| Field | Value |
|---|---|
| File name | 99303988488829.zip |
| Full analysis | https://app.any.run/tasks/72daf838-4f1f-4365-8aba-f4fe5b0175e0 |
| Verdict | Malicious activity |
| Analysis date | December 06, 2018, 11:04:36 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 8349B16B1AB602DBF015FF392FE66E12 |
| SHA1 | 44E4A2153F7167AF4CCECB73189913AFA961C909 |
| SHA256 | B8A98809822AC05179B8D891344F0165B10F37AE5EAB43034A50890F8F48124B |
| SSDEEP | 192:GnoieAqJ5MoMzNUWWi0rYHWX0sA12OkcnPdmrYLqT:GcAupWdNIh2BFnlmU6 |
| Field | Value |
|---|---|
| .zip | ZIP compressed archive (100) |
| ZipFileName | 99303988488829.vbs |
| ZipUncompressedSize | 14003 |
| ZipCompressedSize | 6978 |
| ZipCRC | 0x1223f02a |
| ZipModifyDate | 2018:12:06 02:41:19 |
| ZipCompression | Deflated |
| ZipBitFlag | - |
| ZipRequiredVersion | 20 |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|---|
| 2788 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\99303988488829.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 5.60.0 | |
| 2344 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2788.31281\99303988488829.vbs" | C:\Windows\System32\WScript.exe | | WinRAR.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 5.8.7600.16385 | 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2344 | WScript.exe | C:\Users\admin\AppData\Local\Temp\CabB54C.tmp | — | — | — |
| 2344 | WScript.exe | C:\Users\admin\AppData\Local\Temp\TarB54D.tmp | — | — | — |
| 2344 | WScript.exe | C:\Users\admin\AppData\Local\Temp\CabB56D.tmp | — | — | — |
| 2344 | WScript.exe | C:\Users\admin\AppData\Local\Temp\TarB56E.tmp | — | — | — |
| 2344 | WScript.exe | C:\Users\admin\AppData\Local\Temp\CabB61B.tmp | — | — | — |
| 2344 | WScript.exe | C:\Users\admin\AppData\Local\Temp\TarB61C.tmp | — | — | — |
| 2788 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2788.31281\99303988488829.vbs | text | 77D4699CAE309293012A81B062817A6A | 494D6D1814B6D7DABEC902BDB0D8D0A13985F8D215AE076CFAEF2ADCFDFCB269 |
| 2344 | WScript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | binary | 1EA683A60EB18B9DA5866C7192061FF3 | 361C4C76D0F7C1870866BAB66ECDE417FA1CC99BC4A14C2A8583FAE797D988EC |
| 2344 | WScript.exe | C:\Users\admin\AppData\Local\Temp\Microsoft.url | text | F08AE01D196FED6458005372527366DF | A74259DF7113E101CDA53FEF97F36F0927FA6FF963C0ED16261BCEDE6EE33C9E |
| 2344 | WScript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | compressed | A902CF373E02F7DC34F456ED7449279C | EA0C12AEDEA644678014991A96534145E85AA12CD8955396DFDC98A4FC96F0D5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2344 | WScript.exe | GET | — | 46.47.98.128:80 | http://dns.spoolers.org/aVDNZbcfyI.php | BG | — | — | malicious |
2344 | WScript.exe | GET | 200 | 205.185.216.10:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.2 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2344 | WScript.exe | 205.185.216.10:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
2344 | WScript.exe | 46.47.98.128:80 | dns.spoolers.org | Bulsatcom EAD | BG | malicious |
| Domain | IP | Reputation |
|---|---|---|
| www.download.windowsupdate.com | | whitelisted |
| dns.spoolers.org | | malicious |