File name:

Litigation.doc

Full analysis: https://app.any.run/tasks/826e6485-9011-4566-b38b-17db5c8dece0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: November 15, 2018, 10:19:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
nymaim
trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Locale ID: 1033, Author: xedct, Subject: otwoqyrp
MD5:

AA401E9719475DA39222B08F76A809E5

SHA1:

C93C0BBD8356CB3EB53A74AE8986F2A32F80E8B3

SHA256:

4EDAF02747BD9FE6D5B9CC3EDC7461E6F2129CDDD522CC7959B91625DD787FB3

SSDEEP:

768:tlDmYQIbWwT+WW5+umDdvGJ5HE48F5lhhDgI55DE:ttce+IuwvGJ5kX/jgII

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2108)

    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 2108)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2108)

    • Application was dropped or rewritten from another process

      • qwerty2.exe (PID: 2452)

    • Downloads executable files from IP

      • WINWORD.EXE (PID: 2108)

    • NYMAIM was detected

      • wmpenc.exe (PID: 3656)

    • Connects to CnC server

      • wmpenc.exe (PID: 3656)

  • SUSPICIOUS

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 2108)

    • Creates files in the program directory

      • wmpenc.exe (PID: 3656)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2108)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
LocaleIndicator: 1033
Author: xedct
Subject: otwoqyrp
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winword.exe qwerty2.exe no specs #NYMAIM wmpenc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2108"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Litigation.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
2452C:\Users\admin\AppData\Local\Temp\qwerty2.exeC:\Users\admin\AppData\Local\Temp\qwerty2.exeWINWORD.EXE
User:
admin
Company:
E-mErGE gmbh
Integrity Level:
MEDIUM
Description:
E-mErGE gmbh
Exit code:
0
Version:
7.07.0006
Modules
Images
c:\users\admin\appdata\local\temp\qwerty2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3656-wdC:\Program Files\Windows Media Player\wmpenc.exe
qwerty2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Encoder Helper
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpenc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
1 102
Read events
694
Write events
401
Delete events
7

Modification events

(PID) Process:(2108) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:nci
Value:
6E6369003C080000010000000000000000000000
(PID) Process:(2108) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2108) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2108) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1299120143
(PID) Process:(2108) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1299120256
(PID) Process:(2108) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1299120257
(PID) Process:(2108) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
3C080000364AF7B8CC7CD40100000000
(PID) Process:(2108) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:5ei
Value:
356569003C08000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2108) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:5ei
Value:
356569003C08000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2108) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
2
Suspicious files
2
Text files
3
Unknown types
5

Dropped files

PID
Process
Filename
Type
2108WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9BCE.tmp.cvr
MD5:
SHA256:
2108WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFB563FD3FCF81DA4E.TMP
MD5:
SHA256:
2108WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF6FF366D92F35AFEF.TMP
MD5:
SHA256:
2108WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF9B48B3F36F5F6D35.TMP
MD5:
SHA256:
2108WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF27F3FE5CDF09919D.TMP
MD5:
SHA256:
2108WINWORD.EXEC:\Users\admin\AppData\Local\Temp\msoC511.tmp
MD5:
SHA256:
2108WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFB8DBD3DDB39EC74F.TMP
MD5:
SHA256:
2108WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF27E7A8426CCAA990.TMP
MD5:
SHA256:
2108WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BFD46447.png
MD5:
SHA256:
2108WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\28AC619C.png
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
16
DNS requests
4
Threats
49

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2108
WINWORD.EXE
GET
200
209.141.60.230:80
http://209.141.60.230/516.exe
US
executable
1.34 Mb
malicious
3656
wmpenc.exe
POST
200
178.48.154.38:80
http://carfax.com/0lmdgvkcw/index.php
HU
binary
1.05 Kb
malicious
3656
wmpenc.exe
POST
200
94.190.187.35:80
http://carfax.com/0lmdgvkcw/index.php
BG
binary
527 b
malicious
3656
wmpenc.exe
POST
200
193.33.1.18:80
http://carfax.com/0lmdgvkcw/index.php
PL
malicious
3656
wmpenc.exe
POST
200
37.143.160.70:80
http://carfax.com/0lmdgvkcw/index.php
RO
malicious
3656
wmpenc.exe
POST
200
47.254.192.56:80
http://zepter.com/0lmdgvkcw/index.php
US
binary
577 b
malicious
3656
wmpenc.exe
POST
200
86.127.253.176:80
http://carfax.com/0lmdgvkcw/index.php
RO
binary
387 b
malicious
3656
wmpenc.exe
POST
200
80.98.152.40:80
http://carfax.com/0lmdgvkcw/index.php
HU
binary
654 b
malicious
3656
wmpenc.exe
POST
200
41.110.200.194:80
http://carfax.com/0lmdgvkcw/index.php
DZ
binary
726 b
malicious
3656
wmpenc.exe
POST
200
213.231.169.71:80
http://carfax.com/0lmdgvkcw/index.php
BG
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2108
WINWORD.EXE
209.141.60.230:80
FranTech Solutions
US
malicious
3656
wmpenc.exe
8.8.8.8:53
Google Inc.
US
malicious
3656
wmpenc.exe
8.8.4.4:53
Google Inc.
US
whitelisted
3656
wmpenc.exe
94.190.187.35:80
Telecommunication Company Varna EAD
BG
suspicious
3656
wmpenc.exe
37.143.160.70:80
Adrana International SRL
RO
suspicious
3656
wmpenc.exe
37.143.207.7:80
Bulsatcom EAD
BG
suspicious
3656
wmpenc.exe
80.98.152.40:80
Liberty Global Operations B.V.
HU
malicious
3656
wmpenc.exe
193.33.1.18:80
PPHU 'VOIP PARTNERS' Tomasz Filak
PL
malicious
3656
wmpenc.exe
89.149.63.2:80
SC Servicii Micronet SRL
RO
suspicious
3656
wmpenc.exe
86.127.253.176:80
RCS & RDS
RO
malicious

DNS requests

Domain
IP
Reputation
microsoft.com
  • 40.76.4.15
  • 40.112.72.205
  • 40.113.200.201
  • 104.215.148.63
  • 13.77.161.179
whitelisted
infintsusi.com
  • 22.143.252.178
  • 242.16.155.36
  • 193.1.14.16
  • 37.95.206.5
  • 80.114.133.54
  • 213.135.86.120
  • 24.205.11.95
  • 89.178.59.4
  • 37.95.163.56
  • 30.78.187.37
  • 41.63.181.197
unknown
digefinsed.com
  • 47.254.192.56
malicious

Threats

PID
Process
Class
Message
2108
WINWORD.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
2108
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
2108
WINWORD.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2108
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
2108
WINWORD.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3656
wmpenc.exe
A Network Trojan was detected
MALWARE [PTsecurity] Nymaim Check-in
3656
wmpenc.exe
A Network Trojan was detected
MALWARE [PTsecurity] Nymaim Check-in
3656
wmpenc.exe
A Network Trojan was detected
MALWARE [PTsecurity] Nymaim Check-in
3656
wmpenc.exe
A Network Trojan was detected
MALWARE [PTsecurity] Nymaim Check-in
3656
wmpenc.exe
A Network Trojan was detected
MALWARE [PTsecurity] Nymaim Check-in
22 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Litigation.doc