File name: 5648147193724928.zip
Full analysis: https://app.any.run/tasks/65fff154-597a-4252-b2fb-16899aa68548
Verdict: Malicious activity
Analysis date: November 08, 2019, 15:25:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ta505
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 9A7C55C2225143C94BC1051018DD33C1
SHA1: A81400CF09069096FA34996EA2476F0FA84E3D23
SHA256: 2F609229A949BFD7CD2965F07DDBEFC70F4F1AFC7F144AFEDC5B50CBD521F8CE
SSDEEP: 12288:a7sDqV7zz/6LKYJXmKiA+L3cGePTqtsWxfjbpyXCbjijZG:a4Dy22YF8n6LqlLWVjZG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • WINWORD.EXE (PID: 600)
    • Drops known malicious document

      • WINWORD.EXE (PID: 600)
      • WinRAR.exe (PID: 1576)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 600)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Manual execution by user

      • WINWORD.EXE (PID: 600)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 600)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF (ZIP)
ZipFileName: ee0f4b68d75c92a8cdad7e84c41fc7a4698765e3fa1748cab2e9b58f183744e3
ZipUncompressedSize: 870912
ZipCompressedSize: 536788
ZipCRC: 0xaf32f047
ZipModifyDate: 1980:00:00 00:00:00 (an all-zero DOS timestamp; the archive was written without a real modification time)
ZipCompression: Deflated
ZipBitFlag: 0x0009 (bit 0 set: the entry is encrypted, so the payload cannot be inspected without the password; bit 3 set: CRC and sizes live in a trailing data descriptor)
ZipRequiredVersion: 20
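The EXIF block above is nothing more than the ZIP headers decoded, so the same fields can be recovered from any archive with the standard library. The Python below is an added example, not part of the ANY.RUN report or its tooling: it decodes the general-purpose bit flag, renders the DOS timestamp in the same YYYY:MM:DD form, and shows what an encrypted entry (flag 0x0009) does to a reader that has no password. Because the submitted archive is not on the page, the code constructs an in-memory sample with the same compression, flag and timestamp values; Python's zipfile cannot write encrypted entries, so the flag bytes are patched by hand after writing. The entry name, payload and all offsets below are part of that constructed sample.

```python
"""Decode the ZIP header fields a sandbox's EXIF block reports.

Added example, not ANY.RUN code. The archive built here is CONSTRUCTED to mirror
the report's EXIF values (Deflated, ZipBitFlag 0x0009, ZipModifyDate 1980:00:00);
it is not the submitted file, whose contents are not on the page.
"""
import io
import struct
import zipfile

# PKZIP APPNOTE, general-purpose bit flag: the bits an analyst cares about.
FLAG_ENCRYPTED = 0x0001          # bit 0: entry is encrypted (ZipCrypto or AES-wrapped)
FLAG_DATA_DESCRIPTOR = 0x0008    # bit 3: CRC/sizes follow the data; local header holds zeros
FLAG_STRONG_ENCRYPTION = 0x0040  # bit 6
FLAG_UTF8_NAMES = 0x0800         # bit 11

COMPRESSION_NAMES = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA", 99: "AES"}


def decode_bit_flag(flag: int) -> dict:
    """Split the 16-bit general-purpose flag into named booleans."""
    return {
        "encrypted": bool(flag & FLAG_ENCRYPTED),
        "data_descriptor": bool(flag & FLAG_DATA_DESCRIPTOR),
        "strong_encryption": bool(flag & FLAG_STRONG_ENCRYPTION),
        "utf8_names": bool(flag & FLAG_UTF8_NAMES),
    }


def dos_datetime(info: zipfile.ZipInfo) -> str:
    """Render the DOS date/time as 'YYYY:MM:DD HH:MM:SS' (exiftool style).
    An all-zero DOS stamp decodes to 1980:00:00 00:00:00, exactly what the report shows."""
    y, mo, d, h, mi, s = info.date_time
    return f"{y:04d}:{mo:02d}:{d:02d} {h:02d}:{mi:02d}:{s:02d}"


def describe_entry(info: zipfile.ZipInfo) -> dict:
    """Produce the same fields the report's EXIF/ZIP block lists for one entry."""
    d = decode_bit_flag(info.flag_bits)
    d.update({
        "name": info.filename,
        "compression": COMPRESSION_NAMES.get(info.compress_type, str(info.compress_type)),
        "required_version": info.extract_version,
        "uncompressed_size": info.file_size,
        "compressed_size": info.compress_size,
        "crc": f"0x{info.CRC:08x}",
        "modify_date": dos_datetime(info),
    })
    return d


def build_sample_archive() -> bytes:
    """Constructed sample: one Deflated entry, flag 0x0009, zero DOS timestamp.
    zipfile cannot write encrypted archives, so the flag field is patched in the
    local file header (offset 6) and the central directory header (offset 8)."""
    payload = b"Not the real document. " * 2000   # 46000 bytes, highly compressible
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo("sample.doc", date_time=(1980, 0, 0, 0, 0, 0))
        zi.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(zi, payload)
    data = bytearray(buf.getvalue())
    flag = struct.pack("<H", FLAG_ENCRYPTED | FLAG_DATA_DESCRIPTOR)  # 0x0009
    data[6:8] = flag                           # local file header of the first entry
    cd = data.rfind(b"PK\x01\x02")             # central directory header (single entry)
    data[cd + 8:cd + 10] = flag
    return bytes(data)


def analyze_archive(blob: bytes) -> list:
    """Walk the central directory only; nothing is extracted or executed."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [describe_entry(i) for i in zf.infolist()]


def needs_password(blob: bytes, name: str) -> bool:
    """True when the entry cannot be read without a password, i.e. a static
    scanner sees only the container's hashes, never the payload."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        try:
            zf.read(name)
        except RuntimeError as e:   # zipfile: "File ... is encrypted, password required ..."
            return "password" in str(e)
    return False


if __name__ == "__main__":
    blob = build_sample_archive()
    for entry in analyze_archive(blob):
        print(entry)
    print("password required:", needs_password(blob, "sample.doc"))
```

On a real submission, pass the file bytes to analyze_archive and needs_password; an entry that comes back encrypted=True is the reason a sandbox can only report the container's hashes statically and has to rely on the analyst opening the extracted document, which is the pattern the process list below shows (WinRAR on the archive, then Word launched manually on dd.doc).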
No data.
Screenshots: available in the full report.
Total processes: 38
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start: winrar.exe (no specs), winword.exe

Process information

PID   Process      Command line                                                                                        Parent process
1576  WinRAR.exe   "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\5648147193724928.zip"       explorer.exe
      Path: C:\Program Files\WinRAR\WinRAR.exe
      User: admin | Integrity level: MEDIUM | Company: Alexander Roshal | Description: WinRAR archiver | Version: 5.60.0
600   WINWORD.EXE  "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\dd.doc"          explorer.exe
      Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
      User: admin | Integrity level: MEDIUM | Company: Microsoft Corporation | Description: Microsoft Word | Version: 14.0.6024.1000
Total events: 1 483
Read events: 1 213
Write events: 0
Delete events: 0

Modification events: no data
Executable files: 1
Suspicious files: 4
Text files: 2
Unknown types: 8

Dropped files (all written by PID 600, WINWORD.EXE)

C:\Users\admin\AppData\Local\Temp\CVR5970.tmp.cvr
  Type: (not recorded) | MD5: (not recorded) | SHA256: (not recorded)
C:\Users\admin\AppData\Local\Temp\~WRD0000.tmp
  Type: (not recorded) | MD5: (not recorded) | SHA256: (not recorded)
C:\Users\admin\AppData\Local\Temp\~WRD0001.tmp
  Type: (not recorded) | MD5: (not recorded) | SHA256: (not recorded)
C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
  Type: tlb | MD5: B41E6594C23EEA8220D1A575ADAE18FD | SHA256: 9875236DA88E1EEF9D1B5C3226D8C3E879731EF3E79FF59ED0D5250FC3266046
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc | MD5: 7C080C6410B8F583EECECFB562DB0F79 | SHA256: E2B92CEF4D01DC12D0E6DAF87B03C08659544BB4D63F73F11ECB208B19B725DF
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Type: text | MD5: 50DBDF58597F67044B2177D557322C89 | SHA256: 4865A7A9C6C34EF158B9F211FA2C77BFEC1395FFB0142E5CA541D4A63F9C9A63
C:\Users\admin\AppData\Local\Temp\main_tamplate.docx.zip
  Type: document | MD5: 1BF99BA95EE70B43CEBB93542ABBEF8A | SHA256: 3E33523535750E8836110C99A1AD935B8CC6C808F00B71B799AFE9D3E7C260AE
C:\Users\admin\AppData\Local\Temp\oleObject1.bin
  Type: binary | MD5: 77C649B09F948A3D1F9D2C347ACB0DFB | SHA256: BD90B570B8D9EBDD3ED945B53B10648F0FBAC3B32D1D4E907AA6C077EE04DDB5
C:\Users\admin\Desktop\~$dd.doc
  Type: pgc | MD5: E7F9275D74669ED47EE3539ED11514B5 | SHA256: 30772A6DD480BB793F5FACD9AF85B0A025B1B7DB5B13C2EAEC5F20B1A6CD45A1
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D7BE567.emf
  Type: emf | MD5: F29F11F255B022C658FAB84C709BA598 | SHA256: 2A802EDD7E8EC9BDA61E2AEF9E7459D4A0B8EDF9B4A81447F9DF57B9BF62CE96
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID  Process      IP:port              Domain                 ASN  CN  Reputation
600  WINWORD.EXE  185.176.221.45:443   microsoft-live-us.com       LV  suspicious

DNS requests

Domain                 IP               Reputation
microsoft-live-us.com  185.176.221.45   suspicious

Threats

No threats detected
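The connection and DNS entries above are the report's only network indicators, and the notable part is less the lookalike domain than the process that resolved it: Word, started on a local document, reaching out over 443. The Python below is an added example, not ANY.RUN code, that turns the report's domain, IP and dropped-file SHA256 values into a small matcher and runs it over constructed Sysmon-style log lines, alongside one behavioural rule that needs no indicator at all: any Office process opening an outbound connection. The key=value log format, the benign lines and the Office image list are assumptions for the example; only the indicator values come from the report.

```python
"""Match this report's indicators, plus one behavioural rule, against log lines.

Added example, not ANY.RUN code. LOG_LINES are CONSTRUCTED (Sysmon-style network,
DNS and file-create records); the indicator values below are taken from the report.
"""
import re

# Network indicators from the Connections / DNS sections of the report.
IOC_DOMAINS = {"microsoft-live-us.com"}
IOC_IPS = {"185.176.221.45"}
# SHA256 of the submitted archive and the two most interesting dropped files.
IOC_SHA256 = {
    "2f609229a949bfd7cd2965f07ddbefc70f4f1afc7f144afedc5b50cbd521f8ce",  # 5648147193724928.zip
    "bd90b570b8d9ebdd3ed945b53b10648f0fbac3b32d1d4e907aa6c077ee04ddb5",  # oleObject1.bin
    "3e33523535750e8836110c99a1ad935b8cc6c808f00b71b799afe9d3e7c260ae",  # main_tamplate.docx.zip
}
# Behavioural rule, independent of the IOCs: Office applications opening a local
# document rarely need outbound connections. (Assumed image list.)
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Assumed log format: space-separated key=value, values with spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

LOG_LINES = [  # constructed, not captured from the sandbox
    r'event=dns image="C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" query=microsoft-live-us.com',
    r'event=network image="C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" dst=185.176.221.45 dport=443',
    r'event=filecreate image="C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" path="C:\Users\bob\AppData\Local\Temp\oleObject1.bin" sha256=BD90B570B8D9EBDD3ED945B53B10648F0FBAC3B32D1D4E907AA6C077EE04DDB5',
    r'event=dns image="C:\Program Files\Google\Chrome\Application\chrome.exe" query=login.microsoftonline.com',
    r'event=network image="C:\Windows\System32\svchost.exe" dst=192.0.2.10 dport=443',
    r'event=dns image="C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" query=cdn.microsoft-live-us.com.',
    r'event=network image="C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" dst=203.0.113.10 dport=443',
]


def parse_line(line: str) -> dict:
    """Turn one key=value line into a dict (quoted or bare values)."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def domain_matches(query: str) -> bool:
    """Exact or subdomain match; trailing dots and case are normalised.
    Substring matching is deliberately avoided so 'notmicrosoft-live-us.com' is not a hit."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def classify(rec: dict) -> list:
    """Return the list of rule names a parsed record triggers (empty if benign)."""
    hits = []
    image = rec.get("image", "").rsplit("\\", 1)[-1].lower()
    event = rec.get("event")
    if event == "dns" and domain_matches(rec.get("query", "")):
        hits.append("ioc-domain")
    if event == "network":
        if rec.get("dst") in IOC_IPS:
            hits.append("ioc-ip")
        if image in OFFICE_IMAGES:
            hits.append("office-network")
    if rec.get("sha256", "").lower() in IOC_SHA256:
        hits.append("ioc-hash")
    return hits


def scan(lines) -> list:
    """Scan log lines; return [{'line': index, 'hits': [...]}, ...] for lines that fire."""
    findings = []
    for i, line in enumerate(lines):
        hits = classify(parse_line(line))
        if hits:
            findings.append({"line": i, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f"line {f['line']}: {', '.join(f['hits'])}")
```

Hash matching is case-insensitive because sandboxes print upper-case digests while most log sources emit lower-case; domain matching covers subdomains because the report only captures the apex that this run resolved. The office-network rule is the one worth keeping after the indicators go stale: it fires on the EXCEL.EXE line that matches no IOC at all.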