analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

60e518257525caca179ec234b4b2bdfd57b0dfff8ac6740204c18f4d8fc830b1

Full analysis: https://app.any.run/tasks/e192caa1-80e6-479b-8341-2c9f45a65478
Verdict: Malicious activity
Analysis date: January 22, 2019, 18:19:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
macros-on-close
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Author: IRIS, Template: Normal, Revision Number: 225, Name of Creating Application: Microsoft Word 9.0, Total Editing Time: 13:49:00, Last Printed: Thu Dec 11 08:31:00 2003, Create Time/Date: Wed Dec 3 02:18:00 2003, Last Saved Time/Date: Wed Mar 9 12:41:00 2005, Number of Pages: 10, Number of Words: 1640, Number of Characters: 9352, Security: 0
MD5:

397B90BE2C63F105FF07E86DFD09A6C5

SHA1:

1460B1FF02926CECAEF6741CA6A9C0C917D0D4BE

SHA256:

60E518257525CACA179EC234B4B2BDFD57B0DFFF8AC6740204C18F4D8FC830B1

SSDEEP:

3072:oGhK+QMgq3F7qNQNQMQXQ8QnQDQHQPQbQsQMQ//QnQevQw5j9HUi0cbsdvUjptcA:odiV3ANABK9myWyGp9iSfvpt9KccA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • WINWORD.EXE (PID: 2996)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2996)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2996)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: ???????룺
Subject: -
Author: IRIS
Keywords: -
Comments: -
Template: Normal
LastModifiedBy: ??????
RevisionNumber: 225
Software: Microsoft Word 9.0
TotalEditTime: 13.8 hours
LastPrinted: 2003:12:11 08:31:00
CreateDate: 2003:12:03 02:18:00
ModifyDate: 2005:03:09 12:41:00
Pages: 10
Words: 1640
Characters: 9352
Security: None
Company: ????˼????(????)???޹?˾
Lines: 77
Paragraphs: 18
CharCountWithSpaces: 11484
AppVersion: 9.2812
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: ???????룺
HeadingPairs:
  • ??Ŀ
  • 1
CodePage: Windows Simplified Chinese (PRC, Singapore)
Hyperlinks:
  • jwbiotu5
CompObjUserTypeLen: 20
CompObjUserType: Microsoft Word ?ĵ?
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs regsvr32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2996"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\60e518257525caca179ec234b4b2bdfd57b0dfff8ac6740204c18f4d8fc830b1.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3324regsvr32 -s "C:\Users\admin\AppData\Local\Temp\ISIS_Proposal.dll"C:\Windows\system32\regsvr32.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 058
Read events
928
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
0
Unknown types
31

Dropped files

PID
Process
Filename
Type
2996WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE718.tmp.cvr
MD5:
SHA256:
2996WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF2546B13FC90282AA.TMP
MD5:
SHA256:
2996WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF2FBE498ADC773EEF.TMP
MD5:
SHA256:
2996WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F1C82313.wmf
MD5:
SHA256:
2996WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EAFB6199.wmf
MD5:
SHA256:
2996WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\100D2E9F.wmfwmf
MD5:F98EE707E5DB5EF5FD417A89E0890DDB
SHA256:23CC0D4A2AA0ADE3778AC8755C2E9F96F03FA10C9B7788BC84327C476009CA85
2996WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3261CA0.wmfwmf
MD5:E765A46B5C6ED266DC4C6D085C2EFE5E
SHA256:203C59622244D39D0E92C548200C2EFFFB95263A47909379D364A1891798C3E5
2996WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:DCAA67B0E70660D81D617FA974400603
SHA256:9FABD5C9F34C29E3100E05A15E1B4542A4BAF8849FC0CED4847B6465D692BCF4
2996WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D1565105.wmfwmf
MD5:D3F072A297DD05D796D32241C1BA5779
SHA256:B8B71C0CA69054F54D212544334951F3B446F27C0DCA6181FD7EA78610AF2BA2
2996WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8F97D00F.wmf
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
60e518257525caca179ec234b4b2bdfd57b0dfff8ac6740204c18f4d8fc830b1