File name:	SecureMessage.docm
Full analysis:	https://app.any.run/tasks/738cc560-f3c6-4534-893d-3ea28dd60671
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	March 22, 2019, 09:32:24
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	macros macros-on-open macros-on-close loader trickbot trojan stealer
Indicators:
MIME:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:	Microsoft Word 2007+
MD5:	095C4FD66987B268D1690059DEE9CDE4
SHA1:	BF5B0521515A31DC3EE70DF98A02CF93B67B529F
SHA256:	A6BC9CBFA4C7C85D2434395D884991F708F784155E26370DF8DB046B3FEAE02A
SSDEEP:	1536:2okVYIFnJRHU60S7QotsocLukQkFJq+NiwuwZmaBB8:KFJRjtsJQkCCuHP

.docm	\|	Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx	\|	Word Microsoft Office Open XML Format document (24.2)
.zip	\|	Open Packaging Conventions container (18)
.zip	\|	ZIP compressed archive (4.1)

ZipRequiredVersion:	20
ZipBitFlag:	0x0006
ZipCompression:	Deflated
ZipModifyDate:	1980:01:01 00:00:00
ZipCRC:	0x714a6bd3
ZipCompressedSize:	433
ZipUncompressedSize:	1685
ZipFileName:	[Content_Types].xml

Template:	Normal.dotm
TotalEditTime:	2 minutes
Pages:	1
Words:	30
Characters:	171
Application:	Microsoft Office Word
DocSecurity:	None
Lines:	1
Paragraphs:	1
ScaleCrop:	No
HeadingPairs:	Title 1
TitlesOfParts:	-
Company:	-
LinksUpToDate:	No
CharactersWithSpaces:	200
SharedDoc:	No
HyperlinksChanged:	No
AppVersion:	16
LastModifiedBy:	Пользователь Windows
RevisionNumber:	3
CreateDate:	2019:03:11 17:58:00Z
ModifyDate:	2019:03:11 18:05:00Z


(PID) Process:	(2840) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	wd$
Value: 77642400180B0000010000000000000000000000
(PID) Process:	(2840) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(2840) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(2840) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	WORDFiles
Value: 1316356138
(PID) Process:	(2840) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1316356222
(PID) Process:	(2840) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1316356223
(PID) Process:	(2840) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:	write	Name:	MTTT
Value: 180B0000548E893192E0D40100000000
(PID) Process:	(2840) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	-k$
Value: 2D6B2400180B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(2840) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	delete value	Name:	-k$
Value: 2D6B2400180B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(2840) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

PID	Process	Filename		Type
2840	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRC857.tmp.cvr		—
		MD5:—	SHA256:—
2904	DllHost.exe	C:\$RECYCLE.BIN\S-1-5-21-3896776584-4254864009-862391680-1000\$RXJHPF3.tmp		—
		MD5:—	SHA256:—
2840	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C35F2B0.png		—
		MD5:—	SHA256:—
2840	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\209F72F1.gif		—
		MD5:—	SHA256:—
2840	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DF7D3BBCE63E507707.TMP		—
		MD5:—	SHA256:—
2840	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DF025C641F42BFFE42.TMP		—
		MD5:—	SHA256:—
2840	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{18E99E7A-39D0-481C-AC4A-3319482DA7DB}.tmp		—
		MD5:—	SHA256:—
2840	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{39DCF1EC-EB0D-4B64-BB40-C143319DD7FE}.tmp		—
		MD5:—	SHA256:—
2840	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~DFFA11FDCC17D9E1AA.TMP		—
		MD5:—	SHA256:—
2840	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B23727D5-65C5-40FD-9E55-19F2871874F8}.tmp		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	HEAD	200	184.107.130.34:80	http://oneentertainment.ca/shh.sshh	CA	—	—	suspicious
—	—	GET	206	184.107.130.34:80	http://oneentertainment.ca/shh.sshh	CA	binary	11.5 Kb	suspicious
—	—	GET	206	184.107.130.34:80	http://oneentertainment.ca/shh.sshh	CA	binary	5.44 Kb	suspicious
—	—	GET	206	184.107.130.34:80	http://oneentertainment.ca/shh.sshh	CA	binary	48.7 Kb	suspicious
—	—	GET	206	184.107.130.34:80	http://oneentertainment.ca/shh.sshh	CA	binary	42.8 Kb	suspicious
—	—	GET	206	184.107.130.34:80	http://oneentertainment.ca/shh.sshh	CA	binary	24.0 Kb	suspicious
—	—	GET	206	184.107.130.34:80	http://oneentertainment.ca/shh.sshh	CA	flc	98.9 Kb	suspicious
940	svchost.exe	POST	200	103.119.144.250:8082	http://103.119.144.250:8082/ser0311us/USER-PC_W617601.89C912174DAF7028C34CF95ED56C7396/81/	unknown	text	3 b	malicious
—	—	GET	206	184.107.130.34:80	http://oneentertainment.ca/shh.sshh	CA	binary	5.42 Kb	suspicious
2812	svchost.exe	GET	200	8.248.237.254:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f65c04fed216139a	US	compressed	55.2 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2812	svchost.exe	97.87.160.98:449	—	Charter Communications	US	malicious
2812	svchost.exe	8.248.237.254:80	ctldl.windowsupdate.com	Level 3 Communications, Inc.	US	unknown
940	svchost.exe	103.119.144.250:8082	—	—	—	malicious
2812	svchost.exe	82.202.212.171:447	—	OOO Network of data-centers Selectel	RU	suspicious
—	—	184.107.130.34:80	oneentertainment.ca	iWeb Technologies Inc.	CA	suspicious
2812	svchost.exe	47.52.62.55:443	api.ip.sb	Alibaba (China) Technology Co., Ltd.	HK	malicious
2812	svchost.exe	177.107.51.162:449	—	G8 NETWORKS LTDA	BR	malicious

Domain	IP	Reputation
pamelaannspantry.com	160.153.133.211	malicious
oneentertainment.ca	184.107.130.34	suspicious
api.ip.sb	47.52.62.55	whitelisted
ctldl.windowsupdate.com	8.248.237.254	whitelisted

PID	Process	Class	Message
2812	svchost.exe	A Network Trojan was detected	MALWARE TEST [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
2812	svchost.exe	A Network Trojan was detected	MALWARE TEST [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
2812	svchost.exe	Not Suspicious Traffic	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
2812	svchost.exe	A Network Trojan was detected	MALWARE [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
2812	svchost.exe	A Network Trojan was detected	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
2812	svchost.exe	A Network Trojan was detected	MALWARE [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
2812	svchost.exe	A Network Trojan was detected	MALWARE TEST [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
2812	svchost.exe	A Network Trojan was detected	MALWARE TEST [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
2812	svchost.exe	Not Suspicious Traffic	ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
2812	svchost.exe	A Network Trojan was detected	MALWARE TEST [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)

General Info

SecureMessage.docm

095C4FD66987B268D1690059DEE9CDE4

BF5B0521515A31DC3EE70DF98A02CF93B67B529F

A6BC9CBFA4C7C85D2434395D884991F708F784155E26370DF8DB046B3FEAE02A

1536:2okVYIFnJRHU60S7QotsocLukQkFJq+NiwuwZmaBB8:KFJRjtsJQkCCuHP

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts CMD.EXE for commands execution

Unusual execution from Microsoft Office

Application was dropped or rewritten from another process

Connects to CnC server

TRICKBOT was detected

Stops/Deletes Windows Defender service

Uses SVCHOST.EXE for hidden code execution

Loads the Task Scheduler COM API

Known privilege escalation attack

Trickbot detected

Stealing of credential data

SUSPICIOUS

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Reads the machine GUID from the registry

Application launched itself

Uses RUNDLL32.EXE to load library

Connects to unusual port

Creates files in the user directory

Executes PowerShell scripts

Loads DLL from Mozilla Firefox

Creates files in the program directory

Creates files in the Windows directory

Removes files from Windows directory

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Reads the machine GUID from the registry

Reads settings of System Certificates

Malware configuration

Static information

TRiD

EXIF

ZIP

XML

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections