Malware analysis bill4759.doc Malicious activity | ANY.RUN

Add for printing

File name:	bill4759.doc
Full analysis:	https://app.any.run/tasks/72ddf59e-9256-4a8f-900d-c226a20f123e
Verdict:	Malicious activity
Analysis date:	May 20, 2019, 12:38:42
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Bob Brown, Template: Normal.dotm, Last Saved By: Bob Brown, Revision Number: 8, Name of Creating Application: Microsoft Office Word, Total Editing Time: 05:00, Create Time/Date: Thu May 16 10:32:00 2019, Last Saved Time/Date: Thu May 16 10:58:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:	C459B5D54552D99A4658C680DBF61DCC
SHA1:	CC29DB93DC649F7AF9E9D2E4BB6F35382278B943
SHA256:	62AE80DC45B409A7A609EEAB1228C661B9303FCB1D8B8090907C9241B1FE1F57
SSDEEP:	3072:IQSzo2azvHOWAFum2UIUiN1r+F1+nls1v/kvy:IBzo2AvPA92UIUeznls1v9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Executable content was dropped or overwritten
  - WINWORD.EXE (PID: 3336)
- Unusual execution from Microsoft Office
  - WINWORD.EXE (PID: 3336)
- Application was dropped or rewritten from another process
  - wprgxyeqd79.exe (PID: 2684)
  - rher.exe (PID: 2724)
- Loads dropped or rewritten executable
  - WINWORD.EXE (PID: 3336)
  - wprgxyeqd79.exe (PID: 2684)
  - rher.exe (PID: 2724)
  - svchost.exe (PID: 4056)
  - WerFault.exe (PID: 2644)
SUSPICIOUS
- Reads Internet Cache Settings
  - WINWORD.EXE (PID: 3336)
- Executable content was dropped or overwritten
  - wprgxyeqd79.exe (PID: 2684)
INFO
- Creates files in the user directory
  - WINWORD.EXE (PID: 3336)
- Dropped object may contain Bitcoin addresses
  - WINWORD.EXE (PID: 3336)
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 3336)
- Application was crashed
  - rher.exe (PID: 2724)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (80)

EXIF

FlashPix

Title:	-
Subject:	-
Author:	Bob Brown
Keywords:	-
Template:	Normal.dotm
LastModifiedBy:	Bob Brown
RevisionNumber:	8
Software:	Microsoft Office Word
TotalEditTime:	5.0 minutes
CreateDate:	2019:05:16 09:32:00
ModifyDate:	2019:05:16 09:58:00
Pages:	1
Words:	-
Characters:	1
Security:	None
CodePage:	Unicode (UTF-8)
Company:	Microsoft
Lines:	1
Paragraphs:	1
CharCountWithSpaces:	1
AppVersion:	14
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	-
HeadingPairs:	Название 1
CompObjUserTypeLen:	-
CompObjUserType:	-

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3336	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\bill4759.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
2684	C:\Users\Public\wprgxyeqd79.exe	C:\Users\Public\wprgxyeqd79.exe		WINWORD.EXE
User: admin Company: Miranda IM Integrity Level: MEDIUM Description: Tile Textheight Clipbook Mostly Wading Exit code: 0 Version: 8.7.56.236
2724	C:\Users\Public\rher.exe	C:\Users\Public\rher.exe		WINWORD.EXE
User: admin Company: x264 project Integrity Level: MEDIUM Description: Nkcreatestaticmapping Aboriginal Year Exit code: 3221225477 Version: 5.7.3.790
4056	C:\Windows\System32\svchost.exe -k WerSvcGroup	C:\Windows\System32\svchost.exe	—	services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2644	C:\Windows\system32\WerFault.exe -u -p 2724 -s 712	C:\Windows\system32\WerFault.exe	—	svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 135

Read events

793

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3336	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRED6A.tmp.cvr		—
		MD5:—	SHA256:—
3336	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:17222E7BED955763CB75EBDA153E0074	SHA256:EAEB163582F92B56C14963150DA7DBEA34565552F3D187A793BE19BEB0978882
2644	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\rher.exe.2724.dmp		dmp
		MD5:301ECFC1A5AADC3A50A8E40165EF9252	SHA256:9DB79DECB3B004333A04D0D0EE15D6D55AE9666C9119B2880AF26B94EA0CD97B
3336	WINWORD.EXE	C:\Users\Public\wprgxyeqd79.exe		executable
		MD5:6DF420B5D8BDDB0F5FFE3EDCC9A4464B	SHA256:1EE1BA514212F11A69D002005DFC623B1871CC808F18DDFA2191102BBB9F623B
3336	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ananas[1].exe		executable
		MD5:7E77BB853D227E06B635E6EB3E0B31F0	SHA256:385F0A0CCAEC6272C8270F0D5228F2641CCA916E84825EBB35DBEBB036FA2165
2684	wprgxyeqd79.exe	C:\Users\admin\AppData\Local\Temp\1D86.tmp		executable
		MD5:ED60C95C805DBAEE92C90C3AB930085A	SHA256:D35574D2CC42B4EDBF217A86639864422FBE02443250A36EB2CD11B22F165C39
3336	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\pasmmm[1].exe		executable
		MD5:6DF420B5D8BDDB0F5FFE3EDCC9A4464B	SHA256:1EE1BA514212F11A69D002005DFC623B1871CC808F18DDFA2191102BBB9F623B
3336	WINWORD.EXE	C:\Users\Public\rher.exe		executable
		MD5:7E77BB853D227E06B635E6EB3E0B31F0	SHA256:385F0A0CCAEC6272C8270F0D5228F2641CCA916E84825EBB35DBEBB036FA2165
2644	WerFault.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_rher.exe_379ab0e06c94173b5e3bfd67e28d4ef6f46c3531_0a40bdff\Report.wer		binary
		MD5:648B30A783D098ABCBFE4CC44835FCB5	SHA256:AAF56B4A6535E703F9E8545DD0E0F1CB08FC92CEC4259F7EC9513D15D4B14E16
3336	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$ll4759.doc		pgc
		MD5:A705DCE972DFA99998900DF4F48FD84B	SHA256:1F0A3926EB6A5EADB3EF4FF815152E4A651F65ED906B66FA220FC995814AAB31

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2724	rher.exe	GET	—	104.218.63.76:80	http://104.218.63.76/tor/server/fp/484f666c491bcde22b45e0e19d1cea5acc5a9611	CA	—	—	suspicious
2724	rher.exe	GET	—	162.247.74.216:80	http://162.247.74.216/tor/server/fp/7f849e3b86dd0df2c4d0e31108228ec7c714191b	US	—	—	suspicious
2724	rher.exe	GET	—	199.249.230.108:80	http://199.249.230.108/tor/server/fp/592031cfdba17dd46e1e365e6c60ad1f81655033	US	—	—	malicious
2724	rher.exe	GET	—	66.111.2.131:9030	http://66.111.2.131:9030/tor/status-vote/current/consensus	US	—	—	suspicious
2724	rher.exe	GET	—	185.96.180.164:80	http://185.96.180.164/tor/server/fp/4109314e35c8e4084ae2bc1711562d380077b1f0	DK	—	—	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2724	rher.exe	54.243.147.226:443	api.ipify.org	Amazon.com, Inc.	US	malicious
2724	rher.exe	66.111.2.131:9030	—	The New York Internet Company	US	suspicious
2724	rher.exe	37.123.132.154:443	—	Bahnhof Internet AB	NO	suspicious
3336	WINWORD.EXE	47.245.58.124:443	kentona.su	—	US	suspicious
2724	rher.exe	129.6.15.28:13	time-a.nist.gov	National Bureau of Standards	US	unknown
2724	rher.exe	199.249.230.108:80	—	Quintex Alliance Consulting	US	malicious
2724	rher.exe	162.247.74.216:80	—	The Calyx Institute	US	suspicious
2724	rher.exe	185.96.180.164:80	—	BornFiber Service Provider ApS	DK	suspicious
2724	rher.exe	104.218.63.76:80	—	Tech Futures Interactive Inc.	CA	suspicious

DNS requests

Domain	IP	Reputation
kentona.su	47.245.58.124	malicious
api.ipify.org	54.243.147.226 54.225.171.237 54.204.36.156 50.19.247.198 50.16.229.140 54.235.124.112 107.22.215.20 54.243.198.12	shared
time-a.nist.gov	129.6.15.28	whitelisted

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET DNS Query for .su TLD (Soviet Union) Often Malware Related
2724	rher.exe	Misc Attack	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 550
2724	rher.exe	Misc activity	SUSPICIOUS [PTsecurity] ipify.org External IP Check
2724	rher.exe	Misc activity	SUSPICIOUS [PTsecurity] ipify.org External IP Check
2724	rher.exe	Misc Attack	ET TOR Known Tor Exit Node Traffic group 12
2724	rher.exe	Misc Attack	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 13
2724	rher.exe	Potential Corporate Privacy Violation	ET P2P Tor Get Server Request
2724	rher.exe	Misc Attack	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 452
2724	rher.exe	Misc Attack	ET TOR Known Tor Exit Node Traffic group 2
2724	rher.exe	Misc Attack	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 2

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

bill4759.doc

C459B5D54552D99A4658C680DBF61DCC

CC29DB93DC649F7AF9E9D2E4BB6F35382278B943

62AE80DC45B409A7A609EEAB1228C661B9303FCB1D8B8090907C9241B1FE1F57

3072:IQSzo2azvHOWAFum2UIUiN1r+F1+nls1v/kvy:IBzo2AvPA92UIUeznls1v9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executable content was dropped or overwritten

Unusual execution from Microsoft Office

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

SUSPICIOUS

Reads Internet Cache Settings

Executable content was dropped or overwritten

INFO

Creates files in the user directory

Dropped object may contain Bitcoin addresses

Reads Microsoft Office registry keys

Application was crashed

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings