File name: itnqknf5.cmd.zip
Full analysis: https://app.any.run/tasks/8b6b65fe-683b-4a3f-9ac9-42094555e92e
Verdict: Malicious activity
Analysis date: November 15, 2018, 15:00:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 9BC01073559E1619030F5FE546A698BC
SHA1: 707F0B1E3CCC92AB1454047ECE44757550D5C4B9
SHA256: 3F1C0E527A4AD87AA700C8EB014EF3787955AF3CCC43CFB36EE5D2C3D386D253
SSDEEP: 24:AuB3/pbboxOG137oTzFmKqAVJjLDhd4iczs:TB3/pbbOV13EPFoAVJPvrczs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3944)
      • cmd.exe (PID: 2200)
      • cmd.exe (PID: 3232)
      • cmd.exe (PID: 3620)
      • cmd.exe (PID: 2524)
      • cmd.exe (PID: 3388)
      • cmd.exe (PID: 2760)
    • Executes scripts

      • cmd.exe (PID: 3944)
    • Uses TASKKILL.EXE to kill Office Apps

      • cmd.exe (PID: 3944)
    • Application launched itself

      • cmd.exe (PID: 3944)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3944)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2018:11:14 16:23:15
ZipCRC: 0xe41c54c4
ZipCompressedSize: 612
ZipUncompressedSize: 1096
ZipFileName: itnqknf5.cmd
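The EXIF block above is the ZIP local file header as ExifTool reports it, and two fields deserve decoding. ZipRequiredVersion 788 is 0x0314: the low byte 0x14 = 20 is the "version needed to extract", i.e. 2.0, which agrees with the file(1) output in the File info line. ZipBitFlag 0x0001 has bit 0 set, which the PKWARE APPNOTE defines as the encryption flag, so the member is marked as password-protected and a static scanner that cannot supply the password sees only the file name, sizes and CRC. The parser below is an added example, not ANY.RUN code or part of the report; the sample header is constructed inline from the values above (the modification time is encoded as 16:23:14 because DOS timestamps have 2-second resolution), and the triage notes it prints are the checks an analyst would want on an archive like this one.

```python
import struct

# Local file header, PKWARE APPNOTE section 4.3.7 (little-endian):
# signature, version needed, general purpose bit flag, compression method,
# last mod time, last mod date, CRC-32, compressed size, uncompressed size,
# file name length, extra field length.
LOCAL_HEADER = struct.Struct("<IHHHHHIIIHH")
LOCAL_SIG = 0x04034B50
METHODS = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA", 93: "Zstandard", 99: "AES"}
# Extensions that run as code when double-clicked: worth a note in any archive triage.
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
               ".ps1", ".lnk", ".scr", ".exe")


def decode_dos_datetime(dos_time, dos_date):
    """MS-DOS packed time/date -> 'YYYY:MM:DD HH:MM:SS' (ExifTool style, 2-second resolution)."""
    year, month, day = ((dos_date >> 9) & 0x7F) + 1980, (dos_date >> 5) & 0x0F, dos_date & 0x1F
    hour, minute, second = (dos_time >> 11) & 0x1F, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2
    return f"{year:04d}:{month:02d}:{day:02d} {hour:02d}:{minute:02d}:{second:02d}"


def parse_local_header(data, offset=0):
    """Decode one local file header starting at `offset`; raises on a bad signature."""
    (sig, version, flags, method, mtime, mdate, crc,
     csize, usize, nlen, xlen) = LOCAL_HEADER.unpack_from(data, offset)
    if sig != LOCAL_SIG:
        raise ValueError(f"no local file header at offset {offset}")
    name_start = offset + LOCAL_HEADER.size
    raw_name = data[name_start:name_start + nlen]
    # Bit 11 selects UTF-8 names; otherwise the name is IBM code page 437.
    name = raw_name.decode("utf-8" if flags & 0x0800 else "cp437")
    return {
        "required_version_raw": version,
        "required_version": f"{(version & 0xFF) // 10}.{(version & 0xFF) % 10}",
        "bit_flag": flags,
        "encrypted": bool(flags & 0x0001),          # bit 0: traditional PKWARE encryption
        "strong_encryption": bool(flags & 0x0040),  # bit 6: strong encryption
        "data_descriptor": bool(flags & 0x0008),    # bit 3: CRC/sizes follow the data
        "compression": METHODS.get(method, f"unknown({method})"),
        "modify_date": decode_dos_datetime(mtime, mdate),
        "crc32": f"0x{crc:08x}",
        "compressed_size": csize,
        "uncompressed_size": usize,
        "file_name": name,
        "data_offset": name_start + nlen + xlen,    # where the member's data begins
    }


def triage(entry):
    """Analyst notes for one member; these strings are what a triage script would log."""
    notes = []
    if entry["encrypted"] or entry["strong_encryption"] or entry["compression"] == "AES":
        notes.append("encrypted member: content cannot be scanned without the password")
    if entry["file_name"].lower().endswith(SCRIPT_EXTS):
        notes.append(f"executable/script member: {entry['file_name']}")
    if entry["compressed_size"] and entry["uncompressed_size"] / entry["compressed_size"] > 1000:
        notes.append("extreme compression ratio: possible decompression bomb")
    return notes


# Constructed sample: the header fields reported above for itnqknf5.cmd, not the real bytes.
SAMPLE_NAME = b"itnqknf5.cmd"
SAMPLE_HEADER = LOCAL_HEADER.pack(
    LOCAL_SIG, 788, 0x0001, 8,
    0x82E7, 0x4D6E,                  # 16:23:14 on 2018-11-14, DOS-packed
    0xE41C54C4, 612, 1096, len(SAMPLE_NAME), 0,
) + SAMPLE_NAME


if __name__ == "__main__":
    entry = parse_local_header(SAMPLE_HEADER)
    for key, value in entry.items():
        print(f"{key}: {value}")
    for note in triage(entry):
        print("NOTE:", note)
```

To run this over a real archive, read the file and call parse_local_header at offset 0, then at each entry's data_offset plus compressed_size for the next member (members with the data-descriptor bit set record their sizes after the data, so for those walk the central directory instead). The central directory, not the local header, is what most extractors trust, so a triage script should parse both and flag any disagreement.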
Total processes: 58
Monitored processes: 24
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph, in launch order (every node is tagged "no specs", i.e. no per-process indicator was raised on it): winrar.exe, cmd.exe, timeout.exe, cscript.exe, taskkill.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, cscript.exe

Process information

PID 3184: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\itnqknf5.cmd.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID 3944: cmd /c ""C:\Users\admin\Desktop\itnqknf5.cmd" "
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2792: TIMEOUT /T 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3448: cscript //nologo "C:\Users\admin\AppData\Local\Temp\_.vbs"
Path: C:\Windows\system32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID 2696: TASkKILL /F /IM winword.exe
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2840: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3232: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3432: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3836: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2200: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 531
Read events: 518
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 6
Unknown types: 0

Dropped files

PID 3944 (cmd.exe): C:\Users\admin\AppData\Local\Temp\_.vbs (text)
MD5: C528053C4B7CCAAEC518BF6C9E4639C9
SHA256: F4972539FBC83EF1768EA8390B0411726D8D116818D9B3C9D964EADBE80B33D0

PID 3184 (WinRAR.exe): C:\Users\admin\Desktop\itnqknf5.cmd (text)
MD5: A3B2EC295AD5A65C83A52892A2ABE0FE
SHA256: 5A8956E665402C41F00377A5F5F2900B1A3DBC8B04099D8293207D3C65CAA238
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info