File name: Fiesta_Plastics.zip
Full analysis: https://app.any.run/tasks/51e45ff0-7a14-4ec9-af54-1955cb8d1fd2
Verdict: Malicious activity
Analysis date: December 03, 2019, 02:00:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: maldoc-3
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 782ED07C36E32338D514E554238C0A89
SHA1: 97307A590F9F50255305FE17C200B09EA05AAD5C
SHA256: 70B50CCE3DFC72328B9076AE32B25429ECC78DB3EDB706E41893C01A418485F9
SSDEEP: 1536:qVr9YzKNWf5ixjKpf/zPhdj8faSARpHg8JC:MWsJKpf/zJdjpHg8c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops known malicious document
      • WinRAR.exe (PID: 504)
    • Uses WMIC.EXE to invoke XSL script
      • WINWORD.EXE (PID: 1780)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 1780)
  • SUSPICIOUS
    • Starts Microsoft Office Application
      • WinRAR.exe (PID: 504)
    • Creates files in the Windows directory
      • WINWORD.EXE (PID: 1780)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 1780)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 1780)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: info_12_02.doc
ZipUncompressedSize: 63199
ZipCompressedSize: 56990
ZipCRC: 0xbca0d982
ZipModifyDate: 2019:12:02 13:00:15
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
Total processes: 38
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> winrar.exe (no specs) -> winword.exe (no specs) -> wmic.exe

Process information

PID: 504
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Fiesta_Plastics.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 1780
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb504.46260\info_12_02.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3084
CMD: wmic process list /format:"c:\windows\temp\a5ZWQP.xsl"
Path: C:\Windows\System32\Wbem\wmic.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 2147500037
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 265
Read events: 1 506
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 1
Text files: 1
Unknown types: 3

Dropped files

PID: 1780
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRD23F.tmp
Type: cvr
MD5:
SHA256:

PID: 1780
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
Type: tlb
MD5: 0F768A47C1DEE7623052942189907D51
SHA256: 766A504C19E2E2D0FE682A02FA66D2E1F13357429B86B8BC00027D4F6ECDC6D1

PID: 1780
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: D1F9B9506BA1FF376B6718DE339C48E9
SHA256: 90BA669D84851D9CBDC6CB3CB8959FFB4BF569EA5233F9FD8B42C407915EE3B3

PID: 1780
Process: WINWORD.EXE
Filename: C:\windows\temp\a5ZWQP.xsl
Type: xml
MD5: EAA644B5A53762C511E4FD27B916FD87
SHA256: D765A5761E0B8F58C84F2D3BE5FF04D460A597AF63002757D7BA9BC1518A6BD1

PID: 504
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb504.46260\info_12_02.doc
Type: document
MD5: 9AE473ABC2741BB3DAF4CAC02FA76103
SHA256: 120CC3D2140A4E630EE3948C4B37F12674A2238785AAF7F417E50F9D60C4DE5E

PID: 1780
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb504.46260\~$fo_12_02.doc
Type: pgc
MD5: A9A4E331905B200C1544FB6743210643
SHA256: F4B7A49F052651C4159F7E78EF99D667D7B0D85DF798A53AB4E52EDFC096CBD3
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 2
Threats: 0

HTTP requests

PID: 3084
Process: wmic.exe
Method: GET
HTTP Code: 404
IP: 81.90.181.69:80
URL: http://maddoridas.com/edgron/siloft.php?l=utowen7.cab
CN: unknown
Type:
Size:
Reputation: suspicious

Connections

PID: 3084
Process: wmic.exe
IP: 81.90.181.69:80
Domain: maddoridas.com
ASN:
CN:
Reputation: suspicious

DNS requests

Domain: maddoridas.com
IP: 81.90.181.69
Reputation: suspicious

Threats

1 ETPRO signature available at the full report
No debug info