analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | 71357f80f90af2690d2d554f2f8ae57616556de5e0df3bc3f4e63c3bf4eca237 |
| Full analysis: | https://app.any.run/tasks/e5bd9c8d-1e38-4636-b8c3-882e9e0c0113 |
| Verdict: | Malicious activity |
| Analysis date: | April 23, 2019, 09:44:10 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 19 07:18:00 2017, Last Saved Time/Date: Tue Dec 19 07:18:00 2017, Number of Pages: 1, Number of Words: 88, Number of Characters: 503, Security: 0 |
| MD5: | 98B3FD6949DF214BB6C4CE6B9A86D0CD |
| SHA1: | 5B308F98C9F77A7A59ADF5F050BAC5A92138637A |
| SHA256: | 71357F80F90AF2690D2D554F2F8AE57616556DE5E0DF3BC3F4E63C3BF4ECA237 |
| SSDEEP: | 24576:4COstnLozvG/vwJO2BZX6aDiRgI5eis+FpOkYRM:4CvtnLCKwJ9Bp6ye5XAw |
MALICIOUS
Executes scripts
- WINWORD.EXE (PID: 3356)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 3356)
Changes the autorun value in the registry
- powershell.exe (PID: 3836)
Uses Task Scheduler to run other applications
- powershell.exe (PID: 3836)
Loads the Task Scheduler COM API
- schtasks.exe (PID: 2480)
SUSPICIOUS
Starts Microsoft Office Application
- rundll32.exe (PID: 3016)
Creates files in the user directory
- powershell.exe (PID: 3836)
Executes PowerShell scripts
- WScript.exe (PID: 4004)
Uses ATTRIB.EXE to modify file attributes
- powershell.exe (PID: 3836)
INFO
Creates files in the user directory
- WINWORD.EXE (PID: 3356)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3356)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .flo | | | iGrafx FlowCharter document (36.2) |
|---|---|---|
| .doc | | | Microsoft Word document (34.5) |
| .doc | | | Microsoft Word document (old ver.) (20.5) |
EXIF
FlashPix
| Title: | - |
|---|---|
| Subject: | - |
| Author: | - |
| Keywords: | - |
| Comments: | - |
| Template: | Normal.dotm |
| LastModifiedBy: | - |
| RevisionNumber: | 1 |
| Software: | Microsoft Office Word |
| TotalEditTime: | - |
| CreateDate: | 2017:12:19 07:18:00 |
| ModifyDate: | 2017:12:19 07:18:00 |
| Pages: | 1 |
| Words: | 88 |
| Characters: | 503 |
| Security: | None |
| Company: | - |
| Lines: | 4 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 590 |
| AppVersion: | 15 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | - |
| HeadingPairs: |
|
| CodePage: | Windows Latin 1 (Western European) |
| Hyperlinks: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
38
Monitored processes
7
Malicious processes
2
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3016 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\71357f80f90af2690d2d554f2f8ae57616556de5e0df3bc3f4e63c3bf4eca237.flo | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3356 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\71357f80f90af2690d2d554f2f8ae57616556de5e0df3bc3f4e63c3bf4eca237.flo" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | rundll32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
| 4004 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\system.vbs" | C:\Windows\System32\WScript.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
| 3836 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -file C:\Users\Public\system.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3780 | "C:\Windows\system32\attrib.exe" +s +h C:\Users\Public\system.vbs | C:\Windows\system32\attrib.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Attribute Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 908 | "C:\Windows\system32\attrib.exe" +s +h C:\Users\Public\system.ps1 | C:\Windows\system32\attrib.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Attribute Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2480 | "C:\Windows\system32\schtasks.exe" /Create /RU system /SC ONLOGON /TN Microsoft\WindowsOptimizationsService /TR "wscript C:\Users\Public\system.vbs" /F | C:\Windows\system32\schtasks.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
2 143
Read events
1 577
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
3
Unknown types
7
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2723.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3836 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QB011BLTMZQ3OEPUCV9Y.temp | — | |
MD5:— | SHA256:— | |||
| 3356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFF69BAFF8005E4B44.TMP | — | |
MD5:— | SHA256:— | |||
| 3356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DE6916ED-FD3C-4526-9553-7E90C7ABA4C1}.tmp | — | |
MD5:— | SHA256:— | |||
| 3356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D4B040A6-00C3-434C-8966-3465AB869D80}.tmp | — | |
MD5:— | SHA256:— | |||
| 3356 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3DB281D6-6800-408F-BBD6-862D46D8205D}.tmp | — | |
MD5:— | SHA256:— | |||
| 3836 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13472e.TMP | binary | |
MD5:5F9A7BF5388376D94C2EDCA422810BEC | SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C | |||
| 3356 | WINWORD.EXE | C:\users\public\system.ps1 | text | |
MD5:F424B5F2A17F080D7ED335DC43E11B7C | SHA256:9153DE7BA0F11C7BF23FF8108509406269B6E497456BCAA5E63C406A04EBBCD5 | |||
| 3356 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:A9D6DF8FBC85FC5BACE8A32411A5ED6C | SHA256:4C21BB7FFBE3838D715521737E5FC3442AB943B3AC262DC508DD24AD94BDFD8D | |||
| 3356 | WINWORD.EXE | C:\users\public\system.vbs | text | |
MD5:457D97AEB38CCD2FDD79DE46F6931320 | SHA256:C87A6247962FD343D717FC5C5964615912AAA47791CD75F1B590B8045BF68EBB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report