File name: | JMLA.zip |
Full analysis: | https://app.any.run/tasks/0294dafd-569e-4288-a3f1-8fff31e41f9e |
Verdict: | Malicious activity |
Analysis date: | November 08, 2019, 16:34:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 984EFD0CAE93385F32004A1D134B3CD0 |
SHA1: | BEF43B474DB6C2A8529F1969F895E61482D36CC7 |
SHA256: | 871ACB3E2FB0DDA8525D5A24098D2E9C4CE4532EF13C246BEFAC027F8AB25CC0 |
SSDEEP: | 1536:AnF2Vk8Trunrz1CgJ0MGZ8Y3yYF3Qrx87IfttwEDcL6oi9wq06x0r+ccXhUwf:AnF2Vkskrz1CHM81Z3Qm7InxD9t9j0SJ |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | info_11_08.doc |
---|---|
ZipUncompressedSize: | 81726 |
ZipCompressedSize: | 75459 |
ZipCRC: | 0x9757f1a8 |
ZipModifyDate: | 2019:11:08 12:33:10 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1940 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\JMLA.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1488 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb1940.42478\info_11_08.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2532 | "C:\windows\system32\wbem\wmic.exe" process list /format:"C:\Users\admin\AppData\Local\Temp\abi4dS" | C:\windows\system32\wbem\wmic.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147500037 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR264A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIb1940.42478\~$fo_11_08.doc | pgc | |
MD5:7CAD00AEB4C35A715320E2ECC028ACFE | SHA256:D2798B4F4EB46E4E8E50E62A1FF264214F23354DFBD1FA477E200BE0FA3091EF | |||
1488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\abi4dS.xsl | xml | |
MD5:578CE7664172B621BD7CD3DB06695FE9 | SHA256:36091ED7A412EEC27D7B75EC8B24313BF78105742F4F5B65D86256968E20BA2B | |||
1488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:AD492FDD761902BAB8C86F9330F4374A | SHA256:851513096200D1ABB42CC3922A2578FC61DD1300077F6EE8EF5BC8A4B55ECF74 | |||
1488 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:4186BF10E1147BDAABCFB9E77AEF8B5D | SHA256:74A270CB55B1A933A2073D771E163A967D128D281F6005F3B633FD7D84837B11 | |||
1940 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb1940.42478\info_11_08.doc | document | |
MD5:DDBDDF280408F9F84042E916BEBD8EC1 | SHA256:2FE68A1B776225628DD41FC746244DE04953ECD45C3FDF84FF0119429F43877D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2532 | wmic.exe | GET | 404 | 178.57.217.151:80 | http://amproswata.com/zepoli/ironak.php?l=slalel9.cab | RU | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2532 | wmic.exe | 178.57.217.151:80 | amproswata.com | Internet-Hosting Ltd | RU | suspicious |
Domain | IP | Reputation |
---|---|---|
amproswata.com |
| suspicious |