Field | Value
---|---|
File name | Tower.rar
Full analysis | https://app.any.run/tasks/ba5f1fb1-6fff-4a40-b9df-2c8ed5945ca9
Verdict | Malicious activity
Analysis date | November 16, 2019, 21:38:16
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | E5D722BA8D843228BDE659795F7BAFB7
SHA1 | 354A5D94E5A0199DCDC1F6649AE12B49CE6DABC5
SHA256 | 85A405C82BAAD65258E506FC5F99D32B50D74B1B2083BE7B5D186377F6D647CF
SSDEEP | 49152:R9KHfNyEokwjhwWW4v0XqjVvBGwThP04zRqgwrZ:a8EokqMvXqj9BGkp04oZ
Extension | Description | Match (%)
---|---|---|
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---|
2300 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Tower.rar" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe
| User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 ||||
3852 | "C:\Users\admin\Desktop\Tower.exe" | C:\Users\admin\Desktop\Tower.exe | | explorer.exe
| User: admin; Integrity Level: HIGH; Description: Tower; Exit code: 3221225547 (0xC000004B); Version: 0.0.6.0 ||||
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
3852 | Tower.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\check[1].htm | — | — | —
3852 | Tower.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019111620191117\index.dat | dat | EA76C795A12D8E78EE7CA5907A84ECF5 | A7B00B42AF9C89FB20EF08E467820F40F04AADAA782EB61B9F90CBFB22739D44
3852 | Tower.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\check[1].php | text | 7DD4C3CFC87249A8827A9A25A161F55B | 892C17310AF17DDDC73D8F321FD67C243F823C3073246DB98EF6CF48CEFF2132
3852 | Tower.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | 05AD5CC3FF704373150BAEC524B2DCC0 | FD17FB94E7FB00232BF432ECC6275BEBC18580561C77B219375F7068CF2D45B2
3852 | Tower.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\check[1].php | text | 7DD4C3CFC87249A8827A9A25A161F55B | 892C17310AF17DDDC73D8F321FD67C243F823C3073246DB98EF6CF48CEFF2132
3852 | Tower.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\check[2].php | text | B35F1928252CCF7A3F6A1C956F343A71 | 6A5BC097101485A28D22BB8E6903E7E7EB49D08CD9D1B0640A54D97F79772DA5
3852 | Tower.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\check[1].php | text | 7DD4C3CFC87249A8827A9A25A161F55B | 892C17310AF17DDDC73D8F321FD67C243F823C3073246DB98EF6CF48CEFF2132
2300 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2300.32595\Tower.exe | executable | DE8E04E49070A04B8363ED9F31EB13CD | B21C9F73095B243C652DB9F76A4A6A5C90914D7524A9DA8859981ADD05FBB28C
3852 | Tower.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\aes[1].js | text | 78A66859739B0C9E18BC5B4538C03BF9 | D2701C86A2A31A641520E72121749DBBABEED4B1A59AECE20BBF14F9C9DE82BC
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3852 | Tower.exe | GET | 200 | 185.27.134.129:80 | http://towerclub.epizy.com/check.php?username=sad%20cloud%20&%20password=azerty44&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f&i=1 | GB | text | 31 b | malicious |
3852 | Tower.exe | GET | 200 | 185.27.134.129:80 | http://towerclub.epizy.com/check.php?username=sad%20cloud%20&%20password=Azerty44&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f | GB | text | 31 b | malicious |
3852 | Tower.exe | GET | 200 | 185.27.134.129:80 | http://towerclub.epizy.com/check.php?username=sadcloud%20&%20password=azerty44&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f | GB | compressed | 31 b | malicious |
3852 | Tower.exe | GET | 200 | 185.27.134.129:80 | http://towerclub.epizy.com/check.php?username=sad%20cloud%20&%20password=azerty44&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f | GB | html | 626 b | malicious |
3852 | Tower.exe | GET | 200 | 185.27.134.129:80 | http://towerclub.epizy.com/aes.js | GB | text | 30.4 Kb | malicious |
3852 | Tower.exe | GET | 200 | 185.27.134.129:80 | http://towerclub.epizy.com/check.php?username=skotaiz%20&%20password=zob&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f | GB | text | 31 b | malicious |
3852 | Tower.exe | GET | 200 | 185.27.134.129:80 | http://towerclub.epizy.com/check.php?username=sad%20cloud%20&%20password=azerty44&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f | GB | text | 31 b | malicious |
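The request table above shows Tower.exe sending a username, a password and a hardware id as GET parameters over plain HTTP, cycling through several credential pairs against check.php and fetching aes.js in between. The script below is an added triage example, not part of the ANY.RUN report or of the sample: it parses the recorded URLs (copied from the table and embedded so it runs offline), decodes the query strings, flags parameters that leak credentials in cleartext and summarises the distinct login attempts, hardware id and endpoints. The SENSITIVE_KEYS list is an assumption chosen for the example, not a rule taken from the report.

```python
"""Triage of the cleartext HTTP requests recorded for Tower.exe (PID 3852).

Added example for this report; the URLs below are copied from the request
table and embedded so the script runs offline.
"""
from urllib.parse import parse_qsl, urlsplit

# Request URLs exactly as the sandbox recorded them (taken from the table above).
OBSERVED_URLS = [
    "http://towerclub.epizy.com/check.php?username=sad%20cloud%20&%20password=azerty44&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f&i=1",
    "http://towerclub.epizy.com/check.php?username=sad%20cloud%20&%20password=Azerty44&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f",
    "http://towerclub.epizy.com/check.php?username=sadcloud%20&%20password=azerty44&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f",
    "http://towerclub.epizy.com/check.php?username=sad%20cloud%20&%20password=azerty44&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f",
    "http://towerclub.epizy.com/aes.js",
    "http://towerclub.epizy.com/check.php?username=skotaiz%20&%20password=zob&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f",
    "http://towerclub.epizy.com/check.php?username=sad%20cloud%20&%20password=azerty44&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f",
]

# Parameter names that should never travel in a cleartext GET query string.
# Assumption for this example; extend it for the application under review.
SENSITIVE_KEYS = {"username", "user", "password", "pass", "pwd", "hwid", "token", "key"}


def parse_request(url):
    """Split one URL into scheme, host, path and decoded (key, value) pairs.

    parse_qsl percent-decodes both halves, so the key '%20password' comes back
    as ' password' with its leading space intact; keys are only stripped when
    matched against SENSITIVE_KEYS so the raw key stays visible to the analyst.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {"scheme": parts.scheme, "host": parts.hostname, "path": parts.path, "params": params}


def flag_cleartext_credentials(url):
    """Return {normalised_key: value} for sensitive parameters sent over plain HTTP.

    Empty when the request is HTTPS or carries no sensitive keys.
    """
    req = parse_request(url)
    if req["scheme"] != "http":
        return {}
    leaked = {}
    for key, value in req["params"]:
        norm = key.strip().lower()
        if norm in SENSITIVE_KEYS:
            leaked[norm] = value
    return leaked


def summarise(urls):
    """Aggregate distinct credential attempts, hardware ids and endpoints.

    Returns (attempts, hwids, endpoints): attempts is the ordered list of
    distinct (username, password) pairs with surrounding whitespace stripped,
    hwids the set of hardware ids seen, endpoints the set of (host, path).
    """
    attempts, hwids, endpoints = [], set(), set()
    for url in urls:
        req = parse_request(url)
        endpoints.add((req["host"], req["path"]))
        leaked = flag_cleartext_credentials(url)
        if "hwid" in leaked:
            hwids.add(leaked["hwid"])
        if "username" in leaked or "password" in leaked:
            pair = (leaked.get("username", "").strip(), leaked.get("password", "").strip())
            if pair not in attempts:
                attempts.append(pair)
    return attempts, hwids, endpoints


if __name__ == "__main__":
    attempts, hwids, endpoints = summarise(OBSERVED_URLS)
    print("endpoints contacted:", sorted(endpoints))
    print("distinct credential attempts:", attempts)
    print("hardware ids:", sorted(hwids))
    for url in OBSERVED_URLS:
        raw_keys = [k for k, _ in parse_request(url)["params"]]
        print(raw_keys, "->", flag_cleartext_credentials(url))
```

Decoding the query string shows that the password key is really ` password` with a leading space (the URL carries `&%20password=`), which is why the matcher strips keys before comparing them; a network signature anchored on a literal `&password=` would miss every one of these requests, while matching on the decoded key catches them. The same parse also separates the four distinct username/password pairs from the repeated retries, so the analyst sees the login behaviour rather than seven near-identical rows.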
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3852 | Tower.exe | 185.27.134.129:80 | towerclub.epizy.com | Wildcard UK Limited | GB | malicious |
Domain | IP | Reputation
---|---|---|
towerclub.epizy.com | | malicious
PID | Process | Class | Message |
---|---|---|---|
3852 | Tower.exe | Misc activity | SUSPICIOUS [PTsecurity] Encryptor aes.js script (seen PedCont ransomware) |