File name: Danh sach khach hang dien may khu vuc HCM.rar

Full analysis: https://app.any.run/tasks/86752e19-20a8-4149-a8ac-e83811d6f018
Verdict: Malicious activity
Analysis date: October 20, 2020, 10:17:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 14164D213CC365BE86CE2A1277932FEE
SHA1: 1535BFA1009C3E368282A6241303BD74C6364031
SHA256: 7B4006D56E6BE16572BD796D47064644EE45251DE40178CB40E6071DD4932FAF
SSDEEP: 49152:L0y7N0Tz+v/kPbzD4CbunENVf9PshSESgx5XAlvZ:aT6U3cCbv/EhSELx6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads the Task Scheduler COM API
      • Danh sach khach hang dien may khu vuc HCM.exe (PID: 2720)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3092)
      • Danh sach khach hang dien may khu vuc HCM.exe (PID: 2720)
    • Application was dropped or rewritten from another process
      • Danh sach khach hang dien may khu vuc HCM.exe (PID: 2720)
  • SUSPICIOUS
    • Reads Environment values
      • Danh sach khach hang dien may khu vuc HCM.exe (PID: 2720)
    • Starts Microsoft Office Application
      • explorer.exe (PID: 4008)
    • Executable content was dropped or overwritten
      • Danh sach khach hang dien may khu vuc HCM.exe (PID: 2720)
    • Creates files in the program directory
      • Danh sach khach hang dien may khu vuc HCM.exe (PID: 2720)
    • Executed via COM
      • explorer.exe (PID: 4008)
  • INFO
    • Manual execution by user
      • Danh sach khach hang dien may khu vuc HCM.exe (PID: 2720)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2584)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2584)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 43
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 1

Process information

PID 2740
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Danh sach khach hang dien may khu vuc HCM.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2720
  CMD: "C:\Users\admin\Desktop\Danh sach khach hang dien may khu vuc HCM\Danh sach khach hang dien may khu vuc HCM.exe"
  Path: C:\Users\admin\Desktop\Danh sach khach hang dien may khu vuc HCM\Danh sach khach hang dien may khu vuc HCM.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Office Word
  Exit code: 0
  Version: 12.0.4518.1014

PID 3780
  CMD: explorer.exe "Danh sach khach hang dien may khu vuc HCM.docx"
  Path: C:\Windows\explorer.exe
  Parent process: Danh sach khach hang dien may khu vuc HCM.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Explorer
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 4008
  CMD: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Path: C:\Windows\explorer.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Explorer
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2584
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Danh sach khach hang dien may khu vuc HCM\Danh sach khach hang dien may khu vuc HCM.docx"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 3092
  CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\System32\SearchProtocolHost.exe
  Parent process: SearchIndexer.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft Windows Search Protocol Host
  Exit code: 0
  Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Total events: 2 694
Read events: 1 627
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 1
Text files: 4
Unknown types: 4

Dropped files

PID 2740 (WinRAR.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.41492\Danh sach khach hang dien may khu vuc HCM\Danh sach khach hang dien may khu vuc HCM.exe
  MD5:
  SHA256:

PID 2740 (WinRAR.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2740.41492\Danh sach khach hang dien may khu vuc HCM\wwlib.dll
  MD5:
  SHA256:

PID 2584 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Local\Temp\CVR96C6.tmp.cvr
  MD5:
  SHA256:

PID 2584 (WINWORD.EXE)
  Filename: C:\Users\admin\Desktop\Danh sach khach hang dien may khu vuc HCM\~$nh sach khach hang dien may khu vuc HCM.docx
  Type: pgc
  MD5: B487BD4D37C5C08C9E363C23D2E3FE23
  SHA256: 8B7988F01FAE8A995315F719A22BBBCED40F36B8A3461E4665D6E497C0CABAED

PID 2720 (Danh sach khach hang dien may khu vuc HCM.exe)
  Filename: C:\Users\admin\Desktop\Danh sach khach hang dien may khu vuc HCM\Danh sach khach hang dien may khu vuc HCM.docx
  Type: document
  MD5: 1A222128AC2BA752D6D80ED33604C274
  SHA256: 8105F28099A68F70CB1099565D869410051B59FD8A0304037F7B4DE7DD820975

PID 2720 (Danh sach khach hang dien may khu vuc HCM.exe)
  Filename: C:\ProgramData\Notepad\config\dienmay\43322037578455514834\wwlib.dll
  Type: executable
  MD5: 864EACE6E6F67B77163D7ED5DA4498C8
  SHA256: 30C13F55E48D260E025555D03CB9E8F39453387374B50B5EA539CF9493D395B2

PID 2584 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Type: text
  MD5: 80B3D50498E77C04FD4D8CCF428B1ED6
  SHA256: 941A91DEC2F24A3260945C72ED94BA15BB7E5F583C230D0AFEEB48CDAAF0BA2C

PID 2584 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Danh sach khach hang dien may khu vuc HCM.docx.LNK
  Type: lnk
  MD5: 5CAE17806E48B78F852918DB51C44EDF
  SHA256: 1764067D18F17E9B662A398874DBC2488D433CBDCBDAB819321302F8A434102D

PID 2584 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc
  MD5: B1FEDE6267459B21E048BB0FCE75A53D
  SHA256: AC73C803DD18FC4B9185D04103C2C9846418B1D712A9F929A43E8AAFB8986AE1

PID 2584 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
  Type: text
  MD5: F3B25701FE362EC84616A93A45CE9998
  SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2720 | Danh sach khach hang dien may khu vuc HCM.exe | 185.161.210.189:443 | node.podzone.org | Serverius Holding B.V. | NL | unknown

DNS requests

Domain | IP | Reputation
node.podzone.org | 185.161.210.189 | unknown

Threats

No threats detected
No debug info