| Field | Value |
|---|---|
| File name | 7a30581de07bad69f3f05af56edeccdfae83a025532daad559d30a381ce1f6d3.zip |
| Full analysis | https://app.any.run/tasks/19087d1f-b9a3-4087-8167-e0d9b7aa57e9 |
| Verdict | Malicious activity |
| Analysis date | August 12, 2022, 14:23:00 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v5.1 to extract |
| MD5 | 8F02100A55AEC031FE205E36F855018C |
| SHA1 | 34C2F17D0C0C5E864E4D1381349E365BD8F126A7 |
| SHA256 | DFB4D42E1EA6E7D616173A97624DE893ADD53F59E6B07F98F27667DECB88A7A5 |
| SSDEEP | 192:PEpT2tENOCeUzPD7fju8iUsh5RiU0WBo9jaE/U1ak5JO8E4OV8V+VqDDJBkH:MhDsUrDrjd+iU04o9OE81HkV4OV8V+OK |
| Extension | File type |
|---|---|
| .zip | ZIP compressed archive (100) |

| Property | Value |
|---|---|
| ZipFileName | 7a30581de07bad69f3f05af56edeccdfae83a025532daad559d30a381ce1f6d3.bat |
| ZipUncompressedSize | 13776 |
| ZipCompressedSize | 9540 |
| ZipCRC | 0x030a8048 |
| ZipModifyDate | 2022:08:10 11:04:07 |
| ZipCompression | Unknown (99) |
| ZipBitFlag | 0x0003 |
| ZipRequiredVersion | 51 |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Exit code | Description | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 3388 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\7a30581de07bad69f3f05af56edeccdfae83a025532daad559d30a381ce1f6d3.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | admin | Alexander Roshal | MEDIUM | 0 | WinRAR archiver | 5.91.0 |
| 508 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIb3388.34410\7a30581de07bad69f3f05af56edeccdfae83a025532daad559d30a381ce1f6d3.bat" " | C:\Windows\system32\cmd.exe | — | WinRAR.exe | admin | Microsoft Corporation | MEDIUM | 0 | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2784 | cscript x.js | C:\Windows\system32\cscript.exe | | cmd.exe | admin | Microsoft Corporation | MEDIUM | 0 | Microsoft ® Console Based Script Host | 5.8.7600.16385 |
| 596 | "C:\Users\admin\AppData\Roaming\MEMZ.exe" | C:\Users\admin\AppData\Roaming\MEMZ.exe | — | cmd.exe | admin | | MEDIUM | 3221226540 | | |
| 3160 | "C:\Users\admin\AppData\Roaming\MEMZ.exe" | C:\Users\admin\AppData\Roaming\MEMZ.exe | — | cmd.exe | admin | | MEDIUM | 3221226540 | | |
| 1060 | "C:\Users\admin\AppData\Roaming\MEMZ.exe" | C:\Users\admin\AppData\Roaming\MEMZ.exe | | cmd.exe | admin | | HIGH | 0 | | |
| 2432 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIb3388.34998\7a30581de07bad69f3f05af56edeccdfae83a025532daad559d30a381ce1f6d3.bat" " | C:\Windows\system32\cmd.exe | — | WinRAR.exe | admin | Microsoft Corporation | MEDIUM | 0 | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3048 | cscript x.js | C:\Windows\system32\cscript.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | 0 | Microsoft ® Console Based Script Host | 5.8.7600.16385 |
| 2636 | "C:\Users\admin\AppData\Roaming\MEMZ.exe" | C:\Users\admin\AppData\Roaming\MEMZ.exe | — | cmd.exe | admin | | MEDIUM | 3221226540 | | |
| 3000 | "C:\Users\admin\AppData\Roaming\MEMZ.exe" | C:\Users\admin\AppData\Roaming\MEMZ.exe | — | cmd.exe | admin | | MEDIUM | 3221226540 | | |

Exit code 3221226540 is 0xC000042C (STATUS_ELEVATION_REQUIRED): the MEMZ.exe launches from the MEDIUM-integrity cmd.exe were refused by UAC, while PID 1060 ran at HIGH integrity and exited with 0.
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3388.34410\7a30581de07bad69f3f05af56edeccdfae83a025532daad559d30a381ce1f6d3.bat | text | 3427EB1EEA128DD6C28659105F8D79DD | 7A30581DE07BAD69F3F05AF56EDECCDFAE83A025532DAAD559D30A381CE1F6D3 |
| 3240 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\FWPH6XZC.txt | text | 2D3173D11BFE328FB276A7E09E9BB432 | 229DEA55E9FF36B7F10AB37AAAF1A506E9E2D150EFFE84E1D63FD8D1469CDA68 |
| 3196 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF3DC5AC72222B77E0.TMP | gmc | FAAA4458CD9EAFFA7453BD1875C7C88E | 15A6964A1E8E0BE29E95095BDE9870468C8A03C59DA0CAD968F37F9E94E2CF3D |
| 3196 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{699C55CF-1A4A-11ED-8C90-12A9866C77DE}.dat | binary | 0A227C36291F1D7C682375A83F144ACC | 5449EFD0EC3809A8FF46A057C70376D5027B02507FD1653F200085DE3238EC32 |
| 3196 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFB3FAD90927889215.TMP | gmc | F4A3361C515018EEF6921437CB616F24 | 80D19A9688ACAE31F108DD9C50BA10C8884D6898E36308770D4ED9C54B3CE769 |
| 3388 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3388.34998\7a30581de07bad69f3f05af56edeccdfae83a025532daad559d30a381ce1f6d3.bat | text | 3427EB1EEA128DD6C28659105F8D79DD | 7A30581DE07BAD69F3F05AF56EDECCDFAE83A025532DAAD559D30A381CE1F6D3 |
| 3196 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF57DC09F0C1570848.TMP | gmc | BFB941EB670101FFB99FE4A57A1AEDEC | 96FDCD22019AD2AA0161986110C985DFE8EB54D406FFDE8954D12A47F64254C3 |
| 508 | cmd.exe | C:\Users\admin\AppData\Local\Temp\x.js | text | D94C93F882CF030ED9D66CC35796731D | F7941E6BE49D757B46B9D6FB5ECB15392EC36A64E8906692D2EEB2BA9FC67CB6 |
| 3196 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{699C55D2-1A4A-11ED-8C90-12A9866C77DE}.dat | binary | F6A7972BD5391A1CF42A8237D29F6828 | F82290F83F68613511B93563A8B714B96B4F9B27585CA3A712A46CB006CA6127 |
| 3196 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF62675F2CB108B625.TMP | gmc | BFDB1D743B617F9DD4C6D6B3554247B4 | FE1EEA69CC4FA2F237DBD6666F8EE61CA785A8072F685D850CCF708A21AC06E4 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
876 | iexplore.exe | GET | 301 | 104.111.216.166:80 | http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45 | NL | — | — | whitelisted |
2228 | iexplore.exe | GET | — | 216.58.212.164:80 | http://google.co.ck/search?q=minecraft+hax+download+no+virus | US | — | — | whitelisted |
3668 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
304 | iexplore.exe | GET | 302 | 216.58.212.164:80 | http://google.co.ck/search?q=the+memz+are+real | US | html | 347 b | whitelisted |
3240 | iexplore.exe | GET | 302 | 216.58.212.164:80 | http://google.co.ck/search?q=mcafee+vs+norton | US | html | 344 b | whitelisted |
304 | iexplore.exe | GET | 429 | 172.217.18.100:80 | http://www.google.com/sorry/index?continue=http://google.co.ck/search%3Fq%3Dthe%2Bmemz%2Bare%2Breal&q=EgRVzqZSGJrF2ZcGIhAN0LKgZj9jxcEZ3A8JCNoSMgFy | US | html | 2.95 Kb | whitelisted |
3240 | iexplore.exe | GET | 429 | 172.217.18.100:80 | http://www.google.com/sorry/index?continue=http://google.co.ck/search%3Fq%3Dmcafee%2Bvs%2Bnorton&q=EgRVzqZSGJ_F2ZcGIhDRn7MM_85hF30BCGiIZNbyMgFy | US | html | 2.95 Kb | whitelisted |
3668 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
1176 | opera.exe | GET | — | 142.250.184.227:80 | http://www.google.com.ua/search?q=youtube&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest | US | — | — | whitelisted |
476 | iexplore.exe | GET | — | 216.58.212.164:80 | http://google.co.ck/search?q=best+way+to+kill+yourself | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3668 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
304 | iexplore.exe | 216.58.212.164:80 | google.co.ck | Google Inc. | US | whitelisted |
876 | iexplore.exe | 104.111.216.166:80 | answers.microsoft.com | Akamai International B.V. | NL | unknown |
3240 | iexplore.exe | 216.58.212.164:80 | google.co.ck | Google Inc. | US | whitelisted |
876 | iexplore.exe | 104.111.216.166:443 | answers.microsoft.com | Akamai International B.V. | NL | unknown |
3240 | iexplore.exe | 172.217.18.100:80 | www.google.com | Google Inc. | US | whitelisted |
304 | iexplore.exe | 172.217.18.100:80 | www.google.com | Google Inc. | US | whitelisted |
3668 | iexplore.exe | 152.199.19.161:443 | r20swj13mr.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3668 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3240 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| answers.microsoft.com | | whitelisted |
| dns.msftncsi.com | | shared |
| google.co.ck | | whitelisted |
| api.bing.com | | whitelisted |
| www.bing.com | | whitelisted |
| www.google.com | | whitelisted |
| ctldl.windowsupdate.com | | whitelisted |
| r20swj13mr.microsoft.com | | whitelisted |
| ocsp.digicert.com | | whitelisted |
| certs.opera.com | | whitelisted |