File name: 922075B1D2E58C34B8BB6B47262B77A9
Full analysis: https://app.any.run/tasks/2d87dd04-72b3-46fb-9b8c-5bca17b53af7
Verdict: Malicious activity
Analysis date: May 15, 2019, 01:58:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, ANSI
MD5: 922075B1D2E58C34B8BB6B47262B77A9
SHA1: D05E586251B3A965B9C9AF76568EFF912E16432F
SHA256: 76A0C2684A4429710C3BEBFF6E827881986FB8EEB9D370FAFB3AA8BBD6F371DF
SSDEEP: 6144:oJOElgNkaVtlvP5OWuK0itb/XbI99qjIaj4iNt/10FsfPv2Tz5EveNMf:/ElzaVzMslrI9AUAqFsfPv2Pnuf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 3028)
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 3028)
    • Application was dropped or rewritten from another process
      • F4A0.tmp (PID: 3540)
      • gousm.exe (PID: 2504)
    • Starts CMD.EXE for commands execution
      • WINWORD.EXE (PID: 3028)
    • Modifies the Internet Explorer registry keys for privacy or tracking
      • dwm.exe (PID: 2016)
    • Application was injected by another process
      • dwm.exe (PID: 2016)
    • Runs injected code in another process
      • gousm.exe (PID: 2504)
    • Changes internet zones settings
      • dwm.exe (PID: 2016)
  • SUSPICIOUS
    • Starts application with an unusual extension
      • WINWORD.EXE (PID: 3028)
    • Executable content was dropped or overwritten
      • F4A0.tmp (PID: 3540)
    • Creates files in the user directory
      • F4A0.tmp (PID: 3540)
    • Starts itself from another location
      • F4A0.tmp (PID: 3540)
    • Starts Microsoft Office Application
      • cmd.exe (PID: 2856)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3028)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3028)
      • WINWORD.EXE (PID: 2660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph (interactive view available in the full report)

WINWORD.EXE drops and starts F4A0.tmp; F4A0.tmp starts gousm.exe; gousm.exe injects into dwm.exe. WINWORD.EXE also starts cmd.exe, which in turn starts a second WINWORD.EXE.

Process information

PID: 3028
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\922075B1D2E58C34B8BB6B47262B77A9.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 3540
CMD: C:\Users\admin\AppData\Local\Temp\F4A0.tmp
Path: C:\Users\admin\AppData\Local\Temp\F4A0.tmp
Parent process: WINWORD.EXE
User: admin
Integrity Level: MEDIUM

PID: 2504
CMD: "C:\Users\admin\AppData\Roaming\Veedu\gousm.exe"
Path: C:\Users\admin\AppData\Roaming\Veedu\gousm.exe
Parent process: F4A0.tmp
User: admin
Integrity Level: MEDIUM

PID: 2856
CMD: cmd.exe /c C:\Users\admin\AppData\Local\Temp\~tmp.doc
Path: C:\Windows\system32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2660
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\~tmp.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2016
CMD: "C:\Windows\system32\Dwm.exe"
Path: C:\Windows\System32\dwm.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Desktop Window Manager
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Total events: 869
Read events: 840
Write events: 26
Delete events: 3

Modification events

(PID) Process: (3028) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: ec
Value: 65632000D40B0000010000000000000000000000

(PID) Process: (3028) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

(PID) Process: (3028) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

(PID) Process: (3028) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: WORDFiles
Value: 1320091678

(PID) Process: (3028) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1320091800

(PID) Process: (3028) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1320091801

(PID) Process: (3028) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation: write
Name: MTTT
Value: D40B00003C4B0CBFC10AD50100000000

(PID) Process: (3028) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: .e
Value: 2E652000D40B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

(PID) Process: (3028) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: delete value
Name: .e
Value: 2E652000D40B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

(PID) Process: (3028) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Executable files: 2
Suspicious files: 7
Text files: 0
Unknown types: 3

Dropped files

PID: 3028
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVREBE5.tmp.cvr
Type:
MD5:
SHA256:

PID: 2660
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR7009.tmp.cvr
Type:
MD5:
SHA256:

PID: 3028
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\F4A0.tmp
Type: executable
MD5: E2FA3D5BD4AE97F60E47359549B777FD
SHA256: FF60DD3E8D0098C0B2718EB9477395C2E691176CEC922E12FCE50FF53F94764F

PID: 3028
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 816BEA007272E3D591722A84B2EBD2E8
SHA256: 0BD48B965DD591F21A77D8C83E4C24FE5627C543192A698F7B1E1842A0EEDB5A

PID: 3028
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$2075B1D2E58C34B8BB6B47262B77A9.rtf
Type: pgc
MD5: 0F202B177B999C7DA3D45F10CAC0445C
SHA256: 0C30F76BF25B335EE9CB1E17A71176AA7FCC9964DFBFE84C4AAC29784A4B4800

PID: 3540
Process: F4A0.tmp
Filename: C:\Users\admin\AppData\Roaming\Veedu\gousm.exe
Type: executable
MD5: 86E1151C8ED20531C5120BF07B18AC79
SHA256: 570C13BD11D6605EC283C03972CA1C6E830568E49CB2EBEF476E37F59302285E

PID: 3028
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~tmp.doc
Type: document
MD5: 45F021FBF8B533F4180393E10E6DFDF9
SHA256: 4DC5FE8E9637ABD4C251C4623AFBAE5D05D415479606902AD069F922241305D9

PID: 3028
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{DCE0A545-83E3-4FE3-A8F2-3B7015411538}.tmp
Type: binary
MD5: 80C6550F00872E0515C83F5E1A2FB5D6
SHA256: 7F46D1D9032262459233552CEADE5B0663FA138DF9B8048BDCF711CF54E27D21

PID: 3028
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{03044EBE-C264-4142-B848-1F98153932F3}.tmp
Type: smt
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1

PID: 2016
Process: dwm.exe
Filename: C:\Users\admin\AppData\Roaming\Hodiy\laehs.wau
Type: binary
MD5: 833A17EA7FC2342E15A3E19DF2120424
SHA256: 9097167A286D23F618829614477214BE77E9EAD5F9772B1545466AB52E76B732

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info