analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

5993f5baa63dd2c9eb72709914246269384c0482bf33f95caeddd4fb789661a0.doc

Full analysis: https://app.any.run/tasks/2f43ef03-5e5a-4b0b-bade-23bc649a5f80
Verdict: Malicious activity
Analysis date: June 12, 2019, 03:45:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 949, Author: Richard, Template: Normal.dotm, Last Saved By: , Revision Number: 14, Name of Creating Application: Microsoft Office Word, Total Editing Time: 05:00, Create Time/Date: Tue Oct 16 00:10:00 2018, Last Saved Time/Date: Thu May 9 11:37:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

159499C409F5C932328553BFCBE87D89

SHA1:

F1B7CBCB24A472DC1DCC68398C4216276206B416

SHA256:

5993F5BAA63DD2C9EB72709914246269384C0482BF33F95CAEDDD4FB789661A0

SSDEEP:

6144:okvQ2xGsRIvLYBAx07dFwRgnNDkT6xz34XutIgU:LdGs4LY5fUa2Gxz34X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3252)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Dropped object may contain Bitcoin addresses

      • dwwin.exe (PID: 3268)
      • WINWORD.EXE (PID: 3252)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3252)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3252)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 ????
CompObjUserTypeLen: 28
HeadingPairs:
  • ????
  • 1
  • Title
  • 1
TitleOfParts:
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 1
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Korean (Unified Hangul Code)
Security: None
Characters: 1
Words: -
Pages: 1
ModifyDate: 2019:05:09 10:37:00
CreateDate: 2018:10:15 23:10:00
TotalEditTime: 5.0 minutes
Software: Microsoft Office Word
RevisionNumber: 14
LastModifiedBy: ?? ?α?
Template: Normal.dotm
Comments: -
Keywords: -
Author: Richard
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs dw20.exe no specs dwwin.exe

Process information

PID
CMD
Path
Indicators
Parent process
3252"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\5993f5baa63dd2c9eb72709914246269384c0482bf33f95caeddd4fb789661a0.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3916"C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1284C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Application Error Reporting
Exit code:
0
Version:
14.0.6015.1000
3268C:\Windows\system32\dwwin.exe -x -s 1284C:\Windows\system32\dwwin.exe
DW20.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Watson Client
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
631
Read events
601
Write events
25
Delete events
5

Modification events

(PID) Process:(3252) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:cz>
Value:
637A3E00B40C0000010000000000000000000000
(PID) Process:(3252) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3252) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3252) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1321992222
(PID) Process:(3252) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1321992336
(PID) Process:(3252) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1321992337
(PID) Process:(3252) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
B40C00000CA67C62D120D50100000000
(PID) Process:(3252) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:(|>
Value:
287C3E00B40C000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3252) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:(|>
Value:
287C3E00B40C000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3252) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
0
Suspicious files
3
Text files
5
Unknown types
5

Dropped files

PID
Process
Filename
Type
3252WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRF653.tmp.cvr
MD5:
SHA256:
3252WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF8470F8F8D9FA9BAE.TMP
MD5:
SHA256:
3252WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFAE8801282D522175.TMP
MD5:
SHA256:
3268dwwin.exeC:\Users\admin\AppData\Local\Temp\WER97D5.tmp.hdmp
MD5:
SHA256:
3268dwwin.exeC:\Users\admin\AppData\Local\Temp\WER9A47.tmp.mdmp
MD5:
SHA256:
3268dwwin.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_WINWORD.EXE_ef4ac5de42158e263874ab2de641f0eb2682588_cab_0cd69bfa\WER97D5.tmp.hdmp
MD5:
SHA256:
3252WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8EBCBAA3-E98D-40E3-8269-DCD8F221AE71}.tmp
MD5:
SHA256:
3252WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF6518E24F8B658B3E.TMP
MD5:
SHA256:
3252WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B7750C5B-C51C-4D11-ACAF-DA3C9E1AEBB2}.tmpbinary
MD5:65A10F911A71B40044E1D8D79DCFB67E
SHA256:0EFA1140A3271E809518F5357DCB1681D91480EEAF37F786945E506041FD3DD3
3268dwwin.exeC:\Users\admin\AppData\Local\Temp\WER8DA3.tmp.appcompat.txtxml
MD5:A78E993C40E5A39541F1EA524E137A7C
SHA256:0F349B56EC2CC61C4F324B18BA391521105A0E5E095138168FDBFB015AAAAABF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3268
dwwin.exe
GET
20.44.86.127:80
http://watson.microsoft.com/StageOne/WINWORD_EXE/14_0_6024_1000/4d83e310/unknown/0_0_0_0/00000000/c0000005/057804f5.htm?LCID=1033&skulcid=1033&LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL&MID=3ADE2C42-4AB9-49B7-B142-BE9AEEA69063
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3268
dwwin.exe
20.44.86.127:80
watson.microsoft.com
US
suspicious

DNS requests

Domain
IP
Reputation
watson.microsoft.com
  • 20.44.86.127
whitelisted

Threats

PID
Process
Class
Message
3268
dwwin.exe
Potential Corporate Privacy Violation
ET POLICY Application Crash Report Sent to Microsoft
3268
dwwin.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info