File name: RFP_AllianxMexico_2022.doc
Full analysis: https://app.any.run/tasks/05f14cf5-7297-4f7b-8a96-37ad859ab8c2
Verdict: Malicious activity
Analysis date: January 24, 2022, 22:40:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Keywords: 16, Comments: 4, Thumbnail: 2362, 0x17: 1048576CDFV2 Microsoft Word
MD5: B371E1C2CA2E5718E151760BC4664366
SHA1: 73457D23E5235DF0FCFBF6547AAF26CCCC765011
SHA256: 3542078FD524E3CB141D5BEBF96AEA73467505A07AE72FC58395AFA14F22E8A3
SSDEEP: 24576:/HS4AwARd+X+i4Ht5O9SD++vxRC05yU3LahYcVy7eK+OuQAoKsn7uqb/H:fRyCpG/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 392)
  • SUSPICIOUS

    • Checks supported languages

      • DW20.EXE (PID: 3832)
    • Reads default file associations for system extensions

      • WINWORD.EXE (PID: 392)
  • INFO

    • Checks supported languages

      • dwwin.exe (PID: 3272)
      • WINWORD.EXE (PID: 392)
    • Reads the computer name

      • dwwin.exe (PID: 3272)
      • WINWORD.EXE (PID: 392)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 392)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 392)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserTypeLen: 36
CompObjUserType: Documento de Microsoft Word 97-2003
CodePage: Windows Latin 1 (Western European)
Company: -
Lines: 16
Paragraphs: 4
CharCountWithSpaces: 2362
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Título
  • 1
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

winword.exe -> dw20.exe -> dwwin.exe (no specific indicators on any node)

Process information

PID: 392
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\RFP_AllianxMexico_2022.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 3832
CMD: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1420
Path: C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Application Error Reporting
Exit code: 0
Version: 14.0.6015.1000

PID: 3272
CMD: C:\Windows\system32\dwwin.exe -x -s 1420
Path: C:\Windows\system32\dwwin.exe
Parent process: DW20.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Watson Client
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 378
Read events: 1 262
Write events: 80
Delete events: 36

Modification events

(PID) Process: (392) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write | Name: cy<
Value: 63793C0088010000010000000000000000000000

(PID) Process: (392) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1033
Value: Off

(PID) Process: (392) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1041
Value: Off

(PID) Process: (392) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1046
Value: Off

(PID) Process: (392) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1036
Value: Off

(PID) Process: (392) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1031
Value: Off

(PID) Process: (392) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1040
Value: Off

(PID) Process: (392) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1049
Value: Off

(PID) Process: (392) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 3082
Value: Off

(PID) Process: (392) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write | Name: 1042
Value: Off
Executable files: 0
Suspicious files: 2
Text files: 1
Unknown types: 7

Dropped files

PID: 392 | Process: WINWORD.EXE | Type: -
Filename: C:\Users\admin\AppData\Local\Temp\CVR1B4.tmp.cvr
MD5: -
SHA256: -

PID: 3272 | Process: dwwin.exe | Type: -
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_WINWORD.EXE_5925cffacf343a3c93e92254daaac1d4b3aeb_0cdf08ba\Report.wer
MD5: -
SHA256: -

PID: 392 | Process: WINWORD.EXE | Type: pgc
Filename: C:\Users\admin\Desktop\~$P_AllianxMexico_2022.doc
MD5: C89003727589CBCC535F15DE1AE22235
SHA256: 3CB4D74FD52868B8F7AA0BD5508D0988BFC36AC7F7FDD77435D66E8D108F75E8

PID: 392 | Process: WINWORD.EXE | Type: lnk
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\RFP_AllianxMexico_2022.doc.LNK
MD5: F654AF38858198C6BF688DD803F4D468
SHA256: 103FA1A070A80A607C5FD667C21CCDF52B56E2EF7F6FC4997A40A0963DA774C1

PID: 392 | Process: WINWORD.EXE | Type: ini
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
MD5: 824DF79CF8278B9AE50C1016923E5D2D
SHA256: 4B3CF0C099BC9F4252726CDFADD2E8BD85F90F970E4E5FB68DF9550A95656DBC

PID: 392 | Process: WINWORD.EXE | Type: pgc
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
MD5: 9869625432E97779171B56FB18E46494
SHA256: 981DBAA638129F6C5282A835ABDCC3404A2F62B2197F95F1C0BD9BECDD1EBCCF

PID: 392 | Process: WINWORD.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7284319B-1821-42F1-9C1E-DF2052B1CF57}.tmp
MD5: B3F2F524109214EB5DC98D9E3EDD0193
SHA256: 7D3FFD7B9039C552E8C96047C183A2FB28A18E948DBE5BD5DB72EEB1A4243847

PID: 392 | Process: WINWORD.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1251C8DF-08AC-47B8-AB98-BE4F7C180CE1}.tmp
MD5: D5D8E5E0E7E822A8536164B311472724
SHA256: CF530E0F013F46CF2B24236002FDC69CCBE4C34DA6A478BBAF5B4421CD24583F

PID: 392 | Process: WINWORD.EXE | Type: sqm
Filename: C:\Users\admin\AppData\Local\Temp\1313828.cvr
MD5: 35E87E9165A1C958FB6817B4AA98B550
SHA256: A3D75FED3083892719C3661FA64836F5F5282DD82F1FC09778EAB4BBF4EEA5EE

PID: 392 | Process: WINWORD.EXE | Type: smt
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B8017934-9CB0-44A3-B49C-7F140DAAD751}.tmp
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info