analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Rule of conduct.docx

Full analysis: https://app.any.run/tasks/e1554478-4430-4c8f-a38b-420740552193
Verdict: Malicious activity
Analysis date: July 11, 2019, 21:21:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
phishing
phish-microsoft
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

2C5CD00D2B2C1D041AAD285CEAC099D1

SHA1:

E22070602362554C2BCEF135219B36AAD78A6A46

SHA256:

78DA2E6AC408D6DC7187061E700A721D0A00830B2623494993B4A9D262488BAD

SSDEEP:

384:dwiP3+rqiUUcuC8GqHvjNcqkKkxU4U3tTB9A:6iP39iU2C8wqjkx84

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3212)

  • SUSPICIOUS

    • Starts Internet Explorer

      • WINWORD.EXE (PID: 3212)

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2628)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3212)

    • Changes internet zones settings

      • iexplore.exe (PID: 1652)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3212)
      • iexplore.exe (PID: 2872)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2628)
      • iexplore.exe (PID: 1652)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2872)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2872)

    • Changes settings of System certificates

      • iexplore.exe (PID: 1652)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1652)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XML

AppVersion: 16
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 736
LinksUpToDate: No
Company: by adguard
TitlesOfParts: -
HeadingPairs:
  • Title
  • 1
ScaleCrop: No
Paragraphs: 1
Lines: 5
DocSecurity: None
Application: Microsoft Office Word
Characters: 627
Words: 110
Pages: 1
TotalEditTime: 8.4 hours
Template: Normal
ModifyDate: 2019:07:11 18:19:00Z
CreateDate: 2019:01:24 16:34:00Z
LastPrinted: 2019:01:08 12:58:00Z
RevisionNumber: 48
LastModifiedBy: Sue Lyons

XMP

Creator: HP-PC

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1445
ZipCompressedSize: 358
ZipCRC: 0x576f9132
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3212"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rule of conduct.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1652"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2872"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1652 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2628C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Exit code:
0
Version:
26,0,0,131
Total events
1 870
Read events
1 171
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
55
Unknown types
12

Dropped files

PID
Process
Filename
Type
3212WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRD622.tmp.cvr
MD5:
SHA256:
3212WINWORD.EXEC:\Users\admin\AppData\Local\Temp\msoD845.tmp
MD5:
SHA256:
1652iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
1652iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2872iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\login[1].php
MD5:
SHA256:
3212WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$le of conduct.docxpgc
MD5:274512E2DF468A6A1EE103B3FEC18DD7
SHA256:9428016556540A0A330747E81E387E1156BBA4D38867CB9A784FC05C292606F6
3212WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@atamaria[1].txttext
MD5:291634104CABC08B156F29DB7B85E47E
SHA256:680DF16DF0C91B2833CDF071B3030AFFB00A4D3209EFD7B91F571BC865F3256A
2872iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\THOJPES7\login[1].htmhtml
MD5:7EB81AEDF98B820975E29ACABFD8157B
SHA256:5D577769F938C6D2BCF1BB9EFC02F2E6C97BCB44078424E455FD12E316A184A4
2872iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@atamaria[1].txttext
MD5:74FFBDD35E3D3306F8B361FED2DB13FE
SHA256:41CB8BF27491E3AF2C1B1891902B1A916CC70512D588FD63598B5A1145309B15
2872iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\continue[1].pngimage
MD5:68EE0BF2D67020AFCF0F6C5561FA0361
SHA256:0A30956D43221ED177BC7C8B0B18A004112DF1E32BB12F4562A5BA6C1418803C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
34
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3212
WINWORD.EXE
GET
301
104.27.136.110:80
http://atamaria.top/office/office365/ada1d9ff3377cc9007c9d0b1e0e307c3/
US
suspicious
1652
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1652
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2872
iexplore.exe
54.148.84.95:443
www.sitepoint.com
Amazon.com, Inc.
US
unknown
3212
WINWORD.EXE
104.27.136.110:80
atamaria.top
Cloudflare Inc
US
shared
3212
WINWORD.EXE
104.27.136.110:443
atamaria.top
Cloudflare Inc
US
shared
1652
iexplore.exe
104.27.136.110:443
atamaria.top
Cloudflare Inc
US
shared
2872
iexplore.exe
104.27.136.110:443
atamaria.top
Cloudflare Inc
US
shared
2872
iexplore.exe
104.111.240.106:443
account.microsoft.com
Akamai International B.V.
NL
whitelisted
2872
iexplore.exe
152.199.19.160:443
ajax.aspnetcdn.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2872
iexplore.exe
23.38.55.187:443
compass-ssl.microsoft.com
Akamai International B.V.
NL
whitelisted
2872
iexplore.exe
23.210.249.30:443
cdn.optimizely.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
atamaria.top
  • 104.27.136.110
  • 104.27.137.110
suspicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.sitepoint.com
  • 54.148.84.95
shared
account.microsoft.com
  • 104.111.240.106
whitelisted
login.live.com
  • 40.90.23.236
  • 40.90.23.221
  • 40.90.23.222
whitelisted
mwf-service.akamaized.net
  • 2.16.186.18
  • 2.16.186.9
whitelisted
ajax.aspnetcdn.com
  • 152.199.19.160
whitelisted
cdn.optimizely.com
  • 23.210.249.30
whitelisted
www.microsoft.com
  • 104.99.234.13
whitelisted
compass-ssl.microsoft.com
  • 23.38.55.187
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
3212
WINWORD.EXE
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Rule of conduct.docx