File name: | Rose V3.rar |
Full analysis: | https://app.any.run/tasks/92d51f76-c447-49fe-8849-e29fd8781897 |
Verdict: | Malicious activity |
Analysis date: | May 21, 2022, 09:43:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 5AAEC23E117DFA0FDA911148420D46DE |
SHA1: | 9232BCF5ED0C4C000EDD9411ACDD6DF278B146D5 |
SHA256: | ADDED4300D3048BC827FD897CDF947692654FCD5D36EA18542D49F872DCB9831 |
SSDEEP: | 12288:+wInphGuQjVZI8JNRBkCTVochFP/AN/4gXCExdA25r3+a76M/0qgJF8bji3:DInvy88JNRLTVoyZAOgSwqGDVJ0FD |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2060 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rose V3.rar" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
3596 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) Modules
| |||||||||||||||
2216 | "C:\Users\admin\Desktop\Rose V3\Rose.exe" | C:\Users\admin\Desktop\Rose V3\Rose.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Description: PRose Exit code: 2148734720 Version: 1.0.0.0 Modules
| |||||||||||||||
2836 | "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.6&processName=Rose.exe&platform=0000&osver=5&isServer=0&shimver=4.0.30319.34209 | C:\Program Files\Internet Explorer\iexplore.exe | — | Rose.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3828 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2836 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1780 | "C:\Users\admin\Desktop\Rose V3\ROSED.exe" | C:\Users\admin\Desktop\Rose V3\ROSED.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Description: Stub Exit code: 2148734720 Version: 1.0.0.0 Modules
| |||||||||||||||
344 | "C:\Users\admin\Desktop\Rose V3\Rose.exe" | C:\Users\admin\Desktop\Rose V3\Rose.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Description: PRose Exit code: 2148734720 Version: 1.0.0.0 Modules
| |||||||||||||||
1516 | "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.6&processName=Rose.exe&platform=0000&osver=5&isServer=0&shimver=4.0.30319.34209 | C:\Program Files\Internet Explorer\iexplore.exe | Rose.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1624 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1516 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
672 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\ndp48-web.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\ndp48-web.exe | — | iexplore.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Framework 4.8 Setup Exit code: 3221226540 Version: 4.8.04115.00 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2060 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2060.36938\Rose V3\Rose.exe.config | xml | |
MD5:423D80A4E92D50BF40A558325D34ED61 | SHA256:4FDE45606EB6404095D43739B1ECCFD3780A1B27978A9C1B009CB8457FD7F617 | |||
2060 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2060.36938\Rose V3\Rose.exe | executable | |
MD5:8AA80A52596D11CCDDA254A6C3028681 | SHA256:005AB8F8ACBD505ECB2FBF5FE4376E616028965C035844A0835BAD75C1B4284A | |||
3828 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:8AB617616B3DDDA28276E8E2F5238AFD | SHA256:5D85930D336E786A1F83EFD14C03E5695F9533CB98F4CB077D7B5D4CFE0C7234 | |||
2836 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{7FB1AC21-D8EA-11EC-BF60-12A9866C77DE}.dat | binary | |
MD5:304937010E684300B3142CA69F22E619 | SHA256:8391CE27296E9ECDC6379A91D8B9E9C42D05A76D89FE1E535AC21F36CBE1D282 | |||
2060 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2060.36938\Rose V3\snk.snk | snk | |
MD5:9A35B2E35E9ABC466F2393240AE2812B | SHA256:F2D2D5D6807609FBAA890504D439C0C78DB1A9B6C350BE8A776F296CE0BE7950 | |||
2836 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF9FB51C76084ECE2B.TMP | gmc | |
MD5:3C6407F523611F3687E8EAF4ED04D92D | SHA256:AE70439D3759F85AE42B9FAB561F31AFA04282B3168DFB04C1A2B5C0DD28F19B | |||
3828 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE | der | |
MD5:136BA521784A8CE47A3850452207B885 | SHA256:8FB5921945889E17A35D67A61A81A767323F57FE0EDD07A1FA6DADBD62669117 | |||
3828 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | |
MD5:AC4726FEE26B5D7F5BC731F03E7D7E34 | SHA256:990F044CAB696ED00BBC2CB11C62BA52EE6D61F33AAFD5F78CD35EA3513D9C01 | |||
2060 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2060.36938\Rose V3\dnlib.dll | executable | |
MD5:72B9C1848F3389A8755D0226F085B7A4 | SHA256:77C81BF7C861F4EB54996385F701183687A3BC7B966E68E8BB635449A0827ECB | |||
2060 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2060.36938\Rose V3\ROSED.exe | executable | |
MD5:232994CA1C5030F064FE0195BE541418 | SHA256:2CEEDBC2400CBFF16DF36F45089FAF4E132CCD93A4A06D8578C89568E00CD8C0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
880 | svchost.exe | GET | 302 | 104.90.179.99:80 | http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net48Rel1&plcid=0x409&clcid=0x409&ar=03761.00&sar=x86&o1=netfx_Full.mzz | NL | — | — | whitelisted |
1624 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted |
1624 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted |
880 | svchost.exe | HEAD | 302 | 104.90.179.99:80 | http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net48Rel1&plcid=0x409&clcid=0x409&ar=03761.00&sar=amd64&o1=netfx_Full_x86.msi | NL | — | — | whitelisted |
880 | svchost.exe | HEAD | 302 | 104.90.179.99:80 | http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net48Rel1&plcid=0x409&clcid=0x409&ar=03761.00&sar=x86&o1=netfx_Full.mzz | NL | — | — | whitelisted |
3828 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
1624 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
3828 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted |
1624 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted |
4048 | Setup.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | US | der | 1.05 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3828 | iexplore.exe | 13.107.246.45:443 | dotnet.microsoft.com | Microsoft Corporation | US | suspicious |
1624 | iexplore.exe | 13.107.246.45:443 | dotnet.microsoft.com | Microsoft Corporation | US | suspicious |
3828 | iexplore.exe | 104.92.93.19:443 | go.microsoft.com | Akamai Technologies, Inc. | NL | unknown |
1624 | iexplore.exe | 184.30.21.171:443 | www.microsoft.com | GTT Communications Inc. | US | suspicious |
1624 | iexplore.exe | 152.199.19.161:443 | az416426.vo.msecnd.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3828 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1624 | iexplore.exe | 104.92.93.19:443 | go.microsoft.com | Akamai Technologies, Inc. | NL | unknown |
3828 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1624 | iexplore.exe | 92.123.224.11:443 | statics-marketingsites-wcus-ms-com.akamaized.net | Akamai International B.V. | — | suspicious |
1516 | iexplore.exe | 13.107.246.45:443 | dotnet.microsoft.com | Microsoft Corporation | US | suspicious |
Domain | IP | Reputation |
---|---|---|
go.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
dotnet.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
statics-marketingsites-wcus-ms-com.akamaized.net |
| whitelisted |
az416426.vo.msecnd.net |
| whitelisted |
img-prod-cms-rt-microsoft-com.akamaized.net |
| whitelisted |
wcpstatic.microsoft.com |
| whitelisted |
api.bing.com |
| whitelisted |