analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

sample_87.zip

Full analysis: https://app.any.run/tasks/d3b92c04-66df-47fd-9b2a-414d3650c546
Verdict: Malicious activity
Analysis date: June 12, 2019, 10:06:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

5458EA676CA12EF88E9C24C75B43AD74

SHA1:

0B2A21265789F2C5CF6FABC28E7FE80E87D23630

SHA256:

674FDE1E944F7C9FDB326B9EFF8238367ACE792468EF8B733C3070E030D29A9C

SSDEEP:

3072:XG6nCWU08mFeqegIUyfk9H8/jPYISBm5zxRBuiXUV6cMAviIeC:26CWUzwnzJ9cclIuDVEIeC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • sample_87.exe (PID: 3548)
      • mdm.exe (PID: 2984)

    • Changes the autorun value in the registry

      • mdm.exe (PID: 2984)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • sample_87.exe (PID: 3548)
      • WinRAR.exe (PID: 2832)

    • Starts itself from another location

      • sample_87.exe (PID: 3548)

    • Uses NETSH.EXE for network configuration

      • mdm.exe (PID: 2984)

  • INFO

    • Manual execution by user

      • sample_87.exe (PID: 3548)
      • WINWORD.EXE (PID: 3860)
      • explorer.exe (PID: 3228)
      • WINWORD.EXE (PID: 3132)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3860)
      • WINWORD.EXE (PID: 3132)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3860)
      • WINWORD.EXE (PID: 3132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: sample_87/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2018:05:01 18:48:23
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe sample_87.exe mdm.exe netsh.exe no specs explorer.exe no specs winword.exe no specs winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2832"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample_87.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3548"C:\Users\admin\Desktop\sample_87.exe" C:\Users\admin\Desktop\sample_87.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2984c:\users\public\mdm.exec:\users\public\mdm.exe
sample_87.exe
User:
admin
Integrity Level:
MEDIUM
2216netsh firewall add allowedprogram "c:\users\public\mdm.exe" "MSN Messenger" ENABLEC:\Windows\system32\netsh.exemdm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3228"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3860"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Documents\builttelevision.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3132"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\stopna.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Total events
1 719
Read events
1 551
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
4
Unknown types
7

Dropped files

PID
Process
Filename
Type
3860WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRC1ED.tmp.cvr
MD5:
SHA256:
3860WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{580ADA8C-2DD4-45AE-B99B-7EA1004733C0}.tmp
MD5:
SHA256:
3860WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1DC98E4D-8E93-45FE-8967-F70525FEAF54}.tmp
MD5:
SHA256:
3132WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRDDD2.tmp.cvr
MD5:
SHA256:
3132WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9116FA58-F92E-4CC9-8DA8-32C95E2B0E50}.tmp
MD5:
SHA256:
3132WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{027155DD-8D94-41A5-BA4B-C3002C50F9F7}.tmp
MD5:
SHA256:
3132WINWORD.EXEC:\Users\admin\Desktop\~$stopna.rtfpgc
MD5:27918803BA0111985C9C890058B236C8
SHA256:59D0C4842082E41CF46D9BFD447B88A92A141037B4F8041BA7E074BE662D3549
3860WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\builttelevision.rtf.LNKlnk
MD5:F9CD783967241B9B3B9952265EA03E21
SHA256:82645EEE34A01E550282F977B31F04708FDF9C8A35E485A947A175238B2C0177
3132WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:13C94546A04987A8B74FD07A1FF347CD
SHA256:29FE4035953F56D59BBC7A17A7BF8BC4865BC994362C199FE5F79576B57DA9E2
3132WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\stopna.rtf.LNKlnk
MD5:C28969C1819316AE983F995DA7C2D9F7
SHA256:506C5ABB2FA7A54D723C1F5250B86265257F2E9003D2F505A9148E031A068BA4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
hd.hidbiz.ru
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
sample_87.zip