File name: | Sample1.zip |
Full analysis: | https://app.any.run/tasks/b7ff5b0d-4179-47c7-a3cc-ee41cbec3312 |
Verdict: | Malicious activity |
Analysis date: | June 19, 2019, 06:49:27 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v1.0 to extract |
MD5: | 3118D28F4443A48859D2C7217727469F |
SHA1: | D21A90A5DD5893E894D9EAE4F85B636654BF4C88 |
SHA256: | A2CD7AF78EB987CC515284A26E11AD4DC59E68E6C428B1A8589E922914CE6371 |
SSDEEP: | 196608:9nElW6eG9BtROqu7lI3OxBkxTyruntiPcZrHQFXN7zKAl:9daBtR7aI+mtiACXRJl |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 10 |
---|---|
ZipBitFlag: | - |
ZipCompression: | None |
ZipModifyDate: | 2019:06:18 16:04:13 |
ZipCRC: | 0x00000000 |
ZipCompressedSize: | - |
ZipUncompressedSize: | - |
ZipFileName: | known malisious/ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3508 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sample1.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2484 | "C:\Windows\system32\wermgr.exe" "-outproc" "2036" "3192" | C:\Windows\system32\wermgr.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3404 | "C:\Users\admin\Desktop\unins000.exe" | C:\Users\admin\Desktop\unins000.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: Uninstaller Exit code: 3221226540 Version: 51.15.0.0 | ||||
3400 | "C:\Users\admin\Desktop\unins000.exe" | C:\Users\admin\Desktop\unins000.exe | explorer.exe | |
User: admin Integrity Level: HIGH Description: Uninstaller Exit code: 1 Version: 51.15.0.0 | ||||
760 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3508.21133\unknown\VeritasQuickAssist.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3508.21133\unknown\VeritasQuickAssist.exe | WinRAR.exe | |
User: admin Company: Veritas Technologies LLC Integrity Level: MEDIUM Description: Veritas Quick Assist self-extractor Exit code: 0 Version: 2.2.141.81 | ||||
3556 | "C:\Users\admin\AppData\Local\Temp\STSFX1B3E\VeritasQuickAssist.exe" | C:\Users\admin\AppData\Local\Temp\STSFX1B3E\VeritasQuickAssist.exe | VeritasQuickAssist.exe | |
User: admin Company: Veritas Technologies LLC Integrity Level: MEDIUM Description: Veritas Quick Assist self-extractor Exit code: 0 Version: 2.3.152.211 | ||||
968 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3508.21133\unknown\VeritasQuickAssist.exe" isup | C:\Users\admin\AppData\Local\Temp\Rar$EXb3508.21133\unknown\VeritasQuickAssist.exe | VeritasQuickAssist.exe | |
User: admin Company: Veritas Technologies LLC Integrity Level: MEDIUM Description: Veritas Quick Assist self-extractor Version: 2.3.152.211 | ||||
3800 | "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 3 & del C:\Users\admin\AppData\Local\Temp\STSFX1~2\VERITA~1.EXE & rmdir C:\Users\admin\AppData\Local\Temp\STSFX1~2 | C:\Windows\system32\cmd.exe | — | VeritasQuickAssist.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1944 | ping 127.0.0.1 -n 3 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2268 | "C:\Users\admin\AppData\Local\Temp\STSFX1B5B\SymDiag.exe" -iso en -vqapath "C:\Users\admin\AppData\Local\Temp\Rar$EXb3508.21133\unknown\VeritasQuickAssist.exe" isup | C:\Users\admin\AppData\Local\Temp\STSFX1B5B\SymDiag.exe | — | VeritasQuickAssist.exe |
User: admin Company: Veritas Technologies LLC Integrity Level: MEDIUM Description: Veritas Quick Assist Exit code: 3221226540 Version: 2.3.152.211 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3508 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3508.5899\unknown\blat.exe | — | |
MD5:— | SHA256:— | |||
3508 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3508.14495\unknown\unins000.exe | — | |
MD5:— | SHA256:— | |||
3508 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3508.21133\known malisious\ps2htm.exe | executable | |
MD5:37147CD5F4B2752A7A9DD028A739F681 | SHA256:67A02B4EFA2CBFDA45C9662D9C105183B862401CB8FBD846EE52D29BABBDBD04 | |||
2484 | wermgr.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_blat.exe_e180c86c7bb8cbbe20c64097ca9f5b38892d2b5_cab_09a7ab95\appcompat.txt | xml | |
MD5:F2F5873A0B395DB9468CF9D1F8A771BE | SHA256:437774D68CAC028B4CBA8BC12C8E5993591E419E7990CEE6D81A435AB0364000 | |||
3508 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3508.21133\unknown\blat.exe | executable | |
MD5:5C189B05A0E803FA0B771281D9D9E1FD | SHA256:6397D4670119B287338AD617BA2238BD7FA3F5CD5C5510849A13CBBF5731AC99 | |||
3508 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3508.21133\known malisious\module.sfx | executable | |
MD5:B30EB8F5FDFDE64C3BF087502E96DD96 | SHA256:4F74A25BE621038FA20CA0BBC18A060A180E10936682D0155D3D818925772360 | |||
3508 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3508.21133\unknown\eventlog.wlx | executable | |
MD5:EB9096E1C5396F27450A027A0DEC76AD | SHA256:1614D002A13792508C6B680FB52C2104273E2C081AA43883F68D3FCB14BCCB3A | |||
3508 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3508.21133\known malisious\1module.sfx | executable | |
MD5:A6B126B3BEB03F813F4F7AA2D52C8D52 | SHA256:CF812D72058870884D53F7D7A6D0D2B1A633D2F73B7148245A985632B56A2CC1 | |||
3508 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3508.21133\unknown\3dm.wlx | executable | |
MD5:AC2BE5E17FA26DEDF260C9E6776E7B5E | SHA256:8CD6760CC9C3E5C02056D3DA2A832B5FE8627BA14C04BBDB7499521529577837 | |||
3508 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3508.21133\unknown\dfctrl.ocx | executable | |
MD5:1EBCEBA9F9A19232B9F1BFF2402C673B | SHA256:40BA4D96EE4428BB758DF37B2A82BCF0761B31BC1982735EECCDEAE8C0546513 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
760 | VeritasQuickAssist.exe | GET | 301 | 2.19.45.226:80 | http://www.veritas.com/content/dam/VQA/VeritasQuickAssist.exe | unknown | — | — | whitelisted |
760 | VeritasQuickAssist.exe | GET | 301 | 2.19.45.226:80 | http://www.veritas.com/content/dam/VQA/QuickAssistVer.txt | unknown | — | — | whitelisted |
760 | VeritasQuickAssist.exe | GET | 200 | 23.37.43.27:80 | http://ts-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQd11mpyHEqFCSocj4SCu93CBydHAQUr2PWyqNOhXLgp7xB8ymiOH%2BAdWICEHvU5a%2B6zAc%2FoQEjBCJBTRI%3D | NL | der | 1.55 Kb | whitelisted |
2324 | SymDiagUi3.exe | POST | 200 | 52.5.213.152:80 | http://telemetry.community.veritas.com/entt | US | text | 3 b | unknown |
760 | VeritasQuickAssist.exe | GET | 200 | 23.37.43.27:80 | http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D | NL | der | 1.71 Kb | whitelisted |
968 | VeritasQuickAssist.exe | GET | 301 | 2.19.45.226:80 | http://www.veritas.com/content/dam/VQA/sdupdate.dat | unknown | — | — | whitelisted |
760 | VeritasQuickAssist.exe | GET | 200 | 23.37.43.27:80 | http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FYHKj6JjF6UBieQioTYpFsuEriQQUtnf6aUhHn1MS1cLqBzJ2B9GXBxkCEHsFsdRJaFFE98mJ0pwZnRI%3D | NL | der | 1.68 Kb | shared |
760 | VeritasQuickAssist.exe | GET | 200 | 23.37.43.27:80 | http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEGaUcG%2FGFesgVls9jILcdXA%3D | NL | der | 1.57 Kb | shared |
3556 | VeritasQuickAssist.exe | POST | 200 | 52.5.213.152:80 | http://telemetry.community.veritas.com/entt | US | text | 3 b | unknown |
2324 | SymDiagUi3.exe | POST | 200 | 52.5.213.152:80 | http://telemetry.community.veritas.com/entt | US | text | 3 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3556 | VeritasQuickAssist.exe | 52.5.213.152:80 | telemetry.community.veritas.com | Amazon.com, Inc. | US | unknown |
760 | VeritasQuickAssist.exe | 23.37.43.27:80 | s2.symcb.com | Akamai Technologies, Inc. | NL | whitelisted |
760 | VeritasQuickAssist.exe | 2.19.45.226:80 | www.veritas.com | Akamai International B.V. | — | whitelisted |
— | — | 23.37.43.27:80 | s2.symcb.com | Akamai Technologies, Inc. | NL | whitelisted |
760 | VeritasQuickAssist.exe | 2.19.45.226:443 | www.veritas.com | Akamai International B.V. | — | whitelisted |
968 | VeritasQuickAssist.exe | 2.19.45.226:80 | www.veritas.com | Akamai International B.V. | — | whitelisted |
2324 | SymDiagUi3.exe | 52.5.213.152:80 | telemetry.community.veritas.com | Amazon.com, Inc. | US | unknown |
968 | VeritasQuickAssist.exe | 2.19.45.226:443 | www.veritas.com | Akamai International B.V. | — | whitelisted |
— | — | 52.5.213.152:80 | telemetry.community.veritas.com | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
www.veritas.com |
| unknown |
aemqa.veritas.com |
| unknown |
s2.symcb.com |
| whitelisted |
sv.symcd.com |
| shared |
s.symcd.com |
| shared |
ts-ocsp.ws.symantec.com |
| whitelisted |
telemetry.community.veritas.com |
| unknown |