analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Reply.wps

Full analysis: https://app.any.run/tasks/0a28d84b-1bca-4fd6-9de3-36f5f8ed36e0
Verdict: Malicious activity
Analysis date: January 22, 2019, 17:32:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/CDFV2
File info: Composite Document File V2 Document, Cannot read section info
MD5:

D54A69A2822EAD598261081B45F23E0F

SHA1:

3BA60440492849C0FEC9EE7BC6D1CEE4ADFF9019

SHA256:

5ADE47ABF189F38D8E2BF327C99AB5B35FAF0D4C066AC7583F1D667ACBF7158A

SSDEEP:

96:6IhJN7EZCQHaaEcrn7FINpVhnCJpQ8uWZoyrUbEpf4IIBz4CwJYh1WDIffHRffHv:6ItxQPEOncZnCJFbYYQNj0gxnRZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3224)

  • SUSPICIOUS

    • Creates files in the user directory

      • notepad++.exe (PID: 3744)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3224)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3224)

    • Modifies the open verb of a shell class

      • rundll32.exe (PID: 3060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.wps | Microsoft Works text document (84.1)

EXIF

FlashPix

CompObjUserType: Quill96 Story Group Class
CompObjUserTypeLen: 26
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs notepad.exe no specs winword.exe wkconv.exe no specs notepad++.exe gup.exe

Process information

PID
CMD
Path
Indicators
Parent process
3060"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\Reply.wpsC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2292"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Reply.wpsC:\Windows\system32\NOTEPAD.EXErundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3224"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Reply.wps"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3972"C:\Program Files\Common Files\Microsoft Shared\TextConv\Wksconv\WKCONV.EXE" Local\3192WKC2209656C:\Program Files\Common Files\Microsoft Shared\TextConv\Wksconv\WKCONV.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft® Works 6.0 - 9.0 WP RTF Export Converter
Exit code:
0
Version:
14.0.6009.1000
3744"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\Reply.wps"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Version:
7.51
1848"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
0
Version:
4.1
Total events
1 076
Read events
927
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
6
Unknown types
4

Dropped files

PID
Process
Filename
Type
3224WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRB507.tmp.cvr
MD5:
SHA256:
3224WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF08D14CEBA912590A.TMP
MD5:
SHA256:
3224WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF34D7ABFA12087C11.TMP
MD5:
SHA256:
3224WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFFF23D5234A5D24AC.TMP
MD5:
SHA256:
3224WINWORD.EXEC:\Users\admin\AppData\Local\Temp\OICE_33F03A1A-7627-4F4A-BC4E-2DF4FFC4B50A.0\Reply.wps
MD5:
SHA256:
3972WKCONV.EXEC:\Users\admin\AppData\Local\Temp\OICE_33F03A1A-7627-4F4A-BC4E-2DF4FFC4B50A.0\~DFDCC1122B2BD1535F.TMP
MD5:
SHA256:
3972WKCONV.EXEC:\Users\admin\AppData\Local\Temp\OICE_33F03A1A-7627-4F4A-BC4E-2DF4FFC4B50A.0\22928
MD5:
SHA256:
3972WKCONV.EXEC:\Users\admin\AppData\Local\Temp\OICE_33F03A1A-7627-4F4A-BC4E-2DF4FFC4B50A.0\~DF860DB162C2AC4B16.TMP
MD5:
SHA256:
3224WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFA80264DB2E21F0D3.TMP
MD5:
SHA256:
3224WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{25D723C9-243D-46EF-A215-A82D66B6EB9F}.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.106.50:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D
unknown
der
727 b
whitelisted
GET
200
2.16.106.50:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D
unknown
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2.16.106.50:80
ocsp.usertrust.com
Akamai International B.V.
whitelisted
1848
gup.exe
37.59.28.236:443
notepad-plus-plus.org
OVH SAS
FR
whitelisted

DNS requests

Domain
IP
Reputation
notepad-plus-plus.org
  • 37.59.28.236
whitelisted
ocsp.usertrust.com
  • 2.16.106.50
  • 2.16.106.80
whitelisted

Threats

No threats detected
Process
Message
WINWORD.EXE
TAG 'f2yg': CreateSandBoxedProcessWorker() is called
WINWORD.EXE
TAG 'b10e': Created desktop: Microsoft Office Isolated Environment
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Reply.wps