File name: GalaxyM63.zip
Full analysis: https://app.any.run/tasks/9419ae1d-d1e7-4cd6-8768-c9ef158173d8
Verdict: Malicious activity
Analysis date: November 08, 2019, 15:50:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: maldoc-3
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 101357E79A95471EE76A6406A9A20FE9
SHA1: 1A0EC4DF090F3D347E35859527E8840CD7051FD5
SHA256: C38FD1ACD0C805C3C1C204C26AA7ECBAE0DC01E0BC106378EC68428569EB9DE4
SSDEEP: 1536:ozpwdfyCKM4RmRNlaG71p+Sps/gG+6IAaDlu3AsIiJR3z0oEyuQnASQWWH:iq1XTJN31pLps/gGN+Dk3AsIaFuIASk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops known malicious document
      • WinRAR.exe (PID: 2828)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 3524)
    • Starts CMD.EXE for command execution
      • WINWORD.EXE (PID: 3524)
  • SUSPICIOUS
    • Starts Microsoft Office Application
      • WinRAR.exe (PID: 2828)
    • Uses WMIC.EXE to obtain system information
      • cmd.exe (PID: 3348)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3524)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipFileName: info_11_07.doc
ZipUncompressedSize: 83362
ZipCompressedSize: 76428
ZipCRC: 0x2fc39932
ZipModifyDate: 2019:11:07 03:37:17
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process chain as shown in the graph (parent/child relationships are listed per process in the table below):
start > winrar.exe > winword.exe > cmd.exe > wmic.exe, plus a second cmd.exe

Process information

PID: 2828
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\GalaxyM63.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3524
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb2828.23650\info_11_07.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3348
CMD: "C:\Windows\System32\cmd.exe" /c wmic process list /format:"C:\Users\admin\AppData\Local\Temp\aWtKUm"
Path: C:\Windows\System32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 2147614729
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2868
CMD: wmic process list /format:"C:\Users\admin\AppData\Local\Temp\aWtKUm"
Path: C:\Windows\System32\Wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 2147614729
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1976
CMD: "C:\Windows\System32\cmd.exe" /c wmic process list /format:"C:\Users\admin\AppData\Local\Temp\aWtKUm"
Path: C:\Windows\System32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 2 813
Read events: 1 600
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 1
Unknown types: 3

Dropped files

PID: 3524 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRDFEB.tmp.cvr
Type: n/a
MD5: n/a
SHA256: n/a

PID: 3524 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 4186BF10E1147BDAABCFB9E77AEF8B5D
SHA256: 74A270CB55B1A933A2073D771E163A967D128D281F6005F3B633FD7D84837B11

PID: 3524 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
Type: tlb
MD5: 092C8B60F34A46A192CDBBF50519BCCA
SHA256: 39023344E6130C3FFE7392FD459340C1136300FC4FDDC374EC6AA3A5FFB15730

PID: 3524 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\MSO1049.acl
Type: binary
MD5: 39552AC789199AC5A30EDCFC3DA8785A
SHA256: BF48DA40215410D7DD88D21A259FD0324E936E138CE6BF95CBD188470136765D

PID: 3524 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\aWtKUm.xsl
Type: xml
MD5: 6C2C11F3E26CF94B03A7C5FB34410DAF
SHA256: B0641E4A54D842E5DC149F26B6B9DC5B5D0B16663DE9192B396C7603654C284F

PID: 2828 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb2828.23650\info_11_07.doc
Type: document
MD5: 4488A89ABCA0B75E7D484164179E5923
SHA256: 366D4175022BBEBDB8252B6B868D52E77EC02F7EB5EE9BDFDB76E456EA0777CC

PID: 3524 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb2828.23650\~$fo_11_07.doc
Type: pgc
MD5: EADFEF3A780F031B9A2CFDA5EA016FAE
SHA256: 7316EEEEDA78F5FBF8881CC0EF1513A900BEC712B8BC349F21E98C6E42EAE784
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain | IP | Reputation
xvobvgcssb.com | (none resolved) | unknown

Threats

No threats detected
No debug info