File name: 01.7z
Full analysis: https://app.any.run/tasks/006c22bf-7881-41b5-9cef-83856a0a0a05
Verdict: Malicious activity
Analysis date: October 09, 2019, 15:38:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: maldoc-5
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 14C044A6A1D9D4D37AF1F6BFEDBF7529
SHA1: CD991ED0B7BF63B8E8BA1655AC5C2637038B7F59
SHA256: 5335AE26B64FE7DE855B98526DE60A9E3B1FDAFED5249A0EC011C92E793907E1
SSDEEP: 768:eNJQsuDcbtEHcCBOnsMtEys0u652u87aHJl+:eNJQsJtEHIftJuKw8K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops known malicious document

      • WinRAR.exe (PID: 2824)
  • SUSPICIOUS

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 2824)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 2824)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3400)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 3400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 56
Monitored processes: 14
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Graph image not reproduced; processes shown as nodes, in graph order, "no specs" marking nodes without detailed information: start, winrar.exe, cmd.exe (no specs), tzutil.exe (no specs), certutil.exe (no specs), regedit.exe (no specs), regedit.exe (no specs), regedit.exe, excel.exe (no specs), cmd.exe (no specs), tzutil.exe (no specs), certutil.exe (no specs), regedit.exe (no specs), regedit.exe (no specs), regedit.exe)

Process information

PID: 2824
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\01.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2812
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa2824.2626\italiano.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3400
CMD: tzutil /s "W. Europe Standard Time"
Path: C:\Windows\system32\tzutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Time Zone Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3944
CMD: certutil /decode "C:\Users\admin\AppData\Local\Temp\b64" "C:\Users\admin\AppData\Local\Temp\decoded"
Path: C:\Windows\system32\certutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: CertUtil.exe
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2860
CMD: regedit.exe /s "C:\Users\admin\AppData\Local\Temp\decoded"
Path: C:\Windows\regedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2876
CMD: "C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded"
Path: C:\Windows\regedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3484
CMD: "C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded"
Path: C:\Windows\regedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Editor
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3400
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID: 3432
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa2824.16339\italiano.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1432
CMD: tzutil /s "W. Europe Standard Time"
Path: C:\Windows\system32\tzutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Time Zone Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 381
Read events: 1 163
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 1
Text files: 10
Unknown types: 3

Dropped files

PID: 3400
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRBE88.tmp.cvr
Type:
MD5:
SHA256:

PID: 3400
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~DFD4B8BE0E645FFC6E.TMP
Type:
MD5:
SHA256:

PID: 3400
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~DFD7C02AEFC094A725.TMP
Type:
MD5:
SHA256:

PID: 3400
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~DFE13021ACD04F6ED1.TMP
Type:
MD5:
SHA256:

PID: 3432
Process: cmd.exe
Filename: C:\Users\admin\AppData\Local\Temp\b64
Type: text
MD5: 31D3914C66095D867C9A84C8FAE369B0
SHA256: 97FF2CFDC676C831EBCBD0440DE720647FB8B22367344279E57BBECFAAB4E859

PID: 2824
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa2824.2626\italiano.bat
Type: text
MD5: 1EF792C1087122735BE1F937D68AE8A4
SHA256: 110DAE47D95110833713E39691180E88DF9DF59AA3FCBCE680B33617D3BDF492

PID: 3400
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\190D8A5B.emf
Type: emf
MD5: 4A4A3AA96A61277CA1F0CD523F168960
SHA256: 0481260197795CE84CD3914DB6B15062ABADF9E876D0C0BC9B2521776A78C9EA

PID: 3944
Process: certutil.exe
Filename: C:\Users\admin\AppData\Local\Temp\decoded
Type: text
MD5: CC4D5700F092115E8867C7DD6372F0C3
SHA256: 3CCF035606E304B96E0AA7B17E045A32C8AA8BD9B7CE664DBA4D9BD87784F018

PID: 2824
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa2824.16339\italiano.bat
Type: text
MD5: 1EF792C1087122735BE1F937D68AE8A4
SHA256: 110DAE47D95110833713E39691180E88DF9DF59AA3FCBCE680B33617D3BDF492

PID: 2824
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa2824.3606\Docume~1.xls
Type: document
MD5: 363579A6B75ABF6B3E009FB5B30C0DDA
SHA256: ED836BA2FFDA033626959330600E6390884BB63F49D79494F501946EFDBC5FA3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info