File name: BLACKBAND_DESIGN.zip
Full analysis: https://app.any.run/tasks/e51da624-9715-43c2-b6cd-8a575dfdb99f
Verdict: Malicious activity
Analysis date: May 30, 2020, 13:04:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: maldoc-51
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 10C64CE83F42CEBD4D65DE8B67F1C307
SHA1: 5ADD6AA30BD6C5B2785B170B135DD3A548D76F49
SHA256: E9EF6EFB211529D11D1CF02FF293DD5C2047B58DC48157129A8E3A14CEEA8D56
SSDEEP: 1536:JcYTFSpBzpcDBOhnRbPUgMHIJWaWu1SKZreP/iHt:JcYp4VZPnY7LuMX/K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 2764)
    • Registers / Runs the DLL via REGSVR32.EXE
      • WINWORD.EXE (PID: 2764)
  • SUSPICIOUS
    • Starts Microsoft Office Application
      • WinRAR.exe (PID: 812)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2764)
    • Reads Internet Cache Settings
      • WINWORD.EXE (PID: 2764)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: legislate.05.20.doc
ZipUncompressedSize: 75399
ZipCompressedSize: 63717
ZipCRC: 0x953c69fd
ZipModifyDate: 2020:05:27 02:13:26
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
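The EXIF block above is the ZIP entry metadata a triage script should pull out before anything is detonated: the member name (an Office document inside an archive is itself a maldoc indicator), sizes, CRC, timestamp, and the general purpose bit flag. Note that the reported ZipBitFlag of 0x0009 has bit 0 set, which in the ZIP specification marks the entry as encrypted, and bit 3, which means sizes and CRC are in a trailing data descriptor; an encrypted member cannot be inspected by mail gateways or AV without the password. The script below is an added example, not ANY.RUN's code or output. The archive it analyses is constructed in memory with an arbitrary placeholder payload under the same member name as the report; it is not the real sample, so its hashes and sizes differ from those shown above. Python's zipfile module cannot write encrypted members, so the 0x0009 value is decoded separately from the constant in the report.

```python
"""Static triage of a ZIP attachment before detonation (added example, constructed data)."""
import hashlib
import io
import json
import zipfile

OFFICE_EXTS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb",
               ".ppt", ".pptm", ".rtf")


def build_sample_zip() -> bytes:
    """Constructed stand-in for BLACKBAND_DESIGN.zip: same member name and
    timestamp as the report, but the content is a placeholder, not the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        info = zipfile.ZipInfo("legislate.05.20.doc",
                               date_time=(2020, 5, 27, 2, 13, 26))
        info.compress_type = zipfile.ZIP_DEFLATED
        # OLE2 magic followed by filler so Deflate has something to compress
        zf.writestr(info, b"\xd0\xcf\x11\xe0" + b"placeholder OLE2 bytes " * 40)
    return buf.getvalue()


def decode_bit_flag(flag: int) -> list:
    """Name the general purpose bit flag bits that matter for triage
    (ZIP APPNOTE section 4.4.4)."""
    names = []
    if flag & 0x0001:
        names.append("encrypted")
    if flag & 0x0008:
        names.append("data-descriptor")
    if flag & 0x0800:
        names.append("utf8-names")
    return names


def triage_zip(data: bytes) -> dict:
    """Hash the archive and list member metadata without extracting anything."""
    hashes = {n: hashlib.new(n, data).hexdigest().upper()
              for n in ("md5", "sha1", "sha256")}
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            entries.append({
                "name": zi.filename,
                "uncompressed_size": zi.file_size,
                "compressed_size": zi.compress_size,
                "crc": f"0x{zi.CRC:08x}",
                "modify_date": "%04d:%02d:%02d %02d:%02d:%02d" % zi.date_time,
                "compression": ("Deflated" if zi.compress_type == zipfile.ZIP_DEFLATED
                                else str(zi.compress_type)),
                "bit_flag": f"0x{zi.flag_bits:04x}",
                "flags": decode_bit_flag(zi.flag_bits),
                "required_version": zi.extract_version,
                "office_document": zi.filename.lower().endswith(OFFICE_EXTS),
            })
    findings = []
    if any(e["office_document"] for e in entries):
        findings.append("office document inside archive: treat as maldoc candidate")
    if any("encrypted" in e["flags"] for e in entries):
        findings.append("encrypted member: gateway/AV content inspection is blind to it")
    return {"hashes": hashes, "entries": entries, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(triage_zip(build_sample_zip()), indent=2))
    # The flag value from the report's EXIF block, decoded on its own.
    print("0x0009 ->", decode_bit_flag(0x0009))
```

Run against a real attachment by passing the file's bytes to triage_zip; only infolist() is touched, so nothing is written to disk and no member is decompressed.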
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → winrar.exe → winword.exe → regsvr32.exe

Process information

PID: 812
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\BLACKBAND_DESIGN.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: none
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2764
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb812.25109\legislate.05.20.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators: none
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 840
CMD: Regsvr32 c:\programdata\60556589.dat
Path: C:\Windows\system32\Regsvr32.exe
Indicators: none
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 3
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
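The process tree above is the whole detection story: an archiver spawns Word, and Word spawns regsvr32.exe pointed at a file with a .dat extension under C:\ProgramData. Each link is a cheap, high-signal rule on process-creation telemetry (Sysmon event ID 1 or Windows 4688 with command-line auditing): Office as the parent of a LOLBin loader, regsvr32 given a target whose extension is not .dll/.ocx/.ax, and a target in a user-writable staging directory. Regsvr32's exit code 3 is its LoadLibrary-failed return code, so the module did not load in this run; the rule should fire on the launch attempt regardless. The code below is an added example, not ANY.RUN's signature logic. The ProcEvent records are constructed from the PIDs, images and command lines in this report plus one benign msiexec-driven regsvr32 control; the image lists and staging directories are the author's assumptions, to be tuned per environment.

```python
"""Flag the Office -> regsvr32 chain from process-creation events (added example)."""
import os
import re
from dataclasses import dataclass

# Assumed allow/deny vocabularies; extend to match the estate being monitored.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBIN_LOADERS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                  "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")
REGISTERABLE_EXTS = (".dll", ".ocx", ".ax")


@dataclass
class ProcEvent:
    """Minimal Sysmon EID 1 / 4688-style process-creation record."""
    pid: int
    image: str
    command_line: str
    parent_image: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def regsvr32_targets(cmdline: str) -> list:
    """Return the file arguments of a regsvr32 command line (quoted or bare),
    dropping the image token and any /s, /u, /i:... switches."""
    toks = re.findall(r'"([^"]+)"|(\S+)', cmdline)
    args = [quoted or bare for quoted, bare in toks][1:]
    return [a for a in args if not a.startswith(("/", "-"))]


def score_event(ev: ProcEvent) -> list:
    """Return the list of rule hits for one event (empty list means benign)."""
    hits = []
    child, parent = _basename(ev.image), _basename(ev.parent_image)
    if parent in OFFICE_IMAGES and child in LOLBIN_LOADERS:
        hits.append(f"office child process: {parent} -> {child}")
    if child == "regsvr32.exe":
        for target in regsvr32_targets(ev.command_line):
            low = target.lower()
            if os.path.splitext(low)[1] not in REGISTERABLE_EXTS:
                hits.append(f"regsvr32 loading non-DLL extension: {target}")
            if any(d in low for d in STAGING_DIRS):
                hits.append(f"regsvr32 target in user-writable staging dir: {target}")
    return hits


def run(events) -> dict:
    """Map PID -> hits for every event that triggered at least one rule."""
    results = {}
    for ev in events:
        hits = score_event(ev)
        if hits:
            results[ev.pid] = hits
    return results


# Constructed events: the three processes from the report plus a benign control.
SAMPLE_EVENTS = [
    ProcEvent(812, r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\BLACKBAND_DESIGN.zip"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(2764, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb812.25109\legislate.05.20.doc"',
              r"C:\Program Files\WinRAR\WinRAR.exe"),
    ProcEvent(840, r"C:\Windows\system32\Regsvr32.exe",
              r"Regsvr32 c:\programdata\60556589.dat",
              r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"),
    # Benign: an installer registering a vendor DLL from Program Files.
    ProcEvent(901, r"C:\Windows\system32\Regsvr32.exe",
              r'regsvr32 /s "C:\Program Files\Vendor\component.dll"',
              r"C:\Windows\system32\msiexec.exe"),
]

if __name__ == "__main__":
    for pid, hits in run(SAMPLE_EVENTS).items():
        print(pid, *hits, sep="\n  ")
```

Only PID 840 trips the rules, on all three counts; the WinRAR and Word launches and the msiexec control stay silent. The parent/child rule is the one to keep even when the extension and path rules are noisy for a given fleet, since Office has almost no legitimate reason to start regsvr32.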
Total events: 2 439
Read events: 1 381
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 1
Text files: 0
Unknown types: 2

Dropped files

PID: 2764 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVRB9AA.tmp.cvr
Type:
MD5:
SHA256:

PID: 2764 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 2DB0F9D3E9E00B41673EB3CE5AE887D6
SHA256: 9273D6A67D49290AF02E2F5C0FEE8FB2B2919C0BB7B1AC14A765AC7FD979BDFD

PID: 812 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb812.25109\legislate.05.20.doc
Type: document
MD5: 3196D7CADF32762A129993AD6EFFE898
SHA256: D5B377692A10355944E8E77BF1A2EBA829498BE1D154E32AFFE989D880713FAE

PID: 2764 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb812.25109\~$gislate.05.20.doc
Type: pgc
MD5: 1BF7B5EFA2974A1E2F744ADFB72FAA1B
SHA256: 4FCB05D101A8B81ACC374D3EB0F67400E2743E20B57820B3F4F069DCF46E020E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain: nrs2wjke0t2vz9.com
IP: (none recorded)
Reputation: malicious

Threats

No threats detected
No debug info