File name: myCV.doc
Full analysis: https://app.any.run/tasks/20f5679f-47d3-4b5c-a90f-cb0e856d2199
Verdict: Malicious activity
Analysis date: January 17, 2020, 18:03:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Author: JULIET MAYNARD, Template: Normal.dotm, Last Saved By: Mark1, Revision Number: 125, Name of Creating Application: Microsoft Office Word, Total Editing Time: 4d+19:37:00, Create Time/Date: Tue Oct 29 02:36:00 2019, Last Saved Time/Date: Wed Jan 15 22:51:00 2020, Number of Pages: 52, Number of Words: 12094, Number of Characters: 68939, Security: 0
MD5: A175B3B4579368979FD5B3636DE21C87
SHA1: E440F67CA7D34BE0F7346013D078072F64774E8C
SHA256: 331308E689132C43D8FA6D8E290254F7A51525F99AFEECEBF212CA1C7EA24F17
SSDEEP: 3072:TeYBwnR4b2Jv8LYmeT3GkNuGyN600YsTyorToWpbl0+x+4g9r:TeYBwnR4bav8LYNT3G+FbTHou06Gr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 2168)
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 2168)
    • Starts CMD.EXE for commands execution
      • WINWORD.EXE (PID: 2168)
    • Loads dropped or rewritten executable
      • WINWORD.EXE (PID: 2168)
      • 15d0a3bd.exe (PID: 3040)
      • endocarp.exe (PID: 1704)
    • Runs app for hidden code execution
      • WINWORD.EXE (PID: 2168)
      • endocarp.exe (PID: 1704)
    • Application was dropped or rewritten from another process
      • 15d0a3bd.exe (PID: 3040)
      • endocarp.exe (PID: 1704)
      • cmd.exe (PID: 3000)
      • cmd.exe (PID: 2820)
      • cmd.exe (PID: 2524)
    • Writes to a start menu file
      • DllHost.exe (PID: 3472)
  • SUSPICIOUS
    • Creates files in the user directory
      • cmd.exe (PID: 3000)
      • DllHost.exe (PID: 3472)
      • cmd.exe (PID: 2524)
    • Executable content was dropped or overwritten
      • cmd.exe (PID: 3000)
      • 15d0a3bd.exe (PID: 3040)
      • DllHost.exe (PID: 3472)
      • cmd.exe (PID: 2524)
    • Starts CMD.EXE for commands execution
      • endocarp.exe (PID: 1704)
      • cmd.exe (PID: 2820)
    • Application launched itself
      • cmd.exe (PID: 2820)
    • Executed via COM
      • DllHost.exe (PID: 3472)
    • Connects to unusual port
      • WerFault.exe (PID: 2800)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2168)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2168)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: JULIET MAYNARD
Keywords: -
Template: Normal.dotm
LastModifiedBy: Mark1
RevisionNumber: 125
Software: Microsoft Office Word
TotalEditTime: 4.8 days
CreateDate: 2019:10:29 02:36:00
ModifyDate: 2020:01:15 22:51:00
Pages: 52
Words: 12094
Characters: 68939
Security: None
CodePage: Windows Latin 1 (Western European)
Company: University of Bradford
Lines: 574
Paragraphs: 161
CharCountWithSpaces: 80872
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs: Title, 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 3

Behavior graph

[Interactive process graph, available in the full report. Nodes shown: winword.exe, cmd.exe, 15d0a3bd.exe, endocarp.exe, cmd.exe, cmd.exe (Copy/Move/Rename/Delete/Link Object), werfault.exe; edges are labelled "start" and "drop and start".]

Process information

PID 2168: WINWORD.EXE (parent process: explorer.exe)
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\myCV.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Microsoft Word | Version: 14.0.6024.1000

PID 3000: cmd.exe (parent process: WINWORD.EXE)
  CMD: "C:\Windows\system32\cmd.exe"
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3040: 15d0a3bd.exe (parent process: cmd.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\15d0a3bd.exe"
  Path: C:\Users\admin\AppData\Local\Temp\15d0a3bd.exe
  User: admin | Integrity level: MEDIUM | Exit code: 2

PID 1704: endocarp.exe (parent process: 15d0a3bd.exe)
  CMD: C:\Users\admin\AppData\Local\Temp\endocarp.exe
  Path: C:\Users\admin\AppData\Local\Temp\endocarp.exe
  User: admin | Company: Intel Corporation. | Integrity level: MEDIUM | Description: ippchv8-6.1.dll is an ippCH dynamic library | Exit code: 0 | Version: 6,1,137,768

PID 2820: cmd.exe (parent process: endocarp.exe)
  CMD: "C:\Windows\system32\cmd.exe"
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2524: cmd.exe (parent process: cmd.exe)
  CMD: C:\Windows\system32\cmd.exe /c "COPY /Y /B "C:\Users\admin\AppData\Local\Temp\15d0a3bd.exe" "C:\Users\admin\AppData\Roaming\Adobe\Headlights\WUDFHost.exe""
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3472: DllHost.exe (parent process: svchost.exe)
  CMD: C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  Path: C:\Windows\system32\DllHost.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: COM Surrogate | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2800: WerFault.exe (parent process: cmd.exe)
  CMD: "C:\Windows\System32\WerFault.exe"
  Path: C:\Windows\System32\WerFault.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Problem Reporting | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 594
Read events: 1 821
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 9
Suspicious files: 2
Text files: 33
Unknown types: 6

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2168 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA8FC.tmp.cvr | - | - | -
2168 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\ssh2_poll.dll | - | - | -
3040 | 15d0a3bd.exe | C:\Users\admin\AppData\Local\Temp\rd\websphere\shoutbox\sites\voter\.ldata2.i35.me3abr | - | 984B28FEE8ACAC920AA7F718E7381DC4 | DC612F5564D14B3B75A6EFE76738493516FB0FE2464B8D8D62C378B1D5C64BAB
3000 | cmd.exe | C:\Users\admin\AppData\Local\Temp\15d0a3bd.exe | executable | A668759D41F32F03E968A329EAEBCF9E | 96E8A6DBFBE69E05E9AFD5CB1DEDD440321BCCAA3E9ED6E2D3622EE37351293A
3040 | 15d0a3bd.exe | C:\Users\admin\AppData\Local\Temp\rd\websphere\shoutbox\sites\voter\jpverb207.gif | image | 700C9671D1B9E607D705E474C008BE25 | B4B6468E4FBD056623491F249D2C90ABAF808F4C7D96810DCA2F5D259DFCCA78
3040 | 15d0a3bd.exe | C:\Users\admin\AppData\Local\Temp\rd\websphere\shoutbox\sites\voter\msenv2p.dll | executable | E9901E71FFC4F98DE9B6B8B869A291BC | 0C05924313A73DE2FCF8D90FD463D6875A32C479BEAD45AE266E74CABBEEFE49
3040 | 15d0a3bd.exe | C:\Users\admin\AppData\Local\Temp\Frequency | binary | D99D41DBAE2877C9BBEA2CFF1483BE6C | C2522E86705664F2E8696A13FD4E04FB245BF337F6EABC6C8671860345E78631
3000 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txt | text | 7F81172EFBDB747804CD130C2BD98D83 | 596EB56EB02FD51AAA0423C923FF0E4ECF05C7D528C3BA7D058730BB91469196
2168 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D3E45E9E34C71A48C10FD945E9620BAF | 6CC7603DD408465CD9F4E0ED479443E49C34BDBCC43DE9FD1A9A1A1B8185537F
3040 | 15d0a3bd.exe | C:\Users\admin\AppData\Local\Temp\phpMyAdmin\wpau-backup\art\rtc-m41t93.koo | - | B8659E01C591977D47587225A280DBD4 | B84D35F2AC60C9FC22F02B65B1A45FAD5672777F3B67DC2D5A16815C49D9AAD0
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2800 | WerFault.exe | 194.5.99.206:4181 | roboticsnetwork.duckdns.org | - | FR | malicious
3000 | cmd.exe | 104.20.68.143:443 | pastebin.com | Cloudflare Inc | US | malicious

DNS requests

Domain | IP | Reputation
pastebin.com | 104.20.68.143, 104.20.67.143 | shared
roboticsnetwork.duckdns.org | 194.5.99.206 | malicious

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info