File name: 43eecf22e8f914d44df3da16c23dcc2e076a8753.zip
Full analysis: https://app.any.run/tasks/4278aa9d-527d-41ca-a5c0-1b5cce046e79
Verdict: Malicious activity
Analysis date: June 27, 2022, 12:04:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: cve-2022-30190
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: A8E41B10354D07800FA16FFB8247D4AA
SHA1: 4CF5BBB099F33F30A5A95520B3184E3C9D9870A5
SHA256: F8BD28F38B64BD952D05F83069328FD7F38E7DA2B4E59F787CE27DB467D180B3
SSDEEP: 192:tU+GRY6E1fjWDOvZ/FQfTS1/CCVGDhwUJm7Yhbe0EKtXvWIg2bkALm/6ceEbbsX2:RL6sfjN/wTSdVGDhrJmSb7pWnRh/UEUm
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • CVE-2022-30190 detected: WINWORD.EXE (PID: 3476)
  • SUSPICIOUS
    • Reads the computer name: WinRAR.exe (PID: 1000)
    • Checks supported languages: WinRAR.exe (PID: 1000)
    • Reads default file associations for system extensions: WINWORD.EXE (PID: 3476)
  • INFO
    • Checks supported languages: WINWORD.EXE (PID: 3476)
    • Reads the computer name: WINWORD.EXE (PID: 3476)
    • Manual execution by user: WINWORD.EXE (PID: 3476)
    • Creates files in the user directory: WINWORD.EXE (PID: 3476)
    • Reads Microsoft Office registry keys: WINWORD.EXE (PID: 3476)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP)
ZipFileName: sample/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2022:06:01 17:02:16
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph: start → winrar.exe (no specs), winword.exe (no specs)

Process information

PID 1000 | WinRAR.exe | Parent process: Explorer.EXE
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\43eecf22e8f914d44df3da16c23dcc2e076a8753.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.91.0

PID 3476 | WINWORD.EXE | Parent process: Explorer.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\sample\sample.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000
Total events: 5 164
Read events: 4 267
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 9
Text files: 1
Unknown types: 4

Dropped files (PID | Process | Filename | Type | MD5 | SHA256)

3476 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDBB1.tmp.cvr | - | MD5: - | SHA256: -
3476 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | MD5: 4FEF4BE38B5DE9E284D3AF7690F8C998 | SHA256: 7E0F9D0F27EFB4A9F871758EFF77387157AB2EE983A2E9F0CE767B4C88C633B1
3476 | WINWORD.EXE | C:\Users\admin\Desktop\sample\~$sample.doc | pgc | MD5: 831261F3D1561D70DC212D18098540B4 | SHA256: 6E17C9CC1F48B642C0555E19CA32D20DC04339753653E51D431A6DEADA2D28B5
3476 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | MD5: 3265101EDECCA53C96C57D1AADEF0028 | SHA256: 8FDE1E2A85B3D192629CA73344F457ABD34847480503169C662F6A2693877AAC
3476 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{BB198DFD-932C-4996-8B76-F08C4E5B41C9} | binary | MD5: 92E8347389A35EB761124426D645E125 | SHA256: EA32DF7E9B1B4C8A8B094A018E30890CB8DAA1B78E31E4FB6BEEE0223B0473EB
3476 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{99D53EAA-AECD-4AEF-9CA7-90CD9F53A508} | binary | MD5: 4FEF4BE38B5DE9E284D3AF7690F8C998 | SHA256: 7E0F9D0F27EFB4A9F871758EFF77387157AB2EE983A2E9F0CE767B4C88C633B1
3476 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{075EE302-1D29-46E3-ADF9-1907A5E04E31}.FSD | binary | MD5: 063A88E97540C4363A90FFA62C77A695 | SHA256: FA4A4780BEABBF6B3AE0AD453C6478DEBCC526164E8D76B3D1AEEA30E825E841
3476 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | MD5: 92E8347389A35EB761124426D645E125 | SHA256: EA32DF7E9B1B4C8A8B094A018E30890CB8DAA1B78E31E4FB6BEEE0223B0473EB
3476 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\sample.doc.LNK | lnk | MD5: FD5AC2CF81346854AF9167102DBCDB70 | SHA256: 5FF8833650169425064974B84720C303887F4DFAC3B4BD6FC5C1984F24D2265C
3476 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | MD5: D471A0BB5F0B8A9AC834E0172491B7F9 | SHA256: 418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests (Domain | IP | Reputation)

www.xmlformats.com | - | malicious
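The verdict rests on two things visible in this report: the CVE-2022-30190 signature firing on WINWORD.EXE (PID 3476), and a DNS lookup for www.xmlformats.com rated malicious, with no HTTP or TCP traffic recorded, so the remote stage was never actually retrieved in this run. CVE-2022-30190 (Follina) is delivered by an Office document whose oleObject relationship points at an external URL; Word fetches that URL on open and the returned HTML carries the ms-msdt: URI that launches the Diagnostic Tool. The following Python triage script is an added example, not part of the ANY.RUN report or of the sample: it extracts external oleObject targets from the relationship parts of an OOXML package, matches the host against a known-bad domain set such as the DNS indicator above, and scans fetched HTML for ms-msdt: URIs. It assumes the document is an OOXML (docx) package; the report's sample.doc is not available here and its internal format is not stated. The URL path, the relationship Id rId5 and the HTML snippet used in the demo are constructed; only the domain comes from the DNS section.

```python
"""Triage an OOXML Word package for the CVE-2022-30190 (Follina) delivery
vector: an oleObject relationship whose Target is an external URL. Word
retrieves that URL on open, and the returned HTML carries the ms-msdt: URI
that launches the Diagnostic Tool. Added example; not the sandbox's code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# Second-stage trigger inside the fetched HTML: capture up to a quote or tag.
MSDT_URI_RE = re.compile(r"ms-msdt:[^\"'<>]*", re.IGNORECASE)


def external_ole_targets(docx_bytes):
    """Return [(rels_part, rel_id, target)] for every oleObject relationship
    with TargetMode="External" found in any word/_rels/*.rels part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"):
                    hits.append((name, rel.get("Id"), rel.get("Target")))
    return hits


def target_host(target):
    """Hostname of a relationship target. Public Follina documents append
    '!' to the URL, so strip it before parsing."""
    return urlparse(target.rstrip("!")).hostname


def triage(docx_bytes, bad_domains):
    """Describe each external OLE target and mark hosts present in
    bad_domains (e.g. the DNS indicator from the sandbox report)."""
    report = []
    for part, rel_id, target in external_ole_targets(docx_bytes):
        host = target_host(target)
        report.append({"part": part, "id": rel_id, "target": target,
                       "host": host, "known_bad": host in bad_domains})
    return report


def msdt_uris(html_text):
    """Return every ms-msdt: URI found in fetched second-stage HTML."""
    return MSDT_URI_RE.findall(html_text)


def build_constructed_docx(target):
    """Constructed minimal package (not the analysed sample): just enough
    parts for the parser above, with one external oleObject relationship."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="{target}" '
        'TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # placeholder part
        z.writestr("word/document.xml", "<document/>")  # placeholder body
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed URL: only the domain comes from the report's DNS section.
    sample = build_constructed_docx("https://www.xmlformats.com/stage2.html!")
    for hit in triage(sample, {"www.xmlformats.com"}):
        print(hit)
    # Constructed snippet in the shape of public Follina second stages.
    print(msdt_uris('<script>location.href = "ms-msdt:/id PCWDiagnostic '
                    '/skip force";</script>'))
```

Run it against a real suspect file with `triage(open(path, "rb").read(), {"www.xmlformats.com"})`; a document with no external oleObject relationship returns an empty list, which is the expected result for ordinary files. Because this run recorded a DNS query but no HTTP traffic, the second stage was never captured, so `msdt_uris` is only useful once the HTML has been pulled from a PCAP or a proxy log.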

Threats

No threats detected
No debug info