File name:

investments.doc

Full analysis: https://app.any.run/tasks/b2f2a7e3-7922-417f-adf4-67d7a1304eb2
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 01, 2020, 21:02:06
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags:
macros
macros-on-open
loader
zloader
ZLoader
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

9F7AD143A94843AA7EAFEC20BA5B3F33

SHA1:

848F7A4EE5798214F2008C39CEF6C8CBBA99CB79

SHA256:

BAEC947561E13D9143176E394069929B7CB98C7B56755106B0BC38A3BE1C9B73

SSDEEP:

1536:cZdvsp/VRnnYHNSooakuCr2a3qg0qGApJT7/0d7GZPrFB0Mwk/MDuWRor:wvUVJYHwo3e3VJj7vPrFixk/+Ror

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 4580)

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 4580)

    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 4580)

    • Executes PowerShell scripts

      • cmd.exe (PID: 2944)

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 5884)

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 5672)

  • SUSPICIOUS

    • Executes scripts

      • cmd.exe (PID: 2944)

    • Executable content was dropped or overwritten

      • cscript.exe (PID: 5520)
      • msiexec.exe (PID: 5672)

    • Reads the machine GUID from the registry

      • cscript.exe (PID: 5520)
      • powershell.exe (PID: 976)
      • msiexec.exe (PID: 5672)
      • SpeechRuntime.exe (PID: 5720)
      • backgroundTaskHost.exe (PID: 5396)

    • Uses RUNDLL32.EXE to load library

      • powershell.exe (PID: 976)
      • rundll32.exe (PID: 3988)

    • Uses NETSTAT.EXE to discover network connections

      • cmd.exe (PID: 2944)

    • Creates files in the user directory

      • msiexec.exe (PID: 5672)
      • SystemSettings.exe (PID: 756)

    • Executed via COM

      • ApplicationFrameHost.exe (PID: 5952)
      • RuntimeBroker.exe (PID: 2376)
      • backgroundTaskHost.exe (PID: 5396)
      • SystemSettings.exe (PID: 756)
      • SpeechRuntime.exe (PID: 5720)

    • Checks supported languages

      • SystemSettings.exe (PID: 756)
      • backgroundTaskHost.exe (PID: 5396)

  • INFO

    • Reads Environment values

      • WINWORD.EXE (PID: 4580)

    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 4580)
      • cscript.exe (PID: 5520)
      • powershell.exe (PID: 976)
      • msiexec.exe (PID: 5672)

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 4580)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 4580)

    • Reads the software policy settings

      • WINWORD.EXE (PID: 4580)
      • cscript.exe (PID: 5520)
      • powershell.exe (PID: 976)
      • msiexec.exe (PID: 5672)

    • Scans artifacts that could help determine the target

      • WINWORD.EXE (PID: 4580)

    • Dropped object may contain Bitcoin addresses

      • cscript.exe (PID: 5520)
      • msiexec.exe (PID: 5672)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 4580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x3f450766
ZipCompressedSize: 399
ZipUncompressedSize: 1503
ZipFileName: [Content_Types].xml

XML

Template: Normal
TotalEditTime: 5 minutes
Pages: 1
Words: -
Characters: 1
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
HeadingPairs:
  • Title
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 1
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
Keywords: -
LastModifiedBy: fjqowisuqwodi
RevisionNumber: 4
CreateDate: 2020:04:01 14:10:00Z
ModifyDate: 2020:04:01 15:12:00Z

XMP

Title: -
Subject: -
Creator: fjqowisuqwodi
Description: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
105
Monitored processes
15
Malicious processes
2
Suspicious processes
4

Behavior graph

Click at the process to see the details
start winword.exe cmd.exe no specs conhost.exe no specs cscript.exe powershell.exe no specs rundll32.exe no specs rundll32.exe no specs tracert.exe no specs netstat.exe no specs msiexec.exe applicationframehost.exe no specs systemsettings.exe no specs runtimebroker.exe no specs backgroundtaskhost.exe no specs speechruntime.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
708TRACERT https://www.marketwatch.com/investingC:\WINDOWS\system32\TRACERT.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Traceroute Command
Exit code:
1
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tracert.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
756"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanelC:\Windows\ImmersiveControlPanel\SystemSettings.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Settings
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\immersivecontrolpanel\systemsettings.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
820NETSTATC:\WINDOWS\system32\NETSTAT.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Netstat Command
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netstat.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\snmpapi.dll
976powershell -C Sleep -s 3;rundll32 C:\Datainv\inVe.dll, DllRegisterServerC:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2376C:\Windows\System32\RuntimeBroker.exe -EmbeddingC:\Windows\System32\RuntimeBroker.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Runtime Broker
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runtimebroker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\sechost.dll
2944C:\WINDOWS\system32\cmd.exe /c c:\Datainv\scrpt.batC:\WINDOWS\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3988"C:\WINDOWS\system32\rundll32.exe" C:\Datainv\inVe.dll DllRegisterServerC:\WINDOWS\system32\rundll32.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
4580"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\investments.doc" /o ""C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
16.0.12026.20264
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
5396"C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mcaC:\WINDOWS\system32\backgroundTaskHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Background Task Host
Exit code:
1
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtaskhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
5400\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\WINDOWS\system32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
Total events
4 362
Read events
3 860
Write events
457
Delete events
45

Modification events

(PID) Process:(4580) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:0
Value:
017012000000001000284FFA2E02000000000000000500000000000000
(PID) Process:(4580) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\Common\CrashPersistence\WINWORD\4580
Operation:writeName:0
Value:
0B0E1089B24B0013F6D44D89686CBD7BE8B7AB230046CDFBCAEF8D8D82EB016A0410240044FA5D64A89E01008500A907556E6B6E6F776EC9062E2237746A7531514A7270614A676C575A3133564B5831454135496D464B2F5649644A30497A464862453674383D2200
(PID) Process:(4580) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(4580) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(4580) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(4580) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(4580) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(4580) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
(PID) Process:(4580) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ko-kr
Value:
2
(PID) Process:(4580) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:pt-br
Value:
2
Executable files
2
Suspicious files
2
Text files
140
Unknown types
6

Dropped files

PID
Process
Filename
Type
4580WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PKXQNZONOHRNCSBYLANT.temp
MD5:
SHA256:
4580WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z7UL4CZD6H0V2WSO59YG.temp
MD5:
SHA256:
4580WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EA7E554F.png
MD5:
SHA256:
4580WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF7F2F9765A184E3FE.TMP
MD5:
SHA256:
4580WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF8ECC325E27A83FF6.TMP
MD5:
SHA256:
4580WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{87558749-35C6-46EC-9D01-87D35FFB7115}.tmp
MD5:
SHA256:
4580WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{780ABCBE-7104-4220-9C93-E983E80CBB53}.tmp
MD5:
SHA256:
4580WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-shm
MD5:
SHA256:
4580WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5:
SHA256:
4580WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\investments.doc.LNKlnk
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
8
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4580
WINWORD.EXE
GET
304
20.191.48.196:443
https://settings-win-ppe.data.microsoft.com/settings/v2.0/Storage/StorageHealthEvaluation?os=Windows&deviceClass=Windows.Desktop&appVer=1.0.0.0
US
whitelisted
4580
WINWORD.EXE
POST
162.255.119.253:443
https://105711.com/docs.php
US
malicious
4580
WINWORD.EXE
GET
200
13.107.3.128:443
https://config.edge.skype.com/config/v2/Office/word/16.0.12026.20264/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.12026.20264&MsoVersion=16.0.12026.20194&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7b004BB289-F613-4DD4-8968-6CBD7BE8B7AB%7d&LabMachine=false
US
text
84.7 Kb
malicious
4580
WINWORD.EXE
POST
162.255.119.253:443
https://105711.com/docs.php
US
malicious
4580
WINWORD.EXE
POST
162.255.119.253:443
https://105711.com/docs.php
US
malicious
4580
WINWORD.EXE
GET
200
94.103.84.245:443
https://foodsgoodforliver.com/invest_20.dll
RU
executable
453 Kb
suspicious
4580
WINWORD.EXE
POST
200
40.122.160.14:443
https://self.events.data.microsoft.com/OneCollector/1.0/
US
text
9 b
whitelisted
4580
WINWORD.EXE
POST
200
40.122.160.14:443
https://self.events.data.microsoft.com/OneCollector/1.0/
US
text
9 b
whitelisted
4580
WINWORD.EXE
POST
200
40.122.160.14:443
https://self.events.data.microsoft.com/OneCollector/1.0/
US
text
9 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4580
WINWORD.EXE
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
5520
cscript.exe
94.103.84.245:443
foodsgoodforliver.com
RU
malicious
5672
msiexec.exe
162.255.119.253:443
105711.com
Namecheap, Inc.
US
malicious
1920
svchost.exe
20.191.48.196:443
settings-win-ppe.data.microsoft.com
Microsoft Corporation
US
unknown
162.255.119.253:443
105711.com
Namecheap, Inc.
US
malicious
4580
WINWORD.EXE
40.122.160.14:443
self.events.data.microsoft.com
Microsoft Corporation
US
unknown

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.3.128
malicious
self.events.data.microsoft.com
  • 40.122.160.14
  • 52.114.128.43
whitelisted
foodsgoodforliver.com
  • 94.103.84.245
suspicious
2.1.168.192.in-addr.arpa
suspicious
128.3.107.13.in-addr.arpa
unknown
14.160.122.40.in-addr.arpa
unknown
settings-win-ppe.data.microsoft.com
  • 20.191.48.196
whitelisted
105711.com
  • 162.255.119.253
  • 185.141.24.57
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
investments.doc