analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | contract.doc |
| Full analysis: | https://app.any.run/tasks/43457afa-8c79-4d10-8638-d8b9d1502ed3 |
| Verdict: | Malicious activity |
| Analysis date: | November 08, 2019, 13:13:09 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: JBrq, Subject: joHE, Author: U, Template: Normal, Last Saved By: J, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Nov 8 11:46:00 2019, Last Saved Time/Date: Fri Nov 8 11:46:00 2019, Number of Pages: 1, Number of Words: 6, Number of Characters: 37, Security: 0 |
| MD5: | C9449751C89B9DB16915737B4F765890 |
| SHA1: | 141783D0D9DDC75453972FD549733C391C08996E |
| SHA256: | 1753B2A7FC978A75FB08C92B902D3EC33A61D8AC5FD8B0F6F4E61E6324A363B3 |
| SSDEEP: | 12288:hRQ6X9GDapm47H+9vo4karcaXv2CAwz0NASBY196ID+9atk:hRQ6tlb/4kc/vAi0NASi650O |
MALICIOUS
Loads dropped or rewritten executable
- WINWORD.EXE (PID: 2428)
Executable content was dropped or overwritten
- WINWORD.EXE (PID: 2428)
SUSPICIOUS
No suspicious indicators.INFO
Reads settings of System Certificates
- WINWORD.EXE (PID: 2428)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2428)
Creates files in the user directory
- WINWORD.EXE (PID: 2428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| CompObjUserType: | Microsoft Word 97-2003 Document |
|---|---|
| CompObjUserTypeLen: | 32 |
| AinKymSpB: | FX_d6g#l |
| BXUgMHcWsN: | m|]q=Xazho@cK)/23X?9 |
| SPaxICD: | mlrh^9HF3:Zg!DIpVf,a^MJ8 |
| NeBBRPnKd: | FnaD!ltE2Te.9E{^-w,3w8u |
| IkSYsxhy: | tY?FLPW|)w3/V]UH)Jt&Xv&cjR_AsZ |
| BzYMXfxC: | b(uf{#ofqr;vJYN#L~3mWtw]x: |
| EjldFL: | i}E%%]l6:_i(a.S@O5|jZV#i^ |
| MsDjXcKj: | -]pa){-(ccA$w |
| HEfJCyLh: | #$CUF~_,-(bA*R.OQ-]KY%J |
| CodePage: | Windows Latin 1 (Western European) |
| HeadingPairs: |
|
| TitleOfParts: | - |
| HyperlinksChanged: | No |
| SharedDoc: | No |
| LinksUpToDate: | No |
| ScaleCrop: | No |
| AppVersion: | 16 |
| CharCountWithSpaces: | 42 |
| Paragraphs: | 1 |
| Lines: | 1 |
| Bytes: | 96851 |
| Company: | - |
| Security: | None |
| Characters: | 37 |
| Words: | 6 |
| Pages: | 1 |
| ModifyDate: | 2019:11:08 11:46:00 |
| CreateDate: | 2019:11:08 11:46:00 |
| TotalEditTime: | - |
| Software: | Microsoft Office Word |
| RevisionNumber: | 2 |
| LastModifiedBy: | J |
| Template: | Normal |
| Comments: | - |
| Keywords: | - |
| Author: | U |
| Subject: | joHE |
| Title: | JBrq |
Total processes
35
Monitored processes
1
Malicious processes
0
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2428 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\contract.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
Total events
958
Read events
728
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
3
Text files
0
Unknown types
6
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA89E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRD0000.tmp | — | |
MD5:— | SHA256:— | |||
| 2428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRD0001.tmp | — | |
MD5:— | SHA256:— | |||
| 2428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\videmem.docx.zip | document | |
MD5:3239DEA8193FF9AE4A3ADD55C1A7C3AE | SHA256:DE11555E0F9060EE74CF00A06D8E194731922BF2FC6172B954B508B40609E65D | |||
| 2428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$idemem.docx | pgc | |
MD5:E700CF51FC3FCC1342548082A374A8A7 | SHA256:5BF65C60A465916017B9ED892E9C1129F4B075BDBDEAE736AB922DA7F38EDC83 | |||
| 2428 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:A8103093BF69FF41E5899A3A33A978CD | SHA256:B75ECD3A6940C0A6629A0A369C01E6C755013B1910480A417EEC7AD4D5C11EC4 | |||
| 2428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3189EFFC.emf | emf | |
MD5:FB3981532125928BB4E7E59661FB0744 | SHA256:7B2D4BC5CE523C483E756AC65AAD9678CC1FCB6D183EBA4A9977EEE320ADD207 | |||
| 2428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\oleObject1.bin | binary | |
MD5:D146162D6096A48C2A4EACE2ABD8697A | SHA256:138E2370CDCEAF9CF06A7F906A33831BB0C16523853864AF069FA473312D866B | |||
| 2428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\videmem.docx | document | |
MD5:AF4D315FA0D23CB4A5B14FCEC7923E3F | SHA256:2117D3795EE852B0E03C49293ACDE1D8178A3F7612975E961484532BC3F3E9E9 | |||
| 2428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ntract.doc | pgc | |
MD5:E54E221B4A1579A0FD0BE91FF588FB68 | SHA256:7CA1B3B1643857B41B2C0FD66B8416C5B40F00F0F24448F5ABEFE8B6EA2588A8 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2428 | WINWORD.EXE | 195.123.246.12:443 | microsoft-hub-us.com | — | UA | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
microsoft-hub-us.com |
| unknown |