analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

SPAM2.zip

Full analysis: https://app.any.run/tasks/14831d4e-99ee-4764-b395-3a695161c0ee
Verdict: Malicious activity
Analysis date: December 06, 2019, 12:19:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
macros
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

69187989C5D4461D4D6884AC225C1FE5

SHA1:

AF6F5065B14E1C705F04CF8FFE7B9A214671636B

SHA256:

2D6E1783704BDE8119698D2BE7F6221A94047F34BDFCE8BCB3CD6EC2A8FDEA6E

SSDEEP:

98304:VTPS3OTPS3GTPS3gnTPS33TPS3NTPS3cTPS3sTPS3CTPS3TTPS3iTPS3tSTPS36:4lt5uAP/Za5n6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes scripts

      • WINWORD.EXE (PID: 2804)
      • WINWORD.EXE (PID: 2332)
      • WINWORD.EXE (PID: 1508)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2804)
      • WINWORD.EXE (PID: 2332)
      • WINWORD.EXE (PID: 1508)

  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • WScript.exe (PID: 2416)
      • WScript.exe (PID: 312)
      • WScript.exe (PID: 1176)
      • WScript.exe (PID: 2100)

  • INFO

    • Manual execution by user

      • WinRAR.exe (PID: 2712)
      • WINWORD.EXE (PID: 2804)
      • WINWORD.EXE (PID: 2332)
      • WINWORD.EXE (PID: 1508)
      • Notepad.exe (PID: 400)
      • WScript.exe (PID: 2100)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2804)
      • WINWORD.EXE (PID: 2332)
      • WINWORD.EXE (PID: 1508)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2804)
      • WINWORD.EXE (PID: 2332)
      • WINWORD.EXE (PID: 1508)

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 2804)
      • WINWORD.EXE (PID: 2332)
      • WINWORD.EXE (PID: 1508)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:12:06 13:13:10
ZipCRC: 0x8b2d759a
ZipCompressedSize: 375209
ZipUncompressedSize: 664576
ZipFileName: Delivery_Information_10093.doc
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
166
Monitored processes
16
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winrar.exe no specs winword.exe no specs wscript.exe no specs dw20.exe no specs dwwin.exe no specs winword.exe no specs wscript.exe no specs dw20.exe no specs dwwin.exe no specs winword.exe no specs wscript.exe no specs dw20.exe no specs dwwin.exe no specs wscript.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2612"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\SPAM2.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2712"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\SPAM2.zip" C:\Users\admin\Desktop\SPAM2\C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2804"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\SPAM2\Delivery_Information_1032.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
2416"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Word\ATedr\Nerdcv.jse" C:\Windows\System32\WScript.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1700"C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 424C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Application Error Reporting
Exit code:
0
Version:
14.0.4750.1000
1788C:\Windows\system32\dwwin.exe -x -s 424C:\Windows\system32\dwwin.exeDW20.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Watson Client
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2332"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\SPAM2\Delivery_Information_1266.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
312"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Word\ATedr\Nerdcv.jse" C:\Windows\System32\WScript.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2128"C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1076C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Application Error Reporting
Exit code:
0
Version:
14.0.4750.1000
344C:\Windows\system32\dwwin.exe -x -s 1076C:\Windows\system32\dwwin.exeDW20.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Watson Client
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
5 177
Read events
4 087
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
23
Text files
6
Unknown types
20

Dropped files

PID
Process
Filename
Type
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRAC98.tmp.cvr
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F790FF89.wmf
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BF9F537F.wmf
MD5:
SHA256:
2712WinRAR.exeC:\Users\admin\Desktop\SPAM2\Delivery_Information_1032.docdocument
MD5:F7D7916B0C6F8CAA101C22B37A59F321
SHA256:465DA878316E41D01AC2F33B596535D45FBC617BED58ED44935F6EACBA533D26
2804WINWORD.EXEC:\Users\admin\Desktop\SPAM2\~WRD0000.tmp
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF77C5319DAE46F780.TMP
MD5:
SHA256:
2712WinRAR.exeC:\Users\admin\Desktop\SPAM2\Delivery_Information_1266.docdocument
MD5:577F122A9ADCD6D84430E629D0432BC4
SHA256:E4A493E7DF93E850A5C0838CD0B1F7CDBAEE6D65556A1275937AAE5C212558F8
2712WinRAR.exeC:\Users\admin\Desktop\SPAM2\Delivery_Information_11316.docdocument
MD5:70008CE3BEA7F1305197DAFB9B181F48
SHA256:6DCE68BFC0B6078BB3047C1D6BBF4AF2942CE9E5478D496BBD166E626C9A4815
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFFF0A77A0CF72E235.TMP
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF456D24747B769890.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
192
mscorsvw.exe
GET
200
8.248.123.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4cc838c554051176
US
compressed
6.73 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192
mscorsvw.exe
8.248.123.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 8.248.123.254
  • 8.248.119.254
  • 8.248.127.254
  • 8.248.115.254
  • 8.248.131.254
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
SPAM2.zip