analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://84.54.50.76/tyaffgh.doc

Full analysis: https://app.any.run/tasks/7f4af86a-e069-48ee-9259-fc77a40d821d
Verdict: Malicious activity
Analysis date: April 01, 2023, 06:13:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

0344C05FA731195F25D6C5F0430F4B25

SHA1:

347E9B779894C053D751E0D130F6F370C1EBFC2E

SHA256:

6B7E4F19E2DE1E353DB96B73C1A9B00C3AF97D0A1CF079279EA93556909E0BE5

SSDEEP:

3:N1KZG1qN1d:CBd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connection from MS Office application

      • WINWORD.EXE (PID: 268)

  • SUSPICIOUS

    • Application launched itself

      • WINWORD.EXE (PID: 268)

    • Connects to the server without a host name

      • WINWORD.EXE (PID: 268)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2784)

    • Create files in a temporary directory

      • iexplore.exe (PID: 2784)

    • The process uses the downloaded file

      • WINWORD.EXE (PID: 268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe winword.exe winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2784"C:\Program Files\Internet Explorer\iexplore.exe" "http://84.54.50.76/tyaffgh.doc"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\version.dll
3204"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2784 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
3221225477
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
268"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
2408"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events
27 268
Read events
26 326
Write events
862
Delete events
80

Modification events

(PID) Process:(2784) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
0
(PID) Process:(2784) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30847387
(PID) Process:(2784) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30847437
(PID) Process:(2784) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2784) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2784) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2784) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2784) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2784) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2784) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
0
Suspicious files
38
Text files
18
Unknown types
10

Dropped files

PID
Process
Filename
Type
268WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR5F7.tmp.cvr
MD5:
SHA256:
3204iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\tyaffgh[1].doc
MD5:
SHA256:
268WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:255B294C9EACDDCDD39BDC752E71C754
SHA256:45A37A705DEE7C6B94BE07028BCC97BC7EE68B4101F7C55B251A176E6382E66C
2784iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442der
MD5:8461A037B38246996C5F98A64B5FD918
SHA256:C85675B72791F932EBE52B51BC13DCB761A469B1FBDE881C6C4EF6BA93A1B36F
2784iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442binary
MD5:3703071A5314AB9AC8AF3EE261957EA3
SHA256:E29FF6B37AF51A53A62B20C94443707A5A641C7E232EDE71E7C2EBE6531FA23F
2784iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:3711CAB1834584E8B2165E952202F6BB
SHA256:462001E2B80E7A7EFAED17E698DC06B333CCE59BC070B8C31486F499850409A5
268WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F975A779.doc
MD5:
SHA256:
268WINWORD.EXEC:\Users\admin\AppData\Local\Temp\OICE_F533F745-021A-4D37-A7E6-A12034BD0F92.0\E684B726.doc
MD5:
SHA256:
268WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDbinary
MD5:926EABC85FF2B3B46C80ED21C80B4EA2
SHA256:C793F49B1BFE00EE076C4E01737985FA1CCF5813A701F3005C8A4965830803C0
268WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:C44F73D0D3D381ACCE94F4A01D107FEB
SHA256:213A38769D2C05E1CE20B7A18D15092085DD44C1A647444BDC261B80D1E0B7DA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
13
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
268
WINWORD.EXE
OPTIONS
200
84.54.50.76:80
http://84.54.50.76/
US
suspicious
268
WINWORD.EXE
HEAD
200
84.54.50.76:80
http://84.54.50.76/tyaffgh.doc
US
suspicious
2784
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
3204
iexplore.exe
GET
200
84.54.50.76:80
http://84.54.50.76/tyaffgh.doc
US
text
5.49 Mb
suspicious
832
svchost.exe
OPTIONS
84.54.50.76:80
http://84.54.50.76/
US
suspicious
268
WINWORD.EXE
HEAD
200
84.54.50.76:80
http://84.54.50.76/tyaffgh.doc
US
suspicious
2784
iexplore.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1936b2285a8d196f
US
compressed
4.70 Kb
whitelisted
2784
iexplore.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5658f70ea6755573
US
compressed
4.70 Kb
whitelisted
2784
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3204
iexplore.exe
84.54.50.76:80
GLOBALCOMPASS
US
suspicious
2784
iexplore.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
268
WINWORD.EXE
84.54.50.76:80
GLOBALCOMPASS
US
suspicious
2784
iexplore.exe
204.79.197.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
84.54.50.76:80
GLOBALCOMPASS
US
suspicious
2784
iexplore.exe
209.197.3.8:80
ctldl.windowsupdate.com
STACKPATH-CDN
US
whitelisted
832
svchost.exe
84.54.50.76:80
GLOBALCOMPASS
US
suspicious
2784
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted

Threats

PID
Process
Class
Message
3204
iexplore.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DOC Request
268
WINWORD.EXE
Potentially Bad Traffic
ET INFO Dotted Quad Host DOC Request
268
WINWORD.EXE
Misc activity
ET USER_AGENTS Microsoft Office Existence Discovery User-Agent
268
WINWORD.EXE
Potentially Bad Traffic
ET INFO Dotted Quad Host DOC Request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://84.54.50.76/tyaffgh.doc