File name:

Incident_Harassment.doc

Full analysis: https://app.any.run/tasks/f0d3bd69-1a93-4356-a1dd-ee17a2b300c6
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: May 08, 2024, 17:42:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-close
evasion
ssload
loader
backdoor
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: mob, Template: Normal.dotm, Last Saved By: mob, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Mon Apr 15 15:36:00 2024, Last Saved Time/Date: Mon Apr 15 15:37:00 2024, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

EC7E26A81B6002C53854A1769AD427A6

SHA1:

D43501510CA909818EAC2684A53C9BE609075BAC

SHA256:

57BD8E8606DC579EB8190DC8882C2892EF05636F28BAD0178E04C9BCBDAC5995

SSDEEP:

49152:XEtkIKEgJAJvpW4XMrCV/L75aWfpmL+n5uS/PudUUHzY:XEtkIKEgCpWnCVz7thlZG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Accesses environment variables (SCRIPT)

      • WINWORD.EXE (PID: 3980)

    • Uses base64 encoding (SCRIPT)

      • WINWORD.EXE (PID: 3980)

    • Gets TEMP folder path (SCRIPT)

      • WINWORD.EXE (PID: 3980)

    • Detects the decoding of a binary file from Base64 (SCRIPT)

      • WINWORD.EXE (PID: 3980)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 3980)

    • Unusual execution from MS Office

      • WINWORD.EXE (PID: 3980)

  • SUSPICIOUS

    • Creates XML DOM element (SCRIPT)

      • WINWORD.EXE (PID: 3980)

    • Sets XML DOM element text (SCRIPT)

      • WINWORD.EXE (PID: 3980)

    • Script creates XML DOM node (SCRIPT)

      • WINWORD.EXE (PID: 3980)

    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • WINWORD.EXE (PID: 3980)

    • Writes binary data to a Stream object (SCRIPT)

      • WINWORD.EXE (PID: 3980)

    • Saves data to a binary file (SCRIPT)

      • WINWORD.EXE (PID: 3980)

    • Checks for external IP

      • app.com (PID: 1024)

    • Connects to the server without a host name

      • app.com (PID: 1024)

    • Starts application with an unusual extension

      • WINWORD.EXE (PID: 3980)

    • Reads settings of System Certificates

      • app.com (PID: 1024)

    • Runs shell command (SCRIPT)

      • WINWORD.EXE (PID: 3980)

  • INFO

    • Checks transactions between databases Windows and Oracle

      • WINWORD.EXE (PID: 3980)

    • Drops the executable file immediately after the start

      • WINWORD.EXE (PID: 3980)

    • Reads the machine GUID from the registry

      • app.com (PID: 1024)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2028)

    • Reads the computer name

      • wmpnscfg.exe (PID: 2028)
      • app.com (PID: 1024)

    • Checks supported languages

      • wmpnscfg.exe (PID: 2028)
      • app.com (PID: 1024)

    • Reads the software policy settings

      • app.com (PID: 1024)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Identification: Word 8.0
LanguageCode: English (US)
DocFlags: Has picture, 1Table, ExtChar
System: Windows
Word97: No
Title: -
Subject: -
Author: mob
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: mob
Software: Microsoft Office Word
CreateDate: 2024:04:15 15:36:00
ModifyDate: 2024:04:15 15:37:00
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
CharCountWithSpaces: 1
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
LastPrinted: 0000:00:00 00:00:00
RevisionNumber: 3
TotalEditTime: 1 minute
Words: -
Characters: 1
Pages: 1
Paragraphs: 1
Lines: 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe app.com wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1024"C:\Users\admin\AppData\Local\Temp\app.com" C:\Users\admin\AppData\Local\Temp\app.com
WINWORD.EXE
User:
admin
Company:
Qihoo 360 Technology Co. Ltd.
Integrity Level:
MEDIUM
Description:
360 Patch Up
Version:
8, 6, 0, 1022
Modules
Images
c:\users\admin\appdata\local\temp\app.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2028"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3980"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n C:\Users\admin\AppData\Local\Temp\Incident_Harassment.docC:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events
11 222
Read events
10 418
Write events
553
Delete events
251

Modification events

(PID) Process:(3980) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:)h?
Value:
29683F008C0F0000010000000000000000000000
(PID) Process:(3980) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3980) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(3980) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(3980) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(3980) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(3980) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(3980) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(3980) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(3980) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
1
Suspicious files
6
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
3980WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR3819.tmp.cvr
MD5:
SHA256:
3980WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{D6789D44-4AE8-4BD2-A655-B193BBFCBBAD}.tmp
MD5:
SHA256:
3980WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFC7E1D4472B2C6D90.TMPgmc
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
3980WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFF3923165B6F78D35.TMPgmc
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
3980WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdbinary
MD5:31DA46C4044C30AD57B8274658315AE0
SHA256:9D82DCAD3DA0871D16E365E6F06AAF7490AB002A7A58DA773CFDCC7B44F95124
3980WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF95E53DD13DA2E9A6.TMPgmc
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
3980WINWORD.EXEC:\Users\admin\AppData\Local\Temp\app.comexecutable
MD5:BD3231011448B2D6A335032D11C12CAD
SHA256:CA066896A28840F4ECCB9150ADF86170D83337650D28B128CB584E7D8B178695
3980WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF06B71594023EA665.TMPbinary
MD5:72F5C05B7EA8DD6059BF59F50B22DF33
SHA256:1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
3980WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$cident_Harassment.docpgc
MD5:62991A446B4AEC2BC48D78B6266A16FD
SHA256:95D98757861435BE0D2CB3780D26D8C8814332624A548A64D65514742D28809E
3980WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:D27D307C9620F0F2B78519B6F5CB7294
SHA256:8A5E3EC0A17A150FA69946625208F77546C15E5247A4A318EE1F7ADA644FFCF5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
9
DNS requests
2
Threats
17

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1024
app.com
GET
500
209.182.225.10:80
http://209.182.225.10/download?id=LosAngeles&module=2&filename=None
unknown
unknown
1024
app.com
POST
200
85.239.53.219:80
http://85.239.53.219/api/0d5c5f0d-1526-e933-42a7-5ec964719e94/tasks
unknown
unknown
1024
app.com
POST
200
85.239.53.219:80
http://85.239.53.219/api/0d5c5f0d-1526-e933-42a7-5ec964719e94/tasks
unknown
unknown
1024
app.com
POST
200
85.239.53.219:80
http://85.239.53.219/api/gateway
unknown
unknown
1024
app.com
POST
85.239.53.219:80
http://85.239.53.219/api/0d5c5f0d-1526-e933-42a7-5ec964719e94/tasks
unknown
unknown
1024
app.com
POST
200
85.239.53.219:80
http://85.239.53.219/api/0d5c5f0d-1526-e933-42a7-5ec964719e94/tasks
unknown
unknown
1024
app.com
POST
200
85.239.53.219:80
http://85.239.53.219/api/0d5c5f0d-1526-e933-42a7-5ec964719e94/tasks
unknown
unknown
1024
app.com
POST
200
85.239.53.219:80
http://85.239.53.219/api/0d5c5f0d-1526-e933-42a7-5ec964719e94/tasks
unknown
unknown
1024
app.com
POST
200
85.239.53.219:80
http://85.239.53.219/api/0d5c5f0d-1526-e933-42a7-5ec964719e94/tasks
unknown
unknown
1024
app.com
POST
200
85.239.53.219:80
http://85.239.53.219/api/0d5c5f0d-1526-e933-42a7-5ec964719e94/tasks
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown
1024
app.com
104.26.12.205:443
api.ipify.org
CLOUDFLARENET
US
unknown
1024
app.com
104.26.13.205:443
api.ipify.org
CLOUDFLARENET
US
unknown
1024
app.com
85.239.53.219:80
BlueVPS OU
US
unknown
1024
app.com
209.182.225.10:80
SHOCK-1
US
unknown

DNS requests

Domain
IP
Reputation
api.ipify.org
  • 104.26.12.205
  • 104.26.13.205
  • 172.67.74.152
shared

Threats

PID
Process
Class
Message
1088
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
1024
app.com
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
A Network Trojan was detected
ET MALWARE Win32/SSLoad Registration Activity (POST)
A Network Trojan was detected
ET MALWARE Win32/SSLoad Registration Response
A Network Trojan was detected
ET MALWARE Win32/SSLoad Tasking Request (POST)
A Network Trojan was detected
ET MALWARE Win32/SSLoad Tasking Response
A Network Trojan was detected
ET MALWARE Win32/SSLoad Module Request (GET)
A Network Trojan was detected
ET MALWARE Win32/SSLoad Tasking Request (POST)
A Network Trojan was detected
ET MALWARE Win32/SSLoad Tasking Request (POST)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Incident_Harassment.doc