analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | contract.doc |
| Full analysis: | https://app.any.run/tasks/5bd9c431-6b2c-4224-96ff-d24445596dfd |
| Verdict: | Malicious activity |
| Analysis date: | November 08, 2019, 15:05:35 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: IWUQl, Subject: gGNYFTR, Author: wTcKVPU, Template: Normal, Last Saved By: J, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Nov 8 11:46:00 2019, Last Saved Time/Date: Fri Nov 8 11:46:00 2019, Number of Pages: 1, Number of Words: 6, Number of Characters: 37, Security: 0 |
| MD5: | 47B3585D5B7465B451D04AFC8AE241B9 |
| SHA1: | E171EB73986B98350215AB43B6FBEC1CE984A8A6 |
| SHA256: | 2FA134336458C86C41DA48106693CF8460FBE47321CDCA10FDB0884309DB79EA |
| SSDEEP: | 12288:ZRQ6X9GDapm47H+9vo4karcaXv2CAwz0NASBY196ID+9rtQ:ZRQ6tlr/4kc/vAi0NASi65BS |
MALICIOUS
Loads dropped or rewritten executable
- WINWORD.EXE (PID: 2200)
Executable content was dropped or overwritten
- WINWORD.EXE (PID: 2200)
SUSPICIOUS
No suspicious indicators.INFO
Creates files in the user directory
- WINWORD.EXE (PID: 2200)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| CompObjUserType: | Microsoft Word 97-2003 Document |
|---|---|
| CompObjUserTypeLen: | 32 |
| VpuYWBwOpv: | fvU7I&b)t7e@P8|_c-A|uP |
| TgCXdVR: | Q)98uJqT7L],Kf/-.CNp;4&*HEp0 |
| NdQvu: | D)&bwQ]5dv$sjI! |
| TcvoCqLTOa: | c,f&C%sgoG/{RK~_/r |
| BhrouMg: | EaH^7Sx0x?~R4:A |
| YYxCPuw: | oyEsh|XLp#05a9Lk(/2 |
| KfawYF: | &IsHP719 |
| GvkzAvd: | ^zvAx].t@,/#bmL@,~a4K2b|iqiE&X |
| LNadKFiV: | z=KgHm2s2SM |
| AnbsuzhPRp: | ):3.5+/s0u&5T/;G~2F^I%d)3JV |
| CodePage: | Windows Latin 1 (Western European) |
| HeadingPairs: |
|
| TitleOfParts: | - |
| HyperlinksChanged: | No |
| SharedDoc: | No |
| LinksUpToDate: | No |
| ScaleCrop: | No |
| AppVersion: | 16 |
| CharCountWithSpaces: | 42 |
| Paragraphs: | 1 |
| Lines: | 1 |
| Bytes: | 34759 |
| Company: | - |
| Security: | None |
| Characters: | 37 |
| Words: | 6 |
| Pages: | 1 |
| ModifyDate: | 2019:11:08 11:46:00 |
| CreateDate: | 2019:11:08 11:46:00 |
| TotalEditTime: | - |
| Software: | Microsoft Office Word |
| RevisionNumber: | 2 |
| LastModifiedBy: | J |
| Template: | Normal |
| Comments: | - |
| Keywords: | - |
| Author: | wTcKVPU |
| Subject: | gGNYFTR |
| Title: | IWUQl |
Total processes
36
Monitored processes
1
Malicious processes
0
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2200 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\contract.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
Total events
949
Read events
714
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
3
Text files
0
Unknown types
5
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA802.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRD0000.tmp | — | |
MD5:— | SHA256:— | |||
| 2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$demem.docx.zip | — | |
MD5:— | SHA256:— | |||
| 2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRD0001.tmp | — | |
MD5:— | SHA256:— | |||
| 2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ntract.doc | pgc | |
MD5:DDDAD01179C52A2C15C3A3ABDA602F69 | SHA256:BFE0E6616E18F2B85E1CBF764084DC0924E6AC0A00DEA7BD420B67E7B5AC7F45 | |||
| 2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\videmem.docx | document | |
MD5:D22FB34197DCD74952825271CB772A3A | SHA256:9DD8E1D389D0C2770F0F15342BEB4A2D12D90E5EA10FC03D48B13D3DC21A72DC | |||
| 2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:BEDDCE21A81E4AE9AD6A5066C407B9EA | SHA256:0E6A5B1A458E1F18A9D6658BCB575AFB7FBEE1C896678806B839926B13A46188 | |||
| 2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\oleObject1.bin | binary | |
MD5:D146162D6096A48C2A4EACE2ABD8697A | SHA256:138E2370CDCEAF9CF06A7F906A33831BB0C16523853864AF069FA473312D866B | |||
| 2200 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:C34C1DDD839C2A0232FC5E3F81A8AFDF | SHA256:9294C8C13A505FBABE20E846186AA03AD23D0A8728B641B98C23D2EBFCD8DC60 | |||
| 2200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$idemem.docx | pgc | |
MD5:6EF02CCBDD080DDDB12F27DEB940950F | SHA256:F6666A382CDCF80880489741C7DDD92A434F3B6F11AE49657EC5E71AEA108C03 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
4
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2200 | WINWORD.EXE | 195.123.246.12:443 | microsoft-hub-us.com | — | UA | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
microsoft-hub-us.com |
| unknown |
dns.msftncsi.com |
| shared |