File name: | updatekas.zip |
Full analysis: | https://app.any.run/tasks/46394b76-fe32-41aa-9749-0e4d039b3bd3 |
Verdict: | Malicious activity |
Analysis date: | July 07, 2021, 14:40:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 1E4F6FEA32E12EA5806D9C08976A6D2A |
SHA1: | 09434BA2C13250B4CA61E863E3AF714F1015DFE4 |
SHA256: | E601C1D200BE641F1384C80B3D280C5A907947AAC067B3737B671E214374382F |
SSDEEP: | 6144:4Xn7hl6tHfTlSvPGuZI5GErHE0InQKCj6fpHLIT1aXi18/:g1ATwOm25VIMepH0JfC |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Deflated |
ZipModifyDate: | 2021:07:07 19:49:15 |
ZipCRC: | 0xf45366fd |
ZipCompressedSize: | 234104 |
ZipUncompressedSize: | 262144 |
ZipFileName: | updatekas.exe |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3692 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\updatekas.zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
2932 | "C:\Users\admin\Desktop\updatekas.exe" | C:\Users\admin\Desktop\updatekas.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: HIGH Description: This is production version Version: 1.1.39 Modules
|
(PID) Process: | (3692) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3692) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3692) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3692) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | @C:\Windows\system32\NetworkExplorer.dll,-1 |
Value: Network | |||
(PID) Process: | (3692) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (3692) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\updatekas.zip | |||
(PID) Process: | (3692) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3692) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3692) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3692) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3692 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3692.19671\updatekas.exe | executable | |
MD5:DFC25E0EA7429AF7713993BA8B849325 | SHA256:03B842F01C0FCFFE65528C0CDA2B41426A01F1E005DA63BDAE4CE96AA0469A76 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | — | — | whitelisted |
— | — | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | binary | 9.91 Kb | whitelisted |
— | — | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | binary | 11.2 Kb | whitelisted |
— | — | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/YGkwa4MXjfWSuERyWQYP_A_4/aapLKTSZ439A-0g3nqJr3Q | US | binary | 11.2 Kb | whitelisted |
— | — | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | binary | 5.77 Kb | whitelisted |
— | — | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/AIQWwBRSWwfx2JCxD0aw30k_2657/I-4-aBwqaCFG5rMUT0QDpg | US | crx | 18.6 Kb | whitelisted |
— | — | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | binary | 7.10 Kb | whitelisted |
— | — | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/Pu4v-tN-kWF2q40ZuKM9Sg_9.28.0/AJF3c7ikkTZsKlD4Mc2H2vA | US | binary | 9.91 Kb | whitelisted |
— | — | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | crx | 242 Kb | whitelisted |
— | — | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTQ3QUFYQzF5VF9DcWNsa0ZkMGdTQmdvQQ/1.0.0.8_llkgjffcdpffmhiakmfcdcblohccpfmo.crx | US | crx | 2.85 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 142.250.185.131:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
— | — | 142.250.181.228:443 | www.google.com | Google Inc. | US | whitelisted |
— | — | 142.250.184.202:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
— | — | 142.250.186.163:443 | www.gstatic.com | Google Inc. | US | whitelisted |
— | — | 142.250.185.109:443 | accounts.google.com | Google Inc. | US | suspicious |
— | — | 216.58.212.174:443 | ogs.google.com | Google Inc. | US | whitelisted |
— | — | 216.58.212.142:443 | apis.google.com | Google Inc. | US | whitelisted |
— | — | 142.250.184.206:443 | clients2.google.com | Google Inc. | US | whitelisted |
— | — | 142.250.74.195:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
— | — | 142.250.186.110:443 | encrypted-tbn0.gstatic.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
clientservices.googleapis.com |
| whitelisted |
www.google.com |
| whitelisted |
accounts.google.com |
| shared |
clients2.google.com |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
fonts.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
ogs.google.com |
| whitelisted |
update.googleapis.com |
| whitelisted |
Process | Message |
---|---|
updatekas.exe | OWQkNSJRVWfjjAfhyvYaEWaKXZmvsleHiKWmYp |
updatekas.exe | LRsVtoOcLkJkMcJOHHlSdBocgEomDVQYYQUuHfIQKasHrZDTwVfyUZjJSFJAF |
updatekas.exe | lPwsCGQOdTMYSqUTehbJRACLDnhtLLJLwXcZlEmipMGokeFHeBTAYegk |
updatekas.exe | kiAKYFqrMpXStSoIWqmIrPfYpSeHSNoblIJwvw |
updatekas.exe | ETsVwMBMueBXYRbizkwEmBbxWcqbMZYjDcGqLNhlBzznEuCjgOkqAn |
updatekas.exe | dAIVZpVLZZGrFERXNStmMBfzWXPQaoktxaqyLrfwCHcnQDqYxdgyDekUCa |
updatekas.exe | gswTMwiyFCuQhkuyBXXRYuJLyWJnGBuYC |
updatekas.exe | AqrcdIficuEgYfKwqZRztGJTVoJjKucdasAelyHKguz |
updatekas.exe | mUQpqlFBUUfVyLzmtwTmSuzTEAoydiNCMFDTbiwzKfQ |
updatekas.exe | qperDYDoykBvEJfdVqHHJXCIjKsAjqc |