File name: | Zip from AP 122.zip |
Full analysis: | https://app.any.run/tasks/9b140f55-868a-472a-89dc-3359c00d5019 |
Verdict: | Malicious activity |
Analysis date: | December 02, 2019, 17:18:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | FFCD9C782207C3D37BE6613E5305A936 |
SHA1: | 86C78341D1A636A1A9468BBB72C1A5D94E945EFA |
SHA256: | 94C0552FB746CE3176DB5DEA8B72CC30C96EBE9DAEAAC8B3F7FDDC2198DD4CD2 |
SSDEEP: | 768:uBD/zvwUCFUCsOjCuLjTxbx6f5QTOwz+efHz8PKmMl7JY9xQEFX8T6cK4rmpPVP6:M4JG8CIxof5QqGffzEBURYP6D |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | info_12_02.doc |
---|---|
ZipUncompressedSize: | 63892 |
ZipCompressedSize: | 57694 |
ZipCRC: | 0x204e235a |
ZipModifyDate: | 2019:12:02 12:59:11 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1888 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Zip from AP 122.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2440 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb1888.12190\info_12_02.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3992 | wmic process list /format:"c:\windows\temp\aLotuB.xsl" | C:\Windows\System32\Wbem\wmic.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147500037 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2440 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD5D8.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2440 | WINWORD.EXE | C:\windows\temp\aLotuB.xsl | xml | |
MD5:D9DCA30576A690B1CCBF14A87DD2AC84 | SHA256:66C42900555965A0CFDB8AC07ACEEB62FD4D29D18E385C1ADD3E86074673785E | |||
2440 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIb1888.12190\~$fo_12_02.doc | pgc | |
MD5:956E8F9F8AE52B767DD4722844E6DEFB | SHA256:A335AD121322125C19DA70A91366706D7E2754E05AE9F37416382D781222D041 | |||
2440 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:15714E1417A519EAFB78F4453605B4C2 | SHA256:B14C8459CB19581DFFAB6237A48FB48693E563330501963EA4403E86DD271237 | |||
2440 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:0AA345462BAECF495FBD64641B7DA49C | SHA256:55C50780D0822A5603CEBFBD9CA68DF226A01E36A64E90A92EAAE3D8FC79E376 | |||
1888 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb1888.12190\info_12_02.doc | document | |
MD5:48CAEC9DA53CB9E76AE1086F20F1540E | SHA256:DA85CEA6357760F0D149958BDAFD188CB7357B09CC5406A5D93D614CAB0EEE37 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3992 | wmic.exe | GET | 404 | 192.162.244.32:80 | http://cativatnic.com/edgron/siloft.php?l=utowen4.cab | RU | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3992 | wmic.exe | 192.162.244.32:80 | cativatnic.com | — | RU | malicious |
Domain | IP | Reputation |
---|---|---|
cativatnic.com |
| suspicious |