analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Zip from AP 122.zip

Full analysis: https://app.any.run/tasks/9b140f55-868a-472a-89dc-3359c00d5019
Verdict: Malicious activity
Analysis date: December 02, 2019, 17:18:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
maldoc-3
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

FFCD9C782207C3D37BE6613E5305A936

SHA1:

86C78341D1A636A1A9468BBB72C1A5D94E945EFA

SHA256:

94C0552FB746CE3176DB5DEA8B72CC30C96EBE9DAEAAC8B3F7FDDC2198DD4CD2

SSDEEP:

768:uBD/zvwUCFUCsOjCuLjTxbx6f5QTOwz+efHz8PKmMl7JY9xQEFX8T6cK4rmpPVP6:M4JG8CIxof5QqGffzEBURYP6D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops known malicious document

      • WinRAR.exe (PID: 1888)

    • Uses WMIC.EXE to invoke XSL script

      • WINWORD.EXE (PID: 2440)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2440)

  • SUSPICIOUS

    • Creates files in the Windows directory

      • WINWORD.EXE (PID: 2440)

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 1888)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2440)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2440)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: info_12_02.doc
ZipUncompressedSize: 63892
ZipCompressedSize: 57694
ZipCRC: 0x204e235a
ZipModifyDate: 2019:12:02 12:59:11
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winword.exe no specs wmic.exe

Process information

PID
CMD
Path
Indicators
Parent process
1888"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Zip from AP 122.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2440"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb1888.12190\info_12_02.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3992wmic process list /format:"c:\windows\temp\aLotuB.xsl"C:\Windows\System32\Wbem\wmic.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147500037
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 639
Read events
1 492
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
2440WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRD5D8.tmp.cvr
MD5:
SHA256:
2440WINWORD.EXEC:\windows\temp\aLotuB.xslxml
MD5:D9DCA30576A690B1CCBF14A87DD2AC84
SHA256:66C42900555965A0CFDB8AC07ACEEB62FD4D29D18E385C1ADD3E86074673785E
2440WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Rar$DIb1888.12190\~$fo_12_02.docpgc
MD5:956E8F9F8AE52B767DD4722844E6DEFB
SHA256:A335AD121322125C19DA70A91366706D7E2754E05AE9F37416382D781222D041
2440WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:15714E1417A519EAFB78F4453605B4C2
SHA256:B14C8459CB19581DFFAB6237A48FB48693E563330501963EA4403E86DD271237
2440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:0AA345462BAECF495FBD64641B7DA49C
SHA256:55C50780D0822A5603CEBFBD9CA68DF226A01E36A64E90A92EAAE3D8FC79E376
1888WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb1888.12190\info_12_02.docdocument
MD5:48CAEC9DA53CB9E76AE1086F20F1540E
SHA256:DA85CEA6357760F0D149958BDAFD188CB7357B09CC5406A5D93D614CAB0EEE37
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3992
wmic.exe
GET
404
192.162.244.32:80
http://cativatnic.com/edgron/siloft.php?l=utowen4.cab
RU
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3992
wmic.exe
192.162.244.32:80
cativatnic.com
RU
malicious

DNS requests

Domain
IP
Reputation
cativatnic.com
  • 192.162.244.32
suspicious

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Zip from AP 122.zip