File name: | Illegal_Services-main.zip |
Full analysis: | https://app.any.run/tasks/0e16b94f-60f5-402b-a6dc-8118674a5e45 |
Verdict: | Malicious activity |
Analysis date: | August 12, 2022, 14:36:12 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v1.0 to extract |
MD5: | 06F7BF547914ED645C007627D82789A7 |
SHA1: | 06D8260039B241A55E05520C341D35633FA2107E |
SHA256: | A18B78BD9BAD355929B666C5A2224EC74718BF4B3A897AF173B358A9028D1B97 |
SSDEEP: | 393216:tQaT7uZztcOKKMg+oSFkQRPtOHMmFqpA//3yUxMSLWO3qEv6eWxhl:L7W5cVKP+XFkQRPt8f/iUB6Ev6eWx/ |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 10 |
---|---|
ZipBitFlag: | - |
ZipCompression: | None |
ZipModifyDate: | 2022:07:14 15:02:25 |
ZipCRC: | 0x00000000 |
ZipCompressedSize: | - |
ZipUncompressedSize: | - |
ZipFileName: | Illegal_Services-main/ |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3024 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Illegal_Services-main.zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
3492 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.15063\Illegal_Services-main\Illegal_Services.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.15063\Illegal_Services-main\Illegal_Services.exe | — | WinRAR.exe | |||||||||||
User: admin Company: IB_U_Z_Z_A_R_Dl Integrity Level: MEDIUM Description: Illegal Services Exit code: 3221226540 Version: 6. 1. 7. 5 Modules
| |||||||||||||||
2888 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.15063\Illegal_Services-main\Illegal_Services.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.15063\Illegal_Services-main\Illegal_Services.exe | WinRAR.exe | ||||||||||||
User: admin Company: IB_U_Z_Z_A_R_Dl Integrity Level: HIGH Description: Illegal Services Exit code: 0 Version: 6. 1. 7. 5 Modules
| |||||||||||||||
1976 | cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\8OJSXJTU.bat" "C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.15063\Illegal_Services-main\Illegal_Services.exe" " | C:\Windows\system32\cmd.exe | — | Illegal_Services.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2824 | attrib -s -h "C:\Users\admin\AppData\Local\Temp\8OJSXJTU.bat" | C:\Windows\system32\attrib.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Attribute Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3088 | attrib +s +h +i "C:\Users\admin\AppData\Local\Temp\8OJSXJTU.bat" | C:\Windows\system32\attrib.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Attribute Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3324 | findstr /v "f7f81a39-5f63-5b42-9efd-1f13b5431005quot; "C:\Users\admin\AppData\Local\Temp\8OJSXJTU.bat" | C:\Windows\system32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Find String (QGREP) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3444 | findstr /v "f7f81a39-5f63-5b42-9efd-1f13b5431005quot; "C:\Users\admin\AppData\Local\Temp\8OJSXJTU.bat" | C:\Windows\system32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Find String (QGREP) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2308 | chcp 65001 | C:\Windows\system32\chcp.com | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Change CodePage Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2408 | C:\Windows\system32\cmd.exe /c forfiles /m "Illegal_Services.exe" /c "cmd /c echo 0x1B" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
|
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Illegal_Services-main.zip | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.15063\Illegal_Services-main\README.md | text | |
MD5:E515D27D5FCB15E78570A8AF4723F3D3 | SHA256:96FAA32058D5B9A97928964BA078DD3B6D205DEDA5D147BC980227FA067001A3 | |||
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.15063\Illegal_Services-main\Illegal_Services.exe | executable | |
MD5:66D0EA0833AB7B06621BD871CD68BD09 | SHA256:C1374A0F81E3B8C05CB8E47AA1241D09E9B840E2844366027DD9F6F686A3D56A | |||
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.15063\Illegal_Services-main\ChangeLog.txt | text | |
MD5:07D01D1E0B9ABF35FE03D07BD05C742F | SHA256:32643AE7BA508193FB24BC11447F7AE2EDAB3B6D46EF60CFC6CE610C13494E19 | |||
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.15063\Illegal_Services-main\EULA.rtf | text | |
MD5:D637221F9CF08906BFBFBDFB5077AD8C | SHA256:196FA5F8A3072D18CA9497BCBCA24F89F2B7C63C1B3D6E9B39C0F529443ED273 | |||
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.15063\Illegal_Services-main\lib\backgrounds\background-11.jpg | image | |
MD5:E5A334E8FE228678044EDC42639F02AF | SHA256:450EEB7971F122C5FBB13C2B0B04C75BAC926896C107CE72510F5F0BB200C1FA | |||
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.15063\Illegal_Services-main\lib\backgrounds\background-1.jpg | image | |
MD5:D156D6EAF931D4F2C8A93DAD8072BA88 | SHA256:7A87FE781EBB56EACAA7440AA97E070B4A7503360A0487AF6B3A0D549F6C0AE3 | |||
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.15063\Illegal_Services-main\lib\7za\x86\7za.dll | executable | |
MD5:3107CAECF7EC7A7CE12D05F9C3AB078F | SHA256:BD377BA96FF8D3CBAEA98190C8A60F32DC9D64DD44EED9AADE05D3A74D935701 | |||
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.15063\Illegal_Services-main\lib\7za\x64\7za.dll | executable | |
MD5:5E79330DFA8F102DA34A4AE39B181DA1 | SHA256:F306D5766040C252E312893B232CD985B5BF8C7BB1856DB78CCE9FB2D4A4FF58 | |||
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.15063\Illegal_Services-main\lib\OpenFileBox.exe | executable | |
MD5:867FF8BE4D59E321F40A5ADF1EBAFC87 | SHA256:E30EACC0079EEA5F32174FC258A717F5BD6671CA7D44911B7F06361590338793 | |||
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.15063\Illegal_Services-main\lib\7za\x64\7zxa.dll | executable | |
MD5:275114D5C4EE6285991160671424E162 | SHA256:FC831C36755602B29B042E7E8079CEA4639489BD72FBACA0835CDE93AFF7885E |