analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

UDS 2019 Current Agenda.doc

Full analysis: https://app.any.run/tasks/fb0b934d-0c0f-4576-98fd-26abef527e06
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: January 10, 2019, 17:18:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Last Saved By: user, Revision Number: 7, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Tue Dec 11 14:17:00 2018, Last Saved Time/Date: Wed Dec 12 19:30:00 2018, Number of Pages: 22, Number of Words: 6339, Number of Characters: 36134, Security: 0
MD5:

F8A778D21003098075C9AEF8ED58C6C3

SHA1:

845576452DEF12B28CBD76FF07D7B5CCCE779225

SHA256:

04BD6C3D9FA30B4D9410B89BA44C9E29AAB22A1345115E8EEF9CDDC86D1EEA25

SSDEEP:

6144:kNT9uYN/TEed/yqXIWBxsxiOH60YhlZioXSBHfM5NkM5Dlol+yI8WF:GT9DAed6lWkQ/XSBH34NyIf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2984)
      • msconfig.exe (PID: 3616)

    • Changes the autorun value in the registry

      • WINWORD.EXE (PID: 3004)

    • Changes settings of System certificates

      • rundll32.exe (PID: 2984)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 3004)

  • SUSPICIOUS

    • Creates files in the program directory

      • WINWORD.EXE (PID: 3004)

    • Low-level read access rights to disk partition

      • msconfig.exe (PID: 3616)

    • Adds / modifies Windows certificates

      • rundll32.exe (PID: 2984)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3004)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Hyperlinks:
  • #page21
  • #page21
  • #page20
  • #page20
  • #page19
  • #page19
  • #page18
  • #page18
  • #page17
  • #page17
  • #page16
  • #page16
  • #page14
  • #page14
  • #page11
  • #page11
  • #page8
  • #page8
  • #page5
  • #page5
  • #page2
  • #page2
CodePage: Windows Latin 1 (Western European)
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 14
CharCountWithSpaces: 42389
Paragraphs: 84
Lines: 301
Company: -
Security: None
Characters: 36134
Words: 6339
Pages: 22
ModifyDate: 2018:12:12 19:30:00
CreateDate: 2018:12:11 14:17:00
TotalEditTime: 2.0 minutes
Software: Microsoft Office Word
RevisionNumber: 7
LastModifiedBy: user
Template: Normal.dotm
Keywords: -
Author: -
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe rundll32.exe msconfig.exe no specs msconfig.exe

Process information

PID
CMD
Path
Indicators
Parent process
3004"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\UDS 2019 Current Agenda.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2984rundll32.exe "C:\Users\admin\AppData\Local\Temp\clnb.dat", #1C:\Windows\system32\rundll32.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3628"C:\Windows\system32\msconfig.exe" C:\Windows\system32\msconfig.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
System Configuration Utility
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3616"C:\Windows\system32\msconfig.exe" C:\Windows\system32\msconfig.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
System Configuration Utility
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 160
Read events
799
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
3004WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVREAB2.tmp.cvr
MD5:
SHA256:
3004WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$S 2019 Current Agenda.docpgc
MD5:043C20D257F0E1E5D4AC35FF1DF1B578
SHA256:E2BE0F36448B9E39F49680ED303E950E79497AFAF847A34FC1B85B73A380CF8E
3004WINWORD.EXEC:\Users\admin\AppData\Local\Temp\clnb.datexecutable
MD5:EBDC6098C733B23E99DAA60E55CF858B
SHA256:7CB0BB528DCA188AE73D66D8739BD9D2BF04A6C7E5C805E9B3B92858EB118BF4
3004WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:D512D016B6D8FC09C9D73080393CD633
SHA256:E12CC561D707114629B3DAA016753E27BBF4954359B14694E71C0926457DABF5
3004WINWORD.EXEC:\ProgramData\adobe.dllexecutable
MD5:EBDC6098C733B23E99DAA60E55CF858B
SHA256:7CB0BB528DCA188AE73D66D8739BD9D2BF04A6C7E5C805E9B3B92858EB118BF4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2984
rundll32.exe
216.58.207.46:443
Google Inc.
US
whitelisted
2984
rundll32.exe
185.86.150.193:443
photopoststories.com
Makonix SIA
SE
unknown

DNS requests

Domain
IP
Reputation
photopoststories.com
  • 185.86.150.193
malicious

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
UDS 2019 Current Agenda.doc