File name: | 84f8b_dados68974942045.zip(1).zip |
Full analysis: | https://app.any.run/tasks/6db8d93e-8833-49b3-a6b4-ffa625da29ba |
Verdict: | Malicious activity |
Threats: | Metamorfo is a trojan malware family that has been active since 2018. It remains a top threat, focusing on stealing victims’ financial information, including banking credentials and other data. The malware is known for targeting users in Brazil. |
Analysis date: | March 31, 2020, 09:11:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | BE8B6D5BD7E3B915912C96BBA911E1C9 |
SHA1: | FC046B207A296560F4E9B0FC9A642927AED032A1 |
SHA256: | D9D72853EB1D4B49ED2589D810E01F8AF35147CBD972B3DBA2D4FB99DF79D326 |
SSDEEP: | 1536:tBpAC14D2/mT6/3suTZu0OsXDPQcqC57cdz9iw9q5+y+X3ECbqh4cZVQ7/wOeqGD:ZADZTysuTk7IzsCkzQww+y00xfjqvo |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0009 |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:03:31 11:09:08 |
ZipCRC: | 0x5a1064eb |
ZipCompressedSize: | 126213 |
ZipUncompressedSize: | 126192 |
ZipFileName: | 84f8b_dados68974942045.zip |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2564 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\84f8b_dados68974942045.zip(1).zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3996 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\84f8b_dados68974942045.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2232 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\84f8b_dados68974942045.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2496 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\dados3213.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2120 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3216 | C:\Windows\system32\MsiExec.exe -Embedding 4D81A3D0C185AADF1871573C56A5C024 | C:\Windows\system32\MsiExec.exe | msiexec.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2628 | "C:\Windows\System32\reg.exe" add "HKCU\software\Microsoft\Windows\CurrentVersion\RunOnce" /v NPIE /t reg_sz /d C:\Users\admin\Documents\NPIE\NPIE.EXE | C:\Windows\System32\reg.exe | MsiExec.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1812 | "C:\Users\admin\Documents\NPIE\NPIE.EXE" | C:\Users\admin\Documents\NPIE\NPIE.EXE | MsiExec.exe | |
User: admin Company: Avira Operations GmbH & Co. KG Integrity Level: MEDIUM Description: Avira Version: 1.2.144.30330 | ||||
3548 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2564.23577\84f8b_dados68974942045.zip | — | |
MD5:— | SHA256:— | |||
2120 | msiexec.exe | C:\Windows\Installer\MSIF527.tmp | — | |
MD5:— | SHA256:— | |||
2120 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF08C58177B0CDA565.TMP | — | |
MD5:— | SHA256:— | |||
3216 | MsiExec.exe | C:\Users\admin\Documents\NPIE\Avira.OE.NativeCore.dll | — | |
MD5:— | SHA256:— | |||
3216 | MsiExec.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\video2[1].tar | compressed | |
MD5:8BD367E3E35A0EE2A2EF3DE33AE21214 | SHA256:9CF4C726E46022622BDB48772A88F061468D7DF5C1BB94C503D3119B83F5230B | |||
3996 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3996.25084\dados3213.msi | executable | |
MD5:A658DA0BF1A0EBD663044708CFCEA350 | SHA256:50F1F2F411B11A5529E7F7AC6590ED8FF8AB86ECC7F80F2CAF2EE2944DF07CBC | |||
3216 | MsiExec.exe | C:\Users\admin\Documents\NPIE_NPIE_NPIE.zip | compressed | |
MD5:8BD367E3E35A0EE2A2EF3DE33AE21214 | SHA256:9CF4C726E46022622BDB48772A88F061468D7DF5C1BB94C503D3119B83F5230B | |||
2120 | msiexec.exe | C:\Windows\Installer\a6f40f.ipi | binary | |
MD5:73AAEABADF291AD97F87105563416814 | SHA256:0640B94444AAD6E6D958BA5A4370EA6CF7FA4D675C47215C2F8ABE67C2B8624E | |||
2120 | msiexec.exe | C:\Windows\Installer\a6f40d.msi | executable | |
MD5:A658DA0BF1A0EBD663044708CFCEA350 | SHA256:50F1F2F411B11A5529E7F7AC6590ED8FF8AB86ECC7F80F2CAF2EE2944DF07CBC | |||
3216 | MsiExec.exe | C:\Users\admin\Documents\NPIE\Celuer um Gri (1).gif | image | |
MD5:6CD55D30CC8628605A70C309ACDFCB6A | SHA256:8CD26A84018DBA116F50F7D3131AE74F4842257E4A98B183D49C3AF2843D0FE3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1812 | NPIE.EXE | POST | — | 5.57.226.202:80 | http://novamultimidea.webcindario.com/covid19/ | ES | — | — | malicious |
3216 | MsiExec.exe | GET | 200 | 187.17.111.35:80 | http://moggiempilhadeiras.com.br/js/video2.Tar | BR | compressed | 13.0 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1812 | NPIE.EXE | 5.57.226.202:80 | novamultimidea.webcindario.com | ServiHosting Networks S.L. | ES | malicious |
3216 | MsiExec.exe | 187.17.111.35:80 | moggiempilhadeiras.com.br | Universo Online S.A. | BR | malicious |
Domain | IP | Reputation |
---|---|---|
moggiempilhadeiras.com.br |
| malicious |
novamultimidea.webcindario.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1812 | NPIE.EXE | Potentially Bad Traffic | ET INFO Suspicious POST Request with Possible COVID-19 URI M1 |