File name:	Edwardo resume.doc
Full analysis:	https://app.any.run/tasks/1ccb505b-27b7-4f88-b095-0ae625f472ee
Verdict:	Malicious activity
Threats:	Dridex is a very evasive and technically complex banking trojan. Despite being based on a relatively old malware code, it was substantially updated over the years and became capable of using very effective infiltration techniques that make this malware especially dangerous. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	May 30, 2019, 08:00:51
OS:	Windows 8.1 Professional (build: 9600, 64 bit)
Tags:	macros macros-on-open trojan loader dridex
Indicators:
MIME:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:	Microsoft Word 2007+
MD5:	27D3E9403115EBC394906D266EDFC9AC
SHA1:	AF436ACE53070F9EEC1FF5049A07B950B2FCD9E5
SHA256:	60D5166AEBF70BDA86E0DD41B777BE550AD364CD310CBAD41780347B463B2689
SSDEEP:	1536:nALxk6rxmqXx6UoRSUNLmoy2+u1b5bWONWU73SgfqxKi:Af9mPDLmoyKjcUu4qxKi

.docm	\|	Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx	\|	Word Microsoft Office Open XML Format document (24.2)
.zip	\|	Open Packaging Conventions container (18)
.zip	\|	ZIP compressed archive (4.1)

ModifyDate:	2019:05:30 05:22:00Z
CreateDate:	2019:05:22 12:44:00Z
RevisionNumber:	10
LastModifiedBy:	pablo.warner
Keywords:	-
AppVersion:	12
HyperlinksChanged:	No
SharedDoc:	No
CharactersWithSpaces:	1
LinksUpToDate:	No
Company:	home
TitlesOfParts:	-
HeadingPairs:	Title 1
ScaleCrop:	No
Paragraphs:	1
Lines:	1
DocSecurity:	None
Application:	Microsoft Office Word
Characters:	1
Words:	-
Pages:	1
TotalEditTime:	6 minutes
Template:	Normal.dotm

ZipFileName:	[Content_Types].xml
ZipUncompressedSize:	1635
ZipCompressedSize:	445
ZipCRC:	0x746ff8d9
ZipModifyDate:	1980:01:01 00:00:00
ZipCompression:	Deflated
ZipBitFlag:	0x0006
ZipRequiredVersion:	20


(PID) Process:	(932) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency\StartupItems
Operation:	write	Name:	fx9
Value: 66783900A40300000100000000000000D17F5ADFBD16D50100000000
(PID) Process:	(932) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(932) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(932) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	11274
Value: On
(PID) Process:	(932) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word
Operation:	write	Name:	MTTT
Value: A40300006A3C62D9BD16D50100000000
(PID) Process:	(932) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency\StartupItems
Operation:	write	Name:	i}9
Value: 697D3900A40300000400000000000000B1B20FE0BD16D5018C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(932) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency\StartupItems
Operation:	delete value	Name:	i}9
Value: 697D3900A40300000400000000000000B1B20FE0BD16D5018C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(932) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Roaming
Operation:	write	Name:	RoamingConfigurableSettings
Value: B800000000000000803A0900E307050004001E00080001001800AB02000000000000000000000000201C0000201C00008051010080510100805101008051010080F4030080F4030080F403002C01000084030000805101000000000084030000805101000A0000001E0000001E000000000000000000000080510100010000000100000000000000000000000000000000000000008D2700008D2700008D2700010000000A00000080510100000030000000300000003000
(PID) Process:	(932) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Roaming
Operation:	write	Name:	RoamingLastSyncTime
Value: E307050004001E00080001001800AB02
(PID) Process:	(932) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Roaming
Operation:	write	Name:	RoamingLastWriteTime
Value: E307050004001E00080001001800AB02

PID	Process	Filename		Type
932	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRAC97.tmp.cvr		—
		MD5:—	SHA256:—
932	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2ECCE926.png		—
		MD5:—	SHA256:—
932	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd		tlb
		MD5:730A2E4CF3E404B25C184EB1CCFEF747	SHA256:E0CA8207BD4F5B5B7A4365C2084534C948519871BC36F34D830FB53272343AF5
932	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:C62F740F1231E6E2D1C8CE104A5291A1	SHA256:9CDD49C83203901C95C8EDDD6B9D72D6BD6712A25FCD172B7214C0B142C21889
932	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$wardo resume.doc.docm		pgc
		MD5:69411B4F5A81D56C41DB0ABD39E54AB6	SHA256:83AB612747CA35209876CC702CA735A311E85FEDA88282CD94DA9681F6EE8420
2296	wmic.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\IFB0YWPX\5[1].exe		executable
		MD5:4A75D90BA45F0755E0EB7200CADCEF6D	SHA256:DCEF8ECF6E93D1095CBF2624980EDD1AA662C7986256947E79016EA284CE961D
2296	wmic.exe	C:\windows\temp\awMiOFl.exe		executable
		MD5:4A75D90BA45F0755E0EB7200CADCEF6D	SHA256:DCEF8ECF6E93D1095CBF2624980EDD1AA662C7986256947E79016EA284CE961D
1244	awMiOFl.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506		compressed
		MD5:7EB117D4F238090940DBE43EFBCDF1F4	SHA256:A45A77D256628943190F8AA0F4673496D11DBA6BC3569796B6F733465FD005E4
1244	awMiOFl.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:2C65CBBD4BB4B2011BBF88A9E08C9B8B	SHA256:C663AE9570875EEB5B1A451EAFEB2BAA75FA0AFCD27B5C1F13ADB8C79308F026
932	WINWORD.EXE	C:\Windows\Temp\aXwZvnt48.xsl		xml
		MD5:B52D790F96FE1A504939D194C8DE4C65	SHA256:5984FDFDF8F180CD06DB7ED978ADD90D805FEDCAB9BC1855F5B48A89895D487F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2296	wmic.exe	GET	200	209.141.46.175:80	http://209.141.46.175/5.exe	US	executable	260 Kb	malicious
1244	awMiOFl.exe	GET	200	13.107.4.50:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c518e8a7ab1cb476	US	compressed	56.1 Kb	whitelisted

Domain	IP	Reputation
www.microsoft.com	2.21.41.70	whitelisted
ctldl.windowsupdate.com	13.107.4.50	whitelisted

PID	Process	Class	Message
—	—	A Network Trojan was detected	ET INFO Executable Download from dotted-quad Host
—	—	A Network Trojan was detected	ET TROJAN Single char EXE direct download likely trojan (multiple families)
—	—	A Network Trojan was detected	ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Potentially Bad Traffic	ET INFO SUSPICIOUS Dotted Quad Host MZ Response
—	—	A Network Trojan was detected	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
—	—	A Network Trojan was detected	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
—	—	A Network Trojan was detected	MALWARE [PTsecurity] Dridex/Feodo SSL connection

Process	Message
WINWORD.EXE	SHIMVIEW: ShimInfo(Complete)
awMiOFl.exe	SHIMVIEW: ShimInfo(Complete)
awMiOFl.exe	Installing...
awMiOFl.exe	Installing...
awMiOFl.exe	Installing...
awMiOFl.exe	Installing...
awMiOFl.exe	Installing...
awMiOFl.exe	Installing...
awMiOFl.exe	Installing...
awMiOFl.exe	Installing...

Description:	-
Creator:	admin
Subject:	-
Title:	-

General Info

Edwardo resume.doc

27D3E9403115EBC394906D266EDFC9AC

AF436ACE53070F9EEC1FF5049A07B950B2FCD9E5

60D5166AEBF70BDA86E0DD41B777BE550AD364CD310CBAD41780347B463B2689

1536:nALxk6rxmqXx6UoRSUNLmoy2+u1b5bWONWU73SgfqxKi:Af9mPDLmoyKjcUu4qxKi

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Downloads executable files from the Internet

Downloads executable files from IP

SUSPICIOUS

Executable content was dropped or overwritten

Removes files from Windows directory

Creates files in the Windows directory

Searches for installed software

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

XMP

XML

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings