analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Month Statement.doc

Full analysis: https://app.any.run/tasks/2c9a9a4f-a98b-4ba9-993f-0f7bb0e09df6
Verdict: Malicious activity
Analysis date: October 09, 2019, 13:22:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: adm, Template: Normal, Last Saved By: YJO, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 55:00, Create Time/Date: Tue Sep 5 10:03:00 2017, Last Saved Time/Date: Wed Oct 9 10:30:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

A98E37C827BC4A9ACADD4D374D7EDD00

SHA1:

DB6CF6B126A48D0E86CBFDD39C58C4FFC0D0B5C2

SHA256:

07BD8255F34529A7A027DB88DC7A90310D2E407357CB5EA67A5BA55BD255F248

SSDEEP:

24576:nXpcuPW7kgAuMTxw5dxsIk4aKpZJZhyPr:XpF5u5dS4PpZJZsPr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Colors.exe (PID: 2932)
    • Changes settings of System certificates

      • WScript.exe (PID: 3928)
      • Colors.exe (PID: 2932)
    • Loads the Task Scheduler COM API

      • WINWORD.EXE (PID: 3228)
      • WScript.exe (PID: 3928)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3928)
    • Executed via Task Scheduler

      • WScript.exe (PID: 3928)
      • Colors.exe (PID: 2932)
    • Adds / modifies Windows certificates

      • WScript.exe (PID: 3928)
      • Colors.exe (PID: 2932)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3228)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: ???????? Microsoft Word 97-2003
CompObjUserTypeLen: 32
HeadingPairs:
  • Название
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
CharCountWithSpaces: 1
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Cyrillic
Security: None
Characters: 1
Words: -
Pages: 1
ModifyDate: 2019:10:09 09:30:00
CreateDate: 2017:09:05 09:03:00
TotalEditTime: 55.0 minutes
Software: Microsoft Office Word
RevisionNumber: 4
LastModifiedBy: YJO
Template: Normal
Comments: -
Keywords: -
Author: adm
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs wscript.exe colors.exe

Process information

PID
CMD
Path
Indicators
Parent process
3228"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Month Statement.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3928C:\Windows\System32\WScript.exe "C:\Users\admin\AppData\Local\Temp\error_log.vbe"C:\Windows\System32\WScript.exe
taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2932C:\Users\admin\AppData\Local\Temp\Colors.exe C:\Users\admin\AppData\Local\Temp\Colors.exe
taskeng.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 141
Read events
751
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
3228WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRF25.tmp.cvr
MD5:
SHA256:
3228WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:0DA97163FDEBFAEF04B4154A5B8216B7
SHA256:9229E2C97B8BF46154BD3D26D9F3941F89975DE2735A7B46F86690505905C540
3228WINWORD.EXEC:\Users\admin\AppData\Local\Temp\error_log.vbevbe
MD5:20713396556441F6F04C8D7ABD28B165
SHA256:F198812396D9A282EEFC40544FCD3F8F84C5AA09AB02E100DB4D276188AE51FC
3928WScript.exeC:\Users\admin\AppData\Local\Temp\Colors.exeexecutable
MD5:AB2C0D36529119E91FA84562A03307F7
SHA256:1D772438392B1E84D3CE800E181603646AE675E8572F7F741184B83537C5451F
2932Colors.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\ihpupuqluretbwqo[1].txthtml
MD5:5C77E0972313D366AD324C76324CC500
SHA256:D3E60E71F845A6B217A38797DD8C5497EA0EAFB64CAD44BC2B4A09EAD15F5C84
3228WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$nth Statement.docpgc
MD5:AEC958E03165B4A38DD70FB3552B344F
SHA256:6526D66E052E1C596C3CA9D84628F7582D167CBE14D3B47F6C05E7A144AA43B8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2932
Colors.exe
45.90.32.34:443
5571875.info
malicious
3928
WScript.exe
192.185.195.77:443
cafeestereo.com
CyrusOne LLC
US
suspicious

DNS requests

Domain
IP
Reputation
cafeestereo.com
  • 192.185.195.77
suspicious
5571875.info
  • 45.90.32.34
malicious

Threats

No threats detected
No debug info