Malware analysis bill4759.doc Malicious activity | ANY.RUN

Add for printing

File name:	bill4759.doc
Full analysis:	https://app.any.run/tasks/72ddf59e-9256-4a8f-900d-c226a20f123e
Verdict:	Malicious activity
Analysis date:	May 20, 2019, 12:38:42
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Bob Brown, Template: Normal.dotm, Last Saved By: Bob Brown, Revision Number: 8, Name of Creating Application: Microsoft Office Word, Total Editing Time: 05:00, Create Time/Date: Thu May 16 10:32:00 2019, Last Saved Time/Date: Thu May 16 10:58:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:	C459B5D54552D99A4658C680DBF61DCC
SHA1:	CC29DB93DC649F7AF9E9D2E4BB6F35382278B943
SHA256:	62AE80DC45B409A7A609EEAB1228C661B9303FCB1D8B8090907C9241B1FE1F57
SSDEEP:	3072:IQSzo2azvHOWAFum2UIUiN1r+F1+nls1v/kvy:IBzo2AvPA92UIUeznls1v9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Executable content was dropped or overwritten
  - WINWORD.EXE (PID: 3336)
- Loads dropped or rewritten executable
  - WINWORD.EXE (PID: 3336)
  - wprgxyeqd79.exe (PID: 2684)
  - svchost.exe (PID: 4056)
  - rher.exe (PID: 2724)
  - WerFault.exe (PID: 2644)
- Unusual execution from Microsoft Office
  - WINWORD.EXE (PID: 3336)
- Application was dropped or rewritten from another process
  - wprgxyeqd79.exe (PID: 2684)
  - rher.exe (PID: 2724)
SUSPICIOUS
- Reads Internet Cache Settings
  - WINWORD.EXE (PID: 3336)
- Executable content was dropped or overwritten
  - wprgxyeqd79.exe (PID: 2684)
INFO
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 3336)
- Creates files in the user directory
  - WINWORD.EXE (PID: 3336)
- Dropped object may contain Bitcoin addresses
  - WINWORD.EXE (PID: 3336)
- Application was crashed
  - rher.exe (PID: 2724)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (80)

EXIF

FlashPix

Title:	-
Subject:	-
Author:	Bob Brown
Keywords:	-
Template:	Normal.dotm
LastModifiedBy:	Bob Brown
RevisionNumber:	8
Software:	Microsoft Office Word
TotalEditTime:	5.0 minutes
CreateDate:	2019:05:16 09:32:00
ModifyDate:	2019:05:16 09:58:00
Pages:	1
Words:	-
Characters:	1
Security:	None
CodePage:	Unicode (UTF-8)
Company:	Microsoft
Lines:	1
Paragraphs:	1
CharCountWithSpaces:	1
AppVersion:	14
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	-
HeadingPairs:	Название 1
CompObjUserTypeLen:	-
CompObjUserType:	-

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2644

C:\Windows\system32\WerFault.exe -u -p 2724 -s 712

C:\Windows\system32\WerFault.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\werfault.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2684

C:\Users\Public\wprgxyeqd79.exe

WINWORD.EXE

User:

admin

Company:

Miranda IM

Integrity Level:

MEDIUM

Description:

Tile Textheight Clipbook Mostly Wading

Exit code:

Version:

8.7.56.236

Modules

Images
c:\users\public\wprgxyeqd79.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

2724

C:\Users\Public\rher.exe

WINWORD.EXE

User:

admin

Company:

x264 project

Integrity Level:

MEDIUM

Description:

Nkcreatestaticmapping Aboriginal Year

Exit code:

3221225477

Version:

5.7.3.790

Modules

Images
c:\users\public\rher.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

3336

"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\bill4759.doc"

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Word

Exit code:

Version:

14.0.6024.1000

Modules

Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

4056

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\System32\svchost.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wersvc.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\faultrep.dll

Add for printing

Total events

1 135

Read events

793

Write events

337

Delete events

Modification events


(PID) Process:	(3336) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	j9?
Value: 6A393F00080D0000010000000000000000000000
(PID) Process:	(3336) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(3336) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(3336) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	WORDFiles
Value: 1320419358
(PID) Process:	(3336) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1320419472
(PID) Process:	(3336) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1320419473
(PID) Process:	(3336) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:	write	Name:	MTTT
Value: 080D000054970403090FD50100000000
(PID) Process:	(3336) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	?;?
Value: 3F3B3F00080D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(3336) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	delete value	Name:	?;?
Value: 3F3B3F00080D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(3336) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3336	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRED6A.tmp.cvr		—
		MD5:—	SHA256:—
3336	WINWORD.EXE	C:\Users\Public\wprgxyeqd79.exe		executable
		MD5:—	SHA256:—
2684	wprgxyeqd79.exe	C:\Users\admin\AppData\Local\Temp\1D86.tmp		executable
		MD5:—	SHA256:—
3336	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$ll4759.doc		pgc
		MD5:—	SHA256:—
3336	WINWORD.EXE	C:\Users\Public\rher.exe		executable
		MD5:—	SHA256:—
3336	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:—	SHA256:—
3336	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\pasmmm[1].exe		executable
		MD5:—	SHA256:—
2644	WerFault.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_rher.exe_379ab0e06c94173b5e3bfd67e28d4ef6f46c3531_0a40bdff\Report.wer		binary
		MD5:—	SHA256:—
3336	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ananas[1].exe		executable
		MD5:—	SHA256:—
2644	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\rher.exe.2724.dmp		dmp
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2724	rher.exe	GET	—	185.96.180.164:80	http://185.96.180.164/tor/server/fp/4109314e35c8e4084ae2bc1711562d380077b1f0	DK	—	—	suspicious
2724	rher.exe	GET	—	162.247.74.216:80	http://162.247.74.216/tor/server/fp/7f849e3b86dd0df2c4d0e31108228ec7c714191b	US	—	—	suspicious
2724	rher.exe	GET	—	104.218.63.76:80	http://104.218.63.76/tor/server/fp/484f666c491bcde22b45e0e19d1cea5acc5a9611	CA	—	—	suspicious
2724	rher.exe	GET	—	66.111.2.131:9030	http://66.111.2.131:9030/tor/status-vote/current/consensus	US	—	—	suspicious
2724	rher.exe	GET	—	199.249.230.108:80	http://199.249.230.108/tor/server/fp/592031cfdba17dd46e1e365e6c60ad1f81655033	US	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3336	WINWORD.EXE	47.245.58.124:443	kentona.su	—	US	suspicious
2724	rher.exe	54.243.147.226:443	api.ipify.org	Amazon.com, Inc.	US	malicious
2724	rher.exe	185.96.180.164:80	—	BornFiber Service Provider ApS	DK	suspicious
2724	rher.exe	162.247.74.216:80	—	The Calyx Institute	US	suspicious
2724	rher.exe	129.6.15.28:13	time-a.nist.gov	National Bureau of Standards	US	unknown
2724	rher.exe	104.218.63.76:80	—	Tech Futures Interactive Inc.	CA	suspicious
2724	rher.exe	37.123.132.154:443	—	Bahnhof Internet AB	NO	suspicious
2724	rher.exe	66.111.2.131:9030	—	The New York Internet Company	US	suspicious
2724	rher.exe	199.249.230.108:80	—	Quintex Alliance Consulting	US	malicious

DNS requests

Domain	IP	Reputation
kentona.su	47.245.58.124	malicious
api.ipify.org	54.243.147.226 54.225.171.237 54.204.36.156 50.19.247.198 50.16.229.140 54.235.124.112 107.22.215.20 54.243.198.12	shared
time-a.nist.gov	129.6.15.28	whitelisted

Threats

PID	Process	Class	Message
1056	svchost.exe	Potentially Bad Traffic	ET DNS Query for .su TLD (Soviet Union) Often Malware Related
2724	rher.exe	Misc Attack	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 550
2724	rher.exe	Misc activity	SUSPICIOUS [PTsecurity] ipify.org External IP Check
2724	rher.exe	Misc activity	SUSPICIOUS [PTsecurity] ipify.org External IP Check
2724	rher.exe	Misc Attack	ET TOR Known Tor Exit Node Traffic group 12
2724	rher.exe	Misc Attack	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 13
2724	rher.exe	Potential Corporate Privacy Violation	ET P2P Tor Get Server Request
2724	rher.exe	Misc Attack	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 452
2724	rher.exe	Misc Attack	ET TOR Known Tor Exit Node Traffic group 2
2724	rher.exe	Misc Attack	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 2

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

bill4759.doc

C459B5D54552D99A4658C680DBF61DCC

CC29DB93DC649F7AF9E9D2E4BB6F35382278B943

62AE80DC45B409A7A609EEAB1228C661B9303FCB1D8B8090907C9241B1FE1F57

3072:IQSzo2azvHOWAFum2UIUiN1r+F1+nls1v/kvy:IBzo2AvPA92UIUeznls1v9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executable content was dropped or overwritten

Loads dropped or rewritten executable

Unusual execution from Microsoft Office

Application was dropped or rewritten from another process

SUSPICIOUS

Reads Internet Cache Settings

Executable content was dropped or overwritten

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Dropped object may contain Bitcoin addresses

Application was crashed

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings