File name: | sample2.zip |
Full analysis: | https://app.any.run/tasks/5f6d7b5c-2d7b-40d6-8e45-7f250634eb05 |
Verdict: | Malicious activity |
Analysis date: | December 18, 2018, 21:11:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 9D21ACAB8CD32FEEC8827E0D94513110 |
SHA1: | 78F2CAA1A0B906892F0070ADF5710EAC4848949D |
SHA256: | 553FB24BBD0689647A3E60C177A5722DC802252D6332772E381C81D83C88EB35 |
SSDEEP: | 98304:oV2d29ifgVav9dUfJiSUhkl6Eeu7hh5WYlzbpBpucAV7CL:c9ugVqdIJinkl9euQYVLpucUuL |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2018:12:18 22:00:01 |
ZipCRC: | 0x9cbc3616 |
ZipCompressedSize: | 3552705 |
ZipUncompressedSize: | 5267459 |
ZipFileName: | samples/2de98404eb4ac4a525ed1884f4ea445b.exe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2932 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample2.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
116 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
844 | C:\Windows\system32\svchost.exe -k netsvcs | C:\Windows\System32\svchost.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
416 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
3116 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\2de98404eb4ac4a525ed1884f4ea445b.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2932 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2932.4272\samples\2de98404eb4ac4a525ed1884f4ea445b.exe | — | |
MD5:— | SHA256:— | |||
3116 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF24.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3116 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.doc | — | |
MD5:— | SHA256:— | |||
3116 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.doc | — | |
MD5:— | SHA256:— | |||
3116 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{75FF1A1A-C08F-42E0-BA27-E0A9B6E46CC9}.tmp | — | |
MD5:— | SHA256:— | |||
3116 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{76182A57-469D-4881-A174-804807B1712D}.tmp | — | |
MD5:— | SHA256:— | |||
116 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\a7bd71699cd38d1c.automaticDestinations-ms | automaticdestinations-ms | |
MD5:DDFE619CE0E40B9495A3BB43DF964BD6 | SHA256:0B61576C0D7F9267172E32618F8801B31B97B5689B0D76BEBDC4D58C6E76C639 | |||
116 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\2de98404eb4ac4a525ed1884f4ea445b.doc.lnk | lnk | |
MD5:C35B4A96C5659696FF70366CEC78FC6B | SHA256:5E7DF88E86892B1E0AD5D8DD99F43318819FC1AD82BC81F073F42D7A50C3B655 | |||
844 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | txt | |
MD5:F21900C7A25F863C30D1D846EA91370B | SHA256:19E89AC099570546B4FB964A14D5E70B72AB17B892739FFE1A6111AD8404641F | |||
3116 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:04DFB1492FD6837B8DCF67489B3DDDE4 | SHA256:8EA33F74073FBF85B0C94FFFDF123C345ACF53DC3FE8D6D2DDB40873C6BD70F8 |