB2A14DFB12D062227113FFEB01D9E811D437BB07689AB8D246D5C1EE1E8FD |