Field | Value |
---|---|
File name | 75cad2-handselfdiy_2.exe.zip |
Full analysis | https://app.any.run/tasks/8ff482a8-5fe9-402d-b3d6-5bb2c855859d |
Verdict | Malicious activity |
Analysis date | June 27, 2022, 09:35:40 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/zip |
File info | Zip archive data, at least v2.0 to extract |
MD5 | B26D0614CCC727AFC5B40299CE002111 |
SHA1 | EA18D869DAA9094F3DF2EA56C1A504E301EA6F94 |
SHA256 | D624CD4DDFAFB9B4EF610036307549833937C56F398CE5B609D2476E3A2A5078 |
SSDEEP | 12288:KwDTf+S42DTE+1bhEEZYIVmLkfUMo0h/KVuUX/lOHzodzJul4QnlJlO4EAO:P/WF2nbq6mcqVdvMmzJulPHlO4EAO |
Extension | Detected type |
---|---|
.zip | ZIP compressed archive (100) |

Field | Value |
---|---|
ZipFileName | 75cad2-handselfdiy_2.exe |
ZipUncompressedSize | 1793024 |
ZipCompressedSize | 810481 |
ZipCRC | 0x35f26a1c |
ZipModifyDate | 2022:06:27 11:31:23 |
ZipCompression | Deflated |
ZipBitFlag | 0x0009 |
ZipRequiredVersion | 20 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2492 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\75cad2-handselfdiy_2.exe.zip" | C:\Program Files\WinRAR\WinRAR.exe | | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0 |
3468 | "C:\Users\admin\Desktop\75cad2-handselfdiy_2.exe" | C:\Users\admin\Desktop\75cad2-handselfdiy_2.exe | | Explorer.EXE | User: admin; Integrity Level: HIGH; Exit code: 3; Version: 1.0.0.1 |
524 | "C:\Users\admin\Desktop\75cad2-handselfdiy_2.exe" | C:\Users\admin\Desktop\75cad2-handselfdiy_2.exe | — | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 0; Version: 1.0.0.1 |
2628 | C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2848 | "C:\Users\admin\Desktop\75cad2-handselfdiy_2.exe" | C:\Users\admin\Desktop\75cad2-handselfdiy_2.exe | | DllHost.exe | User: admin; Integrity Level: HIGH; Exit code: 3; Version: 1.0.0.1 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3468 | 75cad2-handselfdiy_2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D | binary | C98FBD2EF399A142E4F12CA5BD9155C7 | 3363BEC1F19883910A4A4AB42B21C4508EA5BC557885818DAEBD610DBE44C1EE |
2492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2492.20770\75cad2-handselfdiy_2.exe | executable | 479E6A45A08E74C6D0141C5F6D107574 | 75CAD21C1FD17E0C6206688DADE2C78AD51A16336EA8F3BB0201DD163AD4B123 |
3468 | 75cad2-handselfdiy_2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D | der | 872D901541803FB019C7E7AF641F9017 | BCC2A5457045C6CF2A2B888DFB1520144D62FBCF39F695B14737A78F5772D796 |
3468 | 75cad2-handselfdiy_2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9DD071679C018B2129B579E1C864DC6B | binary | 1939FCB4DAE08364ACA890E94C1FF2C9 | C4878B6E88B8335F23A8B108710C4A341FEF277A2A8856FD75F6DB173D88C3F6 |
3468 | 75cad2-handselfdiy_2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9DD071679C018B2129B579E1C864DC6B | der | 015BA3C5475D9CB0916FFCCEC0B58242 | D73348F4E15938468E31BCB3EF463D8823E4C0BC0CFC06FDF6D210EC9850E89F |
3468 | 75cad2-handselfdiy_2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 64DE575F1E9D54C57AE377FADDF5F4C9 | A1F87FD2BB584522966529B0ACF4E859BC1048EB3E04D9B324BA8A9F82FEE90B |
2848 | 75cad2-handselfdiy_2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | 5914987FA4A414CD0DFEFBF9809D1A1A | CFF034FFA7624C76181A649539DB3DB29F5DDA11464B16F1EC2BF59F63A83EB0 |
2848 | 75cad2-handselfdiy_2.exe | C:\Users\admin\AppData\Local\Temp\CabDBEB.tmp | compressed | 308336E7F515478969B24C13DED11EDE | 889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9 |
2848 | 75cad2-handselfdiy_2.exe | C:\Users\admin\AppData\Local\Temp\TarDBEC.tmp | cat | 2D8A5090656DE9FB55DD0F3BA20F9299 | 44AE1E61A4E6305C15AAA52FD1B29DDB060E69233703CBA611F5E781D766442E |
2848 | 75cad2-handselfdiy_2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary | 296BF72AAF00A5FB50C2817A27B7525F | B6BA83227839D4078F1CDC234A7D106C37B9AC0CD1DFC8C9FAA49FDB3EABCAFF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2848 | 75cad2-handselfdiy_2.exe | GET | 200 | 41.63.96.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8f238310612a843d | ZA | compressed | 60.0 Kb | whitelisted |
3468 | 75cad2-handselfdiy_2.exe | GET | 200 | 104.18.32.68:80 | http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEQCyDO1VLjGgvzQ6dSh0O%2Bmr | US | der | 472 b | whitelisted |
3468 | 75cad2-handselfdiy_2.exe | GET | 200 | 79.133.177.216:80 | http://ocsp.trust-provider.cn/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQDhvjmfMdSVsHZ9u52p9jqu3rd8gQUXzp8ERB%2BDGdxYdyLo7UAA2f1VxwCEQCMXk%2BMGFdCQ4Wss7oZvYg0 | RU | der | 600 b | suspicious |
3468 | 75cad2-handselfdiy_2.exe | GET | 200 | 41.63.96.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ef57c6086ee3a9c6 | ZA | compressed | 4.70 Kb | whitelisted |
2848 | 75cad2-handselfdiy_2.exe | GET | 200 | 96.16.145.230:80 | http://x1.c.lencr.org/ | US | der | 717 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3468 | 75cad2-handselfdiy_2.exe | 79.133.177.216:80 | ocsp.trust-provider.cn | SOT LINE Limited Company | RU | suspicious |
3468 | 75cad2-handselfdiy_2.exe | 41.63.96.128:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | ZA | suspicious |
3468 | 75cad2-handselfdiy_2.exe | 104.18.32.68:80 | ocsp.comodoca.com | Cloudflare Inc | US | suspicious |
3468 | 75cad2-handselfdiy_2.exe | 149.28.253.196:443 | www.icodeps.com | — | US | suspicious |
2848 | 75cad2-handselfdiy_2.exe | 41.63.96.128:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | ZA | suspicious |
3468 | 75cad2-handselfdiy_2.exe | 148.251.234.83:443 | iplogger.org | Hetzner Online GmbH | DE | malicious |
2848 | 75cad2-handselfdiy_2.exe | 148.251.234.83:443 | iplogger.org | Hetzner Online GmbH | DE | malicious |
2848 | 75cad2-handselfdiy_2.exe | 96.16.145.230:80 | x1.c.lencr.org | Akamai Technologies, Inc. | US | suspicious |
2848 | 75cad2-handselfdiy_2.exe | 149.28.253.196:443 | www.icodeps.com | — | US | suspicious |
2092 | WerFault.exe | 20.189.173.20:443 | watson.microsoft.com | Microsoft Corporation | US | suspicious |
Domain | IP | Reputation |
---|---|---|
www.icodeps.com | | malicious |
ctldl.windowsupdate.com | | whitelisted |
ocsp.comodoca.com | | whitelisted |
ocsp.trust-provider.cn | | suspicious |
iplogger.org | | shared |
x1.c.lencr.org | | whitelisted |
watson.microsoft.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (iplogger .org in DNS Lookup) |
3468 | 75cad2-handselfdiy_2.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (iplogger .org in TLS SNI) |
2848 | 75cad2-handselfdiy_2.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (iplogger .org in TLS SNI) |