analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

docus_39386.doc

Full analysis: https://app.any.run/tasks/1846edad-f6eb-4a29-b83a-8393dbf65075
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.

Malware Trends Tracker     >>>
Analysis date: October 09, 2019, 18:27:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
macros
macros-on-open
generated-doc
evasion
trojan
hancitor
pony
fareit
cobaltstrike
gozi
ursnif
terdot
zloader
maldoc-42
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

34D0636684F0577CB9C2C3F701C0E8F8

SHA1:

B584590C206CD4F67C5CA054C1B3EC02E6699867

SHA256:

36448DE9A48210F85E5FD61329BBCE4D86173BA705FCA75D0DFECDF2002D1684

SSDEEP:

3072:5vvvvvvvvvvvvvvvvvvvvvv/ZRynrChbtCY8QOjnX3Npkv4wTh6ivbiFuzRmDPrE:5vvvvvvvvvvvvvvvvvvvvvv/KnrChbs8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2428)

    • Writes file to Word startup folder

      • WINWORD.EXE (PID: 2428)

    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 1172)

    • Detected Pony/Fareit Trojan

      • svchost.exe (PID: 2072)

    • Uses SVCHOST.EXE for hidden code execution

      • regsvr32.exe (PID: 1172)
      • svchost.exe (PID: 2072)

    • HANCITOR was detected

      • svchost.exe (PID: 2072)

    • Actions looks like stealing of personal data

      • svchost.exe (PID: 2072)
      • svchost.exe (PID: 2564)

    • Connects to CnC server

      • svchost.exe (PID: 2072)
      • IEXPLORE.EXE (PID: 1616)
      • svchost.exe (PID: 2564)
      • IEXPLORE.EXE (PID: 2256)

    • Application was dropped or rewritten from another process

      • BNFA78.tmp (PID: 280)
      • BNF883.tmp (PID: 1980)

    • COBALTSTRIKE was detected

      • BNF883.tmp (PID: 1980)

    • URSNIF was detected

      • IEXPLORE.EXE (PID: 1616)
      • IEXPLORE.EXE (PID: 2256)

    • PONY was detected

      • svchost.exe (PID: 2564)

  • SUSPICIOUS

    • Executed via COM

      • iexplore.exe (PID: 1260)

    • Executed via WMI

      • regsvr32.exe (PID: 2224)

    • Checks for external IP

      • svchost.exe (PID: 2072)

    • Application launched itself

      • svchost.exe (PID: 2072)

    • Starts CMD.EXE for commands execution

      • svchost.exe (PID: 2072)

    • Executable content was dropped or overwritten

      • svchost.exe (PID: 2072)

    • Starts application with an unusual extension

      • svchost.exe (PID: 2072)

  • INFO

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 2428)
      • iexplore.exe (PID: 1260)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 1952)
      • IEXPLORE.EXE (PID: 1616)
      • IEXPLORE.EXE (PID: 2256)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1260)

    • Changes internet zones settings

      • iexplore.exe (PID: 1260)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2428)
      • iexplore.exe (PID: 1260)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2428)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1260)

    • Reads the hosts file

      • BNFA78.tmp (PID: 280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XML

AppVersion: 16
HyperlinksChanged: No
HyperlinkBase: -
SharedDoc: No
CharactersWithSpaces: 1
LinksUpToDate: No
Company: -
Manager: -
TitlesOfParts: -
HeadingPairs:
  • Title
  • 1
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 1
Words: -
Pages: 1
TotalEditTime: -
Template: Normal.dotm
Category: -
ModifyDate: 2019:10:09 14:41:00Z
CreateDate: 2019:10:09 14:41:00Z
RevisionNumber: 2
LastModifiedBy: onx
Keywords: -

XMP

Description: generated by python-docx
Creator: python-docx
Subject: -
Title: -

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1769
ZipCompressedSize: 440
ZipCRC: 0x0eab7932
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
14
Malicious processes
10
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winword.exe iexplore.exe iexplore.exe regsvr32.exe no specs regsvr32.exe no specs #HANCITOR svchost.exe cmd.exe no specs #PONY svchost.exe #COBALTSTRIKE bnf883.tmp bnfa78.tmp #URSNIF iexplore.exe iexplore.exe no specs iexplore.exe no specs #URSNIF iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2428"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\docus_39386.doc.docm"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
1260"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1952"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2224regsvr32.exe -s C:\Users\admin\AppData\Roaming\Microsoft\Word\Startup\55F.wllC:\Windows\system32\regsvr32.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1172 -s C:\Users\admin\AppData\Roaming\Microsoft\Word\Startup\55F.wllC:\Windows\SysWOW64\regsvr32.exeregsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
4
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2072C:\Windows\System32\svchost.exeC:\Windows\SysWOW64\svchost.exe
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1956cmd /KC:\Windows\SysWOW64\cmd.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2564C:\Windows\System32\svchost.exeC:\Windows\SysWOW64\svchost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1980C:\Users\admin\AppData\Local\Temp\BNF883.tmpC:\Users\admin\AppData\Local\Temp\BNF883.tmp
svchost.exe
User:
admin
Company:
THQ Canada Inc.
Integrity Level:
MEDIUM
Version:
1, 4, 0, 0
280C:\Users\admin\AppData\Local\Temp\BNFA78.tmpC:\Users\admin\AppData\Local\Temp\BNFA78.tmp
svchost.exe
User:
admin
Integrity Level:
MEDIUM
Total events
4 064
Read events
3 455
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
46
Text files
63
Unknown types
3

Dropped files

PID
Process
Filename
Type
2428WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8130.tmp.cvr
MD5:
SHA256:
2428WINWORD.EXEC:\Users\admin\AppData\Local\Temp\mso8670.tmp
MD5:
SHA256:
1260iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[2].ico
MD5:
SHA256:
1260iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2428WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF9723338A48D58E12.TMP
MD5:
SHA256:
2428WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF91F09CE257B2ACD2.TMP
MD5:
SHA256:
2428WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFE5D56EFC56402A75.TMP
MD5:
SHA256:
1260iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF4E324E3FAFB9DDBC.TMP
MD5:
SHA256:
2428WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$cus_39386.doc.docmpgc
MD5:7BC77D5371AB55D66BBA809344850BE8
SHA256:6842FDB58A971279DFFF5DDDF86CF828B7A39E0362396854698446D2139DF741
1260iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xmlxml
MD5:7C0E98813A48D3D9D55C1037A6D2FA68
SHA256:5B8274093F4B5529F6F7B0977167FD202C1D6FC1A7A9D3931A1B04C3EE8B8CAD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
53
TCP/UDP connections
104
DNS requests
58
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2072
svchost.exe
GET
200
173.201.96.128:80
http://kylemarketing.com/wp-includes/widgets/1
US
binary
45.2 Kb
malicious
2072
svchost.exe
POST
95.169.181.133:80
http://avantusthea.com/mlu/forum.php
DE
malicious
2072
svchost.exe
GET
200
192.254.233.200:80
http://domainnamesexpert.info/wp-content/plugins/iSEO/a
US
binary
33.7 Kb
malicious
1952
IEXPLORE.EXE
GET
200
47.74.181.177:80
http://elitefireandsafety.com/download.html
US
html
45.0 Kb
whitelisted
1980
BNF883.tmp
GET
31.44.184.123:80
http://31.44.184.123/CjnA
RU
malicious
2072
svchost.exe
GET
200
173.201.96.128:80
http://kylemarketing.com/wp-includes/widgets/2
US
binary
46.2 Kb
malicious
1980
BNF883.tmp
GET
200
31.44.184.123:80
http://31.44.184.123/pixel.gif
RU
malicious
1980
BNF883.tmp
GET
200
31.44.184.123:80
http://31.44.184.123/pixel.gif
RU
malicious
1980
BNF883.tmp
GET
200
31.44.184.123:80
http://31.44.184.123/pixel.gif
RU
malicious
1980
BNF883.tmp
GET
200
31.44.184.123:80
http://31.44.184.123/pixel.gif
RU
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1260
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2072
svchost.exe
95.169.181.133:80
avantusthea.com
Keyweb AG
DE
malicious
2564
svchost.exe
95.169.181.133:80
avantusthea.com
Keyweb AG
DE
malicious
1952
IEXPLORE.EXE
47.74.181.177:80
elitefireandsafety.com
Alibaba (China) Technology Co., Ltd.
US
malicious
2072
svchost.exe
23.23.229.94:80
api.ipify.org
Amazon.com, Inc.
US
malicious
2072
svchost.exe
192.254.233.200:80
domainnamesexpert.info
Unified Layer
US
malicious
1260
iexplore.exe
47.74.181.177:80
elitefireandsafety.com
Alibaba (China) Technology Co., Ltd.
US
malicious
2072
svchost.exe
173.201.96.128:80
kylemarketing.com
GoDaddy.com, LLC
US
malicious
280
BNFA78.tmp
8.8.8.8:53
Google Inc.
US
whitelisted
1980
BNF883.tmp
31.44.184.123:80
Petersburg Internet Network ltd.
RU
malicious

DNS requests

Domain
IP
Reputation
elitefireandsafety.com
  • 47.74.181.177
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
api.ipify.org
  • 23.23.229.94
  • 54.243.198.12
  • 23.23.243.154
  • 23.23.73.124
  • 23.23.83.153
  • 50.19.218.16
  • 54.243.147.226
  • 107.22.193.167
shared
avantusthea.com
  • 95.169.181.133
malicious
kylemarketing.com
  • 173.201.96.128
malicious
domainnamesexpert.info
  • 192.254.233.200
malicious
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
has.votaritar.at
  • 47.254.144.71
unknown

Threats

PID
Process
Class
Message
1952
IEXPLORE.EXE
A Network Trojan was detected
MALWARE [PTsecurity] Hex Encoded PE EXE or DLL Windows file download
2072
svchost.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
2072
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Hancitor POST Data send
2072
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Fareit/Pony/Hancitor Payload (Zeus)
2072
svchost.exe
A Network Trojan was detected
ET TROJAN Fareit/Pony Downloader Checkin 2
2072
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Fareit/Pony/Hancitor Payload (Zeus)
2072
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Fareit/Pony/Hancitor Payload (Zeus)
1980
BNF883.tmp
A Network Trojan was detected
MALWARE [PTsecurity] Backdoor.Cobalt
1980
BNF883.tmp
A Network Trojan was detected
MALWARE [PTsecurity] Cobalt Strike Beacon Observed
2072
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Fareit/Pony/Hancitor Payload (Zeus)
73 ETPRO signatures available at the full report
Process
Message
BNF883.tmp
yfpT4m
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
docus_39386.doc