| Field | Value |
|---|---|
| File name | video_785.zip |
| Full analysis | https://app.any.run/tasks/8583e5af-28af-4c70-9d44-bb36e44a1478 |
| Verdict | Malicious activity |
| Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date | November 15, 2018, 03:52:08 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | CADD402BC7075CF34B00D4A85033FE25 |
| SHA1 | 660104B0E443AC6A1EDE62A9D59E673841C83A73 |
| SHA256 | F79A3EF929FB4AEBFECAD8EE8E014FA25413DE28F46214114B9BCE217EC81B32 |
| SSDEEP | 6144:D3HpWpVUoeA2rTEMDXFkCsGQNI08EbaaZo4UjyxG7GNCr3Co04AUEeN2rDk43:AlesMDeCsLNP8EbJo4UuSGMPrl92rDf |
| .zip | ZIP compressed archive (100) |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | - |
| ZipCompression | Deflated |
| ZipModifyDate | 2017:12:19 06:22:26 |
| ZipCRC | 0x5bc1f23d |
| ZipCompressedSize | 483914 |
| ZipUncompressedSize | 974336 |
| ZipFileName | Video.5682770.mp4.exe |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3176 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\video_785.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 3204 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3176.45758\Video.5682770.mp4.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3176.45758\Video.5682770.mp4.exe | | WinRAR.exe | User: admin; Integrity Level: MEDIUM |
| 3944 | "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 | C:\Windows\system32\rundll32.exe | — | Video.5682770.mp4.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2496 | "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 | C:\Windows\system32\rundll32.exe | — | Video.5682770.mp4.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3684 | C:\Users\admin\AppData\Roaming\admin\7za.exe e files.7z -aoa -p6H5d75Z8QwgEeQyU | C:\Users\admin\AppData\Roaming\admin\7za.exe | | Video.5682770.mp4.exe | User: admin; Company: Igor Pavlov; Integrity Level: MEDIUM; Description: 7-Zip Standalone Console; Exit code: 0; Version: 17.01 beta |
| 588 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --enable-automation --disable-infobars --load-extension=C:\Users\admin\AppData\Roaming\admin | C:\Program Files\Google\Chrome\Application\chrome.exe | | Video.5682770.mp4.exe | User: admin; Company: Google Inc.; Integrity Level: MEDIUM; Description: Google Chrome; Version: 68.0.3440.106 |
| 3808 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6eb400b0,0x6eb400c0,0x6eb400cc | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google Inc.; Integrity Level: MEDIUM; Description: Google Chrome; Version: 68.0.3440.106 |
| 2904 | C:\Users\admin\AppData\Roaming\admin\worker.exe | C:\Users\admin\AppData\Roaming\admin\worker.exe | | Video.5682770.mp4.exe | User: admin; Company: www.xmrig.com; Integrity Level: MEDIUM; Description: XMRig CPU miner; Version: 2.8.3 |
| 2840 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2964 --on-initialized-event-handle=296 --parent-handle=300 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google Inc.; Integrity Level: MEDIUM; Description: Google Chrome; Version: 68.0.3440.106 |
| 2700 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=880,2613070851812258193,11392223958177617259,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=C5968B943597BB95B04425F33D230C9F --mojo-platform-channel-handle=824 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google Inc.; Integrity Level: LOW; Description: Google Chrome; Version: 68.0.3440.106 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 588 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old | — | — | — |
| 588 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old | — | — | — |
| 588 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old~RF16decc.TMP | — | — | — |
| 3684 | 7za.exe | C:\Users\admin\AppData\Roaming\admin\config.json | text | A6B9ED28D3D867C05DE2E35B03FA7EB6 | D46A36C3E9D647B0EC8A9BF815E8B45006E33AEA6EE05CDAF1040D46BAD05002 |
| 3176 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3176.45758\Video.5682770.mp4.exe | executable | 0787B691796F0C10597ABD8281F7C094 | 75C8216585D7C1193C672CC8144A63A6409B2AE1E53EE68A1DAA32221D644282 |
| 588 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\d90ecd4a-a293-46a6-b161-0ab695962b8e.tmp | — | — | — |
| 3684 | 7za.exe | C:\Users\admin\AppData\Roaming\admin\background.js | text | 10FE6915E362F3D9DF1FFA2699A0C8CE | 25FA71421D6F2286DAF167990920C9C0A01E59F8BE5370C9E739FC290DCEA27F |
| 3684 | 7za.exe | C:\Users\admin\AppData\Roaming\admin\worker.exe | executable | B629BBB9ABBE1F8C94D3F6ADA44D1432 | 586B81E455ED0AA7623507B0307BA34AFDC2FF3494A822CBF1FCC0C1A86AC974 |
| 3204 | Video.5682770.mp4.exe | C:\Users\admin\AppData\Roaming\admin\files.7z | compressed | EA08425D17DAD2136F22C1B43733BD73 | 69295599802D8728FB2CD441647B9C0D303A0967E1B0EA2BB633FCDDE8033362 |
| 588 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | text | CF5F48F4C30F262B4DD300675972A298 | D393DC51038DD06C92A915B97132F7B5F20F26AB264C299C8D85A0CA8FF65832 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
588 | chrome.exe | GET | 200 | 159.89.28.40:80 | http://plugin.odure.ecaha.bid/config | US | text | 657 b | malicious |
588 | chrome.exe | GET | 200 | 159.89.28.40:80 | http://plugin.odure.ecaha.bid/check | US | text | 22 b | malicious |
3204 | Video.5682770.mp4.exe | GET | 200 | 159.89.28.40:80 | http://yumuy.johet.bid/api/cherry/login.php | US | — | — | malicious |
3204 | Video.5682770.mp4.exe | GET | 200 | 159.89.28.40:80 | http://yumuy.johet.bid/api/cherry/files.7z | US | compressed | 1.38 Mb | malicious |
3204 | Video.5682770.mp4.exe | GET | 200 | 159.89.28.40:80 | http://yumuy.johet.bid/api/cherry/7za.exe | US | executable | 674 Kb | malicious |
588 | chrome.exe | GET | 200 | 159.89.28.40:80 | http://plugin.odure.ecaha.bid/bgifgdxe | US | text | 353 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2904 | worker.exe | 37.187.163.200:3333 | pool.monero.hashvault.pro | OVH SAS | FR | suspicious |
588 | chrome.exe | 216.58.206.3:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
3204 | Video.5682770.mp4.exe | 159.89.28.40:80 | yumuy.johet.bid | — | US | suspicious |
588 | chrome.exe | 216.58.206.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
588 | chrome.exe | 172.217.18.3:443 | www.google.de | Google Inc. | US | whitelisted |
588 | chrome.exe | 216.58.206.13:443 | accounts.google.com | Google Inc. | US | whitelisted |
588 | chrome.exe | 159.89.28.40:80 | yumuy.johet.bid | — | US | suspicious |
588 | chrome.exe | 172.217.18.170:443 | www.googleapis.com | Google Inc. | US | whitelisted |
588 | chrome.exe | 216.58.206.4:443 | www.google.com | Google Inc. | US | whitelisted |
588 | chrome.exe | 216.58.206.14:443 | apis.google.com | Google Inc. | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| yumuy.johet.bid | | malicious |
| pool.monero.hashvault.pro | | malicious |
| clientservices.googleapis.com | | whitelisted |
| safebrowsing.googleapis.com | | whitelisted |
| www.google.de | | whitelisted |
| www.gstatic.com | | whitelisted |
| www.googleapis.com | | whitelisted |
| accounts.google.com | | shared |
| www.google.com | | whitelisted |
| plugin.odure.ecaha.bid | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3204 | Video.5682770.mp4.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile |
3204 | Video.5682770.mp4.exe | A Network Trojan was detected | ET INFO AutoIt User Agent Downloading EXE |
3204 | Video.5682770.mp4.exe | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
3204 | Video.5682770.mp4.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2904 | worker.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
2904 | worker.exe | Misc activity | SUSPICIOUS [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login |
2904 | worker.exe | Misc activity | SUSPICIOUS [PTsecurity] Riskware/CoinMiner JSON_RPC Response |
2904 | worker.exe | Misc activity | SUSPICIOUS [PTsecurity] CoinMiner CryptoNight algo JSON_RPC server Response |
2904 | worker.exe | Misc activity | SUSPICIOUS [PTsecurity] Riskware/CoinMiner JSON_RPC Response |
2904 | worker.exe | Misc activity | SUSPICIOUS [PTsecurity] CoinMiner CryptoNight algo JSON_RPC server Response |