File name: MAERSK EXPRESS SCAN.ace
Full analysis: https://app.any.run/tasks/f4477620-5fbd-4565-8734-b67e93550f22
Verdict: Malicious activity
Analysis date: March 21, 2019, 09:25:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid
MD5: 4ACD180BF428437BB03ACDEF2C606D32
SHA1: 1239667841D4AC66B22491D905BB9A62CA556F18
SHA256: 6F963DAB80059DD0596D69796BAD3D1E7F0581406495BF1118567ED93A2B03FF
SSDEEP: 3072:oa8iyy4GRavgcY/nva47AIu0z4pOXHkhNG79XSSu1EqFvgwSIaFO5iCwJqTSKd6k:oa8iHSgdvvaUAiz4pOam9XbCNgw7aFmN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • MAERSK EXPRESS SCAN.scr (PID: 1916)
      • filename.scr (PID: 2684)
    • Changes the autorun value in the registry
      • WScript.exe (PID: 1296)
  • SUSPICIOUS
    • Starts itself from another location
      • MAERSK EXPRESS SCAN.scr (PID: 1916)
    • Executes scripts
      • MAERSK EXPRESS SCAN.scr (PID: 1916)
    • Executable content was dropped or overwritten
      • MAERSK EXPRESS SCAN.scr (PID: 1916)
      • WinRAR.exe (PID: 1048)
    • Starts application with an unusual extension
      • MAERSK EXPRESS SCAN.scr (PID: 1916)
      • WinRAR.exe (PID: 1048)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2084)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.ace | ACE compressed archive (77.8)
.ini | Generic INI configuration (22.1)
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive view in the full report; process chain as shown in the graph):
winrar.exe -> drop and start -> maersk express scan.scr -> start -> wscript.exe; -> drop and start -> filename.scr (no specs)
winword.exe (no specs)

Process information

PID: 1048
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\MAERSK EXPRESS SCAN.ace"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 1916
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa1048.36801\MAERSK EXPRESS SCAN.scr" /S
Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa1048.36801\MAERSK EXPRESS SCAN.scr
Parent process: WinRAR.exe
User: admin
Company: lowmasted4
Integrity Level: MEDIUM
Exit code: 0
Version: 1.06.0006

PID: 2084
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\submittedred.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 1296
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\subfolder\filename.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: MAERSK EXPRESS SCAN.scr
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 2684
CMD: "C:\Users\admin\AppData\Local\Temp\subfolder\filename.scr" /S
Path: C:\Users\admin\AppData\Local\Temp\subfolder\filename.scr
Parent process: MAERSK EXPRESS SCAN.scr
User: admin
Company: lowmasted4
Integrity Level: MEDIUM
Version: 1.06.0006
Total events: 1 671
Read events: 1 309
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 0
Text files: 3
Unknown types: 4

Dropped files

PID | Process | Filename | Type

2084 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE14E.tmp.cvr |
MD5:
SHA256:

1916 | MAERSK EXPRESS SCAN.scr | C:\Users\admin\AppData\Local\Temp\subfolder\filename.vbs | text
MD5: 2D1AC61553299818EF0BC34B3C8E0F33
SHA256: 8D17CA415490AE95CD3472B4FCF221967F432EAED8B391473441A442A5286453

2084 | WINWORD.EXE | C:\Users\admin\Desktop\~$bmittedred.rtf | pgc
MD5: 6FF8B7F1995B109476C27D50863E83C0
SHA256: 2F8EE6084661575FE1144802F2E57CB8B5FB016B274D92CD315E390C0C6A2267

1048 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa1048.36801\MAERSK EXPRESS SCAN.scr | executable
MD5: 2D55649D67D45A8490BD3AA6D4256BC6
SHA256: 0130D134ED8EA5E5C1D2879FFA05D4D1BA5A30619AC9A26BD58276213A33EA96

2084 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text
MD5: 211967F4A488FE880DDC5FC154C209C0
SHA256: 579BFF0EBCD903622EC815F8D1ABF461651FDE894E95BD1ECE1200FA5684509C

1916 | MAERSK EXPRESS SCAN.scr | C:\Users\admin\AppData\Local\Temp\subfolder\filename.scr | executable
MD5: 2D55649D67D45A8490BD3AA6D4256BC6
SHA256: 0130D134ED8EA5E5C1D2879FFA05D4D1BA5A30619AC9A26BD58276213A33EA96

2084 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\submittedred.rtf.LNK | lnk
MD5: 938D395FC229963DC4D32BCE4EFC65DD
SHA256: 3581AFA9E90C43CC2C82A44CBAEECC9C1D9438B3F66FD7CD6A30DBBFDEFD6B95

2084 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
MD5: D73518B4ED465461529CAE3D7F638C57
SHA256: 4890687B981207FBE68DBFF6285964191CD9A4D364BB728E65A3BFD0FCA849FC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info