analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

2404-archivo-mail.zip

Full analysis: https://app.any.run/tasks/a69705e0-c094-4722-8a43-a8ac397104c2
Verdict: Malicious activity
Analysis date: April 25, 2019, 06:03:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B9DC83F695EAB120D71BE1AA44BE5E26

SHA1:

64A16247621C14BA3309B5F6C910841EB002E9DA

SHA256:

56D3866FFCDF10E74FE8381F93DA860688DF7C93C4FB42194DDEBF0F4CBD0B73

SSDEEP:

96:KE2xnaW41is4YZpXOB+56FNDmeh+xqiR37UzhzNh6o:ronafIsNZpXOs56riK+xl3gzVeo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3064)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • cmd.exe (PID: 920)
      • cmd.exe (PID: 2388)
      • cmd.exe (PID: 3472)
      • cmd.exe (PID: 3320)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 2560)
      • cmd.exe (PID: 2388)
      • cmd.exe (PID: 3320)
    • Executes scripts

      • cmd.exe (PID: 3064)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:04:23 23:14:25
ZipCRC: 0x28e6bda5
ZipCompressedSize: 3793
ZipUncompressedSize: 23057
ZipFileName: 2404-archivo-mail.cmd
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
15
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe no specs cmd.exe no specs cmd.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs ping.exe no specs wscript.exe chcp.com no specs cmd.exe no specs cmd.exe no specs chcp.com no specs chcp.com no specs cmd.exe no specs chcp.com no specs

Process information

PID
CMD
Path
Indicators
Parent process
2560"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2404-archivo-mail.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3320cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa2560.27131\2404-archivo-mail.cmd" "C:\Windows\system32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3472C:\Windows\system32\cmd.exe /c chcpC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
404chcpC:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2616chcp 708C:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3064cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa2560.27131\2404-archivo-mail.cmd" "C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3192ping 127.0.0.1 -n 1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3372wscript //Nologo "C:\Users\admin\admin.vbs" VBoao4op6V4t1g4c2tzqohE7ZSTtnDxtdDwVdriQYPQuX5 C:\Windows\system32\wscript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3828chcp 437C:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2388cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa2560.29332\2404-archivo-mail.cmd" "C:\Windows\system32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
909
Read events
875
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
67
Unknown types
0

Dropped files

PID
Process
Filename
Type
3064cmd.exeC:\Users\admin\admin.vbstext
MD5:3F24C3E7ABA1D4ED3FF7013C78FB4617
SHA256:451EE51B18615E8B462FFED18F0370ED703F3C4DCB5D9D36AC35A0079716A848
2560WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2560.27131\2404-archivo-mail.cmdtext
MD5:40400F1FC038CCA8A22C8CDE644F17F9
SHA256:8E6EF64235DA6FA1A40E3DF78396753FD01D8816AD23F9C60B8F8DD5EC63881A
2560WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2560.29332\2404-archivo-mail.cmdtext
MD5:40400F1FC038CCA8A22C8CDE644F17F9
SHA256:8E6EF64235DA6FA1A40E3DF78396753FD01D8816AD23F9C60B8F8DD5EC63881A
3372wscript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\y194[1].zipcompressed
MD5:F649F285BD17BE292F03D5BD4B2991BF
SHA256:978DE44C5FE81F33356806BC40F2866E8FBBE11E218CCA8FDCC28AC2384975EE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3372
wscript.exe
GET
200
198.27.68.160:80
http://seguridad24hs.com/y194/y194.zip
CA
compressed
8.33 Mb
malicious
3372
wscript.exe
POST
200
198.27.68.160:80
http://seguridad24hs.com/y194/OVctnhACN7BA9IM0DEKG0KGB5a84ENB6866C9G.txt
CA
text
519 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3372
wscript.exe
198.27.68.160:80
seguridad24hs.com
OVH SAS
CA
suspicious

DNS requests

Domain
IP
Reputation
seguridad24hs.com
  • 198.27.68.160
malicious

Threats

PID
Process
Class
Message
3372
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] Virus.vbs.qexvmc (N40/KLBanker)
No debug info