analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

N-0678305782019.doc

Full analysis: https://app.any.run/tasks/d6345745-9b82-4bff-8664-0a608d5f1a52
Verdict: Malicious activity
Analysis date: June 18, 2019, 19:00:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5:

EA151D0A1534D19C096395892FD07C73

SHA1:

B860BDAA94DA1A129B8B527E1362118293FB2BEA

SHA256:

0A588FFE984C4C5FB76EB7C0FAC4747928DA26BB48FB94FC4BC79D9FD3B0DB68

SSDEEP:

1536:Ki8TDG58In7EwXX0FNi/u1eMFoVbjHRYAsYPdV:b8TQ8Sow0FNl4MCV/HmAhPdV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2796)

    • Application was dropped or rewritten from another process

      • awMiOFl.exe (PID: 2956)

  • SUSPICIOUS

    • Creates files in the Windows directory

      • WINWORD.EXE (PID: 2796)
      • wmic.exe (PID: 2276)

    • Executable content was dropped or overwritten

      • wmic.exe (PID: 2276)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2796)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2796)

    • Dropped object may contain Bitcoin addresses

      • wmic.exe (PID: 2276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs wmic.exe wmic.exe awmiofl.exe

Process information

PID
CMD
Path
Indicators
Parent process
2796"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\N-0678305782019.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1660wmic os get /format:"C:\\Windows\\Temp\\aXwZvnt48.xsl"C:\Windows\System32\Wbem\wmic.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147614729
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2276wmic os get /format:"C:\\Windows\\Temp\\aXwZvnt48.xsl"C:\Windows\System32\Wbem\wmic.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147614729
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2956"C:\Windows\Temp\awMiOFl.exe" C:\Windows\Temp\awMiOFl.exe
wmic.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 801
Read events
1 089
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
2796WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRF98.tmp.cvr
MD5:
SHA256:
2796WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF2A890B686B0041E6.TMP
MD5:
SHA256:
2796WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF0753C2E075F4838D.TMP
MD5:
SHA256:
2796WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF60E5213D8AE4452B.TMP
MD5:
SHA256:
2796WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF202ECC7780B6F50A.TMP
MD5:
SHA256:
2796WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFB9C87D357E205F16.TMP
MD5:
SHA256:
2796WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFD610B7F344B34548.TMP
MD5:
SHA256:
2796WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:5AB8FDB550CEF33A41135907EDACEA21
SHA256:B313EC3B7731E49E8197F3027D1E9BB7650F7DE250BEC72E876D9FBE7B5D72C8
2276wmic.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\servicewn[1].exeexecutable
MD5:A8BE64EA37DEDE9CE99D9CD8D36979C9
SHA256:BE3463AC44E1F86798F3A6DAE95DA06A5F1E187D775B71C601EE08D8E48349A4
2276wmic.exeC:\windows\temp\awMiOFl.exeexecutable
MD5:A8BE64EA37DEDE9CE99D9CD8D36979C9
SHA256:BE3463AC44E1F86798F3A6DAE95DA06A5F1E187D775B71C601EE08D8E48349A4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
4
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2276
wmic.exe
49.51.12.195:443
tor2net.com
Tencent Building, Kejizhongyi Avenue
CN
suspicious
1660
wmic.exe
49.51.12.195:443
tor2net.com
Tencent Building, Kejizhongyi Avenue
CN
suspicious

DNS requests

Domain
IP
Reputation
tor2net.com
  • 49.51.12.195
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
Process
Message
awMiOFl.exe
Installing...
awMiOFl.exe
Installing...
awMiOFl.exe
Installing...
awMiOFl.exe
Installing...
awMiOFl.exe
Installing...
awMiOFl.exe
Installing...
awMiOFl.exe
Installing...
awMiOFl.exe
Installing...
awMiOFl.exe
Installing...
awMiOFl.exe
Installing...
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
N-0678305782019.doc