File name:

2561c7b2e10623156767700719da73abba19ac92.doc

Full analysis: https://app.any.run/tasks/05fa3926-ea21-4f58-b2d5-312df9f30661
Verdict: Malicious activity
Analysis date: January 24, 2022, 21:37:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 9 11:51:00 2019, Last Saved Time/Date: Fri Sep 25 15:02:00 2020, Number of Pages: 1, Number of Words: 200, Number of Characters: 1142, Security: 0
MD5:

D4396A2BAE94A3D5A62109A158C72C99

SHA1:

2561C7B2E10623156767700719DA73ABBA19AC92

SHA256:

79A6583FBA3F84876395111C31FFF080A7DAA31DB7B8CFCEB6F44232AFBB0D25

SSDEEP:

24576:0VwtXuNv4huGaZD9TkP6BRN8XFpFOv3M32PL:0VSXRWxSqb8XFE3M32P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 3660)

    • Changes settings of System certificates

      • WINWORD.EXE (PID: 3660)

    • Application was dropped or rewritten from another process

      • Cloudpath.exe (PID: 3256)
      • WinHelper.exe (PID: 2524)
      • NetworkWizardLoader.exe (PID: 2232)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3660)

  • SUSPICIOUS

    • Reads the computer name

      • Cloudpath.exe (PID: 3256)
      • WinHelper.exe (PID: 2524)
      • NetworkWizardLoader.exe (PID: 2232)

    • Reads Environment values

      • NetworkWizardLoader.exe (PID: 2232)

    • Checks supported languages

      • Cloudpath.exe (PID: 3256)
      • WinHelper.exe (PID: 2524)
      • NetworkWizardLoader.exe (PID: 2232)

    • Executable content was dropped or overwritten

      • Cloudpath.exe (PID: 3256)
      • NetworkWizardLoader.exe (PID: 2232)

    • Reads default file associations for system extensions

      • WINWORD.EXE (PID: 3660)

    • Reads the date of Windows installation

      • WINWORD.EXE (PID: 3660)

  • INFO

    • Checks supported languages

      • WINWORD.EXE (PID: 3660)

    • Reads the computer name

      • WINWORD.EXE (PID: 3660)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3660)

    • Reads Microsoft Outlook installation path

      • WINWORD.EXE (PID: 3660)

    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 3660)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3660)

    • Checks Windows Trust Settings

      • WINWORD.EXE (PID: 3660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
Lupl_user_email: -
Sign-offStatus: -
Hyperlinks:
  • cid:image001.jpg@01D69271.EAD314B0
CodePage: Windows Latin 1 (Western European)
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 1340
Paragraphs: 2
Lines: 9
Security: None
Characters: 1142
Words: 200
Pages: 1
ModifyDate: 2020:09:25 14:02:00
CreateDate: 2019:12:09 11:51:00
LastPrinted: -
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal
Keywords: -
Author: -
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
4
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start winword.exe networkwizardloader.exe cloudpath.exe winhelper.exe

Process information

PID
CMD
Path
Indicators
Parent process
2232"C:\Users\admin\AppData\Local\Temp\NetworkWizardLoader.exe" C:\Users\admin\AppData\Local\Temp\NetworkWizardLoader.exe
WINWORD.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\networkwizardloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
2524"C:\Users\admin\AppData\Local\temp\Cloudpath\WinHelper.exe" C:\Users\admin\AppData\Local\temp\Cloudpath\WinHelper.exe
Cloudpath.exe
User:
admin
Company:
Ruckus Networks
Integrity Level:
HIGH
Exit code:
0
Version:
1000.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\cloudpath\winhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
3256"C:\Users\admin\AppData\Local\temp\Cloudpath\Cloudpath.exe" -temp -name "University of Glasgow" -url "https://wifisetup.gla.ac.uk/" C:\Users\admin\AppData\Local\temp\Cloudpath\Cloudpath.exe
NetworkWizardLoader.exe
User:
admin
Company:
Ruckus Networks
Integrity Level:
MEDIUM
Exit code:
0
Version:
1000.0.0.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\cloudpath\cloudpath.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
3660"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\2561c7b2e10623156767700719da73abba19ac92.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events
9 145
Read events
8 352
Write events
653
Delete events
140

Modification events

(PID) Process:(3660) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:m!
Value:
7F6D21004C0E0000010000000000000000000000
(PID) Process:(3660) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3660) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(3660) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(3660) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(3660) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(3660) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(3660) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(3660) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(3660) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
4
Suspicious files
1
Text files
7
Unknown types
6

Dropped files

PID
Process
Filename
Type
3660WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRC9FF.tmp.cvr
MD5:
SHA256:
3660WINWORD.EXEC:\Users\admin\Desktop\~$61c7b2e10623156767700719da73abba19ac92.docpgc
MD5:
SHA256:
3660WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\2561c7b2e10623156767700719da73abba19ac92.doc.LNKlnk
MD5:
SHA256:
3660WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E5E437032B2CF84550CECEA00B9F549Dbinary
MD5:
SHA256:
3660WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:
SHA256:
3660WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\82019B97.emfemf
MD5:
SHA256:
2232NetworkWizardLoader.exeC:\Users\admin\AppData\Local\temp\Cloudpath\system_config.xmltext
MD5:
SHA256:
3660WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:
SHA256:
3660WINWORD.EXEC:\Users\admin\AppData\Local\Temp\NetworkWizardLoader.exeexecutable
MD5:
SHA256:
3660WINWORD.EXEC:\Users\admin\AppData\Local\Temp\NetworkWizardLoader.exe:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
7
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3660
WINWORD.EXE
GET
200
93.184.220.29:80
http://tl.symcb.com/tl.crt
US
der
1.15 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3660
WINWORD.EXE
93.184.220.29:80
tl.symcb.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2232
NetworkWizardLoader.exe
130.209.8.121:443
wifisetup.gla.ac.uk
Jisc Services Limited
GB
unknown
3256
Cloudpath.exe
130.209.8.121:443
wifisetup.gla.ac.uk
Jisc Services Limited
GB
unknown

DNS requests

Domain
IP
Reputation
tl.symcb.com
  • 93.184.220.29
whitelisted
wifisetup.gla.ac.uk
  • 130.209.8.121
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2561c7b2e10623156767700719da73abba19ac92.doc