Field | Value
---|---
File name | infected.zip
Full analysis | https://app.any.run/tasks/93228488-85e7-4725-87b6-eb9677b1d0f2
Verdict | Malicious activity
Analysis date | February 11, 2019, 10:10:21
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | 0176354AFD84A1F7EB1653A1528C25BE
SHA1 | 753CED9CFB88385A32F38552DD4C475B11DBD3AF
SHA256 | 92582E3305FBDC2FB9E0F261118D47DE269484D122538CB9F9E5E387ACA94842
SSDEEP | 49152:RAGGJoL9xgvLdRrKxZE93Ig7NXg8l2ouetiOrz/tcF:RUJU9xgzdRrKxZYv7NQ8lOehtM
Extension | Description
---|---
.zip | ZIP compressed archive (100)

Field | Value
---|---
ZipFileName | JavaSetup_0896841932.exe
ZipUncompressedSize | 2478622
ZipCompressedSize | 2453001
ZipCRC | 0x0b4ac002
ZipModifyDate | 2019:02:11 10:07:24
ZipCompression | Unknown (99)
ZipBitFlag | 0x0003
ZipRequiredVersion | 20
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
2984 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\infected.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0
2476 | "C:\Users\admin\Desktop\JavaSetup_0896841932.exe" | C:\Users\admin\Desktop\JavaSetup_0896841932.exe | — | explorer.exe | admin | Rosot | MEDIUM | Hefefedele Setup | 0 | 
3728 | "C:\Users\admin\Desktop\JavaSetup_0896841932.exe" /RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl | C:\Users\admin\Desktop\JavaSetup_0896841932.exe | — | JavaSetup_0896841932.exe | admin | Rosot | HIGH | Hefefedele Setup | | 
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | 
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | 
2984 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\infected.zip
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | C:\Users\admin\Desktop
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\0024B43D.log | — | — | —
2984 | WinRAR.exe | C:\Users\admin\Desktop\JavaSetup_0896841932.exe | executable | 8D293B2903F23C149FBE02DAD15009BC | 5DC087DB22AE1EBADCB5B65675F2132691353471CC17A6CF94102DB4D0CBF75A
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\css\main.css | text | 2DBA8638120788C9E3AF6D447181B2F1 | 8089C6915B14118C19498CBCE306220CF009EAFFFADB6818FA130DFE6128F8A8
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\css\main.scss | text | 809FF7028B1952FDAEDE53E407A7DF93 | DE6C3DD2BE22340B3E95E14AE7FF6611CFACD7B9A7B134F536254C48FD3C5DF6
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\css\swAgent.css | text | 2543E3AF757C7D7C8A26C7CF57795F60 | C38892A06C8F50C6386ED794AF4F1EA3E1897AD5F0C7E19594D9EA7B20CFB3F1
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\csshover3.htc | html | 52FA0DA50BF4B27EE625C80D36C67941 | E37E99DDFC73AC7BA774E23736B2EF429D9A0CB8C906453C75B14C029BDD5493
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\css\ie6_main.scss | text | D10348D17ADF8A90670696728F54562D | E8A3D15CF32009B01B9145B6E62FF6CAA9C2981F81CE063578C73C7ADFF08DFC
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\form.bmp.Mask | binary | D2FC989F9C2043CD32332EC0FAD69C70 | 27DD029405CBFB0C3BF8BAC517BE5DB9AA83E981B1DC2BD5C5D6C549FA514101
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\css\helpers\_backgrounds.scss | text | 6092A3768F84CFBC6E5C52301F5B63EA | 8A22A3285F3C7D82AA1A4273BDD62729DA241723507C1ECD5D2FD0A24C12E23B
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\css\helpers\_lists.scss | text | BDA575F11636073D71B86B89C94C6E42 | B15B8DB0368E31991FBE43C121409484562E20FB9599B5B3828E3093217DE163
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3728 | JavaSetup_0896841932.exe | POST | 200 | 52.214.73.247:80 | http://www2.tepat-teku.com/ | IE | — | — | malicious |
3728 | JavaSetup_0896841932.exe | GET | 200 | 95.211.184.67:80 | http://cdn.tepat-teku.com/app/softjug/java_32.png | NL | image | 1.83 Kb | malicious |
3728 | JavaSetup_0896841932.exe | POST | 200 | 52.214.73.247:80 | http://www2.tepat-teku.com/ | IE | — | — | malicious |
3728 | JavaSetup_0896841932.exe | GET | — | 209.95.37.242:80 | http://cdnus.laboratoryconecpttoday.com/app/softjug/javaSetup.exe | US | — | — | malicious |
3728 | JavaSetup_0896841932.exe | GET | — | 209.95.37.242:80 | http://cdnus.laboratoryconecpttoday.com/app/softjug/javaSetup.exe | US | — | — | malicious |
3728 | JavaSetup_0896841932.exe | HEAD | — | 209.95.37.242:80 | http://cdnus.laboratoryconecpttoday.com/app/softjug/javaSetup.exe | US | — | — | malicious |
3728 | JavaSetup_0896841932.exe | POST | 200 | 52.212.157.66:80 | http://cloud.tepat-teku.com/?nocowo=0 | IE | text | 2.17 Kb | malicious |
3728 | JavaSetup_0896841932.exe | POST | — | 52.214.236.246:80 | http://server.tepat-teku.com/ | IE | — | — | malicious |
3728 | JavaSetup_0896841932.exe | POST | 200 | 52.214.236.246:80 | http://secure.tepat-teku.com/ | IE | binary | 513 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3728 | JavaSetup_0896841932.exe | 52.214.73.247:80 | www2.tepat-teku.com | Amazon.com, Inc. | IE | malicious |
3728 | JavaSetup_0896841932.exe | 209.95.37.242:80 | cdnus.laboratoryconecpttoday.com | WestHost, Inc. | US | suspicious |
3728 | JavaSetup_0896841932.exe | 95.211.184.67:80 | cdn.tepat-teku.com | LeaseWeb Netherlands B.V. | NL | malicious |
3728 | JavaSetup_0896841932.exe | 52.214.236.246:80 | server.tepat-teku.com | Amazon.com, Inc. | IE | malicious |
3728 | JavaSetup_0896841932.exe | 52.212.157.66:80 | cloud.tepat-teku.com | Amazon.com, Inc. | IE | malicious |
Domain | IP | Reputation
---|---|---
www2.tepat-teku.com | | malicious
cloud.tepat-teku.com | | malicious
cdn.tepat-teku.com | | malicious
server.tepat-teku.com | | malicious
cdnus.laboratoryconecpttoday.com | | malicious
secure.tepat-teku.com | | malicious
PID | Process | Class | Message |
---|---|---|---|
3728 | JavaSetup_0896841932.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2 |
3728 | JavaSetup_0896841932.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1 |
3728 | JavaSetup_0896841932.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4 |
3728 | JavaSetup_0896841932.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3728 | JavaSetup_0896841932.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3 |