analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Darren-invoice.doc

Full analysis: https://app.any.run/tasks/fe6cb742-5fba-4d38-8b4e-0fdd53f7556c
Verdict: Malicious activity
Threats:

Dridex is a very evasive and technically complex banking trojan. Despite being based on a relatively old malware code, it was substantially updated over the years and became capable of using very effective infiltration techniques that make this malware especially dangerous.

Analysis date: July 11, 2019, 14:59:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
loader
dridex
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5:

DFE223AE910D4557CA356A775AB31251

SHA1:

636462F8A6A30F4ACF0A30597AF6A57EFE4E1193

SHA256:

12E8B18CAD0AC621C17959FD9BCAC2FE98DF5321904502449A046EDD855C0492

SSDEEP:

1536:ZjWwugEdx2BIDiFKleTuNMSln8w0rthFb3TzAI227gbT/IQvVPU/f0E+:ZDPEd+gQyNMRD5hFjAI4ION8fa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Invokes XSL script (Dridex's loader)

      • wmic.exe (PID: 3784)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 860)
  • SUSPICIOUS

    • Creates files in the Windows directory

      • WINWORD.EXE (PID: 860)
    • Executed via COM

      • DllHost.exe (PID: 2796)
  • INFO

    • Manual execution by user

      • explorer.exe (PID: 1680)
      • iexplore.exe (PID: 3436)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 860)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 860)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3436)
      • iexplore.exe (PID: 2972)
    • Changes internet zones settings

      • iexplore.exe (PID: 3436)
    • Application launched itself

      • iexplore.exe (PID: 3436)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs wmic.exe explorer.exe no specs Shell Security Editor no specs iexplore.exe iexplore.exe no specs iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
860"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Darren-invoice.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3784wmic os get /format:"C:\\Windows\\Temp\\aXwZvnt48.xsl"C:\Windows\System32\Wbem\wmic.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147614729
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1680"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2796C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3436"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2972"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3436 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2208"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3436 CREDAT:14337C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
1 999
Read events
1 253
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
860WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRDAC5.tmp.cvr
MD5:
SHA256:
860WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFCFFEE0120245EBBE.TMP
MD5:
SHA256:
860WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFC01EA75604B5E03A.TMP
MD5:
SHA256:
860WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF77B78E68D0D0211D.TMP
MD5:
SHA256:
860WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFED5FA180A013D9A6.TMP
MD5:
SHA256:
860WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF85F0B6F022DDF599.TMP
MD5:
SHA256:
860WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFA595A321DA407DD0.TMP
MD5:
SHA256:
860WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2FA228D6.png
MD5:
SHA256:
3436iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
3436iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3436
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3784
wmic.exe
147.75.79.172:443
carmelavalles.com
Packet Host, Inc.
US
suspicious
3436
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
carmelavalles.com
  • 147.75.79.172
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

No threats detected
No debug info