File name: | Main_2023-main.zip |
Full analysis: | https://app.any.run/tasks/377c80fb-153d-4012-83f4-3d079e448475 |
Verdict: | Malicious activity |
Analysis date: | March 31, 2023, 22:37:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v1.0 to extract |
MD5: | B9CA33B6D5B444414794049ECAE60670 |
SHA1: | EE82F9A2D962D74B846E74F508E0745316FD3AE0 |
SHA256: | A58F9796AC977F489C9394DC38E967F7EAABFC98DF3A29569F65E2C8EF85A219 |
SSDEEP: | 98304:8/geo/CAoNuGIzMJiq1I9UYQOyirGNKjMaOS5znQ8UJ:8/geNmGgu1IHVrGNyMXWnS |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Main_2023-main/ |
---|---|
ZipUncompressedSize: | - |
ZipCompressedSize: | - |
ZipCRC: | 0x00000000 |
ZipModifyDate: | 2023:03:31 12:28:06 |
ZipCompression: | None |
ZipBitFlag: | - |
ZipRequiredVersion: | 10 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2640 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Main_2023-main.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
3388 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa2640.22834\Newversionunlimited.zip | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
4080 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa2640.23940\Readme.txt | C:\Windows\System32\notepad.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2816 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3388.24618\Setup_x64.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3388.24618\Setup_x64.exe | — | WinRAR.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
2128 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3388.24618\Setup_x64.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3388.24618\Setup_x64.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 3221225477 Modules
| |||||||||||||||
3512 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Setup_x64.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
|
(PID) Process: | (2640) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2640) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (2640) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (2640) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
(PID) Process: | (2640) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2640) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2640) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2640) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2640) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2640) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2640 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2640.23940\Readme.txt | text | |
MD5:3EDC2685C67E1C93D018E7853D463DD1 | SHA256:EADC28D9084C25136E5CE0B65C6A230BFD09B601968308AEAF55ACE84A94F98B | |||
2640 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2640.22834\Newversionunlimited.zip | compressed | |
MD5:DE4B1E730828F90C64150A667B9051EF | SHA256:69CB6A8F0DE4B327752CB2FF710825E1E0C142A6F0E5263F7E3E62EE5C131155 | |||
3388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3388.24618\res\cravats\broachOneill\shaleDashikiBajoire\ecuadorCapers.xml | xml | |
MD5:7411966BA263E7EBAA428C782FE9FC45 | SHA256:8C85E34D186C96A65990D7B2C0B47C261FD7DA381679C604A30937CAE07BE62F | |||
3388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3388.24618\res\cravats\broachOneill\busto.xml | xml | |
MD5:A6440D04AA8B84A3F7B373142F46AEC8 | SHA256:774579308B68D19F8EA3252E3CB51067A816BBFCC6B7F7668993110DB438BE90 | |||
3388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3388.24618\res\cravats\broachOneill\shaleDashikiBajoire\wabeno.xml | xml | |
MD5:F2D7A9F2F50A918A0CAAFB345FFAAE4E | SHA256:00259CFB0F798679FF11417E67EA145558E0A70918639F6A3B772F99A0C9A48C | |||
3388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3388.24618\res\cravats\broachOneill\shaleDashikiBajoire\fungo.xml | xml | |
MD5:244DEA20FA36286413B32ECD871A571A | SHA256:0D4147559C86524890FA9948213AA184761C3F9F31B520197DFF96F22241F438 | |||
3388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3388.24618\res\cravats\broachOneill\badju.xml | xml | |
MD5:3BF18759130B47393436CAD4C8260AA7 | SHA256:6847F8FC741480A253E5D94FFB0AF9821C5F97B8DCF1B1E37CC4E8EA4919DF25 | |||
3388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3388.24618\res\cravats\broachOneill\gabblerTinderyBeaming.xml | xml | |
MD5:26484E50798901E7AA126B2964129325 | SHA256:4B3BAD92CDB31EBDAA0088EF4852859EE847220FFF0DA8B841C4C1A89E348555 | |||
3388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3388.24618\res\cravats\broachOneill\shaleDashikiBajoire\humidorUnsealsUnbank.xml | xml | |
MD5:416DEF4CC90C4B083BBB37E05976B814 | SHA256:992EA798C938903B33ABBC2340FD185C7607C5D20FE008455E7026882E2584BB | |||
3388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3388.24618\res\cravats\broachOneill\solfegePumpageCityish.xml | xml | |
MD5:F14F9BB6C60E45BB0E1F843109848F73 | SHA256:11986840B99F41F688B04E03A968BC7C984369EFE0823A9873FCCDAC62683DB7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3512 | RegSvcs.exe | POST | 200 | 82.117.255.127:80 | http://82.117.255.127/c2sock | US | text | 5 b | malicious |
3512 | RegSvcs.exe | POST | 200 | 82.117.255.127:80 | http://82.117.255.127/c2sock | US | text | 5 b | malicious |
3512 | RegSvcs.exe | POST | 200 | 82.117.255.127:80 | http://82.117.255.127/c2sock | US | text | 5 b | malicious |
3512 | RegSvcs.exe | POST | 200 | 82.117.255.127:80 | http://82.117.255.127/c2sock | US | text | 5 b | malicious |
3512 | RegSvcs.exe | POST | 200 | 82.117.255.127:80 | http://82.117.255.127/c2sock | US | text | 5 b | malicious |
3512 | RegSvcs.exe | POST | 200 | 82.117.255.127:80 | http://82.117.255.127/c2sock | US | text | 5 b | malicious |
3512 | RegSvcs.exe | POST | 200 | 82.117.255.127:80 | http://82.117.255.127/c2sock | US | text | 5 b | malicious |
3512 | RegSvcs.exe | POST | 200 | 82.117.255.127:80 | http://82.117.255.127/c2sock | US | text | 5 b | malicious |
3512 | RegSvcs.exe | POST | 200 | 82.117.255.127:80 | http://82.117.255.127/c2sock | US | text | 5 b | malicious |
3512 | RegSvcs.exe | POST | 200 | 82.117.255.127:80 | http://82.117.255.127/c2sock | US | text | 5 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3512 | RegSvcs.exe | 82.117.255.127:80 | — | — | US | malicious |
PID | Process | Class | Message |
---|---|---|---|
3512 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 |
3512 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 |
3512 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 |
3512 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 |
3512 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 |
3512 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 |
3512 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 |
3512 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 |
3512 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 |
3512 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 |