analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Month Statement.doc

Full analysis: https://app.any.run/tasks/d08eacf2-9db3-4882-8d9d-cbc3f749971d
Verdict: Malicious activity
Analysis date: October 09, 2019, 13:27:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: adm, Template: Normal, Last Saved By: YJO, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 55:00, Create Time/Date: Tue Sep 5 10:03:00 2017, Last Saved Time/Date: Wed Oct 9 10:30:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

A98E37C827BC4A9ACADD4D374D7EDD00

SHA1:

DB6CF6B126A48D0E86CBFDD39C58C4FFC0D0B5C2

SHA256:

07BD8255F34529A7A027DB88DC7A90310D2E407357CB5EA67A5BA55BD255F248

SSDEEP:

24576:nXpcuPW7kgAuMTxw5dxsIk4aKpZJZhyPr:XpF5u5dS4PpZJZsPr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • WScript.exe (PID: 4064)
      • Colors.exe (PID: 3372)
    • Loads the Task Scheduler COM API

      • WScript.exe (PID: 4064)
      • WINWORD.EXE (PID: 3092)
    • Application was dropped or rewritten from another process

      • Colors.exe (PID: 3372)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 4064)
    • Adds / modifies Windows certificates

      • WScript.exe (PID: 4064)
      • Colors.exe (PID: 3372)
    • Executed via Task Scheduler

      • WScript.exe (PID: 4064)
      • Colors.exe (PID: 3372)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3092)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: ???????? Microsoft Word 97-2003
CompObjUserTypeLen: 32
HeadingPairs:
  • Название
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
CharCountWithSpaces: 1
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Cyrillic
Security: None
Characters: 1
Words: -
Pages: 1
ModifyDate: 2019:10:09 09:30:00
CreateDate: 2017:09:05 09:03:00
TotalEditTime: 55.0 minutes
Software: Microsoft Office Word
RevisionNumber: 4
LastModifiedBy: YJO
Template: Normal
Comments: -
Keywords: -
Author: adm
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs wscript.exe colors.exe

Process information

PID
CMD
Path
Indicators
Parent process
3092"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Month Statement.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
4064C:\Windows\System32\WScript.exe "C:\Users\admin\AppData\Local\Temp\error_log.vbe"C:\Windows\System32\WScript.exe
taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3372C:\Users\admin\AppData\Local\Temp\Colors.exe C:\Users\admin\AppData\Local\Temp\Colors.exe
taskeng.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 162
Read events
770
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
3092WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRF05.tmp.cvr
MD5:
SHA256:
3372Colors.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\ihpupuqluretbwqo[1].txthtml
MD5:228FDCBCC56F157748D09B8C92878CD5
SHA256:2B16AF0CCD67F46F960D5B209E0EAA521BDAC09C57503BA0F69215E45C1BE7CE
3092WINWORD.EXEC:\Users\admin\AppData\Local\Temp\error_log.vbevbe
MD5:20713396556441F6F04C8D7ABD28B165
SHA256:F198812396D9A282EEFC40544FCD3F8F84C5AA09AB02E100DB4D276188AE51FC
4064WScript.exeC:\Users\admin\AppData\Local\Temp\Colors.exeexecutable
MD5:AB2C0D36529119E91FA84562A03307F7
SHA256:1D772438392B1E84D3CE800E181603646AE675E8572F7F741184B83537C5451F
3092WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:0DA97163FDEBFAEF04B4154A5B8216B7
SHA256:9229E2C97B8BF46154BD3D26D9F3941F89975DE2735A7B46F86690505905C540
3092WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$nth Statement.docpgc
MD5:89286348A6EA57DB45EA03926B491B6D
SHA256:57C8EC82900681EB91C67DE5B4204CC6F5579FFBB45D0AE4B386D69C2A07D0C8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4064
WScript.exe
192.185.195.77:443
cafeestereo.com
CyrusOne LLC
US
suspicious
3372
Colors.exe
45.90.32.34:443
5571875.info
malicious

DNS requests

Domain
IP
Reputation
cafeestereo.com
  • 192.185.195.77
suspicious
5571875.info
  • 45.90.32.34
malicious

Threats

No threats detected
No debug info