analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

05eee81f198fcf6628ff9e20896cdd15bf1524ceffe6308cd7312bcf63d7e772

Full analysis: https://app.any.run/tasks/ea6d1dd1-0d16-43f0-b6e5-ce779c53cbf4
Verdict: Malicious activity
Analysis date: November 14, 2018, 12:48:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

1CB1A5EA1A3F064E471C5AA1AB70A476

SHA1:

AFA42118ADF1E9FD5826E54BE5C399620291B1C9

SHA256:

05EEE81F198FCF6628FF9E20896CDD15BF1524CEFFE6308CD7312BCF63D7E772

SSDEEP:

12288:dirCN1PGGp3Q9OCN3b+7NWQhYAiBvgXwAct:ArCN4Q+n3b+FhNiZgXwzt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • gupchrome.exe (PID: 3608)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3508)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3508)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • certutil.exe (PID: 2172)
    • Uses WMIC.EXE to create a new process

      • cmd.exe (PID: 3032)
    • Starts CertUtil for decode files

      • cmd.exe (PID: 3032)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3508)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3508)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x881ac2c5
ZipCompressedSize: 437
ZipUncompressedSize: 1900
ZipFileName: [Content_Types].xml

XMP

Title: Protected document
Subject: -
Creator: Paranoid Ninja
Description: -

XML

Keywords: -
LastModifiedBy: Paranoid Ninja
RevisionNumber: 217
CreateDate: 2018:08:22 09:56:00Z
ModifyDate: 2018:09:24 03:47:00Z
Template: Normal.dotm
TotalEditTime: 2.2 hours
Pages: 22
Words: 10771
Characters: 61401
Application: Microsoft Office Word
DocSecurity: None
Lines: 511
Paragraphs: 144
ScaleCrop: No
HeadingPairs:
  • Title
  • 1
TitlesOfParts: Protected document
Company: -
LinksUpToDate: No
CharactersWithSpaces: 72028
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs cmd.exe no specs certutil.exe wmic.exe no specs gupchrome.exe

Process information

PID
CMD
Path
Indicators
Parent process
3508"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\05eee81f198fcf6628ff9e20896cdd15bf1524ceffe6308cd7312bcf63d7e772.docm"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3032cmd /c certutil.exe -decodehex %temp%\gupchrome.txt %temp%\gupchrome.exe & wmic path win32_process call create %temp%\gupchrome.exeC:\Windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2172certutil.exe -decodehex C:\Users\admin\AppData\Local\Temp\gupchrome.txt C:\Users\admin\AppData\Local\Temp\gupchrome.exe C:\Windows\system32\certutil.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2688wmic path win32_process call create C:\Users\admin\AppData\Local\Temp\gupchrome.exeC:\Windows\System32\Wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3608C:\Users\admin\AppData\Local\Temp\gupchrome.exeC:\Users\admin\AppData\Local\Temp\gupchrome.exe
wmiprvse.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 247
Read events
621
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
3
Unknown types
4

Dropped files

PID
Process
Filename
Type
3508WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR944C.tmp.cvr
MD5:
SHA256:
3508WINWORD.EXEC:\Users\admin\AppData\Local\Temp\mso995E.tmp
MD5:
SHA256:
3508WINWORD.EXEC:\Users\admin\AppData\Local\Temp\gupchrome.txttext
MD5:309D4A79D690171B3A0156575281998A
SHA256:E3B038DFC636C7222D660D111A07300B2BE61E963DB2F80438F3A21465FBCE5F
2172certutil.exeC:\Users\admin\AppData\Local\Temp\gupchrome.exeexecutable
MD5:E10220425D7F0CFE6ABCADE0A54CABCA
SHA256:D31E0A028DB02B3BB21A850B852BFF4D4B247CEBE0178FFE55C844CA8730A8F9
3508WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:D9B7795331ECF80D40BEC490DCCE7695
SHA256:711D0F1BD0EB73BC53EAA2C0C62C97D8310AB3BFC6FABE92A0DD021CD01B3554
3508WINWORD.EXEC:\Users\admin\Desktop\~$eee81f198fcf6628ff9e20896cdd15bf1524ceffe6308cd7312bcf63d7e772.docmpgc
MD5:CDD5680A9A52411B7F235289157A464F
SHA256:4244FC79B579E595B6D211569C018B99862BF50C9A9259806A6E3A68D3BF0635
3508WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\05eee81f198fcf6628ff9e20896cdd15bf1524ceffe6308cd7312bcf63d7e772.docm.LNKlnk
MD5:34E145B5539C8957067F6EA3020C796C
SHA256:0A9E3848B58CB27002AD7E978A18F5C9CD4D31E50E7F4112F8CF7F2A9BF2AFEE
3508WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:DCD1A1D609085711D09A71C82062BE47
SHA256:58802616E28A33FDCC4CC9AE40F1D34E7F8DC4D5C18BC2531431084AC7E58DBB
3508WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lextext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
emiratesnbdegypt.com
  • 127.0.0.1
unknown

Threats

No threats detected
No debug info