File name:

8420e_Original Shipping Documents____.gh.docx

Full analysis: https://app.any.run/tasks/eb5bdb8b-9437-4251-87e6-e6946a0235ac
Verdict: Malicious activity
Analysis date: March 31, 2020, 08:28:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

8420E267FA21BD712944BF6BBC21141C

SHA1:

36452B27E226A23858C805AD40ED8D0304CEF0FC

SHA256:

2AC0CBCDB11FE8F2D6D8B24CEB739EA67E79F97445746AC4824A713E8CBF09E9

SSDEEP:

12288:3rUJ6QsaBEW4cvdydRTXNiJ5N/mnHdXd78qcePLmqwMVEuwUA+B7n3:bBF6EW7vcYp/mnHdd7kGRzBA+l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Original Shipping Documents.exe (PID: 3580)
      • Original Shipping Documents.exe (PID: 1544)
      • Original Shipping Documents.exe (PID: 660)

    • Actions looks like stealing of personal data

      • Original Shipping Documents.exe (PID: 1544)

    • Changes settings of System certificates

      • Original Shipping Documents.exe (PID: 1544)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2896)

    • Application launched itself

      • Original Shipping Documents.exe (PID: 3580)

    • Connects to SMTP port

      • Original Shipping Documents.exe (PID: 1544)

    • Adds / modifies Windows certificates

      • Original Shipping Documents.exe (PID: 1544)

  • INFO

    • Reads settings of System Certificates

      • Original Shipping Documents.exe (PID: 1544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:03:30 19:31:22
ZipCRC: 0xdd45a4cf
ZipCompressedSize: 587829
ZipUncompressedSize: 993280
ZipFileName: Original Shipping Documents.exe
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe original shipping documents.exe no specs original shipping documents.exe original shipping documents.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
660"C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.20275\Original Shipping Documents.exe" 2 1544 10922781C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.20275\Original Shipping Documents.exeOriginal Shipping Documents.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2896.20275\original shipping documents.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1544"C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.20275\Original Shipping Documents.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.20275\Original Shipping Documents.exe
Original Shipping Documents.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2896.20275\original shipping documents.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shlwapi.dll
2896"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\8420e_Original Shipping Documents____.gh.docx.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3580"C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.20275\Original Shipping Documents.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2896.20275\Original Shipping Documents.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2896.20275\original shipping documents.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
4 046
Read events
490
Write events
2 370
Delete events
1 186

Modification events

(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2896) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\8420e_Original Shipping Documents____.gh.docx.zip
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2896) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2896WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2896.20275\Original Shipping Documents.exeexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
1

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1544
Original Shipping Documents.exe
77.88.21.158:587
smtp.yandex.com
YANDEX LLC
RU
whitelisted

DNS requests

Domain
IP
Reputation
smtp.yandex.com
  • 77.88.21.158
malicious

Threats

PID
Process
Class
Message
1544
Original Shipping Documents.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
8420e_Original Shipping Documents____.gh.docx