File name: БП ТЭО ТБО.docx
Full analysis: https://app.any.run/tasks/6c197707-f3e7-4243-8cc4-f77f42903134
Verdict: Malicious activity
Analysis date: November 14, 2018, 10:04:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: 0C34A03954C2C18E97F7FF300E5CE807
SHA1: 58010B8FA3ECFC40F0B882FD1A127D34349191D2
SHA256: 43F7EF17CB2B68FC4C745FABA8969566D8595EF4BD35114D13A3A7A780AD6E2E
SSDEEP: 49152:i+p0pWoKk4xQpAbFSwxt0jRInooxGccGj+RSeWL:FKrKgpAbF3t09cocFCSVL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 3112)
    • Reads internet explorer settings

      • WINWORD.EXE (PID: 3112)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3112)
      • iexplore.exe (PID: 2100)
      • iexplore.exe (PID: 2340)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2768)
    • Application launched itself

      • chrome.exe (PID: 3232)
      • iexplore.exe (PID: 684)
    • Reads settings of System Certificates

      • chrome.exe (PID: 3232)
      • iexplore.exe (PID: 3988)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3112)
    • Changes internet zones settings

      • iexplore.exe (PID: 684)
      • iexplore.exe (PID: 3988)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2100)
      • iexplore.exe (PID: 2340)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2100)
      • iexplore.exe (PID: 684)
      • iexplore.exe (PID: 2340)
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x34422d43
ZipCompressedSize: 493
ZipUncompressedSize: 2231
ZipFileName: [Content_Types].xml

XML

Template: Normal
TotalEditTime: 3.7 hours
Pages: 1
Words: 10977
Characters: 62571
Application: Microsoft Office Word
DocSecurity: None
Lines: 521
Paragraphs: 146
ScaleCrop: No
HeadingPairs:
  • Название
  • 1
TitlesOfParts: -
Company: Grizli777
LinksUpToDate: No
CharactersWithSpaces: 73402
SharedDoc: No
HyperlinksChanged: No
AppVersion: 14
LastModifiedBy: Анатольевна
RevisionNumber: 14
LastPrinted: 2015:07:13 10:32:00Z
CreateDate: 2015:07:15 13:22:00Z
ModifyDate: 2018:11:02 14:08:00Z

XMP

Creator: Владимир
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 16
Malicious processes: 0
Suspicious processes: 1

Behavior graph

  • start
  • winword.exe
  • chrome.exe
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • iexplore.exe
  • iexplore.exe
  • iexplore.exe
  • iexplore.exe
  • flashutil32_26_0_0_131_activex.exe (no specs)

Process information

PID: 3112
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\БП ТЭО ТБО.docx"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 3232
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 3221225547
Version: 68.0.3440.106

PID: 1476
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6c2100b0,0x6c2100c0,0x6c2100cc
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 3828
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3168 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 3600
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=892,18185949111417341966,13923202169781498760,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=AC5F95F170C13F5CF5A1AE2E5AFA3459 --mojo-platform-channel-handle=864 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 3552
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=892,18185949111417341966,13923202169781498760,131072 --enable-features=PasswordImport --service-pipe-token=4168013179DC453C603C33A4386A53A6 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4168013179DC453C603C33A4386A53A6 --renderer-client-id=5 --mojo-platform-channel-handle=1912 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 3984
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=892,18185949111417341966,13923202169781498760,131072 --enable-features=PasswordImport --service-pipe-token=8FED68DC2990C533CEC2D83364AB6098 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8FED68DC2990C533CEC2D83364AB6098 --renderer-client-id=3 --mojo-platform-channel-handle=2096 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 2020
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=892,18185949111417341966,13923202169781498760,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=DD6B1276A5BEB6E149EF9852E89F1233 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=DD6B1276A5BEB6E149EF9852E89F1233 --renderer-client-id=6 --mojo-platform-channel-handle=1660 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 1688
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=892,18185949111417341966,13923202169781498760,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=B0A8D0133628BCC28B7D5EA962DA21D8 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=B0A8D0133628BCC28B7D5EA962DA21D8 --renderer-client-id=7 --mojo-platform-channel-handle=3820 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 544
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=892,18185949111417341966,13923202169781498760,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=A313E0DEC71F7BF092A3B85B601D0547 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=A313E0DEC71F7BF092A3B85B601D0547 --renderer-client-id=8 --mojo-platform-channel-handle=4024 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

Total events: 2 367
Read events: 1 843
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 97
Text files: 168
Unknown types: 51

Dropped files

PID | Process | Filename
3112 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9B51.tmp.cvr
3112 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\mso9E11.tmp
3112 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7EF83293.gif
3112 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\471C2378.gif
3112 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49479D19.gif
3112 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98ABF046.gif
3112 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B94D178F.gif
3112 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6D442C44.gif
3112 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8BD5775.gif
3112 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6CE30EF2.gif
HTTP(S) requests: 31
TCP/UDP connections: 142
DNS requests: 85
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2100 | iexplore.exe | GET | 200 | 89.111.176.193:80 | http://neroaera.com/fixpng.js | RU | text | 648 b | unknown
3112 | WINWORD.EXE | GET | 200 | 89.111.176.193:80 | http://neroaera.com/?p=71 | RU | html | 16.2 Kb | unknown
2100 | iexplore.exe | GET | 200 | 89.111.176.193:80 | http://neroaera.com/index.css | RU | text | 3.94 Kb | unknown
3232 | chrome.exe | GET | 200 | 2.16.186.56:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | unknown | compressed | 54.4 Kb | whitelisted
3232 | chrome.exe | GET | 200 | 2.16.186.81:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | unknown | compressed | 54.4 Kb | whitelisted
2100 | iexplore.exe | GET | 200 | 89.111.176.193:80 | http://neroaera.com/up1_bg.jpg | RU | image | 13.3 Kb | unknown
2100 | iexplore.exe | GET | 200 | 89.111.176.193:80 | http://neroaera.com/left1.jpg | RU | image | 5.30 Kb | unknown
2100 | iexplore.exe | GET | 200 | 89.111.176.193:80 | http://neroaera.com/orel.png | RU | image | 52.1 Kb | unknown
2100 | iexplore.exe | GET | 200 | 89.111.176.193:80 | http://neroaera.com/upmenu_pset.png | RU | image | 501 b | unknown
2100 | iexplore.exe | GET | 200 | 89.111.176.193:80 | http://neroaera.com/up2_bg.jpg | RU | image | 21.0 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3232 | chrome.exe | 216.58.215.227:443 | www.gstatic.com | Google Inc. | US | whitelisted
3232 | chrome.exe | 185.72.229.13:80 | rbcdaily.ru | Rosbusinessconsulting Cjsc | RU | unknown
3232 | chrome.exe | 216.58.215.228:443 | www.google.com | Google Inc. | US | whitelisted
3232 | chrome.exe | 216.58.215.234:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
3232 | chrome.exe | 185.72.229.3:443 | www.rbc.ru | Rosbusinessconsulting Cjsc | RU | unknown
3232 | chrome.exe | 216.58.215.238:443 | apis.google.com | Google Inc. | US | whitelisted
3232 | chrome.exe | 185.72.229.2:443 | s.rbk.ru | Rosbusinessconsulting Cjsc | RU | unknown
3232 | chrome.exe | 172.217.168.3:443 | www.google.de | Google Inc. | US | whitelisted
3232 | chrome.exe | 216.58.215.237:443 | accounts.google.com | Google Inc. | US | whitelisted
3232 | chrome.exe | 172.217.168.35:443 | ssl.gstatic.com | Google Inc. | US | whitelisted


DNS requests

Domain | IP | Reputation
www.google.de | 172.217.168.3 | whitelisted
www.gstatic.com | 216.58.215.227 | whitelisted
clientservices.googleapis.com | 216.58.215.227 | whitelisted
safebrowsing.googleapis.com | 216.58.215.234 | whitelisted
accounts.google.com | 216.58.215.237 | shared
ssl.gstatic.com | 172.217.168.35 | whitelisted
apis.google.com | 216.58.215.238 | whitelisted
www.google.com | 216.58.215.228 | whitelisted
rbcdaily.ru | 185.72.229.13, 80.68.253.13 | whitelisted
www.rbc.ru | 185.72.229.3, 80.68.253.3 | whitelisted

Threats

No threats detected
No debug info