| Field | Value |
|---|---|
| File name | DOC0014541ENTEL1599521346.zip |
| Full analysis | https://app.any.run/tasks/0b5114c8-86bd-48c7-ae7c-f5e785f93ffd |
| Verdict | Malicious activity |
| Analysis date | January 10, 2019, 20:23:48 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/octet-stream |
| File info | data |
| MD5 | D1365FA05AFAF4FAA1ECA1E5D56B0210 |
| SHA1 | BBDBC9F2441E4E604536FD1E33D1BFC4D608226D |
| SHA256 | 8FC4B8C40A6108C69191711BE2C295CAB1ADEABE2F37D9B2FB87C4DD218876F3 |
| SSDEEP | 48:NS5/NtJXZhbw7UxxWXqvNSs+1pa9gjZkrfTmVIgXiX9AsHSPz:05/NDbw3XqvN9ea9gjaeVwexb |
| File type | .txt: Text - UTF-8 encoded (100) |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2952 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DOC0014541ENTEL1599521346.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 2484 | "C:\Windows\System32\cmd.exe" /C "C:\Users\admin\Desktop\DOC0014541ENTEL.cmd" | C:\Windows\System32\cmd.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3176 | ping 127.0.0.1 -n 1 | C:\Windows\system32\PING.EXE | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: TCP/IP Ping Command; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3684 | wscript //Nologo "C:\Users\Public\admin\admin.vbs" MwR9TOC5YPMHAWKfNDA0xgNNYbPqiDhSXRwirvtLL8nhm4TN | C:\Windows\system32\wscript.exe | | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 3768 | cmd /c ""C:\Users\admin\Desktop\DOC0014541ENTEL.cmd" " | C:\Windows\system32\cmd.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3948 | "C:\ProgramData\DLY_755\DLY_755.exe" | C:\ProgramData\DLY_755\DLY_755.exe | | wscript.exe | User: admin; Company: VMware, Inc.; Integrity Level: HIGH; Description: VMware NAT Service; Version: 12.5.6 build-5528349 |
| 3456 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\DOC0014541ENTEL.cmd" | C:\Program Files\Notepad++\notepad++.exe | | explorer.exe | User: admin; Company: Don HO [email protected]; Integrity Level: MEDIUM; Description: Notepad++ : a free (GNU) source code editor; Version: 7.51 |
| 2692 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | | notepad++.exe | User: admin; Company: Don HO [email protected]; Integrity Level: MEDIUM; Description: GUP : a free (LGPL) Generic Updater; Exit code: 0; Version: 4.1 |
| 2452 | TASKKILL /F /IM chrome.exe | C:\Windows\system32\TASKKILL.exe | — | DLY_755.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Terminates Processes; Exit code: 128; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2572 | TASKKILL /F /IM firefox.exe | C:\Windows\system32\TASKKILL.exe | — | DLY_755.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Terminates Processes; Exit code: 128; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2952.35724\DOC0014541ENTEL.cmd | — | — | — |
| 2484 | cmd.exe | C:\Users\Public\admin\admin.vbs | text | 56CDD5A9E1EDBCD94C5EA92B8F0A3161 | 45D97820C6C4A789D7A9EC6D9E8CED0C2EE3F9145A3BAD96577566006CF496D4 |
| 3684 | wscript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\Archivo[1].txt | — | — | — |
| 3684 | wscript.exe | C:\ProgramData\DLY_755\O007VLVNH1OCH0NU3WM6K3VBN9GCC95N | — | — | — |
| 3684 | wscript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\y121[1].zip | compressed | 9CA18555F80A801CC605A6A020EC4C72 | C041F5C03CEDEE735F65C1DA25A60258D696A3AAA6BECEE20CA725609FB2FED2 |
| 3684 | wscript.exe | C:\ProgramData\md.zip | compressed | 9CA18555F80A801CC605A6A020EC4C72 | C041F5C03CEDEE735F65C1DA25A60258D696A3AAA6BECEE20CA725609FB2FED2 |
| 3684 | wscript.exe | C:\ProgramData\i.dat | text | 3B27312CB44FE3AB5785BF01142890D8 | FDB5840EED18F6B885FAC4B2DE118731A145721B3BFE8C00FD2CD594934A0F6D |
| 3684 | wscript.exe | C:\ProgramData\DLY_755\shfolder.dll | executable | ECE36DF929FC2C263C2357EF4EB8CD80 | C0B519ADA091002CA73018084724F7617D79B86D4968C699E0F8E922FEE8627A |
| 3456 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\langs.xml | xml | E792264BEC29005B9044A435FBA185AB | 5298FD2F119C43D04F6CF831F379EC25B4156192278E40E458EC356F9B49D624 |
| 3456 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml | text | AD21A64014891793DD9B21D835278F36 | C24699C9D00ABDD510140FE1B2ACE97BFC70D8B21BF3462DED85AFC4F73FE52F |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | GET | 200 | 104.107.210.17:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D | NL | der | 727 b | whitelisted |
| — | — | GET | 200 | 104.107.210.17:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | NL | der | 471 b | whitelisted |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2692 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted |
| 3684 | wscript.exe | 162.241.2.223:443 | securesdocs.com | CyrusOne LLC | US | unknown |
| 3948 | DLY_755.exe | 162.241.3.14:443 | cadsecuredoc.com | CyrusOne LLC | US | suspicious |
| — | — | 104.107.210.17:80 | ocsp.usertrust.com | Akamai International B.V. | NL | whitelisted |

| Domain | IP | Reputation |
|---|---|---|
| securesdocs.com | | unknown |
| notepad-plus-plus.org | | whitelisted |
| ocsp.usertrust.com | | whitelisted |
| cadsecuredoc.com | | suspicious |

| Process | Message |
|---|---|
| DLY_755.exe | CodeSet_Init: no ICU |
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll |
| notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
| notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093 |