File name: | SAMPLE.zip |
Full analysis: | https://app.any.run/tasks/d02c6fab-b866-4b30-8567-01214da2f36c |
Verdict: | Malicious activity |
Analysis date: | July 11, 2019, 20:50:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | A5942CE6165E7F6FDC34FD3D75CC7F84 |
SHA1: | 1874AAF88B7591D092328E3095070C449C88EFDF |
SHA256: | D84D470453CDE79F2DC9FB7F0242F0019E72DBC5C24492CD552855A0B95EEF4C |
SSDEEP: | 24576:G9VMZZHiPhu/uPfW9Xb+Y651w6BzlJJrcgsOI6cldYIyXyZP:6V2iZu/uXW2GCBjrcNOJZI6yZP |
.zip | ZIP compressed archive (100) |
---|---|
ZipFileName: | 25ceeaed228c2d7c08bad41362ad6619c243324ad8a0e05c75d3672e96373bed.bin |
ZipUncompressedSize: | 2113312 |
ZipCompressedSize: | 1072075 |
ZipCRC: | 0x0845c3e2 |
ZipModifyDate: | 2019:07:11 20:50:12 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 788 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2708 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SAMPLE.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 |
3772 | "C:\Users\admin\Desktop\mail.exe" | C:\Users\admin\Desktop\mail.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: sputnik Exit code: 0 Version: 5.1.0.194 |
3404 | "C:\Users\admin\Desktop\mail.exe" --elevation | C:\Users\admin\Desktop\mail.exe | — | mail.exe |
User: admin Integrity Level: HIGH Description: sputnik Exit code: 3221225547 Version: 5.1.0.194 |
1468 | "C:\Users\admin\AppData\Local\Temp\3c61-94c9-4d98-ebcb\na_runner.exe" --install | C:\Users\admin\AppData\Local\Temp\3c61-94c9-4d98-ebcb\na_runner.exe | — | mail.exe |
User: admin Company: Mail.Ru Integrity Level: HIGH Description: Mail.Ru updater Exit code: 0 Version: 5.0.0.176 |
1312 | "C:\Users\admin\AppData\Local\Mail.Ru\MailRuUpdater.exe" | C:\Users\admin\AppData\Local\Mail.Ru\MailRuUpdater.exe | — | na_runner.exe |
User: admin Company: Mail.Ru Integrity Level: HIGH Description: Mail.Ru updater Exit code: 0 Version: 5.0.0.176 |
2972 | "C:\Program Files\Mail.Ru\MailRuUpdater\MailRuUpdater.exe" --s | C:\Program Files\Mail.Ru\MailRuUpdater\MailRuUpdater.exe | — | services.exe |
User: SYSTEM Company: Mail.Ru Integrity Level: SYSTEM Description: Mail.Ru updater Exit code: 0 Version: 5.0.0.176 |
2828 | "C:\Windows\TEMP\768b-df4b-a225-e7e2" --install | C:\Windows\TEMP\768b-df4b-a225-e7e2 | — | MailRuUpdater.exe |
User: SYSTEM Company: Mail.Ru Integrity Level: SYSTEM Description: Mail.Ru Update Service Exit code: 0 Version: 3.12.0.10 |
3800 | "C:\Program Files\Mail.Ru\Update Service\mrupdsrv.exe" --s | C:\Program Files\Mail.Ru\Update Service\mrupdsrv.exe | — | services.exe |
User: SYSTEM Company: Mail.Ru Integrity Level: SYSTEM Description: Mail.Ru Update Service Version: 3.12.0.10 |
2264 | "C:\Windows\System32\regsvr32.exe" /s "C:\Users\admin\AppData\Local\Mail.Ru\Sputnik\ie_addon_dll.dll" | C:\Windows\System32\regsvr32.exe | — | mail.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2360 | "C:\Users\admin\AppData\Local\Mail.Ru\MailRuUpdater\us\2d0cd78004_d\MailRuUpdater.exe" --update-installation | C:\Users\admin\AppData\Local\Mail.Ru\MailRuUpdater\us\2d0cd78004_d\MailRuUpdater.exe | — | MailRuUpdater.exe |
User: admin Company: Mail.Ru Integrity Level: HIGH Description: Mail.Ru updater Exit code: 0 Version: 5.1.0.195 |
PID | Process | Filename | Type |
---|---|---|---|
2708 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2708.26925\25ceeaed228c2d7c08bad41362ad6619c243324ad8a0e05c75d3672e96373bed.bin | — |
MD5: — | SHA256: — |
3404 | mail.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — |
MD5: — | SHA256: — |
3404 | mail.exe | C:\Users\admin\AppData\Local\Temp\674a-9a46-5cb2-d294\MailRu.ico | — |
MD5: — | SHA256: — |
3404 | mail.exe | C:\Users\admin\AppData\Local\Temp\b8ff-9d61-a866-e1d4\GoMailRu.ico | — |
MD5: — | SHA256: — |
3404 | mail.exe | C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mail.Ru.lnk | lnk |
MD5: 2D5E9A5F28DBE2648229312808B40463 | SHA256: 7261322C0AFCC6E91F52D0D8CFBE4796DED242933BDDCB93E85AEFD5BE502794 |
3404 | mail.exe | C:\Users\admin\AppData\Local\Mail.Ru\Tmp\DeferredTasks\{EBAF811D-2741-4124-B970-47137A88CE46}_c | binary |
MD5: 3E5052D5235B022C9F4919A4C3ABFC83 | SHA256: E32FB994B214DF53099FAC1605720F64FC2CBEC75D2AB877B26150CA49DC4450 |
3404 | mail.exe | C:\Users\admin\AppData\Local\Mail.Ru\Sputnik\GoMailRu.ico | image |
MD5: ED62B573B9FF118E3EC726D78C5A099F | SHA256: D8AE22194708322B6CA7C8F5686C85D41EAF847A804657ADEEF6ABCAB74B3270 |
3404 | mail.exe | C:\Users\admin\Favorites\Искать в Интернете.url | text |
MD5: EB08378217B4A9D27F46FA00527D778B | SHA256: B0C3586271724BE93C4BA4AF3D9A7DF05462F76B603DD7EF7E5BA4448BB7C244 |
3404 | mail.exe | C:\Users\admin\Desktop\Искать в Интернете.url | text |
MD5: EAA4AE3F04FD33F17CA945431D639099 | SHA256: 8C1F09710F5AA6E6A82433F12FE1854C2E64A9A07ED9D5F32E1DB8AE43ACC202 |
3404 | mail.exe | C:\ProgramData\Mail.Ru\Id | text |
MD5: 3F629FC77512AAC17B0378ED30E43FCB | SHA256: 7A412C6F91EEA6BA5B8125BD6E7BC250FABEA925F6679782CE382E5B9AE79E90 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=spparams&raw=--elevation&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=7&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | — | — | suspicious |
3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=install&bgn=1&standalone=1&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=7&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | — | — | suspicious |
3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_mailru&event=done&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=2&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | — | — | suspicious |
3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_gomailru&event=done&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=2&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | — | — | suspicious |
3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=fav_gomailru&event=done&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=2&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | — | — | suspicious |
3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=taskbar_mailru&event=done&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=2&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | — | — | suspicious |
3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=spnative_load&id=mrupdater&event=done&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=14&elapsed_time=14&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | — | — | suspicious |
1468 | na_runner.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=mru_install&ovr=0&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=5&elapsed_time=0&mr_service=0&os=win6.1&install_id=%7B91B7B558-A0A9-4458-8233-76AA3D25226A%7D&GUID=%7B91B7B558-A0A9-4458-8233-76AA3D25226A%7D&tool=mrupdater | RU | — | — | suspicious |
3404 | mail.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=desktop_mailru&event=done&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=2&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&common_rfr=&install_id=%7B81715541-897E-47C6-BC66-277937B5D9D0%7D&rfr_rules= | RU | — | — | suspicious |
2972 | MailRuUpdater.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=mru_online_service&masterid=%7B4170D283-1CFF-42C2-83E1-1C1522907EE1%7D&user_id=%7BA393C707-0C17-490F-946A-88557E5D9868%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3583&tool_mem=5&elapsed_time=0&mr_service=1&os=win6.1&install_id=%7B91B7B558-A0A9-4458-8233-76AA3D25226A%7D&GUID=%7B91B7B558-A0A9-4458-8233-76AA3D25226A%7D&tool=mrupdater | RU | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3404 | mail.exe | 217.69.139.245:443 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious |
3404 | mail.exe | 217.69.139.247:443 | xmlbinupdate.mail.ru | Limited liability company Mail.Ru | RU | malicious |
3404 | mail.exe | 217.69.139.110:443 | xtnmailru.cdnmail.ru | Limited liability company Mail.Ru | RU | malicious |
3404 | mail.exe | 217.69.139.122:443 | conserv.go.mail.ru | Limited liability company Mail.Ru | RU | unknown |
3404 | mail.exe | 217.69.139.245:80 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious |
3404 | mail.exe | 94.100.180.110:443 | mailruupdater.cdnmail.ru | Limited liability company Mail.Ru | RU | suspicious |
1312 | MailRuUpdater.exe | 217.69.139.245:80 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious |
1468 | na_runner.exe | 217.69.139.245:80 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious |
1312 | MailRuUpdater.exe | 217.69.139.245:443 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious |
1312 | MailRuUpdater.exe | 217.69.139.247:443 | xmlbinupdate.mail.ru | Limited liability company Mail.Ru | RU | malicious |
Domain | IP | Reputation |
---|---|---|
xmlbinupdate.mail.ru | — | shared |
conserv.go.mail.ru | — | unknown |
mrds.mail.ru | — | suspicious |
mailruupdater.cdnmail.ru | — | unknown |
xtnmailru.cdnmail.ru | — | unknown |
binupdate.mail.ru | — | shared |
gosoftdl.mail.ru | — | shared |
xml.binupdate.mail.ru | — | shared |
PID | Process | Class | Message |
---|---|---|---|
3800 | mrupdsrv.exe | Misc activity | ADWARE [PTsecurity] Win32/MailRuSputnik.ru Agent PUA |
3800 | mrupdsrv.exe | Misc activity | ADWARE [PTsecurity] Win32/MailRuSputnik.ru Agent PUA |
Process | Message |
---|---|
MailRuUpdater.exe | RunAsService: Entry |
MailRuUpdater.exe | Updater.Mail.Ru: SERVICE_CONTROL_STOP |
MailRuUpdater.exe | switches::kUpdateService run to update |
MailRuUpdater.exe | Service::Update update operation is proceed |
MailRuUpdater.exe | RunAsService: Exit |
MailRuUpdater.exe | Service::StopService done |
MailRuUpdater.exe | Service::CopyMeTo program files done |
MailRuUpdater.exe | RunAsService: Entry |
MailRuUpdater.exe | Service::StartService done |
MailRuUpdater.exe | Updater.Mail.Ru: SERVICE_CONTROL_STOP |