analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Draft BL.doc

Full analysis: https://app.any.run/tasks/6ddf3999-f28f-476d-b40e-f0ec5df8b831
Verdict: Malicious activity
Analysis date: May 15, 2019, 13:25:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

AC3A35769F141166C120DE2B8E95DB1C

SHA1:

A6C2249E8808B65991370DD0E47D7BACE23D1549

SHA256:

A29A39D6D139A468FCB953587423C9B02D4D68B333922B7783E24FFAB5F69FB0

SSDEEP:

24576:pd6qlMEjK5kyHty99BE7f8Gh+lN4z4Z19tWLAs1Uwq0/4oveckLKOidW0GdmChP:F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Runs app for hidden code execution

      • cmd.exe (PID: 4004)
      • cmd.exe (PID: 3436)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2948)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2948)
    • Application was dropped or rewritten from another process

      • saver.scr (PID: 3408)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4004)
      • cmd.exe (PID: 3884)
      • cmd.exe (PID: 3436)
      • cmd.exe (PID: 1116)
    • Executes scripts

      • cmd.exe (PID: 1116)
    • Uses TASKKILL.EXE to kill Office Apps

      • cmd.exe (PID: 1116)
    • Executable content was dropped or overwritten

      • cscript.exe (PID: 3840)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2428)
      • cmd.exe (PID: 3724)
      • cmd.exe (PID: 2792)
      • cmd.exe (PID: 3512)
      • cmd.exe (PID: 2788)
      • cmd.exe (PID: 1116)
      • cmd.exe (PID: 2952)
    • Application launched itself

      • cmd.exe (PID: 1116)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1116)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2948)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
72
Monitored processes
37
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs cmd.exe no specs timeout.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs cscript.exe taskkill.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs saver.scr no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2948"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Draft BL.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
1
Version:
14.0.6024.1000
3436"C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"C:\Windows\System32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3884CmD C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1116C:\Windows\system32\cmd.exe /K mt6nzqofd.CMDC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2684TIMEOUT /T 1C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3152TIMEOUT /T 1 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3748TIMEOUT /T 1 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4004"C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"C:\Windows\System32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2388TIMEOUT /T 1 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2968CmD C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 088
Read events
1 055
Write events
30
Delete events
3

Modification events

(PID) Process:(2948) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:)s
Value:
29732000840B0000010000000000000000000000
(PID) Process:(2948) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2948) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2948) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1320091678
(PID) Process:(2948) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1320091800
(PID) Process:(2948) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1320091801
(PID) Process:(2948) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
840B00001295B9B9210BD50100000000
(PID) Process:(2948) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:bt
Value:
62742000840B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2948) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:bt
Value:
62742000840B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2948) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
1
Suspicious files
3
Text files
9
Unknown types
3

Dropped files

PID
Process
Filename
Type
2948WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVREB29.tmp.cvr
MD5:
SHA256:
2948WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{467EAFAE-5212-44D6-93FE-3DE6D21DE104}.tmpbinary
MD5:F2CF47F3D2D0BEE4E99A0AB16B2C4804
SHA256:A6984BEB2551A99FFA95223B0ED1CF3D24946F462799E2FE11CFAA6F25030A87
3840cscript.exeC:\Users\admin\AppData\Local\Temp\saver.screxecutable
MD5:0A389BF75072D8AB4B152CD4A14B3581
SHA256:F031A414E5C6881E2207D38006166CE1F6C86D7F8176AE6B3DCEBCA88DDC2935
3840cscript.exeC:\Users\admin\AppData\Local\Temp\gondi.doctext
MD5:6291D5A22FCE652360616BD330E07082
SHA256:80AE0226822B684927280C63CA9F4E683C121FA62715E02909DECC298C03B506
2948WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{DCE0A545-83E3-4FE3-A8F2-3E701D412B38}.tmpbinary
MD5:6AE9A47835BE77DBB98AFF42C07A8755
SHA256:5E07C5C96285344E4230F8751DB9B3E5302E709D6EB4DECA1F536624E068BD3C
1116cmd.exeC:\Users\admin\AppData\Local\Temp\_.vbstext
MD5:BF9646FA68CAE0CE69FBF7FFF70D65B5
SHA256:CC7DD8CF31F4634A109AC5A14931F8A4E55F528B36C40B0D109B9147B8E7C928
2948WINWORD.EXEC:\Users\admin\AppData\Local\Temp\kulebiaka.ZiPcompressed
MD5:46820D7DA085420CC9F3956D5EA83332
SHA256:98AC30F758FFEA67D95DA03EDB2FDFF84C7C0CB3CF3C6ADAD750DC00782E77C2
2948WINWORD.EXEC:\Users\admin\AppData\Local\Temp\mt6nzqofd.cmdtext
MD5:B5B6D0CC5AE87D9B02585E5B3246C1A2
SHA256:15C6536DD7A47ADD995049F4E54D86F69F50BB20FE29B88B5AE809A888730A5E
2948WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$aft BL.doc.rtfpgc
MD5:373B54091DBDC71E17B565D6ADD27767
SHA256:9C020818C564EC80C56B572E3064466593922C79F96A2B0BC58F5738C5E2C201
2948WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:097280C056CE39439CCC3847D81BD8E8
SHA256:0953075297DD805C383180F637440927D9292D4FAEDCFD744C727C571261B925
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info