File name: | CVE-2018-4878_#PoC#(1).zip |
Full analysis: | https://app.any.run/tasks/2fc4c7b8-7e75-4204-a87f-174e61ee55da |
Verdict: | Malicious activity |
Analysis date: | December 06, 2018, 09:26:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 1D169B52BF39D8D11485A6A101464143 |
SHA1: | 0CCF143889A3E52B03BE3596E6C054C95D0BF81B |
SHA256: | 89019BFC86E39D91C685782280DFDDD0C9647B7EF97666B938ACE65ABC48AC19 |
SSDEEP: | 384:M4sxpoIGuEsmzUv96hcA6Yv5GTm3Q19f1Lyouii7KDJ:M4sboIVNV6qAVsZuii7aJ |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | CVE-2018-4878_#PoC#/ |
---|---|
ZipUncompressedSize: | - |
ZipCompressedSize: | - |
ZipCRC: | 0x00000000 |
ZipModifyDate: | 2018:02:13 14:02:16 |
ZipCompression: | None |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2956 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\CVE-2018-4878_#PoC#(1).zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
4016 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2892 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3036 | C:\Windows\System32\cmd.exe | C:\Windows\System32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1278912021 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3556 | calc | C:\Windows\System32\calc.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Calculator Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Downloads\CVE-2018-4878_#PoC#(1).zip | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface |
Operation: | write | Name: | ShowPassword |
Value: 0 | |||
(PID) Process: | (2956) WinRAR.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | EXCELFiles |
Value: 1300627473 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2892 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA9DD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2892 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx | — | |
MD5:— | SHA256:— | |||
2892 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Excel8.0\ShockwaveFlashObjects.exd | tlb | |
MD5:5B96E97E87AA464CAF49981A7A12E358 | SHA256:B3479C751C6A54742EF98FD9D0A4E32CE43BCD2D3A00C9B6F8464DF58D28C8C0 | |||
2892 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol | sol | |
MD5:AE8529F70D4AD6F2BAEA7712F6B59B47 | SHA256:31FC441B11B10316C1827E9099E93EF2E77526399CC9A06FF4DBF975768FB46D | |||
2892 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Adobe\Flash Player\APSPrivateData2\0\drm-ax-win-x86\CertStore.dat | cat | |
MD5:25E2F963E7A72DAACA46C4A46220391F | SHA256:7A4BF3A3E68A16F8601E59B7A8D11C6E4FAEA68C085162FD433D41D021BE2248 | |||
2892 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Adobe\Flash Player\APSPrivateData2\0\drm-ax-win-x86\CertStore.dat.lkg | cat | |
MD5:25E2F963E7A72DAACA46C4A46220391F | SHA256:7A4BF3A3E68A16F8601E59B7A8D11C6E4FAEA68C085162FD433D41D021BE2248 | |||
2956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb2956.40107\CVE-2018-4878_PoC.xlsx | document | |
MD5:B847F8AA180D975688AE870D207C47B2 | SHA256:533AC371B995230540509C809E6FBDC3D3D39D2C950783CFAD5CB872243986FA | |||
2892 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Adobe\Flash Player\APSPrivateData2\0\drm-ax-win-x86\MiscGlobalDataStore.mgd.lkg | der | |
MD5:2F66AEACF2462C8EAB9E6EF8F7DBF4DF | SHA256:53102A91D014CF8CAACCA45E272DAB33A8550C587EF0D49F8D5CB291B8DA812B | |||
2892 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\crossdomain[1].xml | xml | |
MD5:D6857C0A71E33470BD1374FCB55321A2 | SHA256:9D18E552EA3988EA9CBF9F34A69C969D2E1434E19D6BDC7DE8814E0FF6E1E308 | |||
2892 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45D5C8D5.emf | emf | |
MD5:C2F7FB587C905FF2A96967F68B4E7DFF | SHA256:E2611521F0693EB4C078174EDC3BE74E9494C905241DCF09A2BF8946F149FE70 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2892 | EXCEL.EXE | POST | 200 | 52.4.148.166:80 | http://individualization.adobe.com/flashaccess/i15n/v5 | US | cat | 9.54 Kb | whitelisted |
2892 | EXCEL.EXE | GET | 200 | 52.4.148.166:80 | http://individualization.adobe.com/crossdomain.xml | US | xml | 286 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2892 | EXCEL.EXE | 52.4.148.166:80 | individualization.adobe.com | Amazon.com, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
individualization.adobe.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2892 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY Outdated Flash Version M1 |