analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

MEM_Service.zip

Full analysis: https://app.any.run/tasks/d2aa12b3-4865-4632-9908-cd4be8472c93
Verdict: Malicious activity
Analysis date: July 13, 2020, 06:30:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B1EC6AE412930EDA1F176589DAAB01BF

SHA1:

DF543EE4AB6743146FF62D4F7115F8562A84A74F

SHA256:

7C83978224F42374F19D62060527A54825EF63F4D2AE3236E2EE7576FE3FC489

SSDEEP:

3072:fmQnmEyfhsoX/iq/PorPeh5hWj9A2M+mUOqcM8xHobb4Egvlnu1X8dkaDyI:oEyfhsUiq/PoTynWhvfmE6obb4vvRRl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • WINWORD.EXE (PID: 3116)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3116)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 1680)

    • Creates files in the program directory

      • WINWORD.EXE (PID: 3116)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3116)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3116)

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 3116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2020:07:08 17:06:08
ZipCRC: 0xa6aaf229
ZipCompressedSize: 129445
ZipUncompressedSize: 137449
ZipFileName: raccontare-07.08.2020.doc
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winword.exe regsvr32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1680"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\MEM_Service.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3116"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb1680.20960\raccontare-07.08.2020.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1284regsvr32 c:\programdata\26785.jpgC:\Windows\system32\regsvr32.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 456
Read events
1 408
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
3116WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA3E.tmp.cvr
MD5:
SHA256:
3116WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Rar$DIb1680.20960\~$ccontare-07.08.2020.docpgc
MD5:E5E7C4827026724638EED3401841BDDE
SHA256:B18B39ACE8FDD42DB92724F9E1A2F821C5BB7DE571AE07740EC70ED164A14EAE
3116WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:F6879B2D673C19D298E6CF85217490F5
SHA256:2B2CA745BCC30B3F99453A13C9B77B0666C92B8EFDBE341DB4073DECBF08E77A
1680WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb1680.20960\raccontare-07.08.2020.docdocument
MD5:CF9FF646B977466143B46C2D4B1FF1DB
SHA256:F9DBD5D9B660C35E06EAABE2F76A259BFF124910648F7068C6BA8E48BBB272E5
3116WINWORD.EXEC:\programdata\26785.jpgtext
MD5:81051BCC2CF1BEDF378224B0A93E2877
SHA256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3116
WINWORD.EXE
93.189.41.227:80
r0rfk.com
Limited Liability Company NTCOM
RU
suspicious

DNS requests

Domain
IP
Reputation
r0rfk.com
  • 93.189.41.227
suspicious

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
MEM_Service.zip