Field | Value |
---|---|
File name | 6748784799285248.zip |
Full analysis | https://app.any.run/tasks/de1857d4-a419-4c5f-bd51-df8a09f57bf0 |
Verdict | Malicious activity |
Analysis date | February 22, 2020, 11:59:12 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | — |
MIME | application/zip |
File info | Zip archive data, at least v2.0 to extract |
MD5 | 1D96324541643FA76DB00EEF242C8727 |
SHA1 | 6BB580B51B9B3013735DEC97F078D979FA18E244 |
SHA256 | D65C569C047982B2801987A371F1EC6905B88BF472E35DB4845727AF0B7E32B5 |
SSDEEP | 192:euUlUy/87Dh7bFTqpQ3JXKxVBsw03TUOKeQDk+xaNN6VIt:el87DhdqpQ3JXG2B3wOKtcb |
File type | |
---|---|
.zip | ZIP compressed archive (100) |

Archive metadata (ExifTool) | |
---|---|
ZipRequiredVersion | 20 |
ZipBitFlag | 0x0009 |
ZipCompression | Deflated |
ZipModifyDate | 1980:00:00 00:00:00 |
ZipCRC | 0x8ca1c636 |
ZipCompressedSize | 9004 |
ZipUncompressedSize | 11760 |
ZipFileName | d0b97ae8a6be8f1142ae78abc8d96a7401bb94434daedcff0b7b35f0654e3b4a |

A ZipBitFlag of 0x0009 sets bit 0 (entry is encrypted, i.e. a password-protected archive) and bit 3 (CRC and sizes are carried in a trailing data descriptor). The archive holds a single entry named after a SHA-256 value, with no file extension, and a zeroed modification timestamp.
Processes (all run as user admin)

PID | Command line | Path | Indicators | Parent process | Description | Company | Version | Integrity level | Exit code |
---|---|---|---|---|---|---|---|---|---|
1348 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6748784799285248.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | WinRAR archiver | Alexander Roshal | 5.60.0 | MEDIUM | — |
3560 | "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\admin\Desktop\asd.xml" | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | — | explorer.exe | XML Editor | Microsoft Corporation | 14.0.4750.1000 | MEDIUM | 0 |
2592 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | MSOXMLED.EXE | Internet Explorer | Microsoft Corporation | 11.00.9600.16428 (winblue_gdr.131013-1700) | MEDIUM | 1 |
2840 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2592 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | Internet Explorer | Microsoft Corporation | 11.00.9600.16428 (winblue_gdr.131013-1700) | LOW | 0 |
3772 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2592 CREDAT:78849 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | Internet Explorer | Microsoft Corporation | 11.00.9600.16428 (winblue_gdr.131013-1700) | MEDIUM | 0 |
956 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\as.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | Microsoft Word | Microsoft Corporation | 14.0.6024.1000 | MEDIUM | 0 |
3684 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\as.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | Microsoft Word | Microsoft Corporation | 14.0.6024.1000 | MEDIUM | 0 |
2704 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | Microsoft Excel | Microsoft Corporation | 14.0.6024.1000 | MEDIUM | 0 |
548 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\asd.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | Microsoft Word | Microsoft Corporation | 14.0.6024.1000 | MEDIUM | 0 |
Files activity

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1348.27960\d0b97ae8a6be8f1142ae78abc8d96a7401bb94434daedcff0b7b35f0654e3b4a | — | — | — |
2592 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFD831BE33F0A8D150.TMP | — | — | — |
2592 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFF957235AFB689CFA.TMP | — | — | — |
2592 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF46F651F9EFF4C402.TMP | — | — | — |
2592 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF070088AB240C508A.TMP | — | — | — |
2592 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFE526C22779D76424.TMP | — | — | — |
2592 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF14DB2CB672B1FA89.TMP | — | — | — |
956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR1689.tmp.cvr | — | — | — |
956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{0F8DAE4A-9A5E-4F02-9B60-730410652F38} | — | — | — |
956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{CCEF1B87-6D18-461C-AA74-FEB4E082418D} | — | — | — |
HTTP requests

PID | Process | Method | HTTP Code | IP:port | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
824 | svchost.exe | OPTIONS | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office | US | — | — | malicious |
956 | WINWORD.EXE | HEAD | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office/invoice_11131.doc | US | — | — | malicious |
956 | WINWORD.EXE | OPTIONS | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office/ | US | — | — | malicious |
956 | WINWORD.EXE | GET | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office/invoice_11131.doc | US | — | — | malicious |
824 | svchost.exe | OPTIONS | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office | US | — | — | malicious |
2592 | iexplore.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3684 | WINWORD.EXE | HEAD | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office/invoice_11131.doc | US | — | — | malicious |
3684 | WINWORD.EXE | GET | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office/invoice_11131.doc | US | — | — | malicious |
2592 | iexplore.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3684 | WINWORD.EXE | OPTIONS | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office/ | US | — | — | malicious |
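In the rows above, the two Word processes (PID 956, which opened as.doc, and PID 3684, which opened as.docx) each issue HEAD, OPTIONS and GET for invoice_11131.doc on a duckdns.org host, and svchost.exe sends OPTIONS to the same host. That pattern is consistent with Word resolving an http:// document or template reference embedded in the file, with the WebClient service (the WebDAV mini-redirector, hosted in svchost.exe) probing the server. The following Python is an added example, not part of the ANY.RUN report: it parses HTTP rows in this report's pipe-separated layout and flags Office processes that download Office documents from dynamic-DNS hosts, correlating them with WebClient OPTIONS probes. The sample rows are copied from the table above; the dynamic-DNS suffix list and the document-extension list are assumptions to be replaced with your own.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample input: the HTTP-request rows of the report above, as pipe-separated
# text (PID | process | method | code | IP:port | URL | CN | type | size | reputation).
SAMPLE_HTTP_ROWS = """\
824 | svchost.exe | OPTIONS | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office | US | — | — | malicious
956 | WINWORD.EXE | HEAD | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office/invoice_11131.doc | US | — | — | malicious
956 | WINWORD.EXE | OPTIONS | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office/ | US | — | — | malicious
956 | WINWORD.EXE | GET | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office/invoice_11131.doc | US | — | — | malicious
824 | svchost.exe | OPTIONS | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office | US | — | — | malicious
2592 | iexplore.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
3684 | WINWORD.EXE | HEAD | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office/invoice_11131.doc | US | — | — | malicious
3684 | WINWORD.EXE | GET | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office/invoice_11131.doc | US | — | — | malicious
3684 | WINWORD.EXE | OPTIONS | — | 192.169.69.25:80 | http://kung2globalinvestmentwsdygoogledngaddres.duckdns.org/office/ | US | — | — | malicious
"""

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "msoxmled.exe"}
# Assumed watch-list of dynamic-DNS suffixes; extend it from your own intel feed.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.biz", "hopto.org", "ddns.net")
# Assumed list of file types Office will load as a document or attached template from a URL.
DOC_EXTENSIONS = (".doc", ".dot", ".docx", ".dotx", ".docm", ".dotm", ".rtf",
                  ".xls", ".xlsx", ".xlsm", ".xlt", ".xltm", ".xltx")


@dataclass(frozen=True)
class Request:
    pid: int
    process: str
    method: str
    url: str


@dataclass(frozen=True)
class Finding:
    pid: int
    process: str
    url: str
    reasons: tuple


def parse_rows(text: str) -> list:
    """Parse pipe-separated rows; header and separator lines have no numeric PID and are skipped."""
    reqs = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 6 or not cols[0].isdigit():
            continue
        reqs.append(Request(int(cols[0]), cols[1], cols[2].upper(), cols[5]))
    return reqs


def is_dyndns(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def flag_office_remote_fetches(rows_text: str) -> list:
    reqs = parse_rows(rows_text)
    # Hosts that svchost.exe probed with OPTIONS. On Windows the WebClient service
    # (WebDAV mini-redirector) runs inside svchost.exe and sends OPTIONS when an
    # application hands an http:// path to the file APIs.
    webdav_probed = {
        (urlparse(r.url).hostname or "").lower()
        for r in reqs
        if r.process.lower() == "svchost.exe" and r.method == "OPTIONS"
    }
    findings, seen = [], set()
    for r in reqs:
        if r.process.lower() not in OFFICE_PROCESSES or r.method != "GET":
            continue
        u = urlparse(r.url)
        host = (u.hostname or "").lower()
        reasons = []
        if is_dyndns(host):
            reasons.append("dynamic-DNS host")
        if u.path.lower().endswith(DOC_EXTENSIONS):
            reasons.append("Office document/template fetched over " + u.scheme)
        if not reasons:
            continue  # ordinary Office traffic (OCSP, update checks) is not flagged
        if host in webdav_probed:
            reasons.append("same host probed via OPTIONS by svchost.exe (WebClient)")
        key = (r.pid, r.url)
        if key in seen:  # one finding per process/URL even if the GET repeats
            continue
        seen.add(key)
        findings.append(Finding(r.pid, r.process, r.url, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in flag_office_remote_fetches(SAMPLE_HTTP_ROWS):
        print(f"PID {f.pid} {f.process} GET {f.url}\n    " + "; ".join(f.reasons))
```

Run against the rows above, this reports two findings (PID 956 and PID 3684, both fetching invoice_11131.doc) and nothing for the iexplore.exe OCSP request. The WebClient correlation is a supporting signal rather than a requirement, because the OPTIONS probe can come from the Office process itself, as the WINWORD.EXE rows here show.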
Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2592 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
956 | WINWORD.EXE | 192.169.69.25:80 | kung2globalinvestmentwsdygoogledngaddres.duckdns.org | Wowrack.com | US | malicious |
2592 | iexplore.exe | 72.21.91.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3684 | WINWORD.EXE | 192.169.69.25:80 | kung2globalinvestmentwsdygoogledngaddres.duckdns.org | Wowrack.com | US | malicious |
824 | svchost.exe | 192.169.69.25:80 | kung2globalinvestmentwsdygoogledngaddres.duckdns.org | Wowrack.com | US | malicious |
DNS requests

Domain | Reputation |
---|---|
kung2globalinvestmentwsdygoogledngaddres.duckdns.org | malicious |
iecvlist.microsoft.com | whitelisted |
r20swj13mr.microsoft.com | whitelisted |
ocsp.digicert.com | whitelisted |
Threats (IDS alerts)

PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |