File name:	request.zip
Full analysis:	https://app.any.run/tasks/54e86f04-e5b5-48d2-947a-79cb5e598fe1
Verdict:	Malicious activity
Threats:	Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	October 16, 2020, 15:12:25
OS:	Windows 10 Professional (build: 16299, 64 bit)
Tags:	trojan
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	8BD7CB4BC870478DF5445FE268D113EC
SHA1:	265DB6D60C6AF85F33AEFB02C608D04CC45E850B
SHA256:	0044C5D9921EC5081F157ECC0EBDB5C47B9E67B0C0755C5B3F7E0FB221EE3CA3
SSDEEP:	3072:y7XdWZnh/ELyj7X5qmUiwzLq9aiLn7O9Q2NAOePZw:SXdWl/LnU/3+cBNxePO

ZipRequiredVersion:	20
ZipBitFlag:	0x0009
ZipCompression:	Deflated
ZipModifyDate:	2020:10:16 02:26:23
ZipCRC:	0x49869a14
ZipCompressedSize:	96797
ZipUncompressedSize:	101139
ZipFileName:	decree,010.20.doc


(PID) Process:	(3364) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3364) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3364) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\19e\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3364) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\19e\52C64B7E
Operation:	write	Name:	@C:\WINDOWS\system32\windows.storage.dll,-9216
Value: This PC
(PID) Process:	(3364) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\19e\52C64B7E
Operation:	write	Name:	@windows.storage.dll,-21825
Value: 3D Objects
(PID) Process:	(3364) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\19e\52C64B7E
Operation:	write	Name:	@C:\WINDOWS\system32\windows.storage.dll,-50691
Value: Libraries
(PID) Process:	(3364) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\19e\52C64B7E
Operation:	write	Name:	@C:\WINDOWS\system32\NetworkExplorer.dll,-1
Value: Network
(PID) Process:	(3364) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\request.zip
(PID) Process:	(3364) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3364) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80

PID	Process	Filename		Type
640	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A1FEDU2BYDWIJ1DO4K2H.temp		—
		MD5:—	SHA256:—
640	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\.ses		text
		MD5:—	SHA256:—
640	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:—	SHA256:—
640	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\Rar$DIb3364.410\~$cree,010.20.doc		pgc
		MD5:—	SHA256:—
640	WINWORD.EXE	C:\programdata\fidiI.txt		xml
		MD5:—	SHA256:—
640	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms		binary
		MD5:E4A1661C2C886EBB688DEC494532431C	SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
3364	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIb3364.410\decree,010.20.doc		document
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
640	WINWORD.EXE	GET	404	185.98.87.81:80	http://go5bln3.com/muty/sohaq.php?l=tali7.cab	RU	xml	345 b	malicious
640	WINWORD.EXE	GET	404	13.107.42.23:443	https://config.edge.skype.com/config/v2/Office/word/16.0.12026.20264/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.12026.20264&MsoVersion=16.0.12026.20194&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7bFFCF4442-CFCE-4AE2-8A6A-071FBF35FAB3%7d&LabMachine=false	US	xml	345 b	malicious
640	WINWORD.EXE	POST	404	52.114.74.43:443	https://self.events.data.microsoft.com/OneCollector/1.0/	NL	xml	345 b	whitelisted

Domain	IP	Reputation
config.edge.skype.com	13.107.42.23	malicious
go5bln3.com	185.98.87.81	malicious
self.events.data.microsoft.com	52.114.74.43	whitelisted

Process	Message
WINWORD.EXE	2020-10-16 15:13:28.601 T#3688 <E> [MATSDK] HTTP request WI-1 failed after 362 ms, events were rejected by the server (404) and will be all dropped
WINWORD.EXE	2020-10-16 15:13:28.601 T#3688 <E> [MATSDK] Http response JSON parsing failed

General Info

request.zip

8BD7CB4BC870478DF5445FE268D113EC

265DB6D60C6AF85F33AEFB02C608D04CC45E850B

0044C5D9921EC5081F157ECC0EBDB5C47B9E67B0C0755C5B3F7E0FB221EE3CA3

3072:y7XdWZnh/ELyj7X5qmUiwzLq9aiLn7O9Q2NAOePZw:SXdWl/LnU/3+cBNxePO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

Unusual execution from Microsoft Office

SUSPICIOUS

Creates files in the program directory

Starts Microsoft Office Application

INFO

Reads the software policy settings

Creates files in the user directory

Scans artifacts that could help determine the target

Reads Microsoft Office registry keys

Reads Environment values

Reads the machine GUID from the registry

Reads settings of System Certificates

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings