File name: | Payment Advice.ace |
Full analysis: | https://app.any.run/tasks/34ff4a00-c182-4866-9b9a-a2882accbefe |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 05:43:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 0FF37D425095F2FBB669E43F91535220 |
SHA1: | F92DDA7045508AE9C203E51DD7493B46D8DEB411 |
SHA256: | E7CA1DC16DAE0E71455C318E25398FB1DC67FFF3D1082A7299E5BC2E9611F3B3 |
SSDEEP: | 24576:/mFuoSWkQ+MCIOBcgn8PgWepuClnD4o+C6X4XwOA9272KR1VQI3:/+dSWzIIOM4WeQClMo+C6X4Ay72Klv3 |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3144 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Payment Advice.ace" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3804 | "C:\Users\admin\Desktop\Payment Advice.exe" | C:\Users\admin\Desktop\Payment Advice.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM | ||||
3384 | "C:\Users\admin\Desktop\Payment Advice.exe" | C:\Users\admin\Desktop\Payment Advice.exe | explorer.exe | |
User: admin Integrity Level: HIGH | ||||
3544 | "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Payment Advice.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 4294967295 Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
3708 | "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Payment Advice.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Assembly Registration Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3144 | WinRAR.exe | C:\Users\admin\Desktop\Payment Advice.exe | executable | |
MD5:97C0A892DB84257539A3FDA4B791E6AA | SHA256:28E2FC34B4264456223EE38CC007B03DF851C4B262B8A8BE2B4DBC5AED1338B4 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2356 | WerFault.exe | GET | — | 51.143.111.81:80 | http://watson.microsoft.com/StageOne/Payment%20Advice_exe/0_0_0_0/5e81b68e/ntdll_dll/6_1_7601_18247/521ea91c/c0000005/00052d94.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL&MID=3ADE2C42-4AB9-49B7-B142-BE9AEEA69063 | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3708 | RegAsm.exe | 5.250.244.184:587 | mail.dogulumetal.com | Erhan Mahmut trading as Aysima Bilisim Teknolojileri Erhan Mahmut | TR | malicious |
2356 | WerFault.exe | 51.143.111.81:80 | watson.microsoft.com | Microsoft Corporation | US | suspicious |
Domain | IP | Reputation |
---|---|---|
watson.microsoft.com |
| whitelisted |
mail.dogulumetal.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3708 | RegAsm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |