File name: | sample_94.zip |
Full analysis: | https://app.any.run/tasks/d48df9ca-255e-4096-8eee-c0141785130b |
Verdict: | Malicious activity |
Analysis date: | June 12, 2019, 10:32:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 1F48BEB69EC05428AC249AA81DAA49E8 |
SHA1: | 8ED51ACC1C4D7A12A4F03D89CCB4680F40EFB6C0 |
SHA256: | E043741BF9594CB48DD3304CE3DC239CFB498E5CA25008A61A6E1B80ADE066E5 |
SSDEEP: | 1536:/+YxNvKRA/2UjK8mbkP8AzFHy2tmWm/3Kv:2a1H+U4tAzh3mWmfy |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | sample_94/ |
---|---|
ZipUncompressedSize: | - |
ZipCompressedSize: | - |
ZipCRC: | 0x00000000 |
ZipModifyDate: | 2018:05:01 18:48:22 |
ZipCompression: | None |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2932 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample_94.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3580 | "C:\Users\admin\Desktop\sample.exe\sample_94.exe" | C:\Users\admin\Desktop\sample.exe\sample_94.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2288 | netsh advfirewall firewall add rule name="ImgBurn" dir=in action=allow description="Multimedia suite" program="C:\Users\admin\AppData\Roaming\Microsoft\lsass.exe" enable=yes | C:\Windows\system32\netsh.exe | — | sample_94.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2604 | /k C:\Users\admin\Desktop\sample.exe\sample_94.exe | C:\Users\admin\AppData\Roaming\Microsoft\lsass.exe | sample_94.exe | |
User: admin Integrity Level: MEDIUM Version: 1.00 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2604 | lsass.exe | C:\Users\admin\AppData\Roaming\Microsoft\SrqKvPRubxbSxF.tmp | — | |
MD5:— | SHA256:— | |||
2604 | lsass.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\geoiptool_com[1].txt | html | |
MD5:6373E31C132C5554C7CD81469FEED908 | SHA256:8A4155304EB0DBDFDB0A51BC62AFD7C645421D088B635A4745AFE92D6B18B690 | |||
2932 | WinRAR.exe | C:\Users\admin\Desktop\sample.exe\sample_94 | executable | |
MD5:F536047A1FB17B7A962F0AE91CB8F838 | SHA256:8D21CB631C8CAF7F62F60BBB7C77FED05A698A6A9084478DC8FD00E946826BA6 | |||
3580 | sample_94.exe | C:\Users\admin\AppData\Roaming\Microsoft\lsass.exe | executable | |
MD5:F536047A1FB17B7A962F0AE91CB8F838 | SHA256:8D21CB631C8CAF7F62F60BBB7C77FED05A698A6A9084478DC8FD00E946826BA6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2604 | lsass.exe | GET | 301 | 158.69.67.193:80 | http://www.geoiptool.com/ | CA | html | 184 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2604 | lsass.exe | 158.69.67.193:443 | www.geoiptool.com | OVH SAS | CA | suspicious |
2604 | lsass.exe | 158.69.67.193:80 | www.geoiptool.com | OVH SAS | CA | suspicious |
Domain | IP | Reputation |
---|---|---|
www.geoiptool.com |
| malicious |
geoiptool.com |
| whitelisted |
thexrhostbooter82.no-ip.info |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2604 | lsass.exe | Potential Corporate Privacy Violation | ET POLICY Geo Location IP info online service (geoiptool.com) |
2604 | lsass.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
— | — | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain |