analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | contract.doc |
| Full analysis: | https://app.any.run/tasks/32bb32f2-d990-4379-ba5b-6e8592b3ecf3 |
| Verdict: | Malicious activity |
| Analysis date: | November 08, 2019, 14:23:42 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: teGo, Subject: zBOI, Author: oma, Template: Normal, Last Saved By: J, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Nov 8 11:46:00 2019, Last Saved Time/Date: Fri Nov 8 11:46:00 2019, Number of Pages: 1, Number of Words: 6, Number of Characters: 37, Security: 0 |
| MD5: | 16EAA81ACBACBC05DF0DFC281FFEA6FD |
| SHA1: | 7C26CAEDD364BEE425E399F648E88989A8B9DD14 |
| SHA256: | AF39CF1F4A5F6D3F96CFC56F18C7E7DA91A109D76CF1DF9C5662DFC7540A1B93 |
| SSDEEP: | 12288:CRQ6X9GDapmo7H+9vo4karcaXv2CAwz0NASBY196ID+9F52:CRQ6tlX/4kc/vAi0NASi65N2 |
MALICIOUS
Loads dropped or rewritten executable
- WINWORD.EXE (PID: 2580)
Executable content was dropped or overwritten
- WINWORD.EXE (PID: 2580)
SUSPICIOUS
No suspicious indicators.INFO
Creates files in the user directory
- WINWORD.EXE (PID: 2580)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| CompObjUserType: | Microsoft Word 97-2003 Document |
|---|---|
| CompObjUserTypeLen: | 32 |
| AYIoa: | $gKlc;^sWyKs?Og=JD~A.1c7=BEP%8~ |
| CodePage: | Windows Latin 1 (Western European) |
| HeadingPairs: |
|
| TitleOfParts: | - |
| HyperlinksChanged: | No |
| SharedDoc: | No |
| LinksUpToDate: | No |
| ScaleCrop: | No |
| AppVersion: | 16 |
| CharCountWithSpaces: | 42 |
| Paragraphs: | 1 |
| Lines: | 1 |
| Bytes: | 97508 |
| Company: | - |
| Security: | None |
| Characters: | 37 |
| Words: | 6 |
| Pages: | 1 |
| ModifyDate: | 2019:11:08 11:46:00 |
| CreateDate: | 2019:11:08 11:46:00 |
| TotalEditTime: | - |
| Software: | Microsoft Office Word |
| RevisionNumber: | 2 |
| LastModifiedBy: | J |
| Template: | Normal |
| Comments: | - |
| Keywords: | - |
| Author: | oma |
| Subject: | zBOI |
| Title: | teGo |
Total processes
36
Monitored processes
1
Malicious processes
0
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2580 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\contract.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
Total events
926
Read events
717
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
3
Text files
0
Unknown types
5
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA8FC.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRD0000.tmp | — | |
MD5:— | SHA256:— | |||
| 2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$demem.docx.zip | — | |
MD5:— | SHA256:— | |||
| 2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRD0001.tmp | — | |
MD5:— | SHA256:— | |||
| 2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ntract.doc | pgc | |
MD5:0C276C28FEBD2A6418A897BEBC0A9000 | SHA256:F5B242A605CC101AD999AB6E6C15625DCAE867E6418AD94E284507D1D559BF1D | |||
| 2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\oleObject1.bin | binary | |
MD5:D146162D6096A48C2A4EACE2ABD8697A | SHA256:138E2370CDCEAF9CF06A7F906A33831BB0C16523853864AF069FA473312D866B | |||
| 2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8707F6C3.emf | emf | |
MD5:FB3981532125928BB4E7E59661FB0744 | SHA256:7B2D4BC5CE523C483E756AC65AAD9678CC1FCB6D183EBA4A9977EEE320ADD207 | |||
| 2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\videmem.docx | document | |
MD5:6374606EF0C17BEA279A1D47541219ED | SHA256:D7DED6F1CE6BCA6CA13DA7B447CC441A81C94F45DDE0F3F6F78DBB5E0E165150 | |||
| 2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:026AFBE4E2835025DDB1A72DEB1BBC73 | SHA256:F6CAB3C6239AB4A236952EFFF3A7AD0B3034F2C4A4876A668866165C09F613E0 | |||
| 2580 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\videmem.docx.zip | document | |
MD5:EA60E8476043FCB1C1A68555F3274E67 | SHA256:D0A99E29B032CC9270D0BBB306A5ACC1A6CBF527CDC770A0419B767FF0E09816 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2580 | WINWORD.EXE | 195.123.246.12:443 | microsoft-hub-us.com | — | UA | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
microsoft-hub-us.com |
| unknown |