File name: | soft.zip |
Full analysis: | https://app.any.run/tasks/71dd49d3-2024-4854-88ae-ee4de2a2ae52 |
Verdict: | Malicious activity |
Analysis date: | November 30, 2020, 00:42:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 46BCD115D5CD7DDF16E110D98C412B8F |
SHA1: | A7D40C473130F7D382130C8BF8E90BDD6331A5EF |
SHA256: | 984CEA30B2B4885258E9BE925283A0E4665A8D454992EB8655465E3929B38154 |
SSDEEP: | 6144:1nVr9TELeBVT/a7FHHrN5HueRQ0hG6jCjBLqLnlReL4jiUKsahNqZLV:1l9TELSKtrN5OeRQF1jMlReLqiUKsaab |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Leaf.xNet.dll |
---|---|
ZipUncompressedSize: | 132608 |
ZipCompressedSize: | 53026 |
ZipCRC: | 0x837a1795 |
ZipModifyDate: | 2020:05:28 17:46:02 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2476 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\soft.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
3664 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1564 | "C:\Users\admin\Desktop\soft.exe" | C:\Users\admin\Desktop\soft.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Youtube-Viewers Version: 1.0.0.0 Modules
|
(PID) Process: | (2476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2476) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\soft.zip | |||
(PID) Process: | (2476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2476) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2476) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E |
Operation: | write | Name: | @C:\Windows\System32\msxml3r.dll,-1 |
Value: XML Document | |||
(PID) Process: | (3664) SearchProtocolHost.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\13B\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US |
PID | Process | Filename | Type | |
---|---|---|---|---|
2476 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2476.33225\Leaf.xNet.dll | — | |
MD5:— | SHA256:— | |||
2476 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2476.33225\Leaf.xNet.xml | — | |
MD5:— | SHA256:— | |||
2476 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2476.33225\MyProxy_44300 HTTPS.txt | — | |
MD5:— | SHA256:— | |||
2476 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2476.33225\soft.exe | — | |
MD5:— | SHA256:— | |||
1564 | soft.exe | C:\Users\admin\AppData\Local\Temp\Cab6C9E.tmp | — | |
MD5:— | SHA256:— | |||
1564 | soft.exe | C:\Users\admin\AppData\Local\Temp\Tar6C9F.tmp | — | |
MD5:— | SHA256:— | |||
1564 | soft.exe | C:\Users\admin\AppData\Local\Temp\Cab6CBF.tmp | — | |
MD5:— | SHA256:— | |||
1564 | soft.exe | C:\Users\admin\AppData\Local\Temp\Tar6CC0.tmp | — | |
MD5:— | SHA256:— | |||
1564 | soft.exe | C:\Users\admin\AppData\Local\Temp\Cab6EB5.tmp | — | |
MD5:— | SHA256:— | |||
1564 | soft.exe | C:\Users\admin\AppData\Local\Temp\Tar6EB6.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1564 | soft.exe | CONNECT | — | 103.123.246.66:8080 | http://m.youtube.com:8080m.youtube.com:443 | unknown | — | — | suspicious |
1564 | soft.exe | CONNECT | — | 185.117.9.210:8080 | http://m.youtube.com:8080m.youtube.com:443 | IQ | — | — | unknown |
1564 | soft.exe | CONNECT | — | 140.238.17.59:80 | http://m.youtube.comm.youtube.com:443 | US | — | — | suspicious |
1564 | soft.exe | CONNECT | — | 182.71.146.148:8080 | http://m.youtube.com:8080m.youtube.com:443 | IN | — | — | suspicious |
1564 | soft.exe | CONNECT | — | 103.112.163.245:8080 | http://m.youtube.com:8080m.youtube.com:443 | unknown | — | — | unknown |
1564 | soft.exe | CONNECT | — | 163.43.108.114:8080 | http://m.youtube.com:8080m.youtube.com:443 | JP | — | — | unknown |
1564 | soft.exe | CONNECT | — | 159.192.138.170:8080 | http://m.youtube.com:8080m.youtube.com:443 | TH | — | — | suspicious |
1564 | soft.exe | CONNECT | — | 103.111.29.253:8080 | http://m.youtube.com:8080m.youtube.com:443 | unknown | — | — | suspicious |
1564 | soft.exe | CONNECT | — | 103.4.145.237:8080 | http://m.youtube.com:8080m.youtube.com:443 | BD | — | — | suspicious |
1564 | soft.exe | CONNECT | — | 103.134.213.50:8080 | http://m.youtube.com:8080m.youtube.com:443 | unknown | — | — | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1564 | soft.exe | 182.53.206.26:45336 | — | TOT Public Company Limited | TH | suspicious |
1564 | soft.exe | 103.134.213.50:8080 | — | — | — | unknown |
1564 | soft.exe | 117.204.253.137:8080 | — | National Internet Backbone | IN | suspicious |
1564 | soft.exe | 159.192.138.170:8080 | — | CAT TELECOM Public Company Ltd,CAT | TH | suspicious |
1564 | soft.exe | 167.99.154.98:3128 | — | — | US | unknown |
1564 | soft.exe | 183.89.64.243:8080 | — | Triple T Internet/Triple T Broadband | TH | unknown |
1564 | soft.exe | 103.89.159.5:8080 | — | P.D.S. Server Network Pvt. Ltd. | NP | unknown |
1564 | soft.exe | 140.238.17.59:80 | — | Oracle Corporation | US | suspicious |
1564 | soft.exe | 178.238.41.103:5836 | — | Master Internet s.r.o. | CZ | unknown |
1564 | soft.exe | 121.101.191.190:63141 | — | PT. BORNEO BROADBAND TECHNOLOGY | ID | unknown |
Domain | IP | Reputation |
---|---|---|
www.download.windowsupdate.com |
| whitelisted |
pki-sha2-adc.averydennison.net |
| unknown |
pki-sha2-euc.averydennison.net |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
1564 | soft.exe | Generic Protocol Command Decode | SURICATA STREAM suspected RST injection |
1564 | soft.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (CONNECT) |
1564 | soft.exe | Generic Protocol Command Decode | SURICATA STREAM suspected RST injection |
1564 | soft.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
1564 | soft.exe | Generic Protocol Command Decode | SURICATA STREAM suspected RST injection |
1564 | soft.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (CONNECT) |
1564 | soft.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (CONNECT) |
1564 | soft.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (CONNECT) |
1564 | soft.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (CONNECT) |
1564 | soft.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (CONNECT) |