Field | Value |
---|---|
File name | GalaxyFN [coazy].rar |
Full analysis | https://app.any.run/tasks/7cd19bd1-f9b7-43d5-a103-7f0133ddebeb |
Verdict | Malicious activity |
Analysis date | May 30, 2020, 14:59:33 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | — |
MIME | application/x-rar |
File info | RAR archive data, v5 |
MD5 | 9B5C893A17D27EC7CB4B44669D873590 |
SHA1 | D5BD516C0B03518AD48EA2492EFCEF54C9CEEA44 |
SHA256 | A5C974123C4EE583FDDB561C22CECEBB54CA2093CBECBF52107C430C59A8623D |
SSDEEP | 12288:OARuVTJQn4GA0IeKGIAWlBjsmEBZZRUYwOLcqr:OARuVTJW8oujRnE1RU/fqr |

Extension | Description | Match (%) |
---|---|---|
.rar | RAR compressed archive (v5.0) | 61.5 |
.rar | RAR compressed archive (gen) | 38.4 |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
1088 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\GalaxyFN [coazy].rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
2652 | "C:\Users\admin\Desktop\Mapper.exe" | C:\Users\admin\Desktop\Mapper.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540 |
3540 | "C:\Users\admin\Desktop\Mapper.exe" | C:\Users\admin\Desktop\Mapper.exe | — | explorer.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
3248 | C:\Windows\system32\cmd.exe /c cd C:\Windows\apppatch\Custom\Custom64 && mapper.exe gay.sys driver.sys | C:\Windows\system32\cmd.exe | — | Mapper.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
660 | "C:\Windows\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\inject.bat | C:\Windows\System32\NOTEPAD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1088 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1088.12554\GalaxyFN.dll | — | — | — |
1088 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1088.12554\inject.bat | — | — | — |
1088 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1088.12554\Mapper.exe | — | — | — |
1088 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1088.12554\modmap.exe | — | — | — |
3540 | Mapper.exe | C:\Users\admin\AppData\Local\Temp\CabE9C8.tmp | — | — | — |
3540 | Mapper.exe | C:\Users\admin\AppData\Local\Temp\TarE9C9.tmp | — | — | — |
3540 | Mapper.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F | der | 3004632495C436646781AA6DE2F741E3 | 080F9AA444109CA863728A5C765ED0F37C9908BF39098472D0C17C678254C6B3 |
3540 | Mapper.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\8DTRLUGT.txt | text | 9F588C934B64A2B1514582E662D65048 | 5E2AC5FEA63A5B56859A2D5B48CDD166F18F3C63C43FA60B485C917FCEC50449 |
3540 | Mapper.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4 | der | 6102793C6007A506C66AF6CF1C60A0A8 | 44A129FC45C89CD13D2032E88977976111041419CC4A2F550104BCE5D54D3B18 |
3540 | Mapper.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\64DCC9872C5635B1B7891B30665E0558_5552C20A2631357820903FD38A8C0F9F | binary | 6B8ECAE90115260FD2B7A61366C17BC4 | 18DF191E85F86365DD9F29441D47E1D2C9003B3E2BF73DC497EC797776B78E19 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3540 | Mapper.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTOpjOEf6LG1z52jqAxwDlTxoaOCgQUQAlhZ%2FC8g3FP3hIILG%2FU1Ct2PZYCEDJAnJQUGG0bwuno3m2vDJ8%3D | US | der | 279 b | whitelisted |
3540 | Mapper.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEBblhnjgcJQ5S9%2FbTvymO98%3D | US | der | 471 b | whitelisted |
3540 | Mapper.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D | US | der | 312 b | whitelisted |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3540 | Mapper.exe | 151.139.128.14:80 | ocsp.comodoca.com | Highwinds Network Group, Inc. | US | suspicious |
3540 | Mapper.exe | 162.159.129.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |

Domain | IP | Reputation |
---|---|---|
cdn.discordapp.com | — | shared |
ocsp.comodoca.com | — | whitelisted |
ocsp.comodoca4.com | — | whitelisted |