File name: __rg[1].htm.zip
Full analysis: https://app.any.run/tasks/46564ebe-9aa5-424c-9892-0404d6dfb745
Verdict: Malicious activity
Analysis date: July 17, 2019, 12:43:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: A0D20C2E1AAFBCD416FADF572AB5CAED
SHA1: CDE3F91CEDC4CF97B432287FE53931B5194F4567
SHA256: B5E4F67980519F135127E21C0FE0FFB38E52721C47AA1371D89045A29B939635
SSDEEP: 48:iL7BJ2tehSVHeqtm81/oCTHP20qTLghvWVXDcfSEy/xNrpCRAf0qcw+IaLqK:iL7/QehctmQACTTKKvM2SjrpJ+Xr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3828)
  • SUSPICIOUS

    • Executed via COM

      • AcroRd32.exe (PID: 3716)
      • AcroRd32.exe (PID: 2744)
      • AcroRd32.exe (PID: 3904)
      • AcroRd32.exe (PID: 1772)
  • INFO

    • Manual execution by user

      • WINWORD.EXE (PID: 3828)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3828)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 2976)
      • WINWORD.EXE (PID: 3828)
      • AcroRd32.exe (PID: 3716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2019:07:17 09:40:21
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Nuevo Documento de Microsoft Word.docx
No data.
All screenshots are available in the full report
Total processes: 49
Monitored processes: 11
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph, in start order: winrar.exe, winword.exe, acrord32.exe, acrord32.exe, taskmgr.exe, acrord32.exe, acrord32.exe, acrord32.exe, acrord32.exe, acrord32.exe, acrord32.exe

Process information

PID 2976 (WinRAR.exe), parent process: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\__rg[1].htm.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM
  Description: WinRAR archiver | Exit code: 0 | Version: 5.60.0

PID 3828 (WINWORD.EXE), parent process: explorer.exe
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Nuevo Documento de Microsoft Word.docx"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft Word | Exit code: - | Version: 14.0.6024.1000

PID 3716 (AcroRd32.exe), parent process: svchost.exe
  CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
  Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  User: admin | Company: Adobe Systems Incorporated | Integrity Level: MEDIUM
  Description: Adobe Acrobat Reader DC | Exit code: 1 | Version: 15.23.20070.215641

PID 2900 (AcroRd32.exe), parent process: AcroRd32.exe
  CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer -embedding
  Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  User: admin | Company: Adobe Systems Incorporated | Integrity Level: LOW
  Description: Adobe Acrobat Reader DC | Exit code: 1 | Version: 15.23.20070.215641

PID 2276 (taskmgr.exe), parent process: WINWORD.EXE
  CMD: "C:\Windows\system32\taskmgr.exe"
  Path: C:\Windows\system32\taskmgr.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Task Manager | Exit code: - | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2744 (AcroRd32.exe), parent process: svchost.exe
  CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
  Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  User: admin | Company: Adobe Systems Incorporated | Integrity Level: MEDIUM
  Description: Adobe Acrobat Reader DC | Exit code: 1 | Version: 15.23.20070.215641

PID 2240 (AcroRd32.exe), parent process: AcroRd32.exe
  CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer -embedding
  Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  User: admin | Company: Adobe Systems Incorporated | Integrity Level: LOW
  Description: Adobe Acrobat Reader DC | Exit code: 1 | Version: 15.23.20070.215641

PID 1772 (AcroRd32.exe), parent process: svchost.exe
  CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
  Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  User: admin | Company: Adobe Systems Incorporated | Integrity Level: MEDIUM
  Description: Adobe Acrobat Reader DC | Exit code: 1 | Version: 15.23.20070.215641

PID 3036 (AcroRd32.exe), parent process: AcroRd32.exe
  CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer -embedding
  Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  User: admin | Company: Adobe Systems Incorporated | Integrity Level: LOW
  Description: Adobe Acrobat Reader DC | Exit code: 1 | Version: 15.23.20070.215641

PID 3904 (AcroRd32.exe), parent process: svchost.exe
  CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
  Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  User: admin | Company: Adobe Systems Incorporated | Integrity Level: MEDIUM
  Description: Adobe Acrobat Reader DC | Exit code: - | Version: 15.23.20070.215641
Total events: 4 184
Read events: 3 352
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 0
Text files: 3
Unknown types: 4

Dropped files

PID 2976 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRa2976.43575\__rg[1].htm
  Type: - | MD5: - | SHA256: -

PID 3828 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\CVR1C6E.tmp.cvr
  Type: - | MD5: - | SHA256: -

PID 3828 (WINWORD.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Type: text | MD5: E948E3B0BE16E03BF2A1D29AC8F36194 | SHA256: CD94FA436624AC1F79511459CFDAD9AEEEB279D2D957C0CDC899AC4318044184

PID 3828 (WINWORD.EXE): C:\Users\admin\Desktop\~$evo Documento de Microsoft Word.docx
  Type: pgc | MD5: 7C5777A913ADE4AF151ACFDA1AE23081 | SHA256: 5641963A4BB0BD130208A5AAA49AB825DD5F87BD3A292253D734AD8FB5DFB518

PID 3828 (WINWORD.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Nuevo Documento de Microsoft Word.docx.LNK
  Type: lnk | MD5: A181381CC48B31BB6D00862E4E183E40 | SHA256: 9E75BED1720CEC61F8AA08FB824BECCD4BD0658CA5FBDE2F229B75405384782C

PID 3828 (WINWORD.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc | MD5: 57147206E0702B7673ED516F1D44EFA8 | SHA256: 74441E2748CA9A6609F124B5DF8844E820FEF4BC4B78BD72F1BBAA02DB58A65B

PID 3716 (AcroRd32.exe): C:\Users\admin\Desktop\__rg[1].xml
  Type: xml | MD5: BF2EB346D3B42D9EA5AC1DE637936948 | SHA256: 1EA594CABA42C2E48FC6782CF32691464111C4D8AFCC013D390EBAF24CFCEF69
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info