File name: 82918f0396e738fb0833d65ef582607ce3c19f973740c8a5d179b2b4e764605b

Full analysis: https://app.any.run/tasks/4c5a5b67-12ec-4b25-af7a-ab1a41f4234a
Verdict: Malicious activity
Analysis date: June 19, 2019, 10:44:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: Performance Evaluation Template, Author: Maylene Raful, Template: Normal.dotm, Last Saved By: pc1, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 04:00, Last Printed: Tue Feb 21 19:12:00 2017, Create Time/Date: Tue Jun 18 07:40:00 2019, Last Saved Time/Date: Tue Jun 18 08:05:00 2019, Number of Pages: 3, Number of Words: 916, Number of Characters: 5223, Security: 0
MD5: 8F416A523E272A751061F86E77B8CDAD
SHA1: 54E8936EE761FDD3E26DBAB6606F6DB1B3492BD4
SHA256: 82918F0396E738FB0833D65EF582607CE3C19F973740C8A5D179B2B4E764605B
SSDEEP: 3072:LDqvZRRZLGU1XTqcGfTsxO/sq+c2QkbSJu9RZNebKr3nsthySDNH3q6JWBd1gFf6:avf6Q2IGJDFoB2Hi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Writes to a start menu file
      • WINWORD.EXE (PID: 3136)
  • SUSPICIOUS
    • Creates files in the user directory
      • notepad++.exe (PID: 3008)
  • INFO
    • Manual execution by user
      • explorer.exe (PID: 3608)
      • notepad++.exe (PID: 3008)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3136)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
PublishingStartDate: -
PublishingExpirationDate: -
DocumentVersion: 2017-04-01T00:00:00Z
Xd_ProgID: -
Xd_Signature: -
Tag_SharedFileIndex: -
Tag_SourceUrl: -
TemplateUrl: -
ContentTypeId: 0x0101001320F0329649CF4096F15D3A24058C2A
CodePage: Windows Latin 1 (Western European)
HeadingPairs:
  • Title
  • 1
TitleOfParts: Performance Evaluation Template
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 6127
Paragraphs: 12
Lines: 43
Company: UCLA
ThumbnailClip: (Binary data 152692 bytes, use -b option to extract)
Security: None
Characters: 5223
Words: 916
Pages: 3
ModifyDate: 2019:06:18 07:05:00
CreateDate: 2019:06:18 06:40:00
LastPrinted: 2017:02:21 19:12:00
TotalEditTime: 4.0 minutes
Software: Microsoft Office Word
RevisionNumber: 4
LastModifiedBy: pc1
Template: Normal.dotm
Comments: -
Keywords: -
Author: Maylene Raful
Subject: -
Title: Performance Evaluation Template
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Graph nodes: start, winword.exe, explorer.exe (no specs), notepad++.exe, gup.exe

Process information

PID: 3136
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\82918f0396e738fb0833d65ef582607ce3c19f973740c8a5d179b2b4e764605b.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3608
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3008
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\Public\lovelyTrump.tx"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User: admin
Company: -
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Exit code: 0
Version: 7.51

PID: 2768
CMD: "C:\Program Files\Notepad++\updater\gup.exe" -v7.51
Path: C:\Program Files\Notepad++\updater\gup.exe
Parent process: notepad++.exe
User: admin
Company: -
Integrity Level: MEDIUM
Description: GUP : a free (LGPL) Generic Updater
Exit code: 0
Version: 4.1
Total events: 1 594
Read events: 904
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 1
Text files: 7
Unknown types: 4

Dropped files

PID | Process | Filename | Type
3136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF913.tmp.cvr | -
    MD5: -
    SHA256: -
3136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFFCA453BD7AD991A2.TMP | -
    MD5: -
    SHA256: -
3136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF54177715DCFA8106.TMP | -
    MD5: -
    SHA256: -
3136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFB8DE30B9EBE9EF99.TMP | -
    MD5: -
    SHA256: -
3136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$918f0396e738fb0833d65ef582607ce3c19f973740c8a5d179b2b4e764605b.doc | pgc
    MD5: 784E766BFF1B3C395BF6B3316BA2D8D5
    SHA256: 609A418E43EB3A0D0DC80656F627280EF802118324B23FED6F626DA6C60ABE42
3136 | WINWORD.EXE | C:\Users\Public\lovelyTrump.txt | text
    MD5: 9AB662BC899E5DC9B4E90B3027E098E0
    SHA256: 511491B45DBF7AA3AF4A0B9E6BE24C45C0A9147B72A73BA93EE051EFCC39F1AE
3008 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\session.xml | text
    MD5: F7C83D8C8E08F4A1AC1AA9F85EA4FD69
    SHA256: 0314561894E6624A35E20BBE42B3715463A409C811E126FA2D3F6B8ABC1A60BF
3136 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Forms\WINWORD.box | binary
    MD5: 2AC728BF6ED96941F9DEDC5E595CF095
    SHA256: 91C4697B03E738099368877EAFB5D991E0AC01251C672EB083249ABCF5AA8DA9
3136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb
    MD5: 91C32645C5010C831CE5C6830DF5F196
    SHA256: 79940DBC918A81CC57D6EE080B5F0CDEF4A01E32CC1920E18BC5812C682CABD4
3136 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
    MD5: 17222E7BED955763CB75EBDA153E0074
    SHA256: EAEB163582F92B56C14963150DA7DBEA34565552F3D187A793BE19BEB0978882
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 2.21.242.187:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | NL | der | 1.37 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2768 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted
- | - | 2.21.242.187:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
notepad-plus-plus.org | 37.59.28.236 | whitelisted
isrg.trustid.ocsp.identrust.com | 2.21.242.187, 2.21.242.197 | whitelisted

Threats

No threats detected

Process | Message
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093