File name: scandoc.rar
Full analysis: https://app.any.run/tasks/d3ae3a44-8b55-47b7-bf83-60925dcd1e7f
Verdict: Malicious activity
Analysis date: December 06, 2018, 16:56:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 63F8B148B240503F8A7B93A83DDDC04B
SHA1: 8A11A2D727695A9FDFC8B19A84D3E60066EBB84F
SHA256: 1232402BEF625DC8328ECE768E9943667389AED97207CF24F5215FE88B5F88EC
SSDEEP: 1536:01jMMIu/7LPqqvQ7fh+FTB9dYsnEguWz79ALasPmQEhW5xf7nzGMO:qMcDLiqIl+F7GWfaLasedwjf/Gd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 3148)
    • Starts CMD.EXE for command execution
      • WINWORD.EXE (PID: 3148)
  • SUSPICIOUS
    • Starts Microsoft Office application
      • WinRAR.exe (PID: 2960)
    • Executable content was dropped or overwritten
      • Rar.exe (PID: 3080)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3148)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3148)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes: start, winrar.exe (no specs), winword.exe (no specs), cmd.exe (no specs), rar.exe, rar.exe (no specs)

Process information

PID: 2960
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\scandoc.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3148
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa2960.41029\Scan0033.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 1376
CMD: C:\WINDOWS\system32\cmd.exe /c set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR; && cd /d %~dp0 & rar.exe e -o+ -r -inul *.rar scan032.jpg & rar.exe e -o+ -r -inul scan032.jpg backup.exe & backup.exe
Path: C:\WINDOWS\system32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3080
CMD: rar.exe e -o+ -r -inul *.rar scan032.jpg
Path: C:\Program Files\WinRAR\Rar.exe
Parent process: cmd.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: Command line RAR
Exit code: 0
Version: 5.60.0

PID: 3048
CMD: rar.exe e -o+ -r -inul scan032.jpg backup.exe
Path: C:\Program Files\WinRAR\Rar.exe
Parent process: cmd.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: Command line RAR
Exit code: 10
Version: 5.60.0

Total events: 1 316
Read events: 1 256
Write events: 0
Delete events: 0
Total events
1 316
Read events
1 256
Write events
0
Delete events
0

Modification events

No data
Executable files: 1
Suspicious files: 1
Text files: 0
Unknown types: 33

Dropped files

PID: 3148
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRB876.tmp.cvr
MD5:
SHA256:

PID: 3148
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C053A636.png
MD5:
SHA256:

PID: 3148
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9BE59C25.wmf
MD5:
SHA256:

PID: 3148
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Word8.0\ShockwaveFlashObjects.exd
Type: tlb
MD5: C2C137E3AD64C7F344F08A6244660A45
SHA256: 3EE314B690C8FB434B1B721129601BD1692C3716F2C091E5A101BFF988176C08

PID: 3148
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa2960.41029\~$an0033.doc
Type: pgc
MD5: F0AD17770887BC1832DCD8FE633C98F8
SHA256: 23695CABFD94A29FB339F8117A7A659F0729EB296E1EF6900FFFD598517660DE

PID: 2960
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa2960.41029\Scan0033.doc
Type: document
MD5: BFC05909537F5522EB2AA2FAC4DF5836
SHA256: 9C6FBE25429D177FCAC4CB53F85DACC58D84A618E3BDDD1181CD0E604CB522CE

PID: 3148
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 35E1E8E39A24BFB966DB6952B4C32D8E
SHA256: A4C2008762CB30A5D71A151542D32E07222C58F84F67EFC2D6B628B269EA0BB9

PID: 3148
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
Type: sol
MD5: A6A3011D711FB7A838A88BA29C80679E
SHA256: B394504D9300AD8C900BA53D70275F08FCC34C7E675FD0FA2A89A37A5D6AD425

PID: 3148
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx
Type: sol
MD5: 0DD3631A4DF7BED11E4B389AC2E95882
SHA256: F06E531C2FEB84B511F7FEED945C13936122AA2A6DCE287776F724398D27394A

PID: 3080
Process: Rar.exe
Filename: C:\Users\admin\AppData\Local\Temp\scan032.jpg
Type: executable
MD5: EFE45B2640D63F4A25C03F0F4D711F11
SHA256: E34F7E6E26F80CA0DBC83A0218B73110FF50939BD2D0A9BF5B6D403C92E59D45
Download PCAP, analyze network streams, HTTP content and a lot more in the full report

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info