File name:

reporte-financeiro-template.dot

Full analysis: https://app.any.run/tasks/41e7c6d8-73cf-47ec-981a-22e0149ab508
Verdict: Malicious activity
Analysis date: August 22, 2024, 08:19:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: uwishuhadamail, Template: upds.azureedge.net-stager-https-ssh-schtask.dot, Last Saved By: uwishuhadamail, Revision Number: 34, Name of Creating Application: Microsoft Office Word, Total Editing Time: 04:00, Create Time/Date: Wed May 22 11:01:00 2024, Last Saved Time/Date: Sun May 26 17:03:00 2024, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
MD5:

5D36D4DA71EB9A3B04917C4E197E6C5A

SHA1:

88FA956D021807C5FC9D0E71D5410EA7E0A4CA91

SHA256:

7D1FBE79DF80ED442093510023B383C42749C4A689C1590F2D288402392E58E0

SSDEEP:

49152:HFINas5FeFjXJYndnNS51heM/qhwLkLsLRa6AYLYAqSR4dSjXGEpa3r4y/VDCzU+:HFINaCFeFjMnI/qhwLkLsLRa6AYLYAqP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 6952)
    • Gets path to any of the special folders (SCRIPT)
      • WINWORD.EXE (PID: 6952)
    • Runs injected code in another process
      • WINWORD.EXE (PID: 6952)
    • Application was injected by another process
      • svchost.exe (PID: 4140)
  • SUSPICIOUS
    • Creates FileSystem object to access computer's file system (SCRIPT)
      • WINWORD.EXE (PID: 6952)
  • INFO
    • Reads security settings of Internet Explorer
      • svchost.exe (PID: 4140)
    • Checks proxy server information
      • svchost.exe (PID: 4140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Identification: Word 8.0
LanguageCode: English (US)
DocFlags: Template, 1Table, ExtChar
System: Windows
Word97: No
Title: -
Subject: -
Author: uwishuhadamail
Keywords: -
Comments: -
Template: upds.azureedge.net-stager-https-ssh-schtask.dot
LastModifiedBy: uwishuhadamail
Software: Microsoft Office Word
CreateDate: 2024:05:22 11:01:00
ModifyDate: 2024:05:26 17:03:00
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
CharCountWithSpaces: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
LastPrinted: 0000:00:00 00:00:00
RevisionNumber: 34
TotalEditTime: 4 minutes
Words: -
Characters: -
Pages: 1
Paragraphs: -
Lines: -
No data.
All screenshots are available in the full report
Total processes: 134
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start winword.exe svchost.exe

Process information

PID: 4140
CMD: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 6952
CMD: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\AppData\Local\Temp\reporte-financeiro-template.dot.doc /o ""
Path: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 16.0.16026.20146
Modules (images):
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 7 996
Read events: 7 736
Write events: 252
Delete events: 8

Modification events

(PID) Process: (6952) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 0
Value: 017012000000001000B24E9A3E01000000000000000500000000000000

(PID) Process: (6952) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation: delete value
Name: 0
Value: (binary)

(PID) Process: (6952) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation: delete key
Name: (default)
Value:

(PID) Process: (6952) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6952
Operation: write
Name: 0
Value: 0B0E107CB71B6B363AB34E80DD7375858F390F230046D7E8E4DEC18DBDED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511A836D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300

(PID) Process: (6952) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Names: en-US, de-de, fr-fr, es-es, it-it, ja-jp
Value: 2 (written for each of the six names)
Executable files: 1
Suspicious files: 11
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin | text
  MD5: B46B0548BD6A094124B5F82A59793C2C
  SHA256: 238A9CEE717E8E31711F18EAA06AFFB427BE343B1127394F1EE022278482DBAE
6952 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | abr
  MD5: 8E2C7529BFCCF47C3CC3A18E6F4F9688
  SHA256: B3928A3C0FF53FB46464494148CABD6464AEBF3B2A2B122E66845ABA111F5520
6952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin | text
  MD5: CC90D669144261B198DEAD45AA266572
  SHA256: 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
6952 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | binary
  MD5: BB3901DC8A00FEE7598F0F49639FADBE
  SHA256: 66B66FF28EB3A96FD1E091533A0AC118DD087E909915CE36D4B68C54A2A092CF
6952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2F32E3F2-151F-4436-B93D-DFAB86BFDAB0 | xml
  MD5: F5F98FCDB534BEED8177E5F756CAFA5B
  SHA256: 5E141709DC41EB97C8FC79207ADDCE1153C0FBB49D253F1E6752ADC4DFD525F5
6952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf | binary
  MD5: 4296A064B917926682E7EED650D4A745
  SHA256: E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
6952 | WINWORD.EXE | C:\Users\admin\AppData\Local\azsvc-priv | text
  MD5: 19AA68DD2332D55E6B02765F0D82723A
  SHA256: B4E5829E09465E7A22D4E7DF653E72CF646D7EA31BFB0AF7901D51224F4AE367
6952 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G53DUJTET0ORULFUB47C.temp | binary
  MD5: E4A1661C2C886EBB688DEC494532431C
  SHA256: B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
6952 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | binary
  MD5: 78F75B2A7706B7583FD751321149CAC6
  SHA256: E4E373366B0A98220C4DD6401D793E24DB3D25A2E5A7B3EB83C8FA81B473932D
6952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$porte-financeiro-template.dot.doc | abr
  MD5: BB501C817D31AC3255999A5BA8EE4B89
  SHA256: 7D46173BAAD2CC3435CA3C97FBEFC4D539B35F60609AB833520C61CDDC2047C7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 58
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

2228 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6952 | WINWORD.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
6624 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6856 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

- | - | 192.168.100.255:138 | - | - | - | whitelisted
4040 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
5904 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6952 | WINWORD.EXE | 52.109.89.18:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
6952 | WINWORD.EXE | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
3260 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2228 | svchost.exe | 40.126.32.133:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
2228 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
officeclient.microsoft.com
  • 52.109.89.18
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.76
  • 40.126.32.136
  • 20.190.160.14
  • 40.126.32.68
  • 40.126.32.138
  • 40.126.32.74
  • 20.190.160.20
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
roaming.officeapps.live.com
  • 52.109.32.7
whitelisted
omex.cdn.office.net
  • 23.48.23.30
  • 23.48.23.18
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
upds.azureedge.net
  • 152.199.19.161
whitelisted

Threats

No threats detected
No debug info