File name: Italiano_bat.zip
Full analysis: https://app.any.run/tasks/644445fe-e1c8-480e-9004-09b4e218d272
Verdict: Malicious activity
Analysis date: May 15, 2019, 07:48:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: macros, macros-on-open, maldoc-5

Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: D705FD9F8A005183B0DB5F30FDAA82A8
SHA1: FC8E96D8C4ADFED051C0694A514A8D674BABD6CA
SHA256: FD1F9FE5C53D54CB7FBC79182B7313BFE7EA633265283E410BDE34B117591585
SSDEEP: 768:d+QWf7GzA2bzBjvVF6wi7xyK8z60qhiVKsL3t1i5loj9DNniaD/EQLMTIzKwNu1O:dI7G/bVuURIiRztgloj9UaDNMTIzGO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 1128)
      • EXCEL.EXE (PID: 2084)
  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • rundll32.exe (PID: 1760)
      • DllHost.exe (PID: 1724)
      • DllHost.exe (PID: 2300)
      • rundll32.exe (PID: 3048)
      • powERSHELl.exe (PID: 2872)
      • NOTEPAD.EXE (PID: 3060)
      • powERSHELl.exe (PID: 616)
    • Uses RUNDLL32.EXE to load library

      • control.exe (PID: 2500)
      • rundll32.exe (PID: 3048)
    • Creates files in the Windows directory

      • DllHost.exe (PID: 2300)
    • Application launched itself

      • rundll32.exe (PID: 3048)
    • Uses WMIC.EXE to create a new process

      • EXCEL.EXE (PID: 1128)
      • EXCEL.EXE (PID: 2084)
    • Creates files in the user directory

      • powERSHELl.exe (PID: 2872)
      • powERSHELl.exe (PID: 616)
    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 1980)
  • INFO

    • Reads the machine GUID from the registry

      • EXCEL.EXE (PID: 1416)
      • EXCEL.EXE (PID: 1128)
      • EXCEL.EXE (PID: 2084)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 1416)
      • EXCEL.EXE (PID: 1128)
      • EXCEL.EXE (PID: 2084)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 1416)
      • EXCEL.EXE (PID: 1128)
      • EXCEL.EXE (PID: 2084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 2019_EmailCliente_0000096799_Allegato1_20190515021748.xls
ZipUncompressedSize: 75776
ZipCompressedSize: 49389
ZipCRC: 0xc29137d5
ZipModifyDate: 2019:05:15 09:43:20
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 130
Monitored processes: 33
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes in the graph, in the order shown (33 monitored): winrar.exe, winrar.exe, winrar.exe, excel.exe, cmd.exe, tzutil.exe, certutil.exe, regedit.exe, regedit.exe, regedit.exe, control.exe, rundll32.exe, timedate.cpl, COpenControlPanel, rundll32.exe, %systemroot%\system32\intl.cpl, rundll32.exe, excel.exe, wmic.exe, powershell.exe, ping.exe, cmd.exe, ipconfig.exe, rundll32.exe, notepad.exe, excel.exe, wmic.exe, powershell.exe, ping.exe, ping.exe, rundll32.exe, notepad.exe, ping.exe

Process information

PID: 1376
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Italiano_bat.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2252
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Italiano_bat.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2672
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Italiano_bat.zip" C:\Users\admin\Desktop\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 1416
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 14.0.4756.1000

PID: 2036
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\italiano.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1724
CMD: tzutil /s "W. Europe Standard Time"
Path: C:\Windows\system32\tzutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Time Zone Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2504
CMD: certutil /decode "C:\Users\admin\AppData\Local\Temp\b64" "C:\Users\admin\AppData\Local\Temp\decoded"
Path: C:\Windows\system32\certutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: CertUtil.exe
Exit code: 0
Version: 6.1.7601.18151 (win7sp1_gdr.130512-1533)

PID: 2652
CMD: regedit.exe /s "C:\Users\admin\AppData\Local\Temp\decoded"
Path: C:\Windows\regedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2392
CMD: "C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded"
Path: C:\Windows\regedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3052
CMD: "C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded"
Path: C:\Windows\regedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Editor
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 7 463
Read events: 6 035
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 5
Text files: 27
Unknown types: 4

Dropped files

Columns: PID, Process, Filename (the MD5 and SHA256 fields are empty in this report)

1416  EXCEL.EXE       C:\Users\admin\AppData\Local\Temp\CVR2C4D.tmp.cvr
1416  EXCEL.EXE       C:\Users\admin\AppData\Local\Temp\~DF7A1E8030FAA5A274.TMP
1416  EXCEL.EXE       C:\Users\admin\AppData\Local\Temp\~DFBD8854A566EE3765.TMP
1128  EXCEL.EXE       C:\Users\admin\AppData\Local\Temp\CVRC79.tmp.cvr
1128  EXCEL.EXE       C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\2019_EmailCliente_0000096799_Allegato1_20190515021748.LNK
2872  powERSHELl.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VYJO8H6HWUM7SJGKKBL2.temp
1128  EXCEL.EXE       C:\Users\admin\AppData\Local\Temp\~DF506FF7A77F7471E5.TMP
1128  EXCEL.EXE       C:\Users\admin\AppData\Local\Temp\~DF38E013BB22FA3398.TMP
2084  EXCEL.EXE       C:\Users\admin\AppData\Local\Temp\CVR9BF9.tmp.cvr
616   powERSHELl.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R8HZ77R66NL0N4KT4NUH.temp
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Columns: Domain, IP, Reputation

teredo.ipv6.microsoft.com  (no IP listed)  whitelisted

Threats

No threats detected
No debug info