File name: 9a91835532524533c1f7afb878f1a2dbcd31c0b1f25a49563f71974d26ed29f4.doc

Full analysis: https://app.any.run/tasks/ca94ac3e-38f5-448e-b881-3f605179f8f2
Verdict: Malicious activity
Analysis date: May 20, 2019, 06:09:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Title: d84ef, Subject: g8cb9, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May 8 04:34:00 2019, Last Saved Time/Date: Wed May 8 04:34:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5: 4611B335B88A0B5ABC58CF52B6D9A77D
SHA1: 6C822E32D5792AF43C33F49D53237B0A57C0A546
SHA256: 9A91835532524533C1F7AFB878F1A2DBCD31C0B1F25A49563F71974D26ED29F4
SSDEEP: 24576:w/aQOlrQv882gcMp+Nc1bN/L/JQOl6Qvk82gcdp+:w7OeeJCbtSO3W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Known privilege escalation attack
      • bcd9f.exe (PID: 2896)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 2980)
    • Starts CMD.EXE for commands execution
      • WINWORD.EXE (PID: 2980)
    • Changes the autorun value in the registry
      • RegAsm.exe (PID: 3688)
    • Application was dropped or rewritten from another process
      • bcd9f.exe (PID: 2932)
      • bcd9f.exe (PID: 2896)
      • RegAsm.exe (PID: 3688)
    • Actions looks like stealing of personal data
      • RegAsm.exe (PID: 3688)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • cmd.exe (PID: 2440)
      • RegAsm.exe (PID: 3688)
    • Modifies the open verb of a shell class
      • bcd9f.exe (PID: 2896)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2980)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2980)
    • Dropped object may contain Bitcoin addresses
      • WINWORD.EXE (PID: 2980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (38.3)
.xls | Microsoft Excel sheet (alternate) (29.3)
.doc | Microsoft Word document (old ver.) (22.7)

EXIF

FlashPix

Title: d84ef
Subject: g8cb9
Author: -
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2019:05:08 03:34:00
ModifyDate: 2019:05:08 03:34:00
Pages: 1
Words: -
Characters: 1
Security: None
CodePage: Windows Latin 1 (Western European)
Bytes: 11000
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: d84ef
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Process chain shown in the graph (interactive view in the full report): winword.exe → cmd.exe → bcd9f.exe → eventvwr.exe → eventvwr.exe → bcd9f.exe → regasm.exe

Process information

PID: 2980
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\9a91835532524533c1f7afb878f1a2dbcd31c0b1f25a49563f71974d26ed29f4.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2440
CMD: "C:\Windows\System32\cmd.exe" /c ren "C:\Users\admin\AppData\Local\Temp\bcd9f.png" "bcd9f.exe" &start "" "C:\Users\admin\AppData\Local\Temp\bcd9f.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2896
CMD: "C:\Users\admin\AppData\Local\Temp\bcd9f.exe"
Path: C:\Users\admin\AppData\Local\Temp\bcd9f.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3204
CMD: "C:\Windows\System32\eventvwr.exe"
Path: C:\Windows\System32\eventvwr.exe
Parent process: bcd9f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Event Viewer Snapin Launcher
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 4008
CMD: "C:\Windows\System32\eventvwr.exe"
Path: C:\Windows\System32\eventvwr.exe
Parent process: bcd9f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Event Viewer Snapin Launcher
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2932
CMD: "C:\Users\admin\AppData\Local\Temp\bcd9f.exe"
Path: C:\Users\admin\AppData\Local\Temp\bcd9f.exe
Parent process: eventvwr.exe
User: admin
Integrity Level: HIGH

PID: 3688
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Parent process: bcd9f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft .NET Assembly Registration Utility
Version: 2.0.50727.5420 (Win7SP1.050727-5400)
Total events: 1 380
Read events: 1 021
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 1
Text files: 1
Unknown types: 4

Dropped files

PID: 2980 | Process: WINWORD.EXE | Type: -
Filename: C:\Users\admin\AppData\Local\Temp\CVREAFB.tmp.cvr
MD5: -
SHA256: -

PID: 2980 | Process: WINWORD.EXE | Type: -
Filename: C:\Users\admin\AppData\Local\Temp\bcd9f.png
MD5: -
SHA256: -

PID: 2980 | Process: WINWORD.EXE | Type: -
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FE6E1746.emf
MD5: -
SHA256: -

PID: 2980 | Process: WINWORD.EXE | Type: -
Filename: C:\Users\admin\AppData\Local\Temp\mso39DD.tmp
MD5: -
SHA256: -

PID: 2980 | Process: WINWORD.EXE | Type: -
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB3128F.jpeg
MD5: -
SHA256: -

PID: 2980 | Process: WINWORD.EXE | Type: document
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRO0000.doc
MD5: 8916A1D8A1F64932A829EFA029CBFC60
SHA256: 8707B7E17194A42244D1560E88642E9F90E08304CE1BA4DE2E71B016AD9BA840

PID: 2980 | Process: WINWORD.EXE | Type: emf
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7517A019.emf
MD5: 85EF11A0858FC3AC328644E889085B01
SHA256: BCA32069D03039583810E756FA98990D5AFD69783BB4290890925B38E7CC30C4

PID: 2980 | Process: WINWORD.EXE | Type: pgc
Filename: C:\Users\admin\AppData\Local\Temp\~$91835532524533c1f7afb878f1a2dbcd31c0b1f25a49563f71974d26ed29f4.doc
MD5: EB0F3049BEAFA232B07AD63E99D1C241
SHA256: 330B7F9D650B05EA8979249DC8D6CD7970522FBC131687F29650AABD2E90C675

PID: 2980 | Process: WINWORD.EXE | Type: pgc
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
MD5: 816BEA007272E3D591722A84B2EBD2E8
SHA256: 0BD48B965DD591F21A77D8C83E4C24FE5627C543192A698F7B1E1842A0EEDB5A

PID: 2440 | Process: cmd.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\bcd9f.exe
MD5: 046BC9D1BA7D4991AF3959731F84B36C
SHA256: A2999BE4490911DAFC2ED0631BE87DA0E4F5348EC8B1A67494982F65F764D2ED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2980 | WINWORD.EXE | 185.55.227.147:443 | pourshojaei.com | Fanavari Serverpars Argham Gostar Company Ltd. | IR | malicious
3688 | RegAsm.exe | 185.55.225.185:26 | mail.autelite.com | Fanavari Serverpars Argham Gostar Company Ltd. | IR | suspicious

DNS requests

Domain | IP | Reputation
pourshojaei.com | 185.55.227.147 | malicious
mail.autelite.com | 185.55.225.185 | malicious

Threats

PID | Process | Class | Message
3688 | RegAsm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
No debug info