analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

641d1e752250d27556de774dbb3692d24c4236595ee0e26cc055d4ab5e9cdbe0.doc

Full analysis: https://app.any.run/tasks/eabff2e4-81bc-409b-a58d-94444f0b9b37
Verdict: Malicious activity
Analysis date: May 20, 2020, 13:41:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-close
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 932, Template: Normal.dotm, Revision Number: 17, Total Editing Time: 01:39:00, Create Time/Date: Mon May 18 03:08:00 2020, Last Saved Time/Date: Tue May 19 04:07:00 2020, Number of Pages: 1, Number of Words: 21, Number of Characters: 121, Security: 0
MD5:

C031B786CB0A7479CC72D299DAB2F0E3

SHA1:

10FA9313309A00955EC8F49B639909C4ED124AC4

SHA256:

641D1E752250D27556DE774DBB3692D24C4236595EE0E26CC055D4AB5E9CDBE0

SSDEEP:

12288:/esFbPMTAdMFfU6p+t2tLf26NB6Y6mAmh/pELQ/R0Vks/HT2ZIe4mbe8P:2sbPHj61Le6X6WEcRtF4i/P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • SfsDllSample.exe (PID: 2296)
    • Loads dropped or rewritten executable

      • SfsDllSample.exe (PID: 2296)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2836)
    • Changes the autorun value in the registry

      • SfsDllSample.exe (PID: 2296)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2836)
    • Actions looks like stealing of personal data

      • notepad++.exe (PID: 2240)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • SfsDllSample.exe (PID: 2296)
    • Creates files in the user directory

      • notepad++.exe (PID: 2240)
  • INFO

    • Manual execution by user

      • notepad++.exe (PID: 2240)
      • mspaint.exe (PID: 2316)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2836)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (38.3)
.xls | Microsoft Excel sheet (alternate) (29.3)
.doc | Microsoft Word document (old ver.) (22.7)

EXIF

FlashPix

HeadingPairs:
  • ?^?C?g??
  • 1
TitleOfParts: ??????
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 141
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Japanese (Shift-JIS)
Security: None
Characters: 121
Words: 21
Pages: 1
ModifyDate: 2020:05:19 03:07:00
CreateDate: 2020:05:18 02:08:00
TotalEditTime: 1.6 hours
RevisionNumber: 17
Template: Normal.dotm
Comments: -
Keywords: -
Subject: -
CompObjUserType: Microsoft Word 97-2003 ????
CompObjUserTypeLen: 28
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
5
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start winword.exe notepad++.exe gup.exe mspaint.exe no specs sfsdllsample.exe

Process information

PID
CMD
Path
Indicators
Parent process
2836"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\641d1e752250d27556de774dbb3692d24c4236595ee0e26cc055d4ab5e9cdbe0.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2240"C:\Program Files\Notepad++\notepad++.exe" C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Version:
7.51
1696"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
4294967295
Version:
4.1
2316"C:\Windows\system32\mspaint.exe" C:\Windows\system32\mspaint.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2296"C:\Users\admin\AppData\Local\Temp\HFVREUI\SfsDllSample.exe" C:\Users\admin\AppData\Local\Temp\HFVREUI\SfsDllSample.exe
WINWORD.EXE
User:
admin
Integrity Level:
MEDIUM
Total events
3 798
Read events
2 459
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
1
Text files
10
Unknown types
3

Dropped files

PID
Process
Filename
Type
2836WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR991D.tmp.cvr
MD5:
SHA256:
2836WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF11CF9AE2F486D970.TMP
MD5:
SHA256:
2836WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF1C96B31EC8E3D002.TMP
MD5:
SHA256:
2836WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF8EFFF151766D944B.TMP
MD5:
SHA256:
2836WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF35DBE696E43C8479.TMP
MD5:
SHA256:
2836WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF058C955BF2D0B4E5.TMP
MD5:
SHA256:
2836WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF94642552F6F5CCEC.TMP
MD5:
SHA256:
2836WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3B27674A-D6F9-46DE-9FCF-D0A83462F0F4}.tmp
MD5:
SHA256:
2836WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFB385B84F24EB8262.TMP
MD5:
SHA256:
2836WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{80E09FB5-69D1-4FA0-B51A-1C3CC2B56117}.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1696
gup.exe
104.31.89.28:443
notepad-plus-plus.org
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
notepad-plus-plus.org
  • 104.31.89.28
  • 104.31.88.28
whitelisted

Threats

No threats detected
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093