Malware analysis info_10_09_1.doc Malicious activity | ANY.RUN

Add for printing

File name:	info_10_09_1.doc
Full analysis:	https://app.any.run/tasks/7ac512b6-5283-4884-ac61-c8d129781c8e
Verdict:	Malicious activity
Threats:	Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world. Malware Trends Tracker >>>
Analysis date:	October 09, 2019, 13:59:16
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open maldoc-3 generated-doc gozi ursnif
Indicators:
MIME:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:	Microsoft Word 2007+
MD5:	E3C555135FA48386A8626C68C7A6555F
SHA1:	76DBC66C28A730F1AE81B8BC308318A206D95A6C
SHA256:	4F3E3DDD61CFB7AD59E2BD690729EE0DCB0B2650FE3BC630BA17DEB776DE6DE1
SSDEEP:	1536:bWUCXMYyzGGpnTb76bd6Rd1yywQmBKov5aJDA1:CUMypTb76bd8d1jCFBaJ4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: on
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Unusual execution from Microsoft Office
  - WINWORD.EXE (PID: 2768)
- URSNIF was detected
  - WMIC.exe (PID: 3560)
SUSPICIOUS
- Uses WMIC.EXE to obtain a system information
  - WINWORD.EXE (PID: 2768)
INFO
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 2768)
- Creates files in the user directory
  - WINWORD.EXE (PID: 2768)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.docm	\|	Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx	\|	Word Microsoft Office Open XML Format document (24.2)
.zip	\|	Open Packaging Conventions container (18)
.zip	\|	ZIP compressed archive (4.1)

EXIF

XMP

Language:	en-US
Description:	-
Creator:	hdwpx
Subject:	-
Title:	-

XML

Category:	-
ModifyDate:	2019:10:09 08:44:00Z
CreateDate:	2019:10:09 08:44:00Z
RevisionNumber:	2
LastModifiedBy:	admin
Keywords:	-
AppVersion:	16
HyperlinksChanged:	No
SharedDoc:	No
CharactersWithSpaces:	-
LinksUpToDate:	No
Company:	home
Manager:	-
TitlesOfParts:	ffwmamztsi
HeadingPairs:	Название 1 Title 1
ScaleCrop:	No
Paragraphs:	-
Lines:	1
DocSecurity:	None
Application:	Microsoft Office Word
Characters:	-
Words:	-
Pages:	1
TotalEditTime:	-
Template:	Normal.dotm

ZIP

ZipFileName:	[Content_Types].xml
ZipUncompressedSize:	1901
ZipCompressedSize:	445
ZipCRC:	0x01119293
ZipModifyDate:	1980:01:01 00:00:00
ZipCompression:	Deflated
ZipBitFlag:	0x0006
ZipRequiredVersion:	20

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

35

Monitored processes

2

Malicious processes

2

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2768	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\info_10_09_1.doc.docm"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
3560	"C:\Windows\System32\wbem\WMIC.exe" process list /format:"C:\Users\admin\AppData\Local\Temp\aZoC3IYWg"	C:\Windows\System32\wbem\WMIC.exe		WINWORD.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147500037 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 502

Read events

802

Write events

0

Delete events

0

Modification events

No data

Add for printing

Executable files

0

Suspicious files

0

Text files

1

Unknown types

3

Dropped files

PID	Process	Filename		Type
2768	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR99C.tmp.cvr		—
		MD5:—	SHA256:—
2768	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F96FA6D.jpeg		—
		MD5:—	SHA256:—
2768	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:8029E02E7BE0EF0B0770BA11C6BD50D5	SHA256:18328DBAA8534BB6BC321D73E4E01CDB24FE844DCA6A2F1000827682BE2837FB
2768	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd		tlb
		MD5:D94ACE99F319025E04E4CDD9AB9CACFE	SHA256:504A8D78F751F64EF41781DCA463503FE0F922A30D6ACD23D65498596203E8BB
2768	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$fo_10_09_1.doc.docm		pgc
		MD5:4C5DBD074FA18DB727BC4D7BF03363FD	SHA256:B60A8BCDB997330C4ADF24432117979C7CA41D5C62594C75032793433D10ACA4
2768	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\aZoC3IYWg.xsl		xml
		MD5:FB859F0330ED3FC5728525AAB1A3253B	SHA256:3CAAB04DD8B0B3A989607D83A7F48E6B668275627B7D4335931B8DDD5115E8FF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

1

TCP/UDP connections

1

DNS requests

3

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3560	WMIC.exe	GET	404	185.174.173.55:80	http://protedabao.com/angosz/cecolf.php?l=icath5.tar	UA	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3560	WMIC.exe	185.174.173.55:80	protedabao.com	ITL Company	UA	malicious

DNS requests

Domain	IP	Reputation
protedabao.com	185.174.173.55	malicious

Threats

PID	Process	Class	Message
3560	WMIC.exe	A Network Trojan was detected	MALWARE [PTsecurity] MalDoc Requesting Ursnif Payload

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

info_10_09_1.doc

E3C555135FA48386A8626C68C7A6555F

76DBC66C28A730F1AE81B8BC308318A206D95A6C

4F3E3DDD61CFB7AD59E2BD690729EE0DCB0B2650FE3BC630BA17DEB776DE6DE1

1536:bWUCXMYyzGGpnTb76bd6Rd1yywQmBKov5aJDA1:CUMypTb76bd8d1jCFBaJ4

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Unusual execution from Microsoft Office

URSNIF was detected

SUSPICIOUS

Uses WMIC.EXE to obtain a system information

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

XMP

XML

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings