analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | PO#90119.docx |
| Full analysis: | https://app.any.run/tasks/719e8826-07fc-4bca-9c03-bdc824448ec1 |
| Verdict: | Malicious activity |
| Analysis date: | January 11, 2019, 03:48:02 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File info: | Microsoft Word 2007+ |
| MD5: | 1A3FF39C7ABF2477C08E62A408B764C2 |
| SHA1: | F91CA114792B05ECC1FB10F260D2FA8BA857A555 |
| SHA256: | 5514CA4AEDC540538C6EC62450E2D8FB1F9D985F806ED02A0E07A613DF9A7068 |
| SSDEEP: | 3072:87lL2mrdFADYhDFc8rpKSvNYbWRDzUyRBelYc3nTMSFm9d+tlKfkaMp:87lCAdFkYhDFBxvqyRmTMSFmfSH |
MALICIOUS
No malicious indicators.SUSPICIOUS
Unusual connect from Microsoft Office
- WINWORD.EXE (PID: 2844)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2844)
Creates files in the user directory
- WINWORD.EXE (PID: 2844)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .docx | | | Word Microsoft Office Open XML Format document (52.2) |
|---|---|---|
| .zip | | | Open Packaging Conventions container (38.8) |
| .zip | | | ZIP compressed archive (8.8) |
EXIF
XMP
| Description: | - |
|---|---|
| Creator: | Windows User |
| Subject: | - |
| Title: | - |
XML
| ModifyDate: | 2018:12:30 11:52:00Z |
|---|---|
| CreateDate: | 2018:12:30 11:52:00Z |
| RevisionNumber: | 2 |
| LastModifiedBy: | Richard |
| Keywords: | - |
| AppVersion: | 15 |
| HyperlinksChanged: | No |
| SharedDoc: | No |
| CharactersWithSpaces: | 1 |
| LinksUpToDate: | No |
| Company: | - |
| TitlesOfParts: | - |
| HeadingPairs: |
|
| ScaleCrop: | No |
| Paragraphs: | 1 |
| Lines: | 1 |
| DocSecurity: | None |
| Application: | Microsoft Office Word |
| Characters: | 1 |
| Words: | - |
| Pages: | 1 |
| TotalEditTime: | - |
| Template: | template.dotx |
ZIP
| ZipFileName: | [Content_Types].xml |
|---|---|
| ZipUncompressedSize: | 1364 |
| ZipCompressedSize: | 351 |
| ZipCRC: | 0x2ea8411c |
| ZipModifyDate: | 1980:01:01 00:00:00 |
| ZipCompression: | Deflated |
| ZipBitFlag: | 0x0006 |
| ZipRequiredVersion: | 20 |
Total processes
30
Monitored processes
1
Malicious processes
0
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2844 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\PO#90119.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 Modules
| |||||||||||||||
Total events
1 077
Read events
744
Write events
96
Delete events
5
Modification events
| (PID) Process: | (2844) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | d9$ |
Value: 643924001C0B0000010000000000000000000000 | |||
| (PID) Process: | (2844) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (2844) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (2844) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1311440926 | |||
| (PID) Process: | (2844) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1311441040 | |||
| (PID) Process: | (2844) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1311441041 | |||
| (PID) Process: | (2844) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
| Operation: | write | Name: | MTTT |
Value: 1C0B0000AC8A6B8260A9D40100000000 | |||
| (PID) Process: | (2844) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | k;$ |
Value: 6B3B24001C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (2844) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | delete value | Name: | k;$ |
Value: 6B3B24001C0B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (2844) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
0
Suspicious files
24
Text files
0
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR99E4.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{D702C08D-DE70-4047-994E-759784A4982E} | — | |
MD5:— | SHA256:— | |||
| 2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{FFAB94D9-D4AC-40C9-951F-03D224A3BC41} | — | |
MD5:— | SHA256:— | |||
| 2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5754EA7D.jpeg | — | |
MD5:— | SHA256:— | |||
| 2844 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:B2A436A8C3D1FBC4316A1C780A4B85BD | SHA256:831EF4D2D350750F189D949F20BEEC0307F8F611932193B5D366BC53366AB189 | |||
| 2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | |
MD5:F034546ECF9EFCFE00D3252FA8DEB355 | SHA256:F3893543B8742E544A48EB734181A5AF13B0430F967999D86E3D686E87675380 | |||
| 2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$#90119.docx | pgc | |
MD5:26851C3CB0B03608E8C45435BFB97439 | SHA256:CF560AB2812267C9D5287E63F2B024DC1804F880C6ABA4EC65FAB3E714E32F9F | |||
| 2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B03BC8B5-2D5C-4681-80D7-F3F16E91493D}.FSD | binary | |
MD5:497935054E572744992C91FD770F32B8 | SHA256:A4BDE32FD8C19F31250FC0735DAADF8FF0BF3F8994F3BEDDCC0B55698E14F23F | |||
| 2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | |
MD5:E95C8F793D280B5F2ABECE291525F4C9 | SHA256:6CD31668C4DD93C68C4F2806A89763EA16EA953AEF724AF3B87EAD6A94486A88 | |||
| 2844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{93544ECC-2C04-4EA2-92EE-1C86643C0FE5}.FSD | binary | |
MD5:BA17058E22F66DFA6B8AC8563183BC59 | SHA256:2C0C605C6EBFBEFEE4F3CEBC5CB099BA3C43772304EE8DE22D3CBD9D14E75771 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
4
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2844 | WINWORD.EXE | HEAD | 500 | 76.72.173.69:80 | http://stomnsco.com/cgi/surb.doc | US | — | — | malicious |
2844 | WINWORD.EXE | GET | 500 | 76.72.173.69:80 | http://stomnsco.com/cgi/surb.doc | US | html | 7.14 Kb | malicious |
2844 | WINWORD.EXE | OPTIONS | 500 | 76.72.173.69:80 | http://stomnsco.com/cgi/ | US | html | 7.14 Kb | malicious |
976 | svchost.exe | OPTIONS | 500 | 76.72.173.69:80 | http://stomnsco.com/cgi | US | html | 7.14 Kb | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2844 | WINWORD.EXE | 76.72.173.69:80 | stomnsco.com | Database by Design, LLC | US | malicious |
976 | svchost.exe | 76.72.173.69:80 | stomnsco.com | Database by Design, LLC | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
stomnsco.com |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2844 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source |