File name:

technical prooft.docx

Full analysis: https://app.any.run/tasks/794ccb1f-1400-464b-91db-10eadd83e29d
Verdict: Malicious activity
Analysis date: December 05, 2022, 18:53:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

38E96590FDD9BA00EB4B4FB1575E05D4

SHA1:

0B3E77357004B05502DD5497C251F6085947A110

SHA256:

7167DF2D3896ADB65EC4E49E8F3868011254ADBBAAB81DDF59ADA59413EB5AC0

SSDEEP:

1536:YKGcgSbucgSbOcgSb1HYz6rRrKs4cv132DVQ0q:YhcxScxqcxpHYz6rRrWcv13Yrq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual connection from system programs

      • WScript.exe (PID: 2560)
  • SUSPICIOUS

    • Detected use of alternative data streams (AltDS)

      • WINWORD.EXE (PID: 2884)
  • INFO

    • Checks proxy server information

      • WScript.exe (PID: 1752)
      • WScript.exe (PID: 2560)
      • WScript.exe (PID: 3384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs wscript.exe wscript.exe wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
2884"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\technical prooft.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\gdi32.dll
3384"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\MS Word Document Open.vbs" C:\Windows\System32\WScript.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2560"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\MS Word Document Open (2).vbs" C:\Windows\System32\WScript.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
1752"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\MS Word Document Open (3).vbs" C:\Windows\System32\WScript.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Total events
5 130
Read events
4 271
Write events
699
Delete events
160

Modification events

(PID) Process:(2884) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:'g.
Value:
27672E00440B0000010000000000000000000000
(PID) Process:(2884) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2884) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2884) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2884) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2884) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2884) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2884) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2884) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2884) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
0
Suspicious files
0
Text files
7
Unknown types
5

Dropped files

PID
Process
Filename
Type
2884WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRF727.tmp.cvr
MD5:
SHA256:
2884WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:BD0F7CA04713B9C5CA4127B2FD8E7037
SHA256:719457D4BD0617FF6E230B9B49AF6D68E63A69C02352E849B0D51F30F3DF8CD0
2884WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FA6CE588.emfemf
MD5:BAB02FCD546707A00B5930F1CC8C39BA
SHA256:C261185859453A13A9C3AA1DE6AD5AF71C2A3B801211473A0B6E4B2737E5A6D7
2884WINWORD.EXEC:\Users\admin\AppData\Local\Temp\MS Word Document Open (3).vbs:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
2884WINWORD.EXEC:\Users\admin\AppData\Local\Temp\MS Word Document Open.vbs:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
2884WINWORD.EXEC:\Users\admin\AppData\Local\Temp\MS Word Document Open (2).vbs:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
2884WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$chnical prooft.docxpgc
MD5:4611E876AF66B18FEC55D128ECAB1B40
SHA256:D4FFC9C0E15AA847BC45B9DF11C10BF53BD5E233F76D567CC8D2E69337E63FED
2884WINWORD.EXEC:\Users\admin\AppData\Local\Temp\MS Word Document Open.vbstext
MD5:CB8C8356D0A96E63529B332C50B0EC43
SHA256:2569127F96913D9A76F44AB0076BC6DA9CC88F261D9C8B610F10D7104E263218
2884WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CB3385EA.emfemf
MD5:A76496F7BC33D93669A00465ABAB57E3
SHA256:803F3F9D4235391B9E5AA071587407A90B2DDE40C3142AF57824FB4593D1410C
2884WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lextext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
6
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3384
WScript.exe
GET
185.195.25.79:80
http://185.195.25.79/5324.csv
RU
unknown
2560
WScript.exe
GET
185.195.25.79:80
http://185.195.25.79/5324.csv
RU
unknown
1752
WScript.exe
GET
185.195.25.79:80
http://185.195.25.79/5324.csv
RU
unknown
3384
WScript.exe
GET
302
213.186.33.5:80
http://coloctionneur.fr/license.csv
FR
html
138 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2560
WScript.exe
185.195.25.79:80
Network Management Ltd
RU
unknown
185.195.25.79:80
Network Management Ltd
RU
unknown
3384
WScript.exe
185.195.25.79:80
Network Management Ltd
RU
unknown
3384
WScript.exe
213.186.33.5:80
coloctionneur.fr
OVH SAS
FR
malicious

DNS requests

Domain
IP
Reputation
coloctionneur.fr
  • 213.186.33.5
malicious
www.coloctionneur.fr
  • 213.186.33.5
malicious

Threats

No threats detected
No debug info