analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Sample1.zip

Full analysis: https://app.any.run/tasks/eeaf93ca-fd56-4549-ab3a-42c1ce8b51cd
Verdict: Malicious activity
Analysis date: August 13, 2019, 18:24:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
maldoc-3
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

8AD556C4C812EE26B292781455F9D10C

SHA1:

D571C861BCB4E64BD407452066674EF91D8F8CCA

SHA256:

9186846918AFFF4DE7365241CCF02893D70BD1B9B8A42833D5FDA1B38B04A165

SSDEEP:

1536:yYSLP6Q9T/auGpohF7j9pHESg+UzieXHWBJ9v5yEC:yVLPJT/auGqY+eXHWBBC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Renames files like Ransomware

      • WINWORD.EXE (PID: 3504)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3504)

  • SUSPICIOUS

    • Uses WMIC.EXE to obtain a system information

      • WINWORD.EXE (PID: 3504)

  • INFO

    • Manual execution by user

      • WINWORD.EXE (PID: 3504)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3504)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: aac8a6719be8a2a521ebbdce6ae8e8b628864a2240b8be81c5093f1fdaa6d2f4.bin
ZipUncompressedSize: 105984
ZipCompressedSize: 54336
ZipCRC: 0x40180e1b
ZipModifyDate: 2019:08:13 18:22:02
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winword.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2976"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sample1.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3504"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\ayy.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3564"C:\Windows\System32\wbem\wmic.exe" process list /format:"aRyZUbk.pdf"C:\Windows\System32\wbem\wmic.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147614729
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 508
Read events
1 071
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
3
Unknown types
5

Dropped files

PID
Process
Filename
Type
2976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2976.19322\aac8a6719be8a2a521ebbdce6ae8e8b628864a2240b8be81c5093f1fdaa6d2f4.bin
MD5:
SHA256:
3504WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR3E17.tmp.cvr
MD5:
SHA256:
3504WINWORD.EXEC:\Users\admin\Desktop\aRyZUbk.pdf
MD5:
SHA256:
3504WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:BF5190F8289D6BF67AD3F1DFC9FFC77C
SHA256:7C4163D0118D50C17F74FBB366E9FDEB063E1DE71C5137F36D4A89468E2C3217
3504WINWORD.EXEC:\Users\admin\Desktop\~$ayy.docpgc
MD5:3D36AC74873831F3E90372AB53967D49
SHA256:6A52340BA6A42E7A310A847751D55A6D9E6221F8DAFD2FECD5747EEC41B043AF
3504WINWORD.EXEC:\Users\admin\Desktop\aRyZUbk.pdf.xslxml
MD5:DDA3B796A206B3E0212AC72CBA846DAE
SHA256:503F162805AE5BD6FDA0F4EAB8173A06169D8D568B103172BB6329A3B67F051A
3504WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:DF0D0B8620CE4D0B09A7EFA5FD1EB4D6
SHA256:2E184D863A647956A98D572FF7B00910AF25E9D5252FDD8CF12E30DFB5214CF7
3504WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:884C4F83359ACA01DB7C4FC4C9CFAA9B
SHA256:906877644AFFCC24531FAD0059E6B368BED2EB8616D8F69DA0F03E6B7291DE9D
3504WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ayy.doc.LNKlnk
MD5:73F42408C6C6A11D0A2ED52A0F5C522A
SHA256:559D58CFAED8EC4C79A5C9069656589EF38436C01ECADC7A63D23E54FC7B51BD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
m2048javon18.com
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Sample1.zip