File name: | any run.zip |
Full analysis: | https://app.any.run/tasks/d5112b62-e515-4eeb-8dc2-578a0a2c80d1 |
Verdict: | Malicious activity |
Analysis date: | May 20, 2022, 22:25:00 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | D5580C9560F5FF87A09FC6100654D4E4 |
SHA1: | 5F42337E5F30A7D73546BFBB399453D2328E5A8D |
SHA256: | C33C4CC5639886BFF516F52872C773EC9D7D15B6CAAE3530753A0458B334C60B |
SSDEEP: | 196608:XH/djrRJhxwSAGm7eGfp4mFWjsa0e1y8ky+q:XVvfH2lpbafT+q |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | aramaware.exe |
---|---|
ZipUncompressedSize: | 616717 |
ZipCompressedSize: | 186036 |
ZipCRC: | 0x75455c4d |
ZipModifyDate: | 2022:05:12 13:09:21 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2972 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\any run.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
2392 | "C:\Windows\system32\taskmgr.exe" | C:\Windows\system32\taskmgr.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3096 | "C:\Windows\system32\taskmgr.exe" /1 | C:\Windows\system32\taskmgr.exe | taskmgr.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Task Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1728 | "taskhost.exe" | C:\Windows\system32\taskhost.exe | — | services.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: Host Process for Windows Tasks Version: 6.1.7600.16385 (win7_rtm.090713-1255) | |||||||||||||||
1732 | "C:\Windows\System32\ie4uinit.exe" -UserConfig | C:\Windows\System32\ie4uinit.exe | — | Explorer.EXE | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: IE Per-User Initialization Utility Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | |||||||||||||||
3452 | C:\Windows\System32\ie4uinit.exe -ClearIconCache | C:\Windows\System32\ie4uinit.exe | — | ie4uinit.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: IE Per-User Initialization Utility Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | |||||||||||||||
3556 | C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36 | C:\Windows\System32\rundll32.exe | — | ie4uinit.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) | |||||||||||||||
3632 | C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m | C:\Windows\System32\rundll32.exe | — | ie4uinit.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) | |||||||||||||||
3180 | C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 | C:\Windows\system32\RunDll32.exe | — | rundll32.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: LOW Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) | |||||||||||||||
3720 | C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 | C:\Windows\system32\RunDll32.exe | — | rundll32.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2972) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (2972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (2972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\any run.zip | |||
(PID) Process: | (2972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2972) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1732 | ie4uinit.exe | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk | lnk | |
MD5:44902E96F024930A503F3D00251DED1D | SHA256:DDC4FC419AB290D2A6440256E43D63ED2BC86AC8C446DF666C1D9F3B74C01387 | |||
1732 | ie4uinit.exe | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk | lnk | |
MD5:478F8CFFC181F23A4A56263BE97EB452 | SHA256:F960EAA56BD65D0C7BAFFDE9B2E1A8EA8421CA6EF1B4CE8CA28518328B34D1C5 | |||
1732 | ie4uinit.exe | C:\Windows\INF\setupapi.app.log | ini | |
MD5:E5BD0082A90348393855756968428F8E | SHA256:D07BCB76CCDA2B80AF4E6ACDDC23D1B9B2F9F8E24ED1286F6C7871BEA2918032 | |||
2332 | WinMail.exe | C:\Users\Administrator\Contacts\Administrator (1).contact | xml | |
MD5:676E2FD18F3ABF9CC915B33352991FE6 | SHA256:1DED9B1F88A08F37371F679540E74E69986FECCDF3F75CA265BCB11C95F7B901 | |||
1732 | ie4uinit.exe | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin9728060290\msapplication.xml | xml | |
MD5:962BBE34A999201A0807065887923B75 | SHA256:6C7C129E86E677A7FC712FB59F3863405DAEB0EEC1C352B3751C925DD7F73328 | |||
2332 | WinMail.exe | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\edbtmp.log | binary | |
MD5:D239AD5AA8198644DF51448FC47A80C9 | SHA256:067B2A9F4D0B4BBCE05CBE597A9F6393EF61E216CEF94E17F1B881246E8D9A9E | |||
2332 | WinMail.exe | C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\edb.log | binary | |
MD5:D239AD5AA8198644DF51448FC47A80C9 | SHA256:067B2A9F4D0B4BBCE05CBE597A9F6393EF61E216CEF94E17F1B881246E8D9A9E | |||
1732 | ie4uinit.exe | C:\Windows\system32\config\systemprofile\Favorites\desktop.ini | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 | |||
1732 | ie4uinit.exe | C:\Windows\system32\config\systemprofile\AppData\Local\Temp\RGI4DF9.tmp | ini | |
MD5:31CB7778F65DF8D02353E6C7B2B2CFFC | SHA256:647A8C7F316EF325F73C2037E8883854F9287584904C977C81D1662DB6471A58 | |||
1732 | ie4uinit.exe | C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini | ini | |
MD5:3C106F431417240DA12FD827323B7724 | SHA256:E469ED17B4B54595B335DC51817A52B81FCF13AAD7B7B994626F84EC097C5D57 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3900 | firefox.exe | POST | — | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | — | — | whitelisted |
3900 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3900 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted |
3900 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3900 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 472 b | whitelisted |
3900 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3900 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted |
3900 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 472 b | whitelisted |
3900 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted |
3900 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3900 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | — | US | whitelisted |
3900 | firefox.exe | 52.222.214.84:443 | firefox.settings.services.mozilla.com | Amazon.com, Inc. | US | suspicious |
3900 | firefox.exe | 35.161.134.161:443 | location.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3900 | firefox.exe | 13.32.119.185:443 | www.mozilla.org | Amazon.com, Inc. | US | suspicious |
3900 | firefox.exe | 34.120.208.123:443 | incoming.telemetry.mozilla.org | — | US | malicious |
3900 | firefox.exe | 54.190.96.86:443 | accounts.firefox.com | Amazon.com, Inc. | US | unknown |
3900 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3900 | firefox.exe | 52.24.149.180:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3900 | firefox.exe | 52.222.236.127:443 | normandy.cdn.mozilla.net | Amazon.com, Inc. | US | suspicious |
3900 | firefox.exe | 34.210.202.253:443 | push.services.mozilla.com | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
detectportal.firefox.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
www.mozilla.org |
| whitelisted |
www.mozorg.moz.works |
| suspicious |
example.org |
| whitelisted |
ipv4only.arpa |
| whitelisted |
firefox.settings.services.mozilla.com |
| whitelisted |
accounts.firefox.com |
| whitelisted |
incoming.telemetry.mozilla.org |
| whitelisted |
prod.ingestion-edge.prod.dataops.mozgcp.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3900 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
3900 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
3900 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
3900 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |