analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

test.zip

Full analysis: https://app.any.run/tasks/a265d5d3-31e7-46bf-847d-3fd26bf30e44
Verdict: Malicious activity
Analysis date: December 03, 2019, 00:41:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
maldoc-3
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

2EE6734A6B60A77D1E18513B8AAFA806

SHA1:

BDAB40544CCF0DCC1A727BA906C23C0C95DB96BD

SHA256:

69EDE6A7A990FBE167FCEB48DCD161E7CC71295537CD77CF82A2627C1707946A

SSDEEP:

1536:VAQ5Obyml26EYD6JGtvYRkPf1Z0aSwtQjdS:VAQYbj2ZYD64h0kBSvdS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses WMIC.EXE to invoke XSL script

      • WINWORD.EXE (PID: 3812)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3812)

    • Drops known malicious document

      • WinRAR.exe (PID: 1576)

  • SUSPICIOUS

    • Creates files in the Windows directory

      • WINWORD.EXE (PID: 3812)

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 1576)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3812)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: info_12_02.doc
ZipUncompressedSize: 62580
ZipCompressedSize: 56372
ZipCRC: 0xe4f82e3b
ZipModifyDate: 2019:12:02 12:57:29
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winword.exe no specs wmic.exe

Process information

PID
CMD
Path
Indicators
Parent process
1576"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\test.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3812"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb1576.21712\info_12_02.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2212wmic process list /format:"c:\windows\temp\aFM47o.xsl"C:\Windows\System32\Wbem\wmic.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147500037
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 820
Read events
1 605
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
3812WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRF09.tmp.cvr
MD5:
SHA256:
1576WinRAR.exeC:\Users\admin\AppData\Local\Temp\test\info_12_02.docdocument
MD5:AE1A4AD73F74480A84958AA4C7FFEB61
SHA256:1CE65C53745E78A876583FE44C8751B168134B70388497E5D3CC42633FB10612
3812WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:4501CDC87F13FE6C20C853B1266D13FC
SHA256:B195971997A3D8D2560CE4A7B6AF7B8BBE8C8CBDF3144539B92ED23F08C60888
3812WINWORD.EXEC:\windows\temp\aFM47o.xslxml
MD5:57B25B2FF1F8A1E62341DEA4452D2F60
SHA256:59576B0F9BA4DC6F4EE0FDE10498624EB48449F49DE018F521203E98C1657510
3812WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:87F378A56D5071E702F648C9CCD820FD
SHA256:5D309D89EFE1BB2B0EDE157A4E00261B29190E44EAC962BCD7542E308B6B7DD4
3812WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Rar$DIb1576.21712\~$fo_12_02.docpgc
MD5:58001DFA34772A5C46DDBEF42C868638
SHA256:80D2FBE52795FFC46AAC1DA3C92670B1CBD547890E498CF7F1F53C15B562B943
1576WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb1576.21712\info_12_02.docdocument
MD5:AE1A4AD73F74480A84958AA4C7FFEB61
SHA256:1CE65C53745E78A876583FE44C8751B168134B70388497E5D3CC42633FB10612
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2212
wmic.exe
GET
404
95.213.224.83:80
http://qadenetene.com/edgron/siloft.php?l=utowen1.cab
RU
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2212
wmic.exe
95.213.224.83:80
qadenetene.com
OOO Network of data-centers Selectel
RU
suspicious

DNS requests

Domain
IP
Reputation
qadenetene.com
  • 95.213.224.83
suspicious

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
test.zip