Malware analysis 0b22278ddb598d63f07eb983bcf307e0852cd3005c5bc15d4a4f26455562c8ec.docx Malicious activity

Add for printing

File name:	0b22278ddb598d63f07eb983bcf307e0852cd3005c5bc15d4a4f26455562c8ec.docx
Full analysis:	https://app.any.run/tasks/e9eb4ab8-7882-4240-92f9-4c48d460cd72
Verdict:	Malicious activity
Threats:	Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus. Malware Trends Tracker >>>
Analysis date:	August 19, 2024, 00:19:32
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	generated-doc macros ole-embedded macros-on-open evasion ip-check hancitor
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: MyPc, Template: Normal.dotm, Last Saved By: MyPc, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon May 24 12:32:00 2021, Last Saved Time/Date: Mon May 24 12:32:00 2021, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0
MD5:	14F4C470C207E22C3B0A4EFA7B4200E8
SHA1:	21180195396580A9ADE32B589490CF3BC94D3B5B
SHA256:	0B22278DDB598D63F07EB983BCF307E0852CD3005C5BC15D4A4F26455562C8EC
SSDEEP:	24576:nEIjrPUaphvGvGUZ93/semhXp7AsWIKHaY8k5faaboEy6r8zz1w:n/jhvGvGU93097AFIKbv0WY/1w

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executable content was dropped or overwritten
  - WINWORD.EXE (PID: 6624)
- Unusual execution from MS Office
  - WINWORD.EXE (PID: 6624)
- HANCITOR has been detected (YARA)
  - rundll32.exe (PID: 6888)
SUSPICIOUS
- Drops the executable file immediately after the start
  - WINWORD.EXE (PID: 6624)
- Detected use of alternative data streams (AltDS)
  - WINWORD.EXE (PID: 6624)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - WINWORD.EXE (PID: 6624)
- Uses RUNDLL32.EXE to load library
  - WINWORD.EXE (PID: 6624)
- Runs shell command (SCRIPT)
  - WINWORD.EXE (PID: 6624)
- There is functionality for taking screenshot (YARA)
  - rundll32.exe (PID: 6888)
- There is functionality for capture public ip (YARA)
  - rundll32.exe (PID: 6888)
- Checks for external IP
  - rundll32.exe (PID: 6888)
INFO
- Reads security settings of Internet Explorer
  - splwow64.exe (PID: 6168)
  - rundll32.exe (PID: 6888)
- The process uses the downloaded file
  - WINWORD.EXE (PID: 6624)
- Checks proxy server information
  - rundll32.exe (PID: 6888)
- Reads the computer name
  - TextInputHost.exe (PID: 6308)
- Checks supported languages
  - TextInputHost.exe (PID: 6308)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Hancitor

(PID) Process(6888) rundll32.exe

Hosts (3)http://thowerteigime.com/8/forum.php

http://euvereginumet.ru/8/forum.php

http://rhopulforopme.ru/8/forum.php

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Identification:	Word 8.0
LanguageCode:	English (US)
DocFlags:	Has picture, 1Table, ExtChar
System:	Windows
Word97:	No
Title:	-
Subject:	-
Author:	MyPc
Keywords:	-
Comments:	-
Template:	Normal.dotm
LastModifiedBy:	MyPc
Software:	Microsoft Office Word
CreateDate:	2021:05:24 12:32:00
ModifyDate:	2021:05:24 12:32:00
Security:	None
CodePage:	Windows Latin 1 (Western European)
Company:	-
CharCountWithSpaces:	23
AppVersion:	16
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	-
HeadingPairs:	Title 1
CompObjUserTypeLen:	32
CompObjUserType:	Microsoft Word 97-2003 Document
LastPrinted:	0000:00:00 00:00:00
RevisionNumber:	2
TotalEditTime:	-
Words:	3
Characters:	21
Pages:	1
Paragraphs:	1
Lines:	1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

133

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

6168

C:\WINDOWS\splwow64.exe 8192

C:\Windows\splwow64.exe

—

WINWORD.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Print driver host for applications

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\splwow64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

6308

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Version:

123.26505.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

6400

"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "5836929E-A0A0-49DC-AE75-3BF5C7BEA264" "2574B09B-C614-41BC-9578-E799FF373DD0" "6624"

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe

—

WINWORD.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.

Version:

0.12.2.0

Modules

Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ucrtbase.dll

6624

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\AppData\Local\Temp\0b22278ddb598d63f07eb983bcf307e0852cd3005c5bc15d4a4f26455562c8ec.docx.doc /o ""

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Word

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6888

rundll32.exe c:\users\admin\appdata\roaming\microsoft\word\startup\ket.t,EUAYKIYBPAX

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

Hancitor

(PID) Process(6888) rundll32.exe

Hosts (3)http://thowerteigime.com/8/forum.php

http://euvereginumet.ru/8/forum.php

http://rhopulforopme.ru/8/forum.php

7028

rundll32.exe c:\users\admin\appdata\roaming\microsoft\word\startup\ket.t,EUAYKIYBPAX

C:\Windows\System32\rundll32.exe

—

WINWORD.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

Add for printing

Total events

19 338

Read events

18 936

Write events

376

Delete events

Modification events


(PID) Process:	(6624) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	0
Value: 017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:	(6624) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:	delete value	Name:	0
Value: ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:	(6624) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6624) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6624
Operation:	write	Name:	0
Value: 0B0E101CD73608FA45414B9E5808F8CFD9A0522300468CABD9DBD7B9BCED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511E033D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(6624) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(6624) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2
(PID) Process:	(6624) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 2
(PID) Process:	(6624) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	es-es
Value: 2
(PID) Process:	(6624) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	it-it
Value: 2
(PID) Process:	(6624) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ja-jp
Value: 2

Add for printing

Executable files

Suspicious files

124

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6624	WINWORD.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9		binary
		MD5:214F9632C96A59BCCCBA182115DA3E5B	SHA256:D2BB300077C960C6874C99142558FE79C23B6D1D0BAB9AE41F98D74C87658AED
6624	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:27F2DA79349A164FBEDBEF1941F80830	SHA256:522F94296A52D054566071CBAC7CC72436CDDED423C381074D5A33A2323AC551
6624	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\{094967F4-B2BC-47E3-AE16-D122E98E15BA}\{50BBEDB9-3661-43F1-8844-C5D8202BECCB}\jax.k		executable
		MD5:9DC6F214FC82D637DE2F68F3C519D339	SHA256:2A8B737A4752060A308C4312B7C0CF6C05CDE5B370906286DEA9CDD36F5AA613
6624	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		binary
		MD5:FEE66DABBBA3F6DCDD8F011B0BA90243	SHA256:A7E792B4720723E396EFFBD72B6D71A0AED24FCB7E6A196E7C993B3FBC871A66
6624	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\{094967F4-B2BC-47E3-AE16-D122E98E15BA}\{50BBEDB9-3661-43F1-8844-C5D8202BECCB}\jax.k:Zone.Identifier		text
		MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B	SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
6624	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$22278ddb598d63f07eb983bcf307e0852cd3005c5bc15d4a4f26455562c8ec.docx.doc		binary
		MD5:4974151E4F99CB7EC6FFC080BE65E4C1	SHA256:E0BAD476A159391DE39FC947C62C17D77965D334B73BC8EE95AB42FC0D9AE8B0
6624	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin		text
		MD5:CC90D669144261B198DEAD45AA266572	SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
6624	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C960DDDF.emf		emf
		MD5:511EF60E1F58994DE2F954FAECE5383F	SHA256:5F9B76346C88E6AA464B68E994DD0F9EDD321C40B7937233C589EC8751F4FB97
6624	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin		text
		MD5:9B98739CB4A3B848D3A7CD9DBEBE35F4	SHA256:5A4BEDF20A1EF946348085C63F521F0A68F1727FBB0D8465F026A1FD7B51C5DD
6624	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DF616E1943C4A5725C.TMP		gmc
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1568	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6652	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6888	rundll32.exe	GET	200	104.26.13.205:80	http://api.ipify.org/	unknown	—	—	whitelisted
6624	WINWORD.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	unknown	—	—	whitelisted
6624	WINWORD.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
3376	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6624	WINWORD.EXE	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	unknown	—	—	whitelisted
6624	WINWORD.EXE	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	unknown	—	—	whitelisted
6624	WINWORD.EXE	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	unknown	—	—	whitelisted
6624	WINWORD.EXE	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
3268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2472	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3260	svchost.exe	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1568	svchost.exe	40.126.32.140:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
1568	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
6624	WINWORD.EXE	52.109.76.240:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6624	WINWORD.EXE	52.113.194.132:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	216.58.206.46	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
login.live.com	40.126.32.140 40.126.32.76 40.126.32.74 20.190.160.14 20.190.160.22 40.126.32.68 40.126.32.138 40.126.32.72	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
officeclient.microsoft.com	52.109.76.240	whitelisted
ecs.office.com	52.113.194.132	whitelisted
roaming.officeapps.live.com	52.109.89.19	whitelisted
omex.cdn.office.net	23.48.23.18 23.48.23.30	whitelisted
arc.msn.com	20.103.156.88	whitelisted

Threats

PID	Process	Class	Message
6888	rundll32.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup api.ipify.org
6888	rundll32.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
2256	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
6888	rundll32.exe	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request

Add for printing

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

0b22278ddb598d63f07eb983bcf307e0852cd3005c5bc15d4a4f26455562c8ec.docx

14F4C470C207E22C3B0A4EFA7B4200E8

21180195396580A9ADE32B589490CF3BC94D3B5B

0B22278DDB598D63F07EB983BCF307E0852CD3005C5BC15D4A4F26455562C8EC

24576:nEIjrPUaphvGvGUZ93/semhXp7AsWIKHaY8k5faaboEy6r8zz1w:n/jhvGvGU93097AFIKbv0WY/1w

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executable content was dropped or overwritten

Unusual execution from MS Office

HANCITOR has been detected (YARA)

SUSPICIOUS

Drops the executable file immediately after the start

Detected use of alternative data streams (AltDS)

Creates FileSystem object to access computer's file system (SCRIPT)

Uses RUNDLL32.EXE to load library

Runs shell command (SCRIPT)

There is functionality for taking screenshot (YARA)

There is functionality for capture public ip (YARA)

Checks for external IP

INFO

Reads security settings of Internet Explorer

The process uses the downloaded file

Checks proxy server information

Reads the computer name

Checks supported languages

Malware configuration

Hancitor

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Hancitor

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings