File name: | Order No.179989.zip |
Full analysis: | https://app.any.run/tasks/214a4e57-613b-40f9-b211-aa4bcc92da6a |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | September 30, 2020, 11:25:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | E3C0DB42AF6BBD5B7935281E542E1C4D |
SHA1: | D5F1545A674249A1616F86B3F2C5EDDF12DEB3BD |
SHA256: | 92B35206BEE9013D26927B885DA16E9DB7C89D91268BC9727AF2796FA79466D8 |
SSDEEP: | 6144:U8t2rj9msp8k0+VAfpEA8fP8Bo8lK1LGK4Dw9MsorLZwacOLOq3lIz+5DQ7QLf0u:oAmE2AfyNfLuDw9MXhwO13C9vMdE6 |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Order No.179989.exe |
---|---|
ZipUncompressedSize: | 938496 |
ZipCompressedSize: | 401703 |
ZipCRC: | 0x137e6c80 |
ZipModifyDate: | 2020:09:30 09:01:02 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2756 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Order No.179989.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3828 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2756.1743\Order No.179989.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2756.1743\Order No.179989.exe | WinRAR.exe | |
User: admin Company: T__23839c0U Integrity Level: MEDIUM Description: T__23839c0U Exit code: 0 Version: 20.0.14.1085 | ||||
3416 | C:\Windows\System32\TapiUnattend.exe | C:\Windows\System32\TapiUnattend.exe | Order No.179989.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Windows(TM) Telephony Unattend Action Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2756) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2756) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2756) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2756) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Order No.179989.zip | |||
(PID) Process: | (2756) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2756) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2756) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2756) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2756) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2756) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3828 | Order No.179989.exe | C:\Users\admin\AppData\Local\wwyJ.url | text | |
MD5:D8C143A43C7BED65D5E12B7C1A6EC25D | SHA256:9668E0D709E7962704AC0B84909D9F173CA8E1A3CD3E9F93E1E12C24A15AB9B0 | |||
2756 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2756.1743\Order No.179989.exe | executable | |
MD5:A49FA085310219916988F86F3CE69957 | SHA256:6248E588A8555FA3F30478A577F16A2823C16277EF4E1D7EF7A4C44499F2B211 | |||
3828 | Order No.179989.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Jywwnek.exe | executable | |
MD5:A49FA085310219916988F86F3CE69957 | SHA256:6248E588A8555FA3F30478A577F16A2823C16277EF4E1D7EF7A4C44499F2B211 | |||
3416 | TapiUnattend.exe | C:\Users\admin\AppData\Roaming\remcos\logs.dat | text | |
MD5:8B9AB10461D9079FCF619714A4023632 | SHA256:D5C162083CD3C7E86240D7FBE47F32020059B074A3301941E81AE0B91083CC09 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3828 | Order No.179989.exe | 2.21.38.54:443 | www.microsoft.com | GTT Communications Inc. | FR | malicious |
3828 | Order No.179989.exe | 162.159.134.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
3416 | TapiUnattend.exe | 79.134.225.83:8638 | incidencias6645.ddns.net | Andreas Fink trading as Fink Telecom Services | CH | malicious |
— | — | 79.134.225.83:8638 | incidencias6645.ddns.net | Andreas Fink trading as Fink Telecom Services | CH | malicious |
Domain | IP | Reputation |
---|---|---|
www.microsoft.com |
| whitelisted |
cdn.discordapp.com |
| shared |
incidencias6645.ddns.net |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |