File name: | MEM_Service.zip |
Full analysis: | https://app.any.run/tasks/d2aa12b3-4865-4632-9908-cd4be8472c93 |
Verdict: | Malicious activity |
Analysis date: | July 13, 2020, 06:30:57 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | B1EC6AE412930EDA1F176589DAAB01BF |
SHA1: | DF543EE4AB6743146FF62D4F7115F8562A84A74F |
SHA256: | 7C83978224F42374F19D62060527A54825EF63F4D2AE3236E2EE7576FE3FC489 |
SSDEEP: | 3072:fmQnmEyfhsoX/iq/PorPeh5hWj9A2M+mUOqcM8xHobb4Egvlnu1X8dkaDyI:oEyfhsUiq/PoTynWhvfmE6obb4vvRRl |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0009 |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:07:08 17:06:08 |
ZipCRC: | 0xa6aaf229 |
ZipCompressedSize: | 129445 |
ZipUncompressedSize: | 137449 |
ZipFileName: | raccontare-07.08.2020.doc |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1680 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\MEM_Service.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3116 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb1680.20960\raccontare-07.08.2020.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1284 | regsvr32 c:\programdata\26785.jpg | C:\Windows\system32\regsvr32.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3116 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA3E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3116 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIb1680.20960\~$ccontare-07.08.2020.doc | pgc | |
MD5:E5E7C4827026724638EED3401841BDDE | SHA256:B18B39ACE8FDD42DB92724F9E1A2F821C5BB7DE571AE07740EC70ED164A14EAE | |||
3116 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:F6879B2D673C19D298E6CF85217490F5 | SHA256:2B2CA745BCC30B3F99453A13C9B77B0666C92B8EFDBE341DB4073DECBF08E77A | |||
1680 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb1680.20960\raccontare-07.08.2020.doc | document | |
MD5:CF9FF646B977466143B46C2D4B1FF1DB | SHA256:F9DBD5D9B660C35E06EAABE2F76A259BFF124910648F7068C6BA8E48BBB272E5 | |||
3116 | WINWORD.EXE | C:\programdata\26785.jpg | text | |
MD5:81051BCC2CF1BEDF378224B0A93E2877 | SHA256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3116 | WINWORD.EXE | 93.189.41.227:80 | r0rfk.com | Limited Liability Company NTCOM | RU | suspicious |
Domain | IP | Reputation |
---|---|---|
r0rfk.com |
| suspicious |