File name: | test.zip |
Full analysis: | https://app.any.run/tasks/a265d5d3-31e7-46bf-847d-3fd26bf30e44 |
Verdict: | Malicious activity |
Analysis date: | December 03, 2019, 00:41:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 2EE6734A6B60A77D1E18513B8AAFA806 |
SHA1: | BDAB40544CCF0DCC1A727BA906C23C0C95DB96BD |
SHA256: | 69EDE6A7A990FBE167FCEB48DCD161E7CC71295537CD77CF82A2627C1707946A |
SSDEEP: | 1536:VAQ5Obyml26EYD6JGtvYRkPf1Z0aSwtQjdS:VAQYbj2ZYD64h0kBSvdS |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | info_12_02.doc |
---|---|
ZipUncompressedSize: | 62580 |
ZipCompressedSize: | 56372 |
ZipCRC: | 0xe4f82e3b |
ZipModifyDate: | 2019:12:02 12:57:29 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1576 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\test.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3812 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb1576.21712\info_12_02.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2212 | wmic process list /format:"c:\windows\temp\aFM47o.xsl" | C:\Windows\System32\Wbem\wmic.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147500037 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF09.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1576 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\test\info_12_02.doc | document | |
MD5:AE1A4AD73F74480A84958AA4C7FFEB61 | SHA256:1CE65C53745E78A876583FE44C8751B168134B70388497E5D3CC42633FB10612 | |||
3812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:4501CDC87F13FE6C20C853B1266D13FC | SHA256:B195971997A3D8D2560CE4A7B6AF7B8BBE8C8CBDF3144539B92ED23F08C60888 | |||
3812 | WINWORD.EXE | C:\windows\temp\aFM47o.xsl | xml | |
MD5:57B25B2FF1F8A1E62341DEA4452D2F60 | SHA256:59576B0F9BA4DC6F4EE0FDE10498624EB48449F49DE018F521203E98C1657510 | |||
3812 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:87F378A56D5071E702F648C9CCD820FD | SHA256:5D309D89EFE1BB2B0EDE157A4E00261B29190E44EAC962BCD7542E308B6B7DD4 | |||
3812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIb1576.21712\~$fo_12_02.doc | pgc | |
MD5:58001DFA34772A5C46DDBEF42C868638 | SHA256:80D2FBE52795FFC46AAC1DA3C92670B1CBD547890E498CF7F1F53C15B562B943 | |||
1576 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb1576.21712\info_12_02.doc | document | |
MD5:AE1A4AD73F74480A84958AA4C7FFEB61 | SHA256:1CE65C53745E78A876583FE44C8751B168134B70388497E5D3CC42633FB10612 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2212 | wmic.exe | GET | 404 | 95.213.224.83:80 | http://qadenetene.com/edgron/siloft.php?l=utowen1.cab | RU | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2212 | wmic.exe | 95.213.224.83:80 | qadenetene.com | OOO Network of data-centers Selectel | RU | suspicious |
Domain | IP | Reputation |
---|---|---|
qadenetene.com |
| suspicious |