File name: | itnqknf5.cmd.zip |
Full analysis: | https://app.any.run/tasks/8b6b65fe-683b-4a3f-9ac9-42094555e92e |
Verdict: | Malicious activity |
Analysis date: | November 15, 2018, 15:00:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 9BC01073559E1619030F5FE546A698BC |
SHA1: | 707F0B1E3CCC92AB1454047ECE44757550D5C4B9 |
SHA256: | 3F1C0E527A4AD87AA700C8EB014EF3787955AF3CCC43CFB36EE5D2C3D386D253 |
SSDEEP: | 24:AuB3/pbboxOG137oTzFmKqAVJjLDhd4iczs:TB3/pbbOV13EPFoAVJPvrczs |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 788 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Deflated |
ZipModifyDate: | 2018:11:14 16:23:15 |
ZipCRC: | 0xe41c54c4 |
ZipCompressedSize: | 612 |
ZipUncompressedSize: | 1096 |
ZipFileName: | itnqknf5.cmd |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3184 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\itnqknf5.cmd.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3944 | cmd /c ""C:\Users\admin\Desktop\itnqknf5.cmd" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2792 | TIMEOUT /T 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3448 | cscript //nologo "C:\Users\admin\AppData\Local\Temp\_.vbs" | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2696 | TASkKILL /F /IM winword.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2840 | reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f | C:\Windows\system32\reg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3232 | C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3432 | REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1" | C:\Windows\system32\reg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3836 | reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f | C:\Windows\system32\reg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2200 | C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3944 | cmd.exe | C:\Users\admin\AppData\Local\Temp\_.vbs | text | |
MD5:C528053C4B7CCAAEC518BF6C9E4639C9 | SHA256:F4972539FBC83EF1768EA8390B0411726D8D116818D9B3C9D964EADBE80B33D0 | |||
3184 | WinRAR.exe | C:\Users\admin\Desktop\itnqknf5.cmd | text | |
MD5:A3B2EC295AD5A65C83A52892A2ABE0FE | SHA256:5A8956E665402C41F00377A5F5F2900B1A3DBC8B04099D8293207D3C65CAA238 |