| Field | Value |
|---|---|
| File name | malware.zip |
| Full analysis | https://app.any.run/tasks/f2226c31-5166-4042-84f1-83dc95859791 |
| Verdict | Malicious activity |
| Analysis date | December 06, 2022, 01:25:32 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | A8E41B10354D07800FA16FFB8247D4AA |
| SHA1 | 4CF5BBB099F33F30A5A95520B3184E3C9D9870A5 |
| SHA256 | F8BD28F38B64BD952D05F83069328FD7F38E7DA2B4E59F787CE27DB467D180B3 |
| SSDEEP | 192:tU+GRY6E1fjWDOvZ/FQfTS1/CCVGDhwUJm7Yhbe0EKtXvWIg2bkALm/6ceEbbsX2:RL6sfjN/wTSdVGDhrJmSb7pWnRh/UEUm |

| Extension | File type identification |
|---|---|
| .zip | ZIP compressed archive (100) |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2308 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\malware.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.91.0 |
| 3652 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\sample\sample.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 |
| 1756 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /i "C:\Users\admin\Desktop\sample\sample.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 |
| 2188 | C:\Windows\system32\printfilterpipelinesvc.exe -Embedding | C:\Windows\system32\printfilterpipelinesvc.exe | — | svchost.exe | User: LOCAL SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Print Filter Pipeline Host; Version: 6.1.7601.24537 (win7sp1_ldr_escrow.191114-1547) |
| 3728 | /insertdoc "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{0471DADE-CF66-408C-9FF1-2A97D26A3DA2}.xps" 133147636062280000 | C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE | — | printfilterpipelinesvc.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft OneNote; Exit code: 0; Version: 14.0.6022.1000 |
| 124 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\sample\sample.doc" | C:\Program Files\Notepad++\notepad++.exe | | Explorer.EXE | User: admin; Company: Don HO [email protected]; Integrity Level: MEDIUM; Description: Notepad++ : a free (GNU) source code editor; Exit code: 0; Version: 7.91 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3652 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3B15.tmp.cvr | — | — | — |
| 1756 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFCDF.tmp.cvr | — | — | — |
| 3652 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | DA8B8E198018F1334E10516C9646BE75 | EA77D8A914778CF1BECB2CAB5F7064A048B14D70384261A7B42571E2DDA6CD9B |
| 3652 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{9354B9E5-35CF-46B9-B856-B99BC5793E50} | binary | DA8B8E198018F1334E10516C9646BE75 | EA77D8A914778CF1BECB2CAB5F7064A048B14D70384261A7B42571E2DDA6CD9B |
| 3652 | WINWORD.EXE | C:\Users\admin\Desktop\sample\~$sample.doc | pgc | E7AF1F13B481E2E1DF84939D7A973CDD | 16E25C08CC54190B88AEB23384A9B392A11092550456D1F4314710492EA97D90 |
| 3652 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | F25816CE9F33B45CF0EE79C3880A8CDD | 04B9CE5751C1E1E921DA170DC74D6471526958BD3D437A07B1A976F342BD1064 |
| 3652 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | 8039886AF3F0060A4591DACD95A75F88 | 9CDCECAAD174690B117B0D81FE5B15F793AB7FEB3D1F61EC65FE0B4D06EA00E8 |
| 3652 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{34ECC793-6113-4986-A2FF-18CDA2FA36B7}.FSD | binary | 975F19FF6E221E5A82055E3D0C19BBF4 | 7C22626FC0D7C0CEAC1AA631376F001FEA240C1BE045B88861EA698648E70445 |
| 3652 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{94EBF077-91A9-47F9-B5DD-D0C8345015B9} | binary | 8039886AF3F0060A4591DACD95A75F88 | 9CDCECAAD174690B117B0D81FE5B15F793AB7FEB3D1F61EC65FE0B4D06EA00E8 |
| 3652 | WINWORD.EXE | C:\Users\admin\Desktop\sample\sample.doc | document | 9A7ED8710C596F488C817E22C75318F8 | A8309D3FD26F796B3295EC2831A96D882BDCCA310032C60A8182BD1D6E6E0970 |
| Domain | IP | Reputation |
|---|---|---|
| www.xmlformats.com | | malicious |
| Process | Message |
|---|---|
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll |
| notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
| notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3 |
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe |
| notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
| notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3 |
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll |
| notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
| notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3 |
| notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe |