| File name: | malware.zip |
| Full analysis: | https://app.any.run/tasks/8d1b4127-6e4b-4f10-ae5b-0c63e893bfd6 |
| Verdict: | Malicious activity |
| Analysis date: | December 06, 2022, 01:16:15 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | A8E41B10354D07800FA16FFB8247D4AA |
| SHA1: | 4CF5BBB099F33F30A5A95520B3184E3C9D9870A5 |
| SHA256: | F8BD28F38B64BD952D05F83069328FD7F38E7DA2B4E59F787CE27DB467D180B3 |
| SSDEEP: | 192:tU+GRY6E1fjWDOvZ/FQfTS1/CCVGDhwUJm7Yhbe0EKtXvWIg2bkALm/6ceEbbsX2:RL6sfjN/wTSdVGDhrJmSb7pWnRh/UEUm |
MALICIOUS
CVE-2022-30190 detected
- WINWORD.EXE (PID: 3692)
SUSPICIOUS
Detected use of alternative data streams (AltDS)
- WINWORD.EXE (PID: 3692)
INFO
Reads default file associations for system extensions
- WinRAR.exe (PID: 2308)
Checks proxy server information
- WINWORD.EXE (PID: 3692)
Reads Microsoft Office registry keys
- WinRAR.exe (PID: 2308)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
Total processes
38
Monitored processes
2
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2308 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\malware.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 3692 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb2308.37009\sample.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
Total events
5 279
Read events
4 494
Write events
616
Delete events
169
Modification events
| (PID) Process: | (2308) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (2308) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (2308) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2308) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (2308) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2308) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\malware.zip | |||
| (PID) Process: | (2308) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2308) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2308) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2308) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
Executable files
0
Suspicious files
9
Text files
0
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3692 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR85EA.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3692 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:— | SHA256:— | |||
| 3692 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIb2308.37009\~$sample.doc | pgc | |
MD5:— | SHA256:— | |||
| 3692 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | |
MD5:— | SHA256:— | |||
| 3692 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{F6317D4C-0B4F-4F23-9E9F-DD28B46EEA8E} | binary | |
MD5:— | SHA256:— | |||
| 3692 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{61C399C8-56D7-4FE5-9FD2-738FAD537FC7}.FSD | binary | |
MD5:— | SHA256:— | |||
| 3692 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{69114CDB-96A9-4705-B6BE-247D0DD46C5E} | binary | |
MD5:— | SHA256:— | |||
| 3692 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | |
MD5:— | SHA256:— | |||
| 2308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb2308.37009\sample.doc | document | |
MD5:52945AF1DEF85B171870B31FA4782E52 | SHA256:4A24048F81AFBE9FB62E7A6A49ADBD1FAF41F266B5F9FEECDCEB567AEC096784 | |||
| 3692 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | |
MD5:D471A0BB5F0B8A9AC834E0172491B7F9 | SHA256:418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.xmlformats.com |
| malicious |