File name: | Sample1.zip |
Full analysis: | https://app.any.run/tasks/8348cc6b-ab16-49aa-a90f-5322bbac61c7 |
Verdict: | Malicious activity |
Analysis date: | June 19, 2019, 05:34:27 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v1.0 to extract |
MD5: | 3118D28F4443A48859D2C7217727469F |
SHA1: | D21A90A5DD5893E894D9EAE4F85B636654BF4C88 |
SHA256: | A2CD7AF78EB987CC515284A26E11AD4DC59E68E6C428B1A8589E922914CE6371 |
SSDEEP: | 196608:9nElW6eG9BtROqu7lI3OxBkxTyruntiPcZrHQFXN7zKAl:9daBtR7aI+mtiACXRJl |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 10 |
---|---|
ZipBitFlag: | - |
ZipCompression: | None |
ZipModifyDate: | 2019:06:18 16:04:13 |
ZipCRC: | 0x00000000 |
ZipCompressedSize: | - |
ZipUncompressedSize: | - |
ZipFileName: | known malisious/ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2176 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sample1.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1736 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.2005\known malisious\mscontrol.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.2005\known malisious\mscontrol.exe | — | WinRAR.exe |
User: admin Company: SCHM-Soft Integrity Level: MEDIUM Exit code: 0 Version: 0.1.1.0 | ||||
1096 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
324 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.14541\known malisious\upxg.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.14541\known malisious\upxg.exe | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM | ||||
3116 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.17155\known malisious\upxg.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.17155\known malisious\upxg.exe | WinRAR.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2976 | "C:\Users\admin\AppData\Local\Temp\upx.exe" -d mscontrol.exe | C:\Users\admin\AppData\Local\Temp\upx.exe | — | upxg.exe |
User: admin Company: The UPX Team http://upx.sf.net Integrity Level: MEDIUM Description: UPX executable packer Exit code: 2 Version: 2.02 (2006-08-13) | ||||
2788 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.23483\unknown\VeritasQuickAssist.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.23483\unknown\VeritasQuickAssist.exe | WinRAR.exe | |
User: admin Company: Veritas Technologies LLC Integrity Level: MEDIUM Description: Veritas Quick Assist self-extractor Exit code: 0 Version: 2.2.141.81 | ||||
2820 | "C:\Users\admin\AppData\Local\Temp\STSFX6228\VeritasQuickAssist.exe" | C:\Users\admin\AppData\Local\Temp\STSFX6228\VeritasQuickAssist.exe | VeritasQuickAssist.exe | |
User: admin Company: Veritas Technologies LLC Integrity Level: MEDIUM Description: Veritas Quick Assist self-extractor Exit code: 0 Version: 2.3.152.211 | ||||
2636 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.23483\unknown\VeritasQuickAssist.exe" isup | C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.23483\unknown\VeritasQuickAssist.exe | VeritasQuickAssist.exe | |
User: admin Company: Veritas Technologies LLC Integrity Level: MEDIUM Description: Veritas Quick Assist self-extractor Version: 2.3.152.211 | ||||
864 | "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 3 & del C:\Users\admin\AppData\Local\Temp\STSFX6~2\VERITA~1.EXE & rmdir C:\Users\admin\AppData\Local\Temp\STSFX6~2 | C:\Windows\system32\cmd.exe | — | VeritasQuickAssist.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2176 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.2005\known malisious\1module.sfx | executable | |
MD5:A6B126B3BEB03F813F4F7AA2D52C8D52 | SHA256:CF812D72058870884D53F7D7A6D0D2B1A633D2F73B7148245A985632B56A2CC1 | |||
2176 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.2005\known malisious\ps2htm.exe | executable | |
MD5:37147CD5F4B2752A7A9DD028A739F681 | SHA256:67A02B4EFA2CBFDA45C9662D9C105183B862401CB8FBD846EE52D29BABBDBD04 | |||
2176 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.2005\known malisious\upxg.exe | executable | |
MD5:E58DACD3AA99CCECF12C070710EEF91B | SHA256:4677FD6685308C26B9A134116875D50546EA3E652F83FBDB984E9AC966279539 | |||
2176 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.2005\unknown\blat.exe | executable | |
MD5:5C189B05A0E803FA0B771281D9D9E1FD | SHA256:6397D4670119B287338AD617BA2238BD7FA3F5CD5C5510849A13CBBF5731AC99 | |||
2176 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.2005\known malisious\module.sfx | executable | |
MD5:B30EB8F5FDFDE64C3BF087502E96DD96 | SHA256:4F74A25BE621038FA20CA0BBC18A060A180E10936682D0155D3D818925772360 | |||
2176 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.2005\unknown\lameacm.acm | executable | |
MD5:8664145C840875D3A10E81AFA9359B75 | SHA256:4C4AC6118BF15F8BD47CCFE1C05DBB063F2A6729CFF734A5658DFDFDB83B7202 | |||
2176 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.2005\unknown\sldpreview.wlx | executable | |
MD5:5F4C685B3294A33C95074C3AEC993634 | SHA256:3C8C6C2B1FC6A077CF028A85FAF146CE819B892EA43F588A519BE2E3B7F89273 | |||
2176 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.2005\unknown\dfctrl.ocx | executable | |
MD5:1EBCEBA9F9A19232B9F1BFF2402C673B | SHA256:40BA4D96EE4428BB758DF37B2A82BCF0761B31BC1982735EECCDEAE8C0546513 | |||
2176 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.2005\unknown\unins000.exe | executable | |
MD5:AFC596C2CFF8033AD9CD7146EF7A9E18 | SHA256:3658A313C4BC6DDD6BAA62B6B02B05719063645BE39159FED4B9DB11C47AAF0B | |||
2176 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2176.2005\unknown\eventlog.wlx | executable | |
MD5:EB9096E1C5396F27450A027A0DEC76AD | SHA256:1614D002A13792508C6B680FB52C2104273E2C081AA43883F68D3FCB14BCCB3A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2788 | VeritasQuickAssist.exe | GET | 301 | 2.19.45.226:80 | http://www.veritas.com/content/dam/VQA/VeritasQuickAssist.exe | unknown | — | — | whitelisted |
2788 | VeritasQuickAssist.exe | GET | 301 | 2.19.45.226:80 | http://www.veritas.com/content/dam/VQA/QuickAssistVer.txt | unknown | — | — | whitelisted |
2788 | VeritasQuickAssist.exe | GET | 200 | 23.37.43.27:80 | http://ts-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQd11mpyHEqFCSocj4SCu93CBydHAQUr2PWyqNOhXLgp7xB8ymiOH%2BAdWICEHvU5a%2B6zAc%2FoQEjBCJBTRI%3D | NL | der | 1.55 Kb | whitelisted |
2788 | VeritasQuickAssist.exe | GET | 200 | 23.37.43.27:80 | http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FYHKj6JjF6UBieQioTYpFsuEriQQUtnf6aUhHn1MS1cLqBzJ2B9GXBxkCEHsFsdRJaFFE98mJ0pwZnRI%3D | NL | der | 1.68 Kb | shared |
2788 | VeritasQuickAssist.exe | GET | 200 | 23.37.43.27:80 | http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D | NL | der | 1.71 Kb | whitelisted |
2636 | VeritasQuickAssist.exe | GET | 301 | 2.19.45.226:80 | http://www.veritas.com/content/dam/VQA/sdupdate.dat | unknown | — | — | whitelisted |
2788 | VeritasQuickAssist.exe | GET | 200 | 23.37.43.27:80 | http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEGaUcG%2FGFesgVls9jILcdXA%3D | NL | der | 1.57 Kb | shared |
1380 | SymDiagUi3.exe | POST | 200 | 52.5.213.152:80 | http://telemetry.community.veritas.com/entt | US | text | 3 b | unknown |
1380 | SymDiagUi3.exe | POST | 200 | 52.5.213.152:80 | http://telemetry.community.veritas.com/entt | US | text | 3 b | unknown |
1380 | SymDiagUi3.exe | POST | 200 | 52.5.213.152:80 | http://telemetry.community.veritas.com/entt | US | text | 3 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2820 | VeritasQuickAssist.exe | 52.5.213.152:80 | telemetry.community.veritas.com | Amazon.com, Inc. | US | unknown |
— | — | 52.5.213.152:80 | telemetry.community.veritas.com | Amazon.com, Inc. | US | unknown |
2636 | VeritasQuickAssist.exe | 2.19.45.226:80 | www.veritas.com | Akamai International B.V. | — | whitelisted |
2788 | VeritasQuickAssist.exe | 23.37.43.27:80 | s2.symcb.com | Akamai Technologies, Inc. | NL | whitelisted |
2788 | VeritasQuickAssist.exe | 2.19.45.226:80 | www.veritas.com | Akamai International B.V. | — | whitelisted |
2788 | VeritasQuickAssist.exe | 2.19.45.226:443 | www.veritas.com | Akamai International B.V. | — | whitelisted |
1380 | SymDiagUi3.exe | 52.5.213.152:80 | telemetry.community.veritas.com | Amazon.com, Inc. | US | unknown |
2636 | VeritasQuickAssist.exe | 2.19.45.226:443 | www.veritas.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.veritas.com |
| unknown |
aemqa.veritas.com |
| unknown |
s2.symcb.com |
| whitelisted |
sv.symcd.com |
| shared |
s.symcd.com |
| shared |
ts-ocsp.ws.symantec.com |
| whitelisted |
telemetry.community.veritas.com |
| unknown |