analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

16325-16325-16325-163250.doc

Full analysis: https://app.any.run/tasks/5039dbfc-7b2e-42be-87d0-db71ae8ae4c7
Verdict: Malicious activity
Analysis date: September 30, 2020, 04:06:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode text, with very long lines
MD5:

FB5F468EC0181F2A95F22EE8EC2EF130

SHA1:

07EE73E843C0148733EEA87CEC381A6038E7476E

SHA256:

5ED6B9153000CB0B666DDB2D45ED660B4024B089FFC9CC577C8620DFD84D7732

SSDEEP:

768:hzpUQM4rt0+7QVbrFi+vC/7F5yGoJevr40xCZbZq5een0TEcm0Frrrveeeei6r4a:9rt0p5hajiGievr40gVw5een0TEcm0pv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executed via COM

      • iexplore.exe (PID: 2684)

  • INFO

    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 584)
      • iexplore.exe (PID: 2684)
      • iexplore.exe (PID: 3400)

    • Reads internet explorer settings

      • WINWORD.EXE (PID: 584)
      • iexplore.exe (PID: 2692)
      • iexplore.exe (PID: 3400)

    • Changes internet zones settings

      • iexplore.exe (PID: 2684)

    • Application launched itself

      • iexplore.exe (PID: 2684)
      • chrome.exe (PID: 3436)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 584)
      • iexplore.exe (PID: 2684)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2684)
      • WINWORD.EXE (PID: 584)
      • iexplore.exe (PID: 3400)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 584)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2684)
      • iexplore.exe (PID: 2692)

    • Reads the hosts file

      • chrome.exe (PID: 3436)
      • chrome.exe (PID: 2776)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2684)
      • iexplore.exe (PID: 2692)

    • Manual execution by user

      • chrome.exe (PID: 3436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)

EXIF

HTML

Title: *|MC:SUBJECT|*
viewport: width=device-width, initial-scale=1
HTTPEquivXUACompatible: IE=edge
PixelsPerInch: 96
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
66
Monitored processes
26
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe iexplore.exe iexplore.exe iexplore.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
584"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\16325-16325-16325-163250.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2684"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2692"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2684 CREDAT:144385 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3400"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2684 CREDAT:333058 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3436"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
75.0.3770.100
2064"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x60eaa9d0,0x60eaa9e0,0x60eaa9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2104"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2352 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2732"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,2655571448757889271,11871144869221290735,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=6464101424021850303 --mojo-platform-channel-handle=1036 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2776"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1028,2655571448757889271,11871144869221290735,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=17424367218618639602 --mojo-platform-channel-handle=1664 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3416"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,2655571448757889271,11871144869221290735,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10382080329215910718 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
3 519
Read events
2 595
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
496
Text files
150
Unknown types
20

Dropped files

PID
Process
Filename
Type
584WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA51A.tmp.cvr
MD5:
SHA256:
584WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Cab52DB.tmp
MD5:
SHA256:
584WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Tar52EB.tmp
MD5:
SHA256:
3400iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab5B36.tmp
MD5:
SHA256:
3400iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar5B37.tmp
MD5:
SHA256:
2684iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
584WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:E7CF7C7D76EB8601C18DE984E4219EA9
SHA256:8AE03A59DE4E64FF9104761BB71D595044097E560A73B67C07E4ED4986162AB8
584WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691der
MD5:4F4276F3848F701637FC0809EAFB4A13
SHA256:796CC6D8FD509D2384487DA26B9CA26458B74D3066CBEE85145783E76FC3DC72
584WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691binary
MD5:B10A6C61FF82E9D6DB81BDBB095FDDE9
SHA256:4205E9B53C452B2E65660FC2C306344CE21C0C3F0C826187875576EF69107210
3400iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\authorize_client_id_zsmcvljq-e5n3-6ns7-tlwi-knca51szy4rb_7aw09dich41mut6qljx25gsvf3yrzkopnbe8flh2iye85sb6ducnrqxjam970vwgzt4okp13ph421gorsejln0ciukqmxza85[1].htmhtm
MD5:802D8B495341C5434298D39BCD5E4ABF
SHA256:C4E40F88CF5BE692A8CDEA60CFF17A153BF0F8ACB307BFCFB79680854F61B346
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
60
TCP/UDP connections
96
DNS requests
55
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3400
iexplore.exe
GET
78.110.50.127:80
http://srv89704.ht-test.ru/OfficeV4/css/style.css
RU
suspicious
584
WINWORD.EXE
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D
US
der
471 b
whitelisted
584
WINWORD.EXE
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY
US
der
728 b
whitelisted
3400
iexplore.exe
GET
200
78.110.50.127:80
http://srv89704.ht-test.ru/OfficeV4/authorize_client_id:zsmcvljq-e5n3-6ns7-tlwi-knca51szy4rb_7aw09dich41mut6qljx25gsvf3yrzkopnbe8flh2iye85sb6ducnrqxjam970vwgzt4okp13ph421gorsejln0ciukqmxza85vw36fdt9y7b?data=Y2hyaXN0aW5lQHNvdXRoZXJuc3RyYXRhc2VydmljZXMuY29tLmF1
RU
htm
12.9 Kb
suspicious
3400
iexplore.exe
GET
200
78.110.50.127:80
http://srv89704.ht-test.ru/OfficeV4/images/firstmsg1.png
RU
image
3.29 Kb
suspicious
3400
iexplore.exe
GET
200
78.110.50.127:80
http://srv89704.ht-test.ru/OfficeV4/images/ellipsis_grey.svg
RU
image
915 b
suspicious
3400
iexplore.exe
GET
302
78.110.50.127:80
http://srv89704.ht-test.ru/OfficeV4/Y2hyaXN0aW5lQHNvdXRoZXJuc3RyYXRhc2VydmljZXMuY29tLmF1
RU
htm
12.9 Kb
suspicious
3400
iexplore.exe
POST
78.110.50.127:80
http://srv89704.ht-test.ru/OfficeV4/api.php
RU
suspicious
3400
iexplore.exe
GET
200
78.110.50.127:80
http://srv89704.ht-test.ru/OfficeV4/images/forgpass.png
RU
image
713 b
suspicious
3400
iexplore.exe
GET
200
78.110.50.127:80
http://srv89704.ht-test.ru/OfficeV4/images/enterpass.png
RU
image
1.41 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2684
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
584
WINWORD.EXE
72.9.153.136:443
puneganeshfestival.com
Dallas Infrastructure Services, LLC
US
malicious
3400
iexplore.exe
72.9.153.136:443
puneganeshfestival.com
Dallas Infrastructure Services, LLC
US
malicious
3400
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
584
WINWORD.EXE
151.139.128.14:80
ocsp.comodoca.com
Highwinds Network Group, Inc.
US
suspicious
3400
iexplore.exe
78.110.50.127:80
srv89704.ht-test.ru
ZAO Hosting Telesystems
RU
malicious
3400
iexplore.exe
104.109.84.139:443
secure.aadcdn.microsoftonline-p.com
Akamai International B.V.
NL
unknown
2684
iexplore.exe
78.110.50.127:80
srv89704.ht-test.ru
ZAO Hosting Telesystems
RU
malicious
1056
svchost.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1056
svchost.exe
2.16.186.74:80
crl.microsoft.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
puneganeshfestival.com
  • 72.9.153.136
malicious
ocsp.comodoca.com
  • 151.139.128.14
whitelisted
srv89704.ht-test.ru
  • 78.110.50.127
suspicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
secure.aadcdn.microsoftonline-p.com
  • 104.109.84.139
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
crl.microsoft.com
  • 2.16.186.74
  • 2.16.186.120
whitelisted
ocsp.msocsp.com
  • 104.18.25.243
  • 104.18.24.243
whitelisted
ocsp.pki.goog
  • 216.58.208.35
whitelisted

Threats

PID
Process
Class
Message
2776
chrome.exe
Potential Corporate Privacy Violation
ET POLICY HTTP POST contains pass= in cleartext
2776
chrome.exe
Potential Corporate Privacy Violation
ET POLICY HTTP POST contains pass= in cleartext
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
16325-16325-16325-163250.doc