File name:

Employee Direct Deposit 112522.htm.zip

Full analysis: https://app.any.run/tasks/fee6be08-10b3-4f93-8590-e42a69191ed9
Verdict: Malicious activity
Analysis date: December 05, 2022, 18:00:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

51752B67535B3C6B289173C25F755528

SHA1:

C47292E86BCE40C68BBE4D2E316F06B013C99FB7

SHA256:

CADB9C47E9F067D98D2CAA613CB041198F7FB64CF32E3C308D8962BEB4BC1058

SSDEEP:

192:Fzjr6ErqPGosUH/rBTl2XDR6Ij814ukMi9cQUczbwLNl+Bdt0LWDMzczNAZSJWy8:FzKcqPfsUzPFkMi9PH0N4OMMzKISPupF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3020)
      • iexplore.exe (PID: 3496)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs iexplore.exe iexplore.exe iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1580"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Employee Direct Deposit 112522.htm.zip"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3020"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa1580.25475\Employee Direct Deposit 112522.htmC:\Program Files\Internet Explorer\iexplore.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3496"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3020 CREDAT:144385 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
1464"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3020 CREDAT:398593 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
Total events
25 529
Read events
25 349
Write events
174
Delete events
6

Modification events

(PID) Process:(1580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(1580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(1580) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(1580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(1580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Employee Direct Deposit 112522.htm.zip
(PID) Process:(1580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
0
Suspicious files
12
Text files
16
Unknown types
9

Dropped files

PID
Process
Filename
Type
3020iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3020iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442der
MD5:503AD061073A29CEE4CB12D552F6A5B3
SHA256:D2A97423F8B71CA1DAAC39F8A037DCA022303C1ADFBD49995EFF3B36AFFF33F9
3020iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:AB59D100ECF5B96AB36B3FE8CFE09F16
SHA256:91970BC7EF620BACFFFB462DD87DBF3D493E317D6DCCAC32CCBACCADCB6F54CA
3020iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[1].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3020iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
3496iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:968C68564474353160517F41D180D718
SHA256:F9D9AFACBE12C690C1825367F339AEB757116F958D4A60440E8DC0F5F7C672D5
3496iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_F3E21F68828E98A453D37A8C9958DDEDder
MD5:3755270D87889EBE8F0644EEE5DDCC05
SHA256:B8FBB43140E0F776884C7C23D852A4113B678A530409AA92536CE7BE6B3698E4
3496iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_33E6263BAF1D93C3B754E2140B85CB43binary
MD5:145425416CCAAD676356F42081340F31
SHA256:CABD24F9C62F80E3CD8C85D52CA7B273C532B4BAE3A11423A02C48A02AF04715
3020iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442binary
MD5:5EB7793E579094B71481A5674115DE9D
SHA256:E243710FE6C305A309C64BFCBEEF0C56453BD877A12A3411CBF495287127404F
3496iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711Ebinary
MD5:7A1B8028AAA85D4D3BE7236CA30C40A3
SHA256:195C4065276FCD59B44B7E67AE6A38D72F4B532EC0A864CEA329485ED8BECE5B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
34
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3496
iexplore.exe
GET
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?42a6b136c597e2a1
US
whitelisted
3020
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
3496
iexplore.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d6beea08a703e6b3
US
compressed
4.70 Kb
whitelisted
3496
iexplore.exe
GET
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?331c52fcf06f4c80
US
whitelisted
3496
iexplore.exe
GET
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bda1ee92bcfe554b
US
whitelisted
3496
iexplore.exe
GET
200
104.18.32.68:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
US
der
1.42 Kb
whitelisted
3496
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEA9w47FDRKm6Ehu8Jb0wAzw%3D
US
der
279 b
whitelisted
3020
iexplore.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1b946f80c2af1f78
US
compressed
4.70 Kb
whitelisted
3020
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D
US
der
471 b
whitelisted
3496
iexplore.exe
GET
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9898dce6bf9642d2
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3496
iexplore.exe
209.197.3.8:80
ctldl.windowsupdate.com
STACKPATH-CDN
US
suspicious
3020
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted
3020
iexplore.exe
204.79.197.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3496
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted
3020
iexplore.exe
209.197.3.8:80
ctldl.windowsupdate.com
STACKPATH-CDN
US
suspicious
3496
iexplore.exe
104.16.87.20:443
cdn.jsdelivr.net
CLOUDFLARENET
shared
3496
iexplore.exe
104.21.235.182:443
www.linkpicture.com
CLOUDFLARENET
suspicious
3496
iexplore.exe
69.16.175.42:443
code.jquery.com
STACKPATH-CDN
US
malicious
3496
iexplore.exe
104.18.32.68:80
ocsp.comodoca.com
CLOUDFLARENET
suspicious
3496
iexplore.exe
172.64.155.188:80
ocsp.comodoca.com
CLOUDFLARENET
US
suspicious

DNS requests

Domain
IP
Reputation
cdn.jsdelivr.net
  • 104.16.87.20
  • 104.16.89.20
  • 104.16.86.20
  • 104.16.85.20
  • 104.16.88.20
whitelisted
code.jquery.com
  • 69.16.175.42
  • 69.16.175.10
whitelisted
www.linkpicture.com
  • 104.21.235.182
  • 104.21.235.181
malicious
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ocsp.comodoca.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
ocsp.usertrust.com
  • 172.64.155.188
  • 104.18.32.68
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
No debug info