File name:

Black Friday.zip

Full analysis: https://app.any.run/tasks/30c8de56-2b3c-4563-aab9-7af176afb127
Verdict: Malicious activity
Analysis date: April 18, 2024, 12:36:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

F75DD471FC651508B5785569FB39E0CB

SHA1:

07C8D46F2FF4756FEB68C95F5F87A62AC98DC72F

SHA256:

5FD4B1EF7A3069C8AE76B83F220E0BEFF5B2B7F939357656F4B198ED02CD850C

SSDEEP:

768:7vdUBbCbWNCFD862PZjLHOGmuF27l8343uLCaOzcQQU/Rvk1Obt:7vdP0a462RPHR9F2J8I3SzOgQQUtZbt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 2880)
      • wscript.exe (PID: 3896)

    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 2880)
      • wscript.exe (PID: 3896)

    • Gets %appdata% folder path (SCRIPT)

      • wscript.exe (PID: 2880)
      • wscript.exe (PID: 3896)

    • Unusual execution from MS Office

      • WINWORD.EXE (PID: 3828)

    • Creates a new registry key or changes the value of an existing one (SCRIPT)

      • wscript.exe (PID: 2880)
      • wscript.exe (PID: 3896)

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 2880)
      • wscript.exe (PID: 3896)

    • Modifies registry startup key (SCRIPT)

      • wscript.exe (PID: 2880)
      • wscript.exe (PID: 3896)

    • Unusual connection from system programs

      • wscript.exe (PID: 2880)
      • wscript.exe (PID: 3896)

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 2880)
      • wscript.exe (PID: 3896)

  • SUSPICIOUS

    • Non-standard symbols in registry

      • WINWORD.EXE (PID: 3828)

    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • wscript.exe (PID: 2880)
      • wscript.exe (PID: 3896)

    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • wscript.exe (PID: 2880)
      • wscript.exe (PID: 3896)

    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 2880)
      • wscript.exe (PID: 3896)

    • Accesses ComputerSystem(Win32_ComputerSystem) via WMI (SCRIPT)

      • wscript.exe (PID: 2880)
      • wscript.exe (PID: 3896)

    • The process executes VB scripts

      • WINWORD.EXE (PID: 3828)

    • Reads the Internet Settings

      • wscript.exe (PID: 2880)
      • wscript.exe (PID: 3896)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2880)
      • wscript.exe (PID: 3896)

  • INFO

    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 668)

    • The process uses the downloaded file

      • WINWORD.EXE (PID: 3828)

    • Checks proxy server information

      • wscript.exe (PID: 2880)
      • wscript.exe (PID: 3896)

    • Reads the computer name

      • wmpnscfg.exe (PID: 3536)

    • Checks supported languages

      • wmpnscfg.exe (PID: 3536)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2017:12:14 18:48:30
ZipCRC: 0xe3896c67
ZipCompressedSize: 35850
ZipUncompressedSize: 40596
ZipFileName: Black Friday.docx
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
7
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winword.exe no specs wscript.exe schtasks.exe no specs wscript.exe schtasks.exe no specs wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
668"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Black Friday.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1172"C:\Windows\System32\schtasks.exe" /create /tn Cclenears /SC HOURLY /MO 3 /tr "C:\Users\admin\AppData\Roaming\sys.exe"C:\Windows\System32\schtasks.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
2452"C:\Windows\System32\schtasks.exe" /create /tn Cclenears /SC HOURLY /MO 3 /tr "C:\Users\admin\AppData\Roaming\sys.exe"C:\Windows\System32\schtasks.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
2880"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Voucer.vbs" C:\Windows\System32\wscript.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3536"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3828"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa668.8802\Black Friday.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
3896"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Voucer.vbs" C:\Windows\System32\wscript.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
13 730
Read events
12 837
Write events
629
Delete events
264

Modification events

(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(668) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Downloads\Black Friday.zip
(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(668) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
0
Suspicious files
4
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3828WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE878.tmp.cvr
MD5:
SHA256:
3828WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Voucer.vbs:Zone.Identifier
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
668WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa668.8802\Black Friday.docxdocument
MD5:D2C54126B71A2439DFC384930580786C
SHA256:A7447DB99BA60C2F7BFD9E9BCFADFB05A4FC0EA214450B76EA85D386DB1F727B
3828WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Rar$DIa668.8802\~$ack Friday.docxpgc
MD5:0CC88CD96B89A066BA6254A6A0288343
SHA256:804E31C92D4A4A4070B9A2B65B7D035FF341CFAF05E7F7BF223B03478CDFF383
3828WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:01382D8CD815C969E64D2EFE288CA2A2
SHA256:0F79E5435496DD8C28ADE1E8351940934FB5BCB09CBF6BB13DFA1E534C849097
3828WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Voucer.vbstext
MD5:BBB378AEC999760C29F973B32B252534
SHA256:F67A2DE79ED8B4DA056619DC29E16824478EE028EFB86F53AAA94536F77EF742
3828WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7571F81E.emfemf
MD5:FB813ED34231B6DE535CB1D3222B5656
SHA256:A98E291138500445FC9829AA24AE87F1EDF056947321F7023F7B67F924F049F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
2
Threats
1

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
1080
svchost.exe
224.0.0.252:5355
unknown
2880
wscript.exe
49.13.77.253:443
forum.cryptopia.gdn
Hetzner Online GmbH
DE
unknown
3896
wscript.exe
49.13.77.253:443
forum.cryptopia.gdn
Hetzner Online GmbH
DE
unknown

DNS requests

Domain
IP
Reputation
forum.cryptopia.gdn
  • 49.13.77.253
unknown
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
1080
svchost.exe
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .gdn Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Black Friday.zip