analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Cornavirus.zip

Full analysis: https://app.any.run/tasks/8dfba419-38c1-43dd-b2ff-0ccf3455b739
Verdict: Malicious activity
Analysis date: March 31, 2020, 09:16:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
maldoc-5
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

75DD170F07A225480AF9147923336521

SHA1:

687F96CA341D8CDF5D122B163276B32C66AF3245

SHA256:

2D5368FE9567C1F4581B43119BF8FC3A06D75C51F4A29E0D6EBDF8F9C619DF36

SSDEEP:

384:E1mjctfz7jcbLaq1AA+IbmqnGPtycFd1bugx56dXWLDACEq34pbDOm2ToW+Xyer:EUGfzMXn2XqGPt1/cdGLDACES4FD+TEX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops known malicious document

      • WinRAR.exe (PID: 2644)

    • Executes PowerShell scripts

      • EXCEL.EXE (PID: 3724)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3724)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 2644)

    • Creates files in the user directory

      • powershell.exe (PID: 2956)

  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 3724)

    • Manual execution by user

      • EXCEL.EXE (PID: 3724)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2020:03:31 11:15:26
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Cornavirus/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
9
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs cmd.exe no specs tzutil.exe no specs certutil.exe no specs regedit.exe no specs regedit.exe no specs regedit.exe excel.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2644"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Cornavirus.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3620cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa2644.2512\Italiano.bat" "C:\Windows\system32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3472tzutil /s "W. Europe Standard Time"C:\Windows\system32\tzutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Time Zone Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2724certutil /decode "C:\Users\admin\AppData\Local\Temp\b64" "C:\Users\admin\AppData\Local\Temp\decoded" C:\Windows\system32\certutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2908regedit.exe /s "C:\Users\admin\AppData\Local\Temp\decoded"C:\Windows\regedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2340"C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded"C:\Windows\regedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
816"C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded"C:\Windows\regedit.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3724"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2956powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 507
Read events
1 260
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
7
Unknown types
5

Dropped files

PID
Process
Filename
Type
3724EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRC30A.tmp.cvr
MD5:
SHA256:
2956powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FX6S14DZXTGL9FOP8F3N.temp
MD5:
SHA256:
3724EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF9E8958CE93B3726E.TMP
MD5:
SHA256:
3724EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9A6D0E53.emf
MD5:
SHA256:
3724EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B159CC38.emf
MD5:
SHA256:
2644WinRAR.exeC:\Users\admin\Desktop\FT30-03-2020-V1-202072995.xlsdocument
MD5:AD7677318E9FF63FA0ACE3AB445D036F
SHA256:F424B6EB3B855C89E4D2329115E1C43B8DA179D40750B7AEE1D192D700610331
2956powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFa6cba5.TMPbinary
MD5:3B712DE36DC1672EC51A90C5EE31744F
SHA256:DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1
3724EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\574BC317.emfemf
MD5:BF712F7CD122F15CB291365FCE01F9FC
SHA256:D058D04DC80FB2A3BC39CB1CFD6F4EF87A1A0027FE32FA0D2381A4C7CF5C1D66
3724EXCEL.EXEC:\Users\admin\AppData\Local\Temp\Excel8.0\MSForms.exdtlb
MD5:62692325EC91B9044ED61FA9EA9EBE44
SHA256:E6D985018C8878A431F4D249A454C0AE475D7F65C0C81810F813726273210893
2724certutil.exeC:\Users\admin\AppData\Local\Temp\decodedtext
MD5:CC4D5700F092115E8867C7DD6372F0C3
SHA256:3CCF035606E304B96E0AA7B17E045A32C8AA8BD9B7CE664DBA4D9BD87784F018
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
powershell.exe
*** Status Originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\ntos\rtl\lblob.cpp, line 1020
powershell.exe
*** Status propagated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 147
powershell.exe
*** Status propagated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 147
powershell.exe
*** Status propagated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 147
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Cornavirus.zip