File name: follina.doc
Full analysis: https://app.any.run/tasks/19087068-9f1a-41ae-8ab4-d68bf980e5aa
Verdict: Malicious activity
Analysis date: June 27, 2022, 10:50:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc, cve-2022-30190
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 00E566273DE0493C840AD147AC305D1E
SHA1: 72BEDD1B41810038C42C244292319EF901D89ED4
SHA256: 8AB78F3C681C9FA10D2F6C5A3537B831255D40697FBB5853E40BA846A6259E59
SSDEEP: 192:YEhMs7Z/c+8poF1d3jvvtl/b8cIGhed9264wpE+VihxrGxjPtLfAUUQO:YqBcfa7pr1l/bMGAd92hwG3yxjPtLfAF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • CVE-2022-30190 detected
      • WINWORD.EXE (PID: 1416)
  • SUSPICIOUS
    • No suspicious indicators.
  • INFO
    • Reads the computer name
      • WINWORD.EXE (PID: 1416)
    • Checks supported languages
      • WINWORD.EXE (PID: 1416)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 1416)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 1416)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XMP

Description: -
Creator: KIS2
Subject: -
Title: -

XML

ModifyDate: 2022:05:25 13:14:00Z
CreateDate: 2022:05:25 13:14:00Z
RevisionNumber: 3
LastModifiedBy: KIS2
Keywords: -
AppVersion: 16
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: -
LinksUpToDate: No
Company: -
ScaleCrop: No
Paragraphs: -
Lines: -
DocSecurity: None
Application: Microsoft Office Word
Characters: -
Words: -
Pages: 1
TotalEditTime: -
Template: Normal

ZIP

ZipFileName: _rels/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2022:06:27 06:20:03
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
All screenshots are available in the full report
Total processes: 35
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → winword.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
1416 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\follina.doc.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | - | Explorer.EXE

User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
Total events: 1 024
Read events: 961
Write events: 61
Delete events: 2

Modification events

(PID) Process | Key | Operation | Name | Value
(1416) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | /-7 | 2F2D370088050000010000000000000000000000
(1416) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off
(1416) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1041 | Off
(1416) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1046 | Off
(1416) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1036 | Off
(1416) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1031 | Off
(1416) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1040 | Off
(1416) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1049 | Off
(1416) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 3082 | Off
(1416) WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1042 | Off

Executable files: 0
Suspicious files: 8
Text files: 0
Unknown types: 2

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1416 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR95AF.tmp.cvr | - | - | -
1416 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{2B0019D2-AD17-4696-90FC-B1FF8B7076FC} | binary | 02AEF2EAC3B5A519C3AC814D95A3B871 | 9A15E5164062F11E84BD4645DA365AA0D9DF72A2156070FD94BC786092C392B4
1416 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{96D7ECAB-5AF9-4943-9E0E-50B4504C99C2}.FSD | binary | 0C247FE275654D9E63E636F51B14F2AA | EDD84F6A8E996CDEDB63C1E1663D56B7B2AB9255C36463A9FECAFFC17EB6EB53
1416 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{49318950-15A6-41ED-BD0F-5EB9C873101D}.FSD | binary | 9F1DC4010EDB4AF7F863C0E451B68842 | 4D13E3CCF23D88A545C454A6FB3370ECCD6B52E0318713D8AC2E26BC9CE49DC4
1416 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | B441B146E56E2764ACFA116FEB4866A1 | 1188F9CD73576F14D8F7FB06ED609FE6FF35E870BE52D5DBF85CE39D42CD1F02
1416 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | D471A0BB5F0B8A9AC834E0172491B7F9 | 418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F
1416 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{BA17E97F-92DC-4CAD-9C96-FF35057B1CA1} | binary | 79EF2C96071EE67126B68D4C1A4A7025 | F6220CA39623FD9E20FFC4F1A42D2403B824E99AEAEC36A9E6B15A018F1BFC18
1416 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | 02AEF2EAC3B5A519C3AC814D95A3B871 | 9A15E5164062F11E84BD4645DA365AA0D9DF72A2156070FD94BC786092C392B4
1416 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$llina.doc.docx | pgc | 9F36CBF2BD5778B84B096D3CDBAA20A7 | BDFD0A6D71BB0A93F146F31D752B508BE543AB6A896C32B5679DC4007A6ECFD6
1416 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | 79EF2C96071EE67126B68D4C1A4A7025 | F6220CA39623FD9E20FFC4F1A42D2403B824E99AEAEC36A9E6B15A018F1BFC18

The PCAP, network streams, HTTP content and more are available in the full report.

HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.72:55446 | - | - | - | malicious
- | - | 192.168.100.72:54992 | - | - | - | malicious
- | - | 192.168.100.72:55836 | - | - | - | malicious

DNS requests

No data

Threats

No threats detected

No debug info