File name: 31a64261fcf59f1d93eb5662ff68eabc57eae1cbf26344c5eddeffc9c096d9cb.zip
Full analysis: https://app.any.run/tasks/ffb27502-fe95-4f8d-a68e-24f7822f86f8
Verdict: Malicious activity
Analysis date: January 24, 2022, 16:41:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: DC08C67E8A986F1396BB979D710C8B72
SHA1: CE4A6E8DA6EC91F5B01D08AA1C169462B609CF68
SHA256: 2CDB2A0B0FC17209A9C1607189B2994186E7E0A25AACF2DDFE22429F3DB6C525
SSDEEP: 3072:MIH3jjBYm8yZ8cz28QhUtNIy+CC9OUZOZBxv:LXBnZ8czrQoiy+3MFv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 3764)
    • Registers / Runs the DLL via REGSVR32.EXE
      • EXCEL.EXE (PID: 3764)
  • SUSPICIOUS
    • Checks supported languages
      • WinRAR.exe (PID: 2872)
      • WinRAR.exe (PID: 1256)
    • Reads the computer name
      • WinRAR.exe (PID: 2872)
      • WinRAR.exe (PID: 1256)
  • INFO
    • Manual execution by user
      • WinRAR.exe (PID: 2872)
      • EXCEL.EXE (PID: 3764)
      • notepad.exe (PID: 3452)
    • Reads the computer name
      • EXCEL.EXE (PID: 3764)
    • Checks supported languages
      • EXCEL.EXE (PID: 3764)
      • regsvr32.exe (PID: 700)
      • regsvr32.exe (PID: 3496)
      • regsvr32.exe (PID: 2316)
      • notepad.exe (PID: 3452)
    • Creates files in the user directory
      • EXCEL.EXE (PID: 3764)
    • Checks Windows Trust Settings
      • EXCEL.EXE (PID: 3764)
    • Reads settings of System Certificates
      • EXCEL.EXE (PID: 3764)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 3764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2022:01:24 16:27:16
ZipCRC: 0x75e8cdb3
ZipCompressedSize: 119611
ZipUncompressedSize: 119554
ZipFileName: uuirsimpcs-ieentia-ucbpeootretbahlvipxatrcoe.zip
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in graph: winrar.exe, winrar.exe, excel.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe, notepad.exe

Process information

PID: 1256
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\31a64261fcf59f1d93eb5662ff68eabc57eae1cbf26344c5eddeffc9c096d9cb.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 2872
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\uuirsimpcs-ieentia-ucbpeootretbahlvipxatrcoe.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 3764
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID: 700
CMD: regsvr32 C:\Busta\teva.ocx
Path: C:\Windows\system32\regsvr32.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2316
CMD: regsvr32 C:\Busta\tevc.ocx
Path: C:\Windows\system32\regsvr32.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 3
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3496
CMD: regsvr32 C:\Busta\tevd.ocx
Path: C:\Windows\system32\regsvr32.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3452
CMD: "C:\Windows\system32\notepad.exe"
Path: C:\Windows\system32\notepad.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 7 437
Read events: 7 299
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 7
Text files: 1
Unknown types: 5

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3764 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRB1CA.tmp.cvr | | |
3764 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary | 86E0813AB6B1CD1D86BE925655E2F626 | 72E28ADC6DB19B8B94E17B0EFBB17CAB0D929A5CD134866AF62941E3A88621D3
2872 | WinRAR.exe | C:\Users\admin\Desktop\THYH-1148073298.xlsb | document | 109208FD2182E558B050AADD5CCA35C3 | 79A379F9FE8658371EA35E1254B070466F4C71FEB72D105EB7D4B8179C460335
1256 | WinRAR.exe | C:\Users\admin\Desktop\uuirsimpcs-ieentia-ucbpeootretbahlvipxatrcoe.zip | compressed | 7BE03A8A0EE850CB81DA5E6D8738CD2F | 31A64261FCF59F1D93EB5662FF68EABC57EAE1CBF26344C5EDDEFFC9C096D9CB
3764 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | DEB41FDE685B677627189445D54D518C | 2EA7CF05DE3E1393EE4F6FD7BD4BFE02355F5C19C2CE8AA2FA45773704DA0600
3764 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\377E6729DE07B96E9E4BCADBF4AF95C4 | binary | 5AEF07A43C24BAF7C45ACCFBD1CEC6DB | F906C250EF261E16E847C78448A04C92B3BBA3D5072726358FFCE967A7F0F79A
3764 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | der | 54E9306F95F32E50CCD58AF19753D929 | 45F94DCEB18A8F738A26DA09CE4558995A4FE02B971882E8116FC9B59813BB72
3764 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\THYH-1148073298.xlsb.LNK | lnk | 74BFB29CD09014E2917940993D513113 | F574CEEBC029A6C99B9D0C09F5FBD8FD328F37AD958C5F2A638BA2B66B1B1F4A
3764 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0A419DBBA361754D896A8615DC53C0F | der | EC11942305108981AD0A00B38B24CF7B | 02A0611CAA48E162DBA95E2E07FFD1BF847CC03A4B825A17359D1C3526F47BC2
3764 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | BD6C7BA40F4F12194C79863518F9161B | B2E82365DD785C634E4082A8ADD8A9BAE6DFB76A03B0B10E6DEBE93635DF59D7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 6
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3764 | EXCEL.EXE | GET | 200 | 23.72.17.56:80 | http://x1.c.lencr.org/ | US | der | 717 b | whitelisted
3764 | EXCEL.EXE | GET | 200 | 104.123.50.96:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSDX2OTu2fH9YvZC%2FO%2BSv8n2A%3D%3D | US | der | 503 b | shared
3764 | EXCEL.EXE | GET | 200 | 104.123.50.96:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgPSYN4i4BqqFZgzp5reUehpbg%3D%3D | US | der | 503 b | shared
3764 | EXCEL.EXE | GET | 200 | 13.107.4.50:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ed1be0439e5f8c30 | US | compressed | 4.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3764 | EXCEL.EXE | 23.72.17.56:80 | x1.c.lencr.org | Akamai International B.V. | US | unknown
3764 | EXCEL.EXE | 192.185.141.13:443 | pakunolaschool.com | CyrusOne LLC | US | unknown
3764 | EXCEL.EXE | 104.123.50.96:80 | r3.o.lencr.org | Akamai Technologies, Inc. | US | suspicious
3764 | EXCEL.EXE | 13.107.4.50:80 | ctldl.windowsupdate.com | Microsoft Corporation | US | whitelisted
3764 | EXCEL.EXE | 50.87.253.11:443 | elimatlacomulco.com | Unified Layer | US | suspicious

DNS requests

Domain | IP | Reputation
pakunolaschool.com | 192.185.141.13 | unknown
ctldl.windowsupdate.com | 13.107.4.50 | whitelisted
x1.c.lencr.org | 23.72.17.56 | whitelisted
r3.o.lencr.org | 104.123.50.96 | shared
elimatlacomulco.com | 50.87.253.11 | unknown
keltexfinancial.com | | unknown
dns.msftncsi.com | 131.107.255.255 | shared

Threats

No threats detected
No debug info