File name: 8420e_Original Shipping Documents____.gh.docx

Full analysis: https://app.any.run/tasks/eb5bdb8b-9437-4251-87e6-e6946a0235ac
Verdict: Malicious activity
Analysis date: March 31, 2020, 08:28:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 8420E267FA21BD712944BF6BBC21141C
SHA1: 36452B27E226A23858C805AD40ED8D0304CEF0FC
SHA256: 2AC0CBCDB11FE8F2D6D8B24CEB739EA67E79F97445746AC4824A713E8CBF09E9
SSDEEP: 12288:3rUJ6QsaBEW4cvdydRTXNiJ5N/mnHdXd78qcePLmqwMVEuwUA+B7n3:bBF6EW7vcYp/mnHdd7kGRzBA+l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Original Shipping Documents.exe (PID: 1544)
      • Original Shipping Documents.exe (PID: 660)
      • Original Shipping Documents.exe (PID: 3580)
    • Actions look like stealing of personal data
      • Original Shipping Documents.exe (PID: 1544)
    • Changes settings of System certificates
      • Original Shipping Documents.exe (PID: 1544)
  • SUSPICIOUS
    • Application launched itself
      • Original Shipping Documents.exe (PID: 3580)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2896)
    • Connects to SMTP port
      • Original Shipping Documents.exe (PID: 1544)
    • Adds / modifies Windows certificates
      • Original Shipping Documents.exe (PID: 1544)
  • INFO
    • Reads settings of System Certificates
      • Original Shipping Documents.exe (PID: 1544)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF
ZIP
ZipFileName: Original Shipping Documents.exe
ZipUncompressedSize: 993280
ZipCompressedSize: 587829
ZipCRC: 0xdd45a4cf
ZipModifyDate: 2020:03:30 19:31:22
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
Total processes: 37
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Process information

PID 2896
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\8420e_Original Shipping Documents____.gh.docx.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 3580
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.20275\Original Shipping Documents.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.20275\Original Shipping Documents.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 1544
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.20275\Original Shipping Documents.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.20275\Original Shipping Documents.exe
  Parent process: Original Shipping Documents.exe
  User: admin
  Integrity Level: MEDIUM

PID 660
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.20275\Original Shipping Documents.exe" 2 1544 10922781
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.20275\Original Shipping Documents.exe
  Parent process: Original Shipping Documents.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 4294967295
Total events: 4046
Read events: 490
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 2896, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.20275\Original Shipping Documents.exe
  Type: executable
  MD5: 53CCC490B4266F593881C077F5286733
  SHA256: 62C31F957A8E7358D7E63791C17ED333C9E7863341AAB98EBF82CAB1545344E7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests: No HTTP requests

Connections

PID 1544, Original Shipping Documents.exe
  IP: 77.88.21.158:587
  Domain: smtp.yandex.com
  ASN: YANDEX LLC
  CN: RU
  Reputation: whitelisted

DNS requests

Domain: smtp.yandex.com
  IP: 77.88.21.158
  Reputation: shared

Threats

PID 1544, Original Shipping Documents.exe
  Class: Generic Protocol Command Decode
  Message: SURICATA Applayer Detect protocol only one direction
No debug info