analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DOC0014541ENTEL1599521346.zip

Full analysis: https://app.any.run/tasks/0b5114c8-86bd-48c7-ae7c-f5e785f93ffd
Verdict: Malicious activity
Analysis date: January 10, 2019, 20:23:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: data
MD5:

D1365FA05AFAF4FAA1ECA1E5D56B0210

SHA1:

BBDBC9F2441E4E604536FD1E33D1BFC4D608226D

SHA256:

8FC4B8C40A6108C69191711BE2C295CAB1ADEABE2F37D9B2FB87C4DD218876F3

SSDEEP:

48:NS5/NtJXZhbw7UxxWXqvNSs+1pa9gjZkrfTmVIgXiX9AsHSPz:05/NDbw3XqvN9ea9gjaeVwexb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2484)
    • Application was dropped or rewritten from another process

      • DLY_755.exe (PID: 3948)
    • Loads dropped or rewritten executable

      • DLY_755.exe (PID: 3948)
    • Changes settings of System certificates

      • wscript.exe (PID: 3684)
    • Changes the autorun value in the registry

      • DLY_755.exe (PID: 3948)
  • SUSPICIOUS

    • Creates files in the program directory

      • wscript.exe (PID: 3684)
    • Disables Form Suggestion in IE

      • DLY_755.exe (PID: 3948)
    • Executes scripts

      • cmd.exe (PID: 2484)
    • Executable content was dropped or overwritten

      • wscript.exe (PID: 3684)
    • Uses TASKKILL.EXE to kill Browsers

      • DLY_755.exe (PID: 3948)
    • Uses TASKKILL.EXE to kill process

      • DLY_755.exe (PID: 3948)
    • Creates files in the user directory

      • notepad++.exe (PID: 3456)
    • Adds / modifies Windows certificates

      • wscript.exe (PID: 3684)
    • Reads Environment values

      • DLY_755.exe (PID: 3948)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-8 encoded (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
11
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs cmd.exe ping.exe no specs wscript.exe cmd.exe no specs dly_755.exe notepad++.exe gup.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2952"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DOC0014541ENTEL1599521346.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2484"C:\Windows\System32\cmd.exe" /C "C:\Users\admin\Desktop\DOC0014541ENTEL.cmd" C:\Windows\System32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3176ping 127.0.0.1 -n 1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3684wscript //Nologo "C:\Users\Public\admin\admin.vbs" MwR9TOC5YPMHAWKfNDA0xgNNYbPqiDhSXRwirvtLL8nhm4TN C:\Windows\system32\wscript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3768cmd /c ""C:\Users\admin\Desktop\DOC0014541ENTEL.cmd" "C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3948"C:\ProgramData\DLY_755\DLY_755.exe" C:\ProgramData\DLY_755\DLY_755.exe
wscript.exe
User:
admin
Company:
VMware, Inc.
Integrity Level:
HIGH
Description:
VMware NAT Service
Version:
12.5.6 build-5528349
3456"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\DOC0014541ENTEL.cmd"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Version:
7.51
2692"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
0
Version:
4.1
2452TASKKILL /F /IM chrome.exeC:\Windows\system32\TASKKILL.exeDLY_755.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2572TASKKILL /F /IM firefox.exeC:\Windows\system32\TASKKILL.exeDLY_755.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
719
Read events
650
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
2
Text files
70
Unknown types
0

Dropped files

PID
Process
Filename
Type
2952WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2952.35724\DOC0014541ENTEL.cmd
MD5:
SHA256:
2484cmd.exeC:\Users\Public\admin\admin.vbstext
MD5:56CDD5A9E1EDBCD94C5EA92B8F0A3161
SHA256:45D97820C6C4A789D7A9EC6D9E8CED0C2EE3F9145A3BAD96577566006CF496D4
3684wscript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\Archivo[1].txt
MD5:
SHA256:
3684wscript.exeC:\ProgramData\DLY_755\O007VLVNH1OCH0NU3WM6K3VBN9GCC95N
MD5:
SHA256:
3684wscript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\y121[1].zipcompressed
MD5:9CA18555F80A801CC605A6A020EC4C72
SHA256:C041F5C03CEDEE735F65C1DA25A60258D696A3AAA6BECEE20CA725609FB2FED2
3684wscript.exeC:\ProgramData\md.zipcompressed
MD5:9CA18555F80A801CC605A6A020EC4C72
SHA256:C041F5C03CEDEE735F65C1DA25A60258D696A3AAA6BECEE20CA725609FB2FED2
3684wscript.exeC:\ProgramData\i.dattext
MD5:3B27312CB44FE3AB5785BF01142890D8
SHA256:FDB5840EED18F6B885FAC4B2DE118731A145721B3BFE8C00FD2CD594934A0F6D
3684wscript.exeC:\ProgramData\DLY_755\shfolder.dllexecutable
MD5:ECE36DF929FC2C263C2357EF4EB8CD80
SHA256:C0B519ADA091002CA73018084724F7617D79B86D4968C699E0F8E922FEE8627A
3456notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\langs.xmlxml
MD5:E792264BEC29005B9044A435FBA185AB
SHA256:5298FD2F119C43D04F6CF831F379EC25B4156192278E40E458EC356F9B49D624
3456notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xmltext
MD5:AD21A64014891793DD9B21D835278F36
SHA256:C24699C9D00ABDD510140FE1B2ACE97BFC70D8B21BF3462DED85AFC4F73FE52F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
5
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
104.107.210.17:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D
NL
der
727 b
whitelisted
GET
200
104.107.210.17:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D
NL
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2692
gup.exe
37.59.28.236:443
notepad-plus-plus.org
OVH SAS
FR
whitelisted
3684
wscript.exe
162.241.2.223:443
securesdocs.com
CyrusOne LLC
US
unknown
3948
DLY_755.exe
162.241.3.14:443
cadsecuredoc.com
CyrusOne LLC
US
suspicious
104.107.210.17:80
ocsp.usertrust.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
securesdocs.com
  • 162.241.2.223
unknown
notepad-plus-plus.org
  • 37.59.28.236
whitelisted
ocsp.usertrust.com
  • 104.107.210.17
  • 104.107.210.34
whitelisted
cadsecuredoc.com
  • 162.241.3.14
suspicious

Threats

No threats detected
Process
Message
DLY_755.exe
CodeSet_Init: no ICU
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093