Field | Value
---|---
File name | wirus.zip
Full analysis | https://app.any.run/tasks/dbf8fb0d-d05b-47b8-8747-a2785eb1985f
Verdict | Malicious activity
Analysis date | October 20, 2020, 11:55:49
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | 9028E94885758EB087B4C2DBE18272B4
SHA1 | 10284E1FAB3FC670480E6611F81A441F129E366E
SHA256 | 9DFABC6FFD041A6C71CBDCFB85D574ACF2A36CD6638D546A32E1BBB2D586FCDD
SSDEEP | 3072:BG8QIi1h5pG3rZNn9FmB0LFDg3DR99c+4+DypuA:BAIi9o9FmFbB4Cs

Extension | Type
---|---
.zip | ZIP compressed archive (100)

Field | Value
---|---
ZipRequiredVersion | 20
ZipBitFlag | -
ZipCompression | Deflated
ZipModifyDate | 2020:10:20 13:49:27
ZipCRC | 0x239b33e5
ZipCompressedSize | 137361
ZipUncompressedSize | 344110
ZipFileName | vziFjORGmRTm.exe

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2532 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\wirus.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe
| User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 | | |
3512 | "C:\Users\admin\Desktop\vziFjORGmRTm.exe" | C:\Users\admin\Desktop\vziFjORGmRTm.exe | — | explorer.exe
| User: admin; Company: Twenty Squares; Integrity Level: MEDIUM; Description: Addictedsarah chaturbate iree token; Exit code: 0; Version: 1.00 | | |
2492 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\vziFjORGmRTm.exe" | C:\Program Files\Notepad++\notepad++.exe | | explorer.exe
| User: admin; Company: Don HO [email protected]; Integrity Level: MEDIUM; Description: Notepad++ : a free (GNU) source code editor; Exit code: 0; Version: 7.51 | | |
612 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | | notepad++.exe
| User: admin; Company: Don HO [email protected]; Integrity Level: MEDIUM; Description: GUP : a free (LGPL) Generic Updater; Exit code: 0; Version: 4.1 | | |
2052 | "C:\Users\admin\Desktop\vziFjORGmRTm.exe" | C:\Users\admin\Desktop\vziFjORGmRTm.exe | — | explorer.exe
| User: admin; Company: Twenty Squares; Integrity Level: MEDIUM; Description: Addictedsarah chaturbate iree token; Exit code: 0; Version: 1.00 | | |

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3512 | vziFjORGmRTm.exe | C:\Users\admin\AppData\Local\Temp\~DFBFDD8A4974737D37.TMP | — | — | —
2052 | vziFjORGmRTm.exe | C:\Users\admin\AppData\Local\Temp\~DF56C8DF4BA659A6C7.TMP | — | — | —
2492 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\session.xml | text | F0FD4D7806C65E6AB9BBFE985F8346F1 | 96704EF4255C8F747DA4E45D23FDC9EFC4D93957285257FA3575C1B086B80F5F
2532 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2532.31120\vziFjORGmRTm.exe | executable | 976CE874A3E8D74B9E03AE9E634EFA56 | 44EBD974B670C78AE0DB7FFFAE2E4D6A971A069DB4E68E34B9F33C66A1F054BF
2492 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\config.xml | xml | EBF087AC1CC677F3BA53F22C406FA43B | DF73F889E7A6135DD06025390A2E59B080D06D0BAA0ACEB0FB65769C296B2E1C

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
— | — | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
612 | gup.exe | 172.67.218.84:443 | notepad-plus-plus.org | — | US | malicious
612 | gup.exe | 104.31.89.28:443 | notepad-plus-plus.org | Cloudflare Inc | US | shared

Domain | IP | Reputation
---|---|---
notepad-plus-plus.org | | whitelisted
ocsp.digicert.com | | whitelisted

Process | Message
---|---
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093