analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

5d1ec27295ab1e2b30a3113495f7d2110fd9192326e9ebc2f1968f15fb693368.doc

Full analysis: https://app.any.run/tasks/7417ca2d-0f43-4382-831a-56ec8fbff6dc
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: May 15, 2019, 01:46:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
rat
imminent
maldoc-43
Indicators:
MIME: application/octet-stream
File info: Microsoft OOXML
MD5:

DC0E1216BD27704F7E29AE7E9DD477AB

SHA1:

09920066CF1B5F2B68EDFDBFA182FB5A7471ABB2

SHA256:

5D1EC27295AB1E2B30A3113495F7D2110FD9192326E9EBC2F1968F15FB693368

SSDEEP:

12288:gVy+NOwoWWt7mUtjsSg/33EyIS8QrH14P4KOv2cEfk+j1XFcDLthzv:g4lwo97mgjs3/331IS8QrV4P42LcDLb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 344)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 344)
    • Application was dropped or rewritten from another process

      • ms.exe (PID: 3980)
    • Detected Imminent RAT

      • ms.exe (PID: 3980)
  • SUSPICIOUS

    • Creates files in the program directory

      • WINWORD.EXE (PID: 344)
    • Creates files in the user directory

      • ms.exe (PID: 3980)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 344)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 344)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1768
ZipCompressedSize: 430
ZipCRC: 0xa1fe8fa1
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winword.exe #IMMINENT ms.exe wmiapsrv.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
344"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\5d1ec27295ab1e2b30a3113495f7d2110fd9192326e9ebc2f1968f15fb693368.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
3980C:\ProgramData\Memsys\ms.exeC:\ProgramData\Memsys\ms.exe
WINWORD.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
apppp.exe
Version:
1.0.0.0
Modules
Images
c:\programdata\memsys\ms.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3568C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Performance Reverse Adapter
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmiapsrv.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
1 193
Read events
856
Write events
332
Delete events
5

Modification events

(PID) Process:(344) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:d4=
Value:
64343D0058010000010000000000000000000000
(PID) Process:(344) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(344) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(344) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1320091678
(PID) Process:(344) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1320091792
(PID) Process:(344) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1320091793
(PID) Process:(344) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
58010000AE098B07C00AD50100000000
(PID) Process:(344) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:=6=
Value:
3D363D005801000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(344) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:=6=
Value:
3D363D005801000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(344) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
1
Suspicious files
4
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
344WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR40D5.tmp.cvr
MD5:
SHA256:
344WINWORD.EXEC:\Users\admin\AppData\Local\Temp\mso4512.tmp
MD5:
SHA256:
344WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$1ec27295ab1e2b30a3113495f7d2110fd9192326e9ebc2f1968f15fb693368.docpgc
MD5:DB98C9A4291A511C138AC856663BF969
SHA256:22631638E55864E3914EEBCE641B48E8C54686C5A9C1CFA277BF71D3CD25DCBA
3980ms.exeC:\Users\admin\AppData\Roaming\Imminent\Monitoring\network.datbinary
MD5:5850B2ACBB7E31107E0DEACCC6897ACB
SHA256:1A8BED4B47A83BF7100DAC70D66FD934F95A47D24C83F8FE149F978A7F9C8D95
3980ms.exeC:\Users\admin\AppData\Roaming\Imminent\Monitoring\system.datbinary
MD5:39C28F73E0E1C346F94FBF13826BC96F
SHA256:C73B92F921B374497F16EBBAC4D801E7C84A4BADF30BB982F58DB0E107D1AB00
344WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:B19FF5CEFD1DA5D0F2805A945B570C3C
SHA256:F75A592B67565D406D9D7F15EC8C276CD6D0D5E54AD5EF87413F565E44175FC9
344WINWORD.EXEC:\ProgramData\Memsys\ms.exeexecutable
MD5:B401DCDC85E71C4DBB2F40F8A0207FCB
SHA256:FE1E5014CC6B33131922BBA25D0D8EE1D89BE49426194DD4F953F3BF19C171C9
3980ms.exeC:\Users\admin\AppData\Roaming\Imminent\Logs\15-05-2019text
MD5:33BE604F8044D5984E8E3E3B694D710A
SHA256:3F785F1CC535B0987139623200C7910B2B28F92DFE3309E8E071C091D0CE7313
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
22
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3980
ms.exe
216.38.7.247:8891
GigeNET
US
malicious
216.38.7.247:8891
GigeNET
US
malicious

DNS requests

No data

Threats

No threats detected
No debug info