PO.doc

Full analysis: https://app.any.run/tasks/178eafc1-f348-48a1-81e8-8be6e79c404c
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: November 15, 2018, 12:43:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, opendir

Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF, CR line terminators
MD5: F0E43CACEB7D9011AAFECB83DA244CE4
SHA1: D13AB2C943836187927296414E2D7C23E54E77D4
SHA256: 7696FA7669C261569A919825CE99AC56D51591BBEB44DB767227A810BADEFE99
SSDEEP: 48:k/+jVv3N1gNBrVQBgEEcUYEglCFLWel9JJ9iKdKd+Q+SQ5d+SQYV5+SQDQKdImjf:k/qjBC7W8kWyXRJG86W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Unusual connect from Microsoft Office
      • WINWORD.EXE (PID: 3912)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3912)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3912)
No Malware configuration.
No data.
Total processes: 31
Monitored processes: 1
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start winword.exe

Process information

PID: 3912
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\PO.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators:
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
Total events: 1 156
Read events: 817
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 0
Text files: 3
Unknown types: 3

Dropped files

PID: 3912
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR9B61.tmp.cvr
Type:
MD5:
SHA256:

PID: 3912
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 11DED0D8BBA3F810DECC0D504DB0ADD3
SHA256: 595A99C1AE5BFC290647BC293DFFB43CCAD089D6FEA96D3D5C03EDA729FE8DE3

PID: 3912
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5: D7D0257B9151576A297E13062FA44495
SHA256: CEB9F9B4C1BFCB7A6617EB1E058694D904DB900DA7D42897ACE4A11DCAF717B2

PID: 3912
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\teh[1].hta
Type: html
MD5: EB68A2FEE8AF82BF4E97DD056CFE9AF2
SHA256: 81A64BF83A1C8D39B467596204AF9BBB1631A27EFADC92CDDCAABCE3EF62A84C

PID: 3912
Process: WINWORD.EXE
Filename: C:\Users\admin\Downloads\~$PO.doc
Type: pgc
MD5: 4EEFFCE09CA60286D4038D529B59C040
SHA256: 596D9FC63232FE36F0D2662BD71FF917B26D5EAF4F4E8E7811C0DA2A1D299B5B

PID: 3912
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\PO.doc.LNK
Type: lnk
MD5: F50A256717529F29E217F9DAD2F93E39
SHA256: ED0FB70DD79ADDB4A5F3B6F326B62DE5089BEEFF8E287ABB418AC3FF907D7298
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

PID: 3912
Process: WINWORD.EXE
Method: GET
HTTP Code: 200
IP: 31.184.198.161:80
URL: http://31.184.198.161/~winvps/1_com/pro/teh.hta
CN: RU
Type: html
Size: 2.55 Kb
Reputation: suspicious

Connections

PID: 3912
Process: WINWORD.EXE
IP: 31.184.198.161:80
Domain:
ASN: Petersburg Internet Network ltd.
CN: RU
Reputation: suspicious

DNS requests: No data

Threats

PID: 3912
Process: WINWORD.EXE
Class: A Network Trojan was detected
Message: SC TROJAN_DOWNLOADER Suspicious HTA application download

PID: 3912
Process: WINWORD.EXE
Class: Potentially Bad Traffic
Message: ET POLICY Possible HTA Application Download

PID: 3912
Process: WINWORD.EXE
Class: Attempted User Privilege Gain
Message: ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl

PID: 3912
Process: WINWORD.EXE
Class: Attempted User Privilege Gain
Message: ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag
No debug info