File name: JMLA.zip
Full analysis: https://app.any.run/tasks/0294dafd-569e-4288-a3f1-8fff31e41f9e
Verdict: Malicious activity
Analysis date: November 08, 2019, 16:34:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: maldoc-3
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 984EFD0CAE93385F32004A1D134B3CD0
SHA1: BEF43B474DB6C2A8529F1969F895E61482D36CC7
SHA256: 871ACB3E2FB0DDA8525D5A24098D2E9C4CE4532EF13C246BEFAC027F8AB25CC0
SSDEEP: 1536:AnF2Vk8Trunrz1CgJ0MGZ8Y3yYF3Qrx87IfttwEDcL6oi9wq06x0r+ccXhUwf:AnF2Vkskrz1CHM81Z3Qm7InxD9t9j0SJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops known malicious document: WinRAR.exe (PID: 1940)
    • Unusual execution from Microsoft Office: WINWORD.EXE (PID: 1488)
  • SUSPICIOUS
    • Uses WMIC.EXE to obtain system information: WINWORD.EXE (PID: 1488)
    • Starts Microsoft Office application: WinRAR.exe (PID: 1940)
  • INFO
    • Creates files in the user directory: WINWORD.EXE (PID: 1488)
    • Reads Microsoft Office registry keys: WINWORD.EXE (PID: 1488)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: info_11_08.doc
ZipUncompressedSize: 81726
ZipCompressedSize: 75459
ZipCRC: 0x9757f1a8
ZipModifyDate: 2019:11:08 12:33:10
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
Total processes: 40
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process chain): start -> winrar.exe -> winword.exe -> wmic.exe

Process information

PID: 1940
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\JMLA.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 1488
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb1940.42478\info_11_08.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2532
CMD: "C:\windows\system32\wbem\wmic.exe" process list /format:"C:\Users\admin\AppData\Local\Temp\abi4dS"
Path: C:\windows\system32\wbem\wmic.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 2147500037
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 691
Read events: 1 531
Write events: 0
Delete events: 0
Modification events: No data
Executable files: 0
Suspicious files: 1
Text files: 1
Unknown types: 3

Dropped files

PID: 1488 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVR264A.tmp.cvr
MD5: (not recorded)
SHA256: (not recorded)

PID: 1488 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb1940.42478\~$fo_11_08.doc
Type: pgc
MD5: 7CAD00AEB4C35A715320E2ECC028ACFE
SHA256: D2798B4F4EB46E4E8E50E62A1FF264214F23354DFBD1FA477E200BE0FA3091EF

PID: 1488 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\abi4dS.xsl
Type: xml
MD5: 578CE7664172B621BD7CD3DB06695FE9
SHA256: 36091ED7A412EEC27D7B75EC8B24313BF78105742F4F5B65D86256968E20BA2B

PID: 1488 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
Type: tlb
MD5: AD492FDD761902BAB8C86F9330F4374A
SHA256: 851513096200D1ABB42CC3922A2578FC61DD1300077F6EE8EF5BC8A4B55ECF74

PID: 1488 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 4186BF10E1147BDAABCFB9E77AEF8B5D
SHA256: 74A270CB55B1A933A2073D771E163A967D128D281F6005F3B633FD7D84837B11

PID: 1940 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb1940.42478\info_11_08.doc
Type: document
MD5: DDBDDF280408F9F84042E916BEBD8EC1
SHA256: 2FE68A1B776225628DD41FC746244DE04953ECD45C3FDF84FF0119429F43877D
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID: 2532 (wmic.exe)
Method: GET
HTTP Code: 404
IP: 178.57.217.151:80
URL: http://amproswata.com/zepoli/ironak.php?l=slalel9.cab
Country (CN): RU
Type: (not recorded)
Size: (not recorded)
Reputation: suspicious

Connections

PID: 2532 (wmic.exe)
IP: 178.57.217.151:80
Domain: amproswata.com
ASN: Internet-Hosting Ltd
Country (CN): RU
Reputation: suspicious

DNS requests

Domain: amproswata.com
IP: 178.57.217.151
Reputation: suspicious

Threats

Found threats are available for paid subscriptions; 1 ETPRO signature is available in the full report.

No debug info