Sample: 0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad

Full analysis: https://app.any.run/tasks/c81adfe4-fe83-42bc-92a1-70c0483892d6
Verdict: Malicious activity
Analysis date: May 15, 2019, 09:45:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Babak Amiri, Template: Normal, Last Saved By: jack, Revision Number: 19, Name of Creating Application: Microsoft Office Word, Total Editing Time: 33:00, Create Time/Date: Tue Apr 23 22:18:00 2019, Last Saved Time/Date: Thu May 2 15:26:00 2019, Number of Pages: 1, Number of Words: 118, Number of Characters: 678, Security: 0
MD5: 036F4400BABDAA314AB5AA4A2C378E2F
SHA1: 319CBD82A2B64BDA4715F9690E2E02EDBDB076F0
SHA256: 0F3CABC7F1E69D4A09856CC0135F7945850C1EB6AEECD010F788B3B8B4D91CAD
SSDEEP: 6144:nxgVouPfhvgAQB2QGVofCleAwZnNc+Q3sSB2LljR02VS:xgVoQhoAQoIfClb2nQ3DmjTVS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • WINWORD.EXE (PID: 3376)
    • Executes PowerShell scripts
      • cmd.exe (PID: 2544)
  • SUSPICIOUS
    • Creates files in the program directory
      • WINWORD.EXE (PID: 3376)
    • Creates files in the user directory
      • powershell.exe (PID: 1928)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3376)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3376)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs: Title, 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
CharCountWithSpaces: 795
Paragraphs: 1
Lines: 5
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 678
Words: 118
Pages: 1
ModifyDate: 2019:05:02 14:26:00
CreateDate: 2019:04:23 21:18:00
TotalEditTime: 33.0 minutes
Software: Microsoft Office Word
RevisionNumber: 19
LastModifiedBy: jack
Template: Normal
Comments: -
Keywords: -
Author: Babak Amiri
Subject: -
Title: -
No data.
Total processes: 49
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start, winword.exe, cmd.exe (no specs), regedit.exe (no specs), regedit.exe, cmd.exe, powershell.exe

Process information

PID 3376 (WINWORD.EXE)
  • CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad.doc"
  • Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  • Parent process: explorer.exe
  • User: admin
  • Company: Microsoft Corporation
  • Integrity Level: MEDIUM
  • Description: Microsoft Word
  • Version: 14.0.6024.1000

PID 2648 (cmd.exe)
  • CMD: "C:\Windows\system32\cmd.exe"
  • Path: C:\Windows\system32\cmd.exe
  • Parent process: explorer.exe
  • User: admin
  • Company: Microsoft Corporation
  • Integrity Level: MEDIUM
  • Description: Windows Command Processor
  • Exit code: 3221225786
  • Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2736 (regedit.exe)
  • CMD: "C:\Windows\regedit.exe"
  • Path: C:\Windows\regedit.exe
  • Parent process: explorer.exe
  • User: admin
  • Company: Microsoft Corporation
  • Integrity Level: MEDIUM
  • Description: Registry Editor
  • Exit code: 3221226540
  • Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3528 (regedit.exe)
  • CMD: "C:\Windows\regedit.exe"
  • Path: C:\Windows\regedit.exe
  • Parent process: explorer.exe
  • User: admin
  • Company: Microsoft Corporation
  • Integrity Level: HIGH
  • Description: Registry Editor
  • Exit code: 0
  • Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2544 (cmd.exe)
  • CMD: "C:\Windows\System32\cmd.exe"
  • Path: C:\Windows\System32\cmd.exe
  • Parent process: explorer.exe
  • User: admin
  • Company: Microsoft Corporation
  • Integrity Level: HIGH
  • Description: Windows Command Processor
  • Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1928 (powershell.exe)
  • CMD: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nologo -w 1 -exec bypass -c "$ste=gc c:\programdata\SysTextEnc.ini;iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($ste)))"
  • Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • Parent process: cmd.exe
  • User: admin
  • Company: Microsoft Corporation
  • Integrity Level: HIGH
  • Description: Windows PowerShell
  • Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 321
Read events: 896
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 5
Text files: 3
Unknown types: 4

Dropped files

  • PID 3376 (WINWORD.EXE), type -: C:\Users\admin\AppData\Local\Temp\CVREE83.tmp.cvr
    MD5: -
    SHA256: -
  • PID 3376 (WINWORD.EXE), type -: C:\Users\admin\AppData\Local\Temp\~DF7A98D2E3D1388CB5.TMP
    MD5: -
    SHA256: -
  • PID 1928 (powershell.exe), type -: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CEYBVOR97RK7JYWQPVUK.temp
    MD5: -
    SHA256: -
  • PID 3376 (WINWORD.EXE), type pgc: C:\Users\admin\Desktop\~$3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad.doc
    MD5: 05E40F81265F95F5F7EAD33F1EFF3F62
    SHA256: 359400D93378BA4E0C40249A107AF9E0542181873DA06E18B012616A1EA147A3
  • PID 3376 (WINWORD.EXE), type document: C:\Users\admin\Desktop\0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad.doc
    MD5: 2180643CEE008A67C6E2D89A235C5800
    SHA256: 777003C0361353B37CEDAE377D6EB4B87693B3B1DF895F9EE22D01D2BEA51E37
  • PID 3376 (WINWORD.EXE), type pgc: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    MD5: 1DBF94C52019F3FA68C5F190CC8E718C
    SHA256: D3BE336F578B31B1E3E6BD5ABD73B111AB652DB1A9E30959ED3E7F3480EC098E
  • PID 3376 (WINWORD.EXE), type lnk: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad.doc.LNK
    MD5: 8748AAE709AB1FB1A7AF888CCB724BFA
    SHA256: 3F1DFEF6458913BF33C2B495A7DA067175216CCB405E2E4CCE66BD8BDB07285D
  • PID 3376 (WINWORD.EXE), type text: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    MD5: 358CBFEB32E53F906502BC1377A1F64D
    SHA256: B3735A5C81D001635DB72D1BCE98A411B19A08C514379E05FB0F7C7EB2EB94FB
  • PID 3376 (WINWORD.EXE), type document: C:\Users\admin\Desktop\~WRD0000.tmp
    MD5: 924E138192609FA03B84802D3CEBF78C
    SHA256: 495A2CF2C761D40CA6D961CB27F418944C17D0350F597B0306083FF3FB2B365C
  • PID 1928 (powershell.exe), type binary: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5: CFCC2302AE96577C0F000A7AE3D87EBD
    SHA256: C9A01D9A29ADF26A17994352A90FB28871F2FF1CB9FE7FB61664433D42BF0BF8
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 0
Threats: 0

HTTP requests

  • PID 1928 (powershell.exe): GET http://38.132.99.167/crf.txt, IP 38.132.99.167:80, CN US, reputation: suspicious (HTTP code, type and size: -)
  • PID 1928 (powershell.exe): GET http://38.132.99.167/crf.txt, IP 38.132.99.167:80, CN US, reputation: suspicious (HTTP code, type and size: -)

Connections

  • IP 38.132.99.167:80, ASN M247 Ltd, CN US, reputation: suspicious (PID, process and domain: -)

DNS requests: No data

Threats: No threats detected

Debug info: No debug info