File name:

Scan_20190517_392_8748.doc

Full analysis: https://app.any.run/tasks/302f4617-036f-4ca0-9352-21b8615d8f1b
Verdict: Malicious activity
Threats: loader

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 20, 2019, 06:12:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
generated-doc
opendir
loader
Indicators:
MIME: text/rtf (the .doc extension is cosmetic: Word picks the parser from the file content, so an RTF named .doc opens as RTF)
File info: Rich Text Format data, version 1, unknown character set
MD5: D8AC307EAE4A3D932CF5E6F96A9EBD3A
SHA1: FD96AC62F48859A9588A91A5815566BF9EE7250D
SHA256: 2E8B0F4FFD11F50F3921035ECD95AC4D03F7590E1C1A61BB77DC7A848D7666E0
SSDEEP: 3072:oHrXcikuHezHgG8qXcikuHezHgG8qXcikuHezHgG8qXcikuHezHgG8qXcikuHeza:wdGHRdGHRdGHRdGHRdGH6HIS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
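The file indicators above (RTF content behind a .doc name, tagged ole-embedded) are what a static triage pass should confirm before detonation. The following script is an added example, not ANY.RUN's code and not the report's sample: it checks the RTF header, flags the extension mismatch, pulls every \objdata hex blob, and parses the OLE 1.0 object header (MS-OLEDS) to recover the embedded class name and inspect the native data. The RTF it runs on is constructed inline; the Excel.Sheet.8 class name, the fake compound-file payload and the helper that builds the object are assumptions made for the demo, not data from the report.

```python
"""Static triage of an RTF carrying an embedded OLE object (the 'ole-embedded' tag)."""
import re
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound-file header
OLE1_VERSION = 0x00000501
FORMAT_EMBEDDED = 2


def _lp_string(s: bytes) -> bytes:
    """LengthPrefixedAnsiString (MS-OLEDS): u32 length incl. NUL, then bytes; 0 means absent."""
    if not s:
        return struct.pack("<I", 0)
    s += b"\x00"
    return struct.pack("<I", len(s)) + s


def build_ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """OLE 1.0 ObjectHeader + EmbeddedObject body, the layout found inside \\objdata."""
    return (struct.pack("<II", OLE1_VERSION, FORMAT_EMBEDDED)
            + _lp_string(class_name) + _lp_string(b"") + _lp_string(b"")
            + struct.pack("<I", len(native)) + native)


# Constructed sample (not the report's file): a minimal RTF wrapping an Excel.Sheet.8
# object whose native data is a fake compound-file header. The hex is wrapped across
# lines the way RTF generators emit it.
_payload = CFB_MAGIC + b"\x00" * 24 + b"constructed-ole-stream"
_hex = build_ole1_embedded(b"Excel.Sheet.8", _payload).hex()
SAMPLE_RTF = (
    "{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
    "{\\object\\objemb\\objw1000\\objh1000{\\*\\objclass Excel.Sheet.8}{\\*\\objdata\n"
    + "\n".join(_hex[i:i + 64] for i in range(0, len(_hex), 64))
    + "\n}}\\par}"
)

OBJDATA_RE = re.compile(r"\\objdata\b\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: str) -> list:
    """Return the decoded bytes of every \\objdata group in the document."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(r"\s+", "", m.group(1))
        if len(hexdata) % 2:            # tolerate an odd trailing nibble (a common obfuscation)
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata))
    return blobs


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader; for FormatID 2 also return the NativeData."""
    off = 0
    version, fmt = struct.unpack_from("<II", blob, off)
    off += 8

    def lp() -> str:
        nonlocal off
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        s = blob[off:off + n]
        off += n
        return s.rstrip(b"\x00").decode("latin-1")

    cls, topic, item = lp(), lp(), lp()
    native = b""
    if fmt == FORMAT_EMBEDDED:
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        native = blob[off:off + n]
    return {"version": version, "format": fmt, "class": cls,
            "topic": topic, "item": item, "native": native}


def triage(filename: str, data: bytes) -> dict:
    """Header check, extension mismatch and a summary of each embedded object."""
    is_rtf = data.lstrip().startswith(b"{\\rt")   # Word's parser is lenient: {\rt is enough
    ext = filename.rsplit(".", 1)[-1].lower()
    objects = []
    if is_rtf:
        for blob in extract_objdata(data.decode("latin-1")):
            o = parse_ole1(blob)
            native = o["native"]
            objects.append({
                "class": o["class"],
                "native_size": len(native),
                "native_is_cfb": native.startswith(CFB_MAGIC),   # OLE2 container (e.g. a workbook)
                "native_is_pe": native.startswith(b"MZ"),        # raw executable dropped via Packager
            })
    return {"is_rtf": is_rtf, "extension_mismatch": is_rtf and ext != "rtf", "objects": objects}


if __name__ == "__main__":
    print(triage("Scan_20190517_392_8748.doc", SAMPLE_RTF.encode("latin-1")))
```

Run it against the real sample by reading the file in binary and passing its bytes to triage(); a class of Excel.Sheet.8 with compound-file native data is consistent with the EXCEL.EXE -Embedding processes this report shows, while a Package class with MZ native data would point at a plain dropped executable instead.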
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 776)
      • EXCEL.EXE (PID: 2408)
      • EXCEL.EXE (PID: 2860)
      • EXCEL.EXE (PID: 3640)
      • EXCEL.EXE (PID: 3232)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 776)
      • EXCEL.EXE (PID: 2408)
      • EXCEL.EXE (PID: 2860)
      • EXCEL.EXE (PID: 3640)
      • EXCEL.EXE (PID: 3232)
    • Application was dropped or rewritten from another process

      • g7b25.exe (PID: 1344)
      • g7b25.exe (PID: 2148)
      • g7b25.exe (PID: 1704)
      • g7b25.exe (PID: 1904)
      • g7b25.exe (PID: 2232)
      • g7b25.exe (PID: 3200)
      • g7b25.exe (PID: 2124)
      • g7b25.exe (PID: 2176)
      • g7b25.exe (PID: 3468)
      • g7b25.exe (PID: 2056)
      • g7b25.exe (PID: 2428)
      • g7b25.exe (PID: 2132)
      • g7b25.exe (PID: 2904)
      • g7b25.exe (PID: 3428)
      • g7b25.exe (PID: 2316)
      • g7b25.exe (PID: 2412)
      • g7b25.exe (PID: 3136)
      • g7b25.exe (PID: 3956)
      • g7b25.exe (PID: 2480)
      • g7b25.exe (PID: 2796)
    • Requests a remote executable file from MS Office

      • EXCEL.EXE (PID: 776)
      • EXCEL.EXE (PID: 2408)
      • EXCEL.EXE (PID: 2860)
      • EXCEL.EXE (PID: 3640)
      • EXCEL.EXE (PID: 3232)
    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2408)
      • EXCEL.EXE (PID: 2860)
      • EXCEL.EXE (PID: 3640)
      • EXCEL.EXE (PID: 3232)
    • Application was injected by another process

      • explorer.exe (PID: 2044)
    • Runs injected code in another process

      • g7b25.exe (PID: 2232)
    • Runs app for hidden code execution

      • g7b25.exe (PID: 2232)
      • g7b25.exe (PID: 2124)
      • g7b25.exe (PID: 2176)
      • g7b25.exe (PID: 3468)
      • g7b25.exe (PID: 2056)
    • Connects to CnC server

      • g7b25.exe (PID: 2232)
      • g7b25.exe (PID: 2124)
      • g7b25.exe (PID: 2176)
      • g7b25.exe (PID: 3468)
      • g7b25.exe (PID: 2056)
    • Loads dropped or rewritten executable

      • dism.exe (PID: 3524)
      • dism.exe (PID: 3988)
      • dism.exe (PID: 1860)
      • dism.exe (PID: 2676)
      • dism.exe (PID: 2372)
  • SUSPICIOUS

    • Executed via COM

      • EXCEL.EXE (PID: 776)
      • EXCEL.EXE (PID: 2408)
      • EXCEL.EXE (PID: 2860)
      • EXCEL.EXE (PID: 3640)
      • EXCEL.EXE (PID: 3232)
      • excelcnv.exe (PID: 1892)
      • DllHost.exe (PID: 2488)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3360)
      • cmd.exe (PID: 3824)
      • cmd.exe (PID: 3876)
      • cmd.exe (PID: 2684)
      • cmd.exe (PID: 2600)
      • cmd.exe (PID: 560)
      • cmd.exe (PID: 2740)
      • cmd.exe (PID: 1012)
      • cmd.exe (PID: 1224)
      • DllHost.exe (PID: 2488)
      • cmd.exe (PID: 3360)
      • cmd.exe (PID: 756)
      • cmd.exe (PID: 2648)
      • cmd.exe (PID: 1660)
      • cmd.exe (PID: 2440)
    • Application launched itself

      • g7b25.exe (PID: 1344)
      • g7b25.exe (PID: 2148)
      • g7b25.exe (PID: 1704)
      • g7b25.exe (PID: 1904)
      • g7b25.exe (PID: 3200)
      • g7b25.exe (PID: 2316)
    • Reads the machine GUID from the registry

      • g7b25.exe (PID: 2232)
      • g7b25.exe (PID: 2124)
      • g7b25.exe (PID: 2176)
      • g7b25.exe (PID: 3468)
      • g7b25.exe (PID: 2056)
    • Starts CMD.EXE for commands execution

      • g7b25.exe (PID: 2232)
      • g7b25.exe (PID: 2124)
      • g7b25.exe (PID: 3468)
      • g7b25.exe (PID: 2176)
      • g7b25.exe (PID: 2056)
    • Creates files in the Windows directory

      • pkgmgr.exe (PID: 3164)
  • INFO

    • Starts Microsoft Office Application

      • explorer.exe (PID: 2044)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3564)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 776)
      • WINWORD.EXE (PID: 3564)
      • EXCEL.EXE (PID: 2408)
      • EXCEL.EXE (PID: 2860)
      • EXCEL.EXE (PID: 3640)
      • EXCEL.EXE (PID: 3232)
      • excelcnv.exe (PID: 1892)
    • Application was crashed

      • g7b25.exe (PID: 2232)
      • g7b25.exe (PID: 2124)
      • g7b25.exe (PID: 2176)
      • cmd.exe (PID: 756)
      • g7b25.exe (PID: 3468)
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Author: Admin
LastModifiedBy: Admin
CreateDate: 2019:01:07 23:54:00
ModifyDate: 2019:01:07 23:54:00
RevisionNumber: 1
TotalEditTime: -
Pages: 1
Words: -
Characters: 4
CharactersWithSpaces: 4
InternalVersionNumber: 57435
No data.
All screenshots are available in the full report
Total processes
131
Monitored processes
58
Malicious processes
16
Suspicious processes
9

Behavior graph

[Behavior graph, image in the full report. Nodes: winword.exe, excel.exe, cmd.exe, g7b25.exe, explorer.exe, excelcnv.exe, pkgmgr.exe, dism.exe. Edge types: start, drop and start, inject. The chain confirmed by the process table below is explorer.exe > winword.exe, then excel.exe (COM-activated) > cmd.exe > g7b25.exe, repeated once per EXCEL.EXE instance; g7b25.exe launches itself, injects into explorer.exe and starts cmd.exe.]

Process information

Nine of the 58 monitored processes are listed here; the rest are in the full report.

PID 3564  WINWORD.EXE  (parent: explorer.exe)
  CMD:  "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Scan_20190517_392_8748.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Word | Version: 14.0.6024.1000

PID 776  EXCEL.EXE  (parent: svchost.exe)
  CMD:  "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Excel | Exit code: 0 | Version: 14.0.6024.1000

PID 3360  cmd.exe  (parent: EXCEL.EXE)
  CMD:  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\admin\AppData\Local\Temp\g7b25.png" "g7b25.exe" &start "" "C:\Users\admin\AppData\Local\Temp\g7b25.exe"
  Path: C:\Windows\System32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1344  g7b25.exe  (parent: cmd.exe)
  CMD:  "C:\Users\admin\AppData\Local\Temp\g7b25.exe"
  Path: C:\Users\admin\AppData\Local\Temp\g7b25.exe
  User: admin | Company: overflexion | Integrity Level: MEDIUM | Description: monomania | Exit code: 0 | Version: 6.2.4.1

PID 2408  EXCEL.EXE  (parent: svchost.exe)
  CMD:  "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Excel | Exit code: 0 | Version: 14.0.6024.1000

PID 3824  cmd.exe  (parent: EXCEL.EXE)
  CMD:  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\admin\AppData\Local\Temp\g7b25.png" "g7b25.exe" &start "" "C:\Users\admin\AppData\Local\Temp\g7b25.exe"
  Path: C:\Windows\System32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2148  g7b25.exe  (parent: cmd.exe)
  CMD:  "C:\Users\admin\AppData\Local\Temp\g7b25.exe"
  Path: C:\Users\admin\AppData\Local\Temp\g7b25.exe
  User: admin | Company: overflexion | Integrity Level: MEDIUM | Description: monomania | Exit code: 0 | Version: 6.2.4.1

PID 2860  EXCEL.EXE  (parent: svchost.exe)
  CMD:  "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Excel | Exit code: 0 | Version: 14.0.6024.1000

PID 3876  cmd.exe  (parent: EXCEL.EXE)
  CMD:  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\admin\AppData\Local\Temp\g7b25.png" "g7b25.exe" &start "" "C:\Users\admin\AppData\Local\Temp\g7b25.exe"
  Path: C:\Windows\System32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1704  g7b25.exe  (parent: cmd.exe)
  CMD:  "C:\Users\admin\AppData\Local\Temp\g7b25.exe"
  Path: C:\Users\admin\AppData\Local\Temp\g7b25.exe
  User: admin | Company: overflexion | Integrity Level: MEDIUM | Description: monomania | Exit code: 0 | Version: 6.2.4.1
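The process table gives the exact command lines, so the chain can be turned into detection logic. One detail matters for rule design: every EXCEL.EXE is started with -Embedding and its parent is svchost.exe (the DCOM launch service activating the embedded object's server), not WINWORD.EXE, so a rule keyed on a WINWORD > EXCEL parent link never fires; keying on Office > shell and on the rename-then-start command line does. The script below is an added example, not ANY.RUN's detection code: it replays constructed process-creation events built from the command lines above (the svchost.exe entry, the placeholder PIDs 500 and 600, and PID 776 as the parent of cmd.exe 3360 are assumptions, since the report gives parent names rather than parent PIDs) and reports which of four rules each event trips.

```python
"""Process-tree rules for the Office -> cmd.exe -> renamed-payload chain in this report."""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# ren <x>.<harmless ext> <y>.exe & start ... : a payload fetched under an image/text
# extension, renamed to an executable and launched in one command line.
RENAME_THEN_START = re.compile(
    r"\bren(?:ame)?\b[^&]*\.(?:png|jpe?g|gif|bmp|txt|dat|tmp)\b[^&]*\.(?:exe|scr|com)\b[^&]*&\s*start\b",
    re.IGNORECASE,
)
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / EDR shape is assumed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


# Constructed from the report's command lines. PIDs 500/600 and the svchost.exe
# command line are assumptions; the report names parents but not their PIDs.
EVENTS = [
    ProcEvent(2044, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(600, 500, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    ProcEvent(3564, 2044, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Scan_20190517_392_8748.doc"'),
    ProcEvent(776, 600, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding'),
    ProcEvent(3360, 776, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ren "C:\Users\admin\AppData\Local\Temp\g7b25.png" "g7b25.exe" &start "" "C:\Users\admin\AppData\Local\Temp\g7b25.exe"'),
    ProcEvent(1344, 3360, r"C:\Users\admin\AppData\Local\Temp\g7b25.exe",
              r'"C:\Users\admin\AppData\Local\Temp\g7b25.exe"'),
]


def ancestry(events, pid: int) -> list:
    """Process names from the oldest known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def detect(events) -> list:
    """Return (severity, rule, pid) tuples for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = parent.name if parent else ""
        # COM-activated Office server: note the parent is svchost.exe, not another Office app.
        if e.name in OFFICE_APPS and "-embedding" in e.cmdline.lower() and pname == "svchost.exe":
            findings.append(("info", "office_com_activated", e.pid))
        if pname in OFFICE_APPS and e.name in SHELLS:
            findings.append(("high", "office_spawned_shell", e.pid))
        if e.name == "cmd.exe" and RENAME_THEN_START.search(e.cmdline):
            findings.append(("high", "rename_then_start", e.pid))
        if pname in SHELLS and TEMP_EXE.search(e.image):
            findings.append(("medium", "temp_exe_from_shell", e.pid))
    return findings


if __name__ == "__main__":
    for sev, rule, pid in detect(EVENTS):
        print(f"{sev:6} {rule:22} pid={pid} chain={' > '.join(ancestry(EVENTS, pid))}")
```

The ancestry of g7b25.exe comes out as svchost.exe > excel.exe > cmd.exe > g7b25.exe; WINWORD.EXE, the process the user actually opened, is nowhere in it, which is why correlating on the opened document alone is not enough here.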
Total events
5 556
Read events
5 295
Write events
0
Delete events
0

Modification events

No data
Executable files
19
Suspicious files
0
Text files
15
Unknown types
3

Dropped files

PID   Process       Filename                                                    Type
3564  WINWORD.EXE   C:\Users\admin\AppData\Local\Temp\CVR40F4.tmp.cvr
776   EXCEL.EXE     C:\Users\admin\AppData\Local\Temp\CVR4941.tmp.cvr
776   EXCEL.EXE     C:\Users\admin\AppData\Local\Temp\g7b25.png
2408  EXCEL.EXE     C:\Users\admin\AppData\Local\Temp\CVRA849.tmp.cvr
2860  EXCEL.EXE     C:\Users\admin\AppData\Local\Temp\CVRB26B.tmp.cvr
3640  EXCEL.EXE     C:\Users\admin\AppData\Local\Temp\CVRBB35.tmp.cvr
3232  EXCEL.EXE     C:\Users\admin\AppData\Local\Temp\CVRC631.tmp.cvr
3564  WINWORD.EXE   C:\Users\admin\AppData\Local\Temp\~$an_20190517_392_8748.doc   pgc
        MD5: BAA52F7A12A8DD83797B9B1745BBF1C5
        SHA256: F1840993DAF7927CDFC5C8380423D5C07FA2A0068A0BF5047CF981853610A217
3876  cmd.exe       C:\Users\admin\AppData\Local\Temp\g7b25.exe                 executable
        MD5: 52A5CA95825BB372EDF7EC5BDB37D472
        SHA256: BC59A84D9BB22A261BFE2CB4B2FE970A65D551F328A480A3445DF78E3E156978
1892  excelcnv.exe  C:\Users\admin\AppData\Local\Temp\CVRDFF3.tmp.cvr

No hashes are listed for the .cvr files or for g7b25.png in this summary.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
11
DNS requests
2
Threats
0

HTTP requests

All five requests are the same GET (HTTP 200, CN: US, type: executable, size: 369 Kb, reputation: suspicious) for
http://www.cohu.live/cloud/corporate/download.php?file=MzgxOTg4OTYxNV9fX19jYW50ZW1heW8uZXhl

PID   Process    IP
2408  EXCEL.EXE  104.28.17.192:80
3232  EXCEL.EXE  104.28.17.192:80
2860  EXCEL.EXE  104.28.17.192:80
776   EXCEL.EXE  104.28.16.192:80
3640  EXCEL.EXE  104.28.17.192:80

The file= parameter is plain base64 and decodes to 3819889615____cantemayo.exe, so the server is handing out an executable; each EXCEL.EXE instance writes it to %TEMP%\g7b25.png (see Dropped files) and the cmd.exe command line renames it to g7b25.exe before starting it.

Connections

PID   Process    IP:port                Domain                   ASN                      CN  Reputation
776   EXCEL.EXE  104.28.16.192:80       www.cohu.live            Cloudflare Inc           US  shared
776   EXCEL.EXE  104.28.17.192:80       www.cohu.live            Cloudflare Inc           US  shared
2232  g7b25.exe  37.120.159.243:21204   aidsweden.serveblog.net  Secure Data Systems SRL  RO  malicious
3640  EXCEL.EXE  104.28.17.192:80       www.cohu.live            Cloudflare Inc           US  shared
2408  EXCEL.EXE  104.28.17.192:80       www.cohu.live            Cloudflare Inc           US  shared
2860  EXCEL.EXE  104.28.17.192:80       www.cohu.live            Cloudflare Inc           US  shared
3232  EXCEL.EXE  104.28.17.192:80       www.cohu.live            Cloudflare Inc           US  shared
2124  g7b25.exe  37.120.159.243:21204   aidsweden.serveblog.net  Secure Data Systems SRL  RO  malicious
3468  g7b25.exe  37.120.159.243:21204   aidsweden.serveblog.net  Secure Data Systems SRL  RO  malicious
2176  g7b25.exe  37.120.159.243:21204   aidsweden.serveblog.net  Secure Data Systems SRL  RO  malicious

DNS requests

Domain                   IP                              Reputation
www.cohu.live            104.28.17.192, 104.28.16.192    suspicious
aidsweden.serveblog.net  37.120.159.243                  unknown

Both IP sets are weak indicators on their own: 104.28.16.192 and 104.28.17.192 are shared Cloudflare edge addresses fronting www.cohu.live, and serveblog.net is a dynamic-DNS parent domain, so the 37.120.159.243 mapping for aidsweden.serveblog.net can change at any time. Block and hunt on the hostnames, the download.php URL and the 21204/tcp C2 port rather than on the addresses alone.

Threats

Emerging Threats (ET) rules fired on the EXCEL.EXE downloads; the same five alerts fire for PID 776 and PID 2408.

PID   Process    Class                                  Message
776   EXCEL.EXE  Potential Corporate Privacy Violation  ET POLICY Unsupported/Fake Windows NT Version 5.0
776   EXCEL.EXE  Misc activity                          ET INFO Packed Executable Download
776   EXCEL.EXE  Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
776   EXCEL.EXE  Misc activity                          ET INFO EXE - Served Attached HTTP
776   EXCEL.EXE  Misc activity                          ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
2408  EXCEL.EXE  Potential Corporate Privacy Violation  ET POLICY Unsupported/Fake Windows NT Version 5.0
2408  EXCEL.EXE  Misc activity                          ET INFO Packed Executable Download
2408  EXCEL.EXE  Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
2408  EXCEL.EXE  Misc activity                          ET INFO EXE - Served Attached HTTP
2408  EXCEL.EXE  Misc activity                          ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

None of these is a malware-family signature: the first fires on a client User-Agent claiming Windows NT 5.0 (Windows 2000) from a Windows 7 guest, the next three describe an executable being served over HTTP, and the last matches an IsDebuggerPresent import in the downloaded PE. They corroborate the process-level verdict; they do not identify the loader.
No debug info