File name: 2561c7b2e10623156767700719da73abba19ac92.doc
Full analysis: https://app.any.run/tasks/05fa3926-ea21-4f58-b2d5-312df9f30661
Verdict: Malicious activity
Analysis date: January 24, 2022, 21:37:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, generated-doc
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 9 11:51:00 2019, Last Saved Time/Date: Fri Sep 25 15:02:00 2020, Number of Pages: 1, Number of Words: 200, Number of Characters: 1142, Security: 0
MD5: D4396A2BAE94A3D5A62109A158C72C99
SHA1: 2561C7B2E10623156767700719DA73ABBA19AC92
SHA256: 79A6583FBA3F84876395111C31FFF080A7DAA31DB7B8CFCEB6F44232AFBB0D25
SSDEEP: 24576:0VwtXuNv4huGaZD9TkP6BRN8XFpFOv3M32PL:0VSXRWxSqb8XFE3M32P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 3660)
    • Changes settings of System certificates
      • WINWORD.EXE (PID: 3660)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 3660)
    • Application was dropped or rewritten from another process
      • NetworkWizardLoader.exe (PID: 2232)
      • Cloudpath.exe (PID: 3256)
      • WinHelper.exe (PID: 2524)
  • SUSPICIOUS
    • Reads default file associations for system extensions
      • WINWORD.EXE (PID: 3660)
    • Reads the date of Windows installation
      • WINWORD.EXE (PID: 3660)
    • Checks supported languages
      • NetworkWizardLoader.exe (PID: 2232)
      • Cloudpath.exe (PID: 3256)
      • WinHelper.exe (PID: 2524)
    • Reads Environment values
      • NetworkWizardLoader.exe (PID: 2232)
    • Reads the computer name
      • NetworkWizardLoader.exe (PID: 2232)
      • WinHelper.exe (PID: 2524)
      • Cloudpath.exe (PID: 3256)
    • Executable content was dropped or overwritten
      • NetworkWizardLoader.exe (PID: 2232)
      • Cloudpath.exe (PID: 3256)
  • INFO
    • Checks supported languages
      • WINWORD.EXE (PID: 3660)
    • Reads the computer name
      • WINWORD.EXE (PID: 3660)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3660)
    • Checks Windows Trust Settings
      • WINWORD.EXE (PID: 3660)
    • Reads settings of System Certificates
      • WINWORD.EXE (PID: 3660)
    • Reads Microsoft Outlook installation path
      • WINWORD.EXE (PID: 3660)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Lupl_user_email: -
Sign-offStatus: -
Hyperlinks:
CodePage: Windows Latin 1 (Western European)
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 1340
Paragraphs: 2
Lines: 9
Security: None
Characters: 1142
Words: 200
Pages: 1
ModifyDate: 2020:09:25 14:02:00
CreateDate: 2019:12:09 11:51:00
LastPrinted: -
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal
Keywords: -
Author: -
Subject: -
Title: -
No data.
Total processes: 46
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Process chain (edges labelled "drop and start" / "start" in the graph): winword.exe → networkwizardloader.exe → cloudpath.exe → winhelper.exe

Process information

PID: 3660
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\2561c7b2e10623156767700719da73abba19ac92.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
Modules (images):
  • c:\program files\microsoft office\office14\winword.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll

PID: 2232
CMD: "C:\Users\admin\AppData\Local\Temp\NetworkWizardLoader.exe"
Path: C:\Users\admin\AppData\Local\Temp\NetworkWizardLoader.exe
Parent process: WINWORD.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\networkwizardloader.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shlwapi.dll

PID: 3256
CMD: "C:\Users\admin\AppData\Local\temp\Cloudpath\Cloudpath.exe" -temp -name "University of Glasgow" -url "https://wifisetup.gla.ac.uk/"
Path: C:\Users\admin\AppData\Local\temp\Cloudpath\Cloudpath.exe
Parent process: NetworkWizardLoader.exe
User: admin
Company: Ruckus Networks
Integrity Level: MEDIUM
Version: 1000.0.0.0
Modules (images):
  • c:\windows\system32\ntdll.dll
  • c:\users\admin\appdata\local\temp\cloudpath\cloudpath.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\crypt32.dll
  • c:\windows\system32\msasn1.dll

PID: 2524
CMD: "C:\Users\admin\AppData\Local\temp\Cloudpath\WinHelper.exe"
Path: C:\Users\admin\AppData\Local\temp\Cloudpath\WinHelper.exe
Parent process: Cloudpath.exe
User: admin
Company: Ruckus Networks
Integrity Level: HIGH
Version: 1000.0.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\cloudpath\winhelper.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\crypt32.dll
  • c:\windows\system32\msasn1.dll
Total events: 9 145
Read events: 8 352
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 4
Suspicious files: 1
Text files: 7
Unknown types: 6

Dropped files

PID 3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRC9FF.tmp.cvr
  MD5:
  SHA256:
PID 3660 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\2561c7b2e10623156767700719da73abba19ac92.doc.LNK | Type: lnk
  MD5: EEC54300AE5C6A8ADD5579ECEB749686
  SHA256: 95D077DDDC19FE4FF4DC8D998F27D7DD08B8873B11D2A26D05D85AAF4D04AE10
PID 3660 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | Type: pgc
  MD5: 943799681AB783C0069DF58210FD98CA
  SHA256: 9879A43C41C51874B8C2F56A906E142ECF49656FD2D4043AF5B6DCF85CCC43BD
PID 3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\82019B97.emf | Type: emf
  MD5: 2BFC2FE0EEC1DA08A68FB5B13BD25A98
  SHA256: F6382ADA45E3FC41D7308163FE6F7AECE853B6E072890D88691B5A8C79EACA12
PID 3660 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E5E437032B2CF84550CECEA00B9F549D | Type: binary
  MD5: DC930E10EACACB1C441C54D826A46AD5
  SHA256: 3C61B6D718C93D9A97B1FCB07A25B6C3620194100CBBB304EE80FF9132B3F334
PID 3660 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | Type: ini
  MD5: BB377DAABFFDE4949BC40F50AB510358
  SHA256: 3681D4F8E3BAF59D7DB24D2A7E358A562807450186B28597DC82ED5917AAFBA7
PID 3660 | WINWORD.EXE | C:\Users\admin\Desktop\~$61c7b2e10623156767700719da73abba19ac92.doc | Type: pgc
  MD5: 80355D2D5A9146B75F6BE94D505F5713
  SHA256: 5F2CA04C1ACD14268AA7E7B3994E510D33E21E1C2B3EB54B70788D784BEF94CC
PID 3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\NetworkWizardLoader.exe | Type: executable
  MD5: DC86B2B06C25EF931B8AE02A158321E9
  SHA256: FA87707D7E14588E77E43A30E271BD9E5F9844095B243062DB12D6556DC724E5
PID 3256 | Cloudpath.exe | C:\Users\admin\AppData\Local\Temp\network_config.xml | Type: text
  MD5: 0DD64E19A87C72D6B6D9C32B19E9BDD7
  SHA256: B1ABCDE1D5D11B060E9F58072DFCF0E07FA462232BAA321AC3C8D3344B704079
PID 3256 | Cloudpath.exe | C:\Users\admin\AppData\Local\Temp\testfile.txt | Type: text
  MD5: 28327A617227E34787368FB09D4E9BFD
  SHA256: E46D58088886664D779858D8B3967F63811787A61E5400BF8085890FDE6F9FE6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 7
DNS requests: 2
Threats: 0

HTTP requests

PID: 3660
Process: WINWORD.EXE
Method: GET
HTTP Code: 200
IP: 93.184.220.29:80
URL: http://tl.symcb.com/tl.crt
CN: US
Type: der
Size: 1.15 Kb
Reputation: whitelisted

Connections

PID 2232 | NetworkWizardLoader.exe | 130.209.8.121:443 | wifisetup.gla.ac.uk | ASN: Jisc Services Limited | CN: GB | Reputation: unknown
PID 3660 | WINWORD.EXE | 93.184.220.29:80 | tl.symcb.com | ASN: MCI Communications Services, Inc. d/b/a Verizon Business | CN: US | Reputation: whitelisted
PID 3256 | Cloudpath.exe | 130.209.8.121:443 | wifisetup.gla.ac.uk | ASN: Jisc Services Limited | CN: GB | Reputation: unknown

DNS requests

tl.symcb.com → 93.184.220.29 (Reputation: whitelisted)
wifisetup.gla.ac.uk → 130.209.8.121 (Reputation: unknown)

Threats

No threats detected
No debug info