File name: | Product list.pdf.gz |
Full analysis: | https://app.any.run/tasks/7a27b3ff-c567-4046-be81-6c63eb23597a |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 01:24:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 5476D7E612541522C4EBBC17654C169B |
SHA1: | 7C11B4E31721F2EF61E85C3E8291281DD8A5A7A3 |
SHA256: | F1CC7BCFCE852A007B51FBDFC19292619461715999C2C619ED91DBAAFA579D7B |
SSDEEP: | 384:zfczVl3LvPOJsSDgq/w48OJmKzaO3RfhqduY5m8hu02nepIXKtkIs4MUivV:zUV1vPusmnQO4eJh6mnv6tkIs4nivV |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1756 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Product list.pdf.gz" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1488 | "C:\Users\admin\Desktop\Product list.pdf.exe" | C:\Users\admin\Desktop\Product list.pdf.exe | — | explorer.exe |
User: admin Company: WONderware Integrity Level: MEDIUM Description: Stiklings Exit code: 0 Version: 1.00 | ||||
608 | "C:\Users\admin\Desktop\Product list.pdf.exe" | C:\Users\admin\Desktop\Product list.pdf.exe | Product list.pdf.exe | |
User: admin Company: WONderware Integrity Level: MEDIUM Description: Stiklings Version: 1.00 |
PID | Process | Filename | Type | |
---|---|---|---|---|
608 | Product list.pdf.exe | C:\Users\admin\AppData\Local\Temp\CabFF1.tmp | — | |
MD5:— | SHA256:— | |||
608 | Product list.pdf.exe | C:\Users\admin\AppData\Local\Temp\TarFF2.tmp | — | |
MD5:— | SHA256:— | |||
1756 | WinRAR.exe | C:\Users\admin\Desktop\Product list.pdf.exe | executable | |
MD5:904984BAD4E1841FC86A010409AEE08C | SHA256:DF48B963C63E8C2F4C2F03B534745CD55ED35BBE0AF13877BE2ED4D82097FD65 | |||
608 | Product list.pdf.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203 | binary | |
MD5:440CA8AACE71D880EBE564B4B42E2619 | SHA256:B775DB6FEE34219DD788DD80F36CF842F64DB38C359D603D2454AC9F8F807B6F | |||
608 | Product list.pdf.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | der | |
MD5:7EDFA95BE4ED2446834630176880B200 | SHA256:72BC58B52F64AB4CEE37C8E60435B66B3944567AF08DBF69DCC93DC0C43EF523 | |||
608 | Product list.pdf.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\0OOJWKXC.txt | text | |
MD5:416FA1FE35BCD1D329BEC092686A4788 | SHA256:229135EB56AF6C7E7BBD71A7BE7E18D6F7F079DBBE609EF32040A0496B5C5496 | |||
608 | Product list.pdf.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | binary | |
MD5:9BC39B5A13239D2E8C298F11B5BD6AC4 | SHA256:44E085A01E82244DDB1018F237BDA5212FD1E2A75EC49FF054A75836FF2529DC | |||
608 | Product list.pdf.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203 | der | |
MD5:B211134DC2B559A0A8FDD5600FCA0662 | SHA256:471E7C400B878CF174F3D1E67CFBFF5B099378A6EAA8E4E5E346E7D6B681981E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
608 | Product list.pdf.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted |
608 | Product list.pdf.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
608 | Product list.pdf.exe | 13.107.42.12:443 | 4apotw.bn.files.1drv.com | Microsoft Corporation | US | suspicious |
608 | Product list.pdf.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
608 | Product list.pdf.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious |
608 | Product list.pdf.exe | 212.227.15.142:587 | smtp.1and1.es | 1&1 Internet SE | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
onedrive.live.com |
| shared |
ocsp.digicert.com |
| whitelisted |
4apotw.bn.files.1drv.com |
| whitelisted |
smtp.1and1.es |
| shared |
PID | Process | Class | Message |
---|---|---|---|
608 | Product list.pdf.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |