File name: 24c11a0db1dcf69755be9ea83f51a613.doc
Full analysis: https://app.any.run/tasks/fa7b400b-49d8-40d5-8a3e-52f1fa206235
Verdict: Malicious activity
Analysis date: January 11, 2019, 02:33:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: Protected document, Author: Paranoid Ninja, Template: Normal.dotm, Last Saved By: ParanoidNinja, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jan 10 04:52:00 2019, Last Saved Time/Date: Thu Jan 10 04:52:00 2019, Number of Pages: 23, Number of Words: 10723, Number of Characters: 61127, Security: 0
MD5: 24C11A0DB1DCF69755BE9EA83F51A613
SHA1: 89D084B94D470EEF1B7BF264EB07A8A46B8B574D
SHA256: 2CE82E141E186409F2B26F9915ACC7C35A95D97FB296245612CB0EC7E4EC878D
SSDEEP: 12288:GoLRmNWLfuZKMI8rpvsIrk/5i/UJGXrL03WVZXsGH389KFy5mEo8qOF3sIv/Q9:5LRmNeWI8rpHk/5uX4WVZ6KCmGqOFbU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • gupchrome.exe (PID: 2964)
    • Starts CMD.EXE for commands execution
      • WINWORD.EXE (PID: 2872)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 2872)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • certutil.exe (PID: 2488)
    • Starts CertUtil for decode files
      • cmd.exe (PID: 3912)
    • Uses WMIC.EXE to create a new process
      • cmd.exe (PID: 3912)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2872)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2872)
No Malware configuration.

TRiD

.doc | Microsoft Word document (35.9)
.xls | Microsoft Excel sheet (33.7)
.doc | Microsoft Word document (old ver.) (21.3)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Hyperlinks:
CodePage: Windows Latin 1 (Western European)
HeadingPairs:
  • Title
  • 1
TitleOfParts: Protected document
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 71707
Paragraphs: 143
Lines: 509
Company: -
Security: None
Characters: 61127
Words: 10723
Pages: 23
ModifyDate: 2019:01:10 04:52:00
CreateDate: 2019:01:10 04:52:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 2
LastModifiedBy: ParanoidNinja
Template: Normal.dotm
Comments: -
Keywords: -
Author: Paranoid Ninja
Subject: -
Title: Protected document
Total processes: 37
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start, winword.exe (no specs), cmd.exe (no specs), certutil.exe, wmic.exe (no specs), gupchrome.exe

Process information

PID: 2872
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\24c11a0db1dcf69755be9ea83f51a613.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3912
CMD: cmd /c certutil.exe -decodehex %temp%\gupchrome.txt %temp%\gupchrome.exe & wmic path win32_process call create %temp%\gupchrome.exe
Path: C:\Windows\system32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2488
CMD: certutil.exe -decodehex C:\Users\admin\AppData\Local\Temp\gupchrome.txt C:\Users\admin\AppData\Local\Temp\gupchrome.exe
Path: C:\Windows\system32\certutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: CertUtil.exe
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3524
CMD: wmic path win32_process call create C:\Users\admin\AppData\Local\Temp\gupchrome.exe
Path: C:\Windows\System32\Wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2964
CMD: C:\Users\admin\AppData\Local\Temp\gupchrome.exe
Path: C:\Users\admin\AppData\Local\Temp\gupchrome.exe
Parent process: wmiprvse.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Total events: 1 092
Read events: 749
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 2

Dropped files

PID: 2872
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRECC5.tmp
Type: cvr
MD5: -
SHA256: -

PID: 2872
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$c11a0db1dcf69755be9ea83f51a613.doc
Type: pgc
MD5: 26E10B169F89FE577AE67DC52A1C98E9
SHA256: 9BB6933D1EA76E52FFDCD8DBFDDDBD1F3C59C4043FE4E4EA42F53DE6B71AA037

PID: 2872
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\gupchrome.txt
Type: text
MD5: 4166BB3E767D23790A52085B506C0A99
SHA256: 00B7D32DA6360D1A39D8EFB45FE1B0B8FD23928DE9C7D36131D8D2FC0A4778EB

PID: 2488
Process: certutil.exe
Filename: C:\Users\admin\AppData\Local\Temp\gupchrome.exe
Type: executable
MD5: 851009E4F6A6B1D614E407B11257AC42
SHA256: 0F760B5951709C6299DA5C467C07B4B77722FDA60DED3C8D050DFA824DD37174

PID: 2872
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: CA520998CE694C844B1FE8C3635EF2C7
SHA256: A64C55E65AA999414E5773AE0C4B7B6676F20976C3C6BF80941EBF85BA65A013

PID: 2872
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Type: text
MD5: F3B25701FE362EC84616A93A45CE9998
SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 2964
Process: gupchrome.exe
IP: 23.101.8.251:443
Domain: musicfestivity.com
ASN: Microsoft Corporation
CN: HK
Reputation: unknown

DNS requests

Domain: musicfestivity.com
IP: 23.101.8.251
Reputation: unknown

Threats

No threats detected
No debug info