| Property | Value |
|---|---|
| File name | N. 490.349 N. 491.189.zip |
| Full analysis | https://app.any.run/tasks/43cee062-8f3a-4a3a-998b-1d24f67d7d3a |
| Verdict | Malicious activity |
| Analysis date | July 12, 2020, 08:13:20 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v1.0 to extract |
| MD5 | 2A245C0245809F4A33B5AAC894070519 |
| SHA1 | C27F2ED5029418C7F786640FB929460B9F931671 |
| SHA256 | FB7E8A99CF8CB30F829DB0794042232ACFE7324722CBEA89BA8B77CE2DCF1CAA |
| SSDEEP | 12288:5swwMW9MrSXLFCwBFzUojVHdSAZ1skrCgU8eq5cIkR9GB9PvBpIwP4NK+RTSFoFA:Hwg+XLtBFzUCVHdIkrCgU85BqGBWk4Nc |
| Property | Value |
|---|---|
| Detected type | .zip: ZIP compressed archive (100) |
| ZipFileName | DOC-2020-05-15T092742.441/ |
| ZipUncompressedSize | 0 |
| ZipCompressedSize | 0 |
| ZipCRC | 0x00000000 |
| ZipModifyDate | 2020:05:18 14:49:00 |
| ZipCompression | None |
| ZipBitFlag | 0 |
| ZipRequiredVersion | 10 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2964 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\N. 490.349 N. 491.189.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe |
| | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 | | | |
| 3040 | "C:\Users\admin\Desktop\DOC-2020-05-15T092742.441\DOC-2020-05-15T092742.441.exe" | C:\Users\admin\Desktop\DOC-2020-05-15T092742.441\DOC-2020-05-15T092742.441.exe | | explorer.exe |
| | User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe Reader 9.0; Version: 9.0.0.2008061200 | | | |
| 2932 | "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\Desktop\DOC-2020-05-15T092742.441\DOC-2020-05-15T092742.441.pdf" | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | DOC-2020-05-15T092742.441.exe |
| | User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe Acrobat Reader DC; Version: 15.7.20033.133275 | | | |
| 2752 | "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --channel=2932.0.637666135 --type=renderer "C:\Users\admin\Desktop\DOC-2020-05-15T092742.441\DOC-2020-05-15T092742.441.pdf" | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe |
| | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe Acrobat Reader DC; Version: 15.7.20033.133275 | | | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3040 | DOC-2020-05-15T092742.441.exe | C:\Users\admin\Desktop\DOC-2020-05-15T092742.441\DOC-2020-05-15T092742.441.pdf | | 92C27C5DE0EF3119D447769750496222 | 2BC7ED201C7AF3E57A20EEC4099E242631734FA37B50FA4BCE194751F497F7C8 |
| 2964 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2964.48513\DOC-2020-05-15T092742.441\DOC-2020-05-15T092742.441.exe | executable | E16DD9FAECA97B4C185426E5672BECBA | C21BFC263890F02763F56B4E9F5CF9113656CF09D7864B53EC2FD2024BDADD60 |
| 3040 | DOC-2020-05-15T092742.441.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\dis[1].gif | html | 7BBBF2015E0575388B4F2DE42065F699 | 5882AB797F622B87B4836F71D7EABEEE4D61AFAF65F6CF4118E5985DE11AE029 |
| 2964 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2964.48513\DOC000(54)\acrord32.dll | executable | F888BB77AF9018A617B8A74D739AC29F | 1F4C6010859130CE9DF006AA169CE1840624DE8DA5FEE845F209C2A7D6B606A8 |
| 2964 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2964.48513\DOC-2020-05-15T092742.441\acrord32.dll | executable | 6060F7DC35C4D43728D5CA5286327C01 | 8A07C265A20279D4B60DA2CC26F2BB041730C90C6D3ECA64A8DD9F4A032D85D3 |
| 2964 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2964.48513\DOC000(54)\DOC000(54).exe | executable | E16DD9FAECA97B4C185426E5672BECBA | C21BFC263890F02763F56B4E9F5CF9113656CF09D7864B53EC2FD2024BDADD60 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3040 | DOC-2020-05-15T092742.441.exe | GET | 200 | 167.88.180.198:80 | http://167.88.180.198/dis.dat | CA | html | 89 b | malicious |
| 3040 | DOC-2020-05-15T092742.441.exe | GET | 404 | 52.7.9.69:443 | https://cloud.acrobat.com/appmeasurement.js | US | text | 66 b | whitelisted |
| 3040 | DOC-2020-05-15T092742.441.exe | GET | 404 | 52.7.9.69:443 | https://cloud.acrobat.com/appmeasurement.js | US | text | 66 b | whitelisted |
| 3040 | DOC-2020-05-15T092742.441.exe | GET | 404 | 52.7.9.69:443 | https://cloud.acrobat.com/appmeasurement.js | US | text | 66 b | whitelisted |
| 3040 | DOC-2020-05-15T092742.441.exe | GET | 404 | 52.7.9.69:443 | https://cloud.acrobat.com/appmeasurement.js | US | text | 66 b | whitelisted |
| 3040 | DOC-2020-05-15T092742.441.exe | GET | 404 | 52.7.9.69:443 | https://cloud.acrobat.com/appmeasurement.js | US | text | 66 b | whitelisted |
| 3040 | DOC-2020-05-15T092742.441.exe | GET | 404 | 52.7.9.69:443 | https://cloud.acrobat.com/appmeasurement.js | US | text | 66 b | whitelisted |
| — | — | GET | 200 | 167.88.180.198:80 | http://167.88.180.198/dis.dat | CA | html | 89 b | malicious |
| 3040 | DOC-2020-05-15T092742.441.exe | GET | 404 | 52.7.9.69:443 | https://cloud.acrobat.com/appmeasurement.js | US | text | 66 b | whitelisted |
| 3040 | DOC-2020-05-15T092742.441.exe | GET | 404 | 52.7.9.69:443 | https://cloud.acrobat.com/appmeasurement.js | US | text | 66 b | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3040 | DOC-2020-05-15T092742.441.exe | 167.88.180.198:80 | — | — | CA | malicious |
| — | — | 167.88.180.198:80 | — | — | CA | malicious |
| — | — | 2.16.177.91:80 | acroipm2.adobe.com | Akamai International B.V. | — | whitelisted |
| — | — | 52.7.9.69:443 | cloud.acrobat.com | Amazon.com, Inc. | US | unknown |
| — | — | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
| — | — | 2.16.177.113:80 | ardownload.adobe.com | Akamai International B.V. | — | suspicious |
| — | — | 34.224.183.8:443 | cloud.acrobat.com | Amazon.com, Inc. | US | unknown |
| — | — | 3.226.128.10:443 | cloud.acrobat.com | — | US | unknown |
| — | — | 34.202.87.85:443 | cloud.acrobat.com | Amazon.com, Inc. | US | unknown |
| — | — | 52.73.1.97:443 | cloud.acrobat.com | Amazon.com, Inc. | US | unknown |
| Domain | IP | Reputation |
|---|---|---|
| cloud.acrobat.com | | whitelisted |
| acroipm2.adobe.com | | whitelisted |
| armmf.adobe.com | | whitelisted |
| ardownload.adobe.com | | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 3040 | DOC-2020-05-15T092742.441.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) |
| 3040 | DOC-2020-05-15T092742.441.exe | A Network Trojan was detected | ET TROJAN Request for Malicious .dat File |
| — | — | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) |
| — | — | A Network Trojan was detected | ET TROJAN Request for Malicious .dat File |