File name: contract.doc.zip
Full analysis: https://app.any.run/tasks/4c450ea5-12ee-48ad-b28d-1f755bdf0b43
Verdict: Malicious activity
Analysis date: November 08, 2019, 14:47:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ta505
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 45866B1F7B671618CD1ADBE02EB4327D
SHA1: D9AD19154F9A94E76D77E27634C6C0C9426758F2
SHA256: 969B6102A7F6C971336D6FE1F9492A63DDB6BF21FD59F43A0A7ECB46D70E2883
SSDEEP: 12288:t4WR+MU+6K6/+dzRMkgPi+F9aMZiBIE5AmWaDzrUyEcT:tTU+jbLMkI10TUyR
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • explorer.exe (PID: 352)
      • WINWORD.EXE (PID: 2488)
    • Runs app for hidden code execution
      • explorer.exe (PID: 352)
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 2488)
  • SUSPICIOUS
    • Creates files in the user directory
      • explorer.exe (PID: 352)
      • notepad++.exe (PID: 2028)
    • Reads Internet Cache Settings
      • explorer.exe (PID: 352)
    • Executable content was dropped or overwritten
      • explorer.exe (PID: 352)
    • Starts CMD.EXE for commands execution
      • explorer.exe (PID: 352)
  • INFO
    • Manual execution by user
      • explorer.exe (PID: 2512)
      • WINWORD.EXE (PID: 2488)
    • Starts Microsoft Office Application
      • explorer.exe (PID: 352)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2488)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: contract.doc
ZipUncompressedSize: 776192
ZipCompressedSize: 526546
ZipCRC: 0x1b0487f7
ZipModifyDate: 2019:11:08 12:52:27
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 1

Behavior graph (process nodes): start, winrar.exe (no specs), explorer.exe (no specs), winword.exe, explorer.exe, notepad++.exe, gup.exe, cmd.exe (no specs)

Process information

PID: 2300
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\contract.doc.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2512
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2488
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\contract.doc\contract.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 352
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2028
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User: admin
Company: (not listed)
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Exit code: 0
Version: 7.51

PID: 3228
CMD: "C:\Program Files\Notepad++\updater\gup.exe" -v7.51
Path: C:\Program Files\Notepad++\updater\gup.exe
Parent process: notepad++.exe
User: admin
Company: (not listed)
Integrity Level: MEDIUM
Description: GUP : a free (LGPL) Generic Updater
Exit code: 0
Version: 4.1

PID: 3440
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 4 026
Read events: 2 887
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 4
Text files: 8
Unknown types: 17

Dropped files

PID | Process | Filename | Type
2488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR17F2.tmp.cvr | (not listed)
MD5:
SHA256:
2488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRD0000.tmp | (not listed)
MD5:
SHA256:
2488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRD0001.tmp | (not listed)
MD5:
SHA256:
352 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\contract.doc.lnk | lnk
MD5:0B811F39E6DEF785561F387F15852256
SHA256:9989A2F49CAC44843A676946B35DAECD0B57E686F231B28A0EF725E45A46EA54
2488 | WINWORD.EXE | C:\Users\admin\Downloads\contract.doc\~$ntract.doc | pgc
MD5:27E2C35A6C40FC4458127E629015E1AA
SHA256:F957376E702CEDE4811DB6FD7637D1FBDC727CBA810BB4C2478373CDD9F53942
2488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5F72627B.emf | emf
MD5:FB3981532125928BB4E7E59661FB0744
SHA256:7B2D4BC5CE523C483E756AC65AAD9678CC1FCB6D183EBA4A9977EEE320ADD207
2300 | WinRAR.exe | C:\Users\admin\Downloads\contract.doc\contract.doc | document
MD5:8E0429B1A5174D8DACB732681B4E8480
SHA256:578C90D677DBCB14B514440A7A328936DF6A2627408C9D651B184E073A5B1920
352 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms
MD5:0FA9C57DB71A07405699B3B74E0711C6
SHA256:0D517D1ACAC3402885ED81CE5E51864306FA947D378DEE9664939027C3A57049
2488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$demem.docx.zip | pgc
MD5:6AB3DFC77ABF4B27E92104B01415A48A
SHA256:209F9CD16D3B8BA13DFC8B029263F6AA2853E9AA3EBBA2B8E370CEBDAA1F3DF2
2488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb
MD5:30742B1A262D655F6D7B031B3B06398E
SHA256:3EB1DD8D97A78A4C787ECFCD4850C8735347E0397D022094FDF5AE30AA551C9E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(not listed) | (not listed) | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(not listed) | (not listed) | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3228 | gup.exe | 104.31.88.28:443 | notepad-plus-plus.org | Cloudflare Inc | US | shared
2488 | WINWORD.EXE | 195.123.246.12:443 | microsoft-hub-us.com | (not listed) | UA | unknown

DNS requests

Domain | IP | Reputation
microsoft-hub-us.com | 195.123.246.12 | unknown
notepad-plus-plus.org | 104.31.88.28, 104.31.89.28 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted

Threats

No threats detected

Process | Message
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093