download: | newupdate_password_2227.zip |
Full analysis: | https://app.any.run/tasks/153cc750-89a1-45d9-9ff3-1b7ea857759e |
Verdict: | Malicious activity |
Analysis date: | April 01, 2023, 15:34:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 902E6FEBB705BE9D5A81E80191C5256A |
SHA1: | 70097464419F45EDB280199E068B52158D724DCE |
SHA256: | C299E07C1A2FD29A21C075A5467F1AF42ECE26452B1607F76EA6E500D69B77E7 |
SSDEEP: | 98304:3fioND+IQgyWaU0bn3Phved6/MJdCLglwZ5l2wAjhK8O:qSfQbWaU43JevJdd42wA9c |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | icuin56.dll |
---|---|
ZipUncompressedSize: | 1786368 |
ZipCompressedSize: | 625601 |
ZipCRC: | 0x504a8449 |
ZipModifyDate: | 2022:01:24 02:15:04 |
ZipCompression: | Unknown (99) |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2512 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\newupdate_password_2227.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
2240 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) Modules
| |||||||||||||||
2544 | "C:\Users\admin\Desktop\version_v317.exe" | C:\Users\admin\Desktop\version_v317.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
1624 | "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | version_v317.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET ClickOnce Launch Utility Exit code: 2148734499 Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
| |||||||||||||||
3768 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1876 | "C:\Users\admin\Desktop\version_v317.exe" | C:\Users\admin\Desktop\version_v317.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
2796 | "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | — | version_v317.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET ClickOnce Launch Utility Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
|
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2240) SearchProtocolHost.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\16D\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2512 | WinRAR.exe | C:\Users\admin\Desktop\components\accessibility.xpt | xpt | |
MD5:1E178B64020F1CE4D8518C5B18B208A0 | SHA256:A560EC424A3CAED79CB93049DE888A3843BC34F352B6BB27F10724E10AB690DB | |||
2512 | WinRAR.exe | C:\Users\admin\Desktop\components\ActivityProxy.js | text | |
MD5:18B159534F17E4ECFE583D0D9BB5DC40 | SHA256:72D64C65530EA288072661271A0ABB3CFB56349CCC50B06C711641709D5581B7 | |||
2512 | WinRAR.exe | C:\Users\admin\Desktop\components\amContentHandler.js | text | |
MD5:24B4A2E9F7AEEC416ADCC5417B9E1D23 | SHA256:BCC9CFE21D5AFFB8F38AFF6DA5A8809AF1E5F0A0C4689224DF50E1FD849548ED | |||
2512 | WinRAR.exe | C:\Users\admin\Desktop\components\Activities.manifest | text | |
MD5:77983A71105B96C1D9C75E9DBB31AF26 | SHA256:BBD1545C49F1A456BCA62B0C0A684C8FB2F802B60EE448BC45EC22B24941BD7C | |||
2512 | WinRAR.exe | C:\Users\admin\Desktop\components\ActivityWrapper.js | text | |
MD5:5B7E48E5EBB0312591F7AC2843BA4E8E | SHA256:FE510D8FC2EA30C085010E158067A26ABB31A0616E2BC7D48FDF374AF8E66D3D | |||
2512 | WinRAR.exe | C:\Users\admin\Desktop\icuuc56.dll | executable | |
MD5:64B5B250BC5B84BCDEA9B48443D9B1B0 | SHA256:DE30C27E7BBF31B4BEE34F1FEBF5A71DC2318420C4E0FA52135FE85A27FCAE65 | |||
2512 | WinRAR.exe | C:\Users\admin\Desktop\components\addoncompat.manifest | text | |
MD5:5693979E6BD243F503621BD8A3E1076A | SHA256:414E9DB8B02035B3CDCE8C26D7360C5E92AFBE1D9588900B6E8DD1D141CCA258 | |||
2512 | WinRAR.exe | C:\Users\admin\Desktop\components\ActivityRequestHandler.js | text | |
MD5:7E6626AEF21B0DB6878A1AAFD28D3D7E | SHA256:95C59A66FBC28D9B13645B9B2CE656D4721272FF8D67E1177201504E059B41E4 | |||
2512 | WinRAR.exe | C:\Users\admin\Desktop\components\amWebInstallListener.js | text | |
MD5:A8281CCC8C3C6850709546D2E6AE733C | SHA256:C0D1A9D9DF3640080AC06D2F908A07FF29362A6B91C6989034EA6CCCDA708F2C | |||
2512 | WinRAR.exe | C:\Users\admin\Desktop\components\ActivityMessageConfigurator.js | text | |
MD5:AA156D59F227CCDB14D7E57610EA4E09 | SHA256:5EB82F1263629746E167ED91B3C12D51AAE1408F62F405170A8943759D15F525 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1624 | AppLaunch.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | binary | 286 b | shared |
1624 | AppLaunch.exe | POST | 200 | 185.220.35.84:5002 | http://185.220.35.84:5002/uploadfile | RU | text | 7 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1624 | AppLaunch.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | malicious |
1624 | AppLaunch.exe | 185.220.35.84:5002 | — | LLC Vpsville | RU | malicious |
Domain | IP | Reputation |
---|---|---|
ip-api.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
1624 | AppLaunch.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
1624 | AppLaunch.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com |
1624 | AppLaunch.exe | A Network Trojan was detected | ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) |
1624 | AppLaunch.exe | A Network Trojan was detected | ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2 |
1624 | AppLaunch.exe | A Network Trojan was detected | ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2 |
1624 | AppLaunch.exe | A Network Trojan was detected | ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt) |
Process | Message |
---|---|
AppLaunch.exe | CLR: Managed code called FailFast without specifying a reason.
|
AppLaunch.exe | CLR: Managed code called FailFast without specifying a reason.
|