analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://cdn.discordapp.com/attachments/758045142044246116/767775339169579068/application.doc

Full analysis: https://app.any.run/tasks/cb22642c-211c-42d2-a911-406221c37242
Verdict: Malicious activity
Analysis date: October 19, 2020, 20:42:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

3196410BB5B8D140AF2616CD3D87E264

SHA1:

A5337284E26FB6EB34B51D996B9F7D9983AF59FE

SHA256:

BBE74BFB03373E1A01C291B530655FA7549207B4092A63B96508F9AFA8BADB1D

SSDEEP:

3:N8cCWdy6//jdhRRXRTNpSStcUw8VJYMQAG:2cry6XjPRRgSHVJ6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • payload.exe (PID: 3708)
      • payload.exe (PID: 2968)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3432)
    • Executes PowerShell scripts

      • cmd.exe (PID: 3488)
      • cmd.exe (PID: 3188)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3432)
    • Actions looks like stealing of personal data

      • payload.exe (PID: 3708)
      • payload.exe (PID: 2968)
    • Changes the autorun value in the registry

      • payload.exe (PID: 3708)
      • payload.exe (PID: 2968)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3528)
      • powershell.exe (PID: 2776)
      • payload.exe (PID: 2968)
      • payload.exe (PID: 3708)
    • Creates files in the user directory

      • powershell.exe (PID: 3528)
      • powershell.exe (PID: 2776)
    • Application launched itself

      • WINWORD.EXE (PID: 3432)
    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 3432)
      • chrome.exe (PID: 2880)
  • INFO

    • Reads Internet Cache Settings

      • chrome.exe (PID: 2880)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3432)
      • WINWORD.EXE (PID: 3412)
    • Reads the hosts file

      • chrome.exe (PID: 2880)
      • chrome.exe (PID: 2540)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3432)
    • Application launched itself

      • chrome.exe (PID: 2880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
58
Monitored processes
20
Malicious processes
6
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs winword.exe no specs winword.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe powershell.exe chrome.exe no specs payload.exe payload.exe regasm.exe regasm.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2880"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://cdn.discordapp.com/attachments/758045142044246116/767775339169579068/application.doc"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3716"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6f6aa9d0,0x6f6aa9e0,0x6f6aa9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3004"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2884 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2272"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1000,3804236469292357242,14782796014547117598,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=6925058546748486004 --mojo-platform-channel-handle=1016 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
2540"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1000,3804236469292357242,14782796014547117598,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=643551237141332904 --mojo-platform-channel-handle=1536 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2676"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,3804236469292357242,14782796014547117598,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10527615689641371722 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2272 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
3376"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,3804236469292357242,14782796014547117598,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8637892800914944143 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
1564"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,3804236469292357242,14782796014547117598,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1275720488908176077 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2248 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3432"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\application.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEchrome.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3412"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Total events
4 163
Read events
3 343
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
23
Text files
62
Unknown types
7

Dropped files

PID
Process
Filename
Type
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5F8DFA2F-B40.pma
MD5:
SHA256:
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\26b91def-efcc-434b-bf12-87968d28388c.tmp
MD5:
SHA256:
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000046.dbtmp
MD5:
SHA256:
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old
MD5:
SHA256:
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF1655d5.TMPtext
MD5:D55489ED6031D8B188E37B0B59F5CED3
SHA256:365B01D1B3333E366EEA50106551AAC8721156CB2572C173E2F501D8255093F4
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:745FF98D6EB320D6A946D4C43E8D3317
SHA256:558AE8B06570B9C63A72F515E6CD288BCA67368A23E349B625D8B1B7E42E9918
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old~RF165652.TMPtext
MD5:C5C3F347BDC11EA7A5BF62BCEA89896F
SHA256:EAE604A1C662FF82AD4B2D1056179FD77587159FDD7F1674404C0465E0610BC1
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:D55489ED6031D8B188E37B0B59F5CED3
SHA256:365B01D1B3333E366EEA50106551AAC8721156CB2572C173E2F501D8255093F4
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:4AFC066387D33D5264F8E796393B223B
SHA256:BB3E0F925E883318FB09FC498CACEA57F0F71548C9D42FF07634DC30D87F2D86
2880chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF1655f4.TMPtext
MD5:4AFC066387D33D5264F8E796393B223B
SHA256:BB3E0F925E883318FB09FC498CACEA57F0F71548C9D42FF07634DC30D87F2D86
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
18
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3528
powershell.exe
GET
200
87.121.98.55:80
http://87.121.98.55/loader.html
BG
text
115 Kb
suspicious
2776
powershell.exe
GET
200
87.121.98.55:80
http://87.121.98.55/loader.html
BG
text
115 Kb
suspicious
2968
payload.exe
GET
200
87.121.98.55:80
http://87.121.98.55/update.html
BG
text
26 b
suspicious
2968
payload.exe
GET
200
87.121.98.55:80
http://87.121.98.55/payload.html
BG
text
10.9 Mb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2540
chrome.exe
162.159.134.233:443
cdn.discordapp.com
Cloudflare Inc
shared
2540
chrome.exe
216.58.205.238:443
sb-ssl.google.com
Google Inc.
US
whitelisted
2540
chrome.exe
216.58.212.173:443
accounts.google.com
Google Inc.
US
whitelisted
2540
chrome.exe
172.217.23.99:443
ssl.gstatic.com
Google Inc.
US
whitelisted
3528
powershell.exe
87.121.98.55:80
Tamatiya EOOD
BG
suspicious
2540
chrome.exe
162.159.130.233:443
cdn.discordapp.com
Cloudflare Inc
shared
2776
powershell.exe
87.121.98.55:80
Tamatiya EOOD
BG
suspicious
3708
payload.exe
87.121.98.55:80
Tamatiya EOOD
BG
suspicious
216.58.212.173:443
accounts.google.com
Google Inc.
US
whitelisted
2968
payload.exe
87.121.98.55:80
Tamatiya EOOD
BG
suspicious

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.22.3
whitelisted
cdn.discordapp.com
  • 162.159.134.233
  • 162.159.130.233
  • 162.159.133.233
  • 162.159.135.233
  • 162.159.129.233
shared
accounts.google.com
  • 216.58.212.173
shared
sb-ssl.google.com
  • 216.58.205.238
whitelisted
ssl.gstatic.com
  • 172.217.23.99
whitelisted

Threats

PID
Process
Class
Message
2776
powershell.exe
Misc activity
ET POLICY EXE Base64 Encoded potential malware
2776
powershell.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable base64 Payload
3528
powershell.exe
Misc activity
ET POLICY EXE Base64 Encoded potential malware
3528
powershell.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable base64 Payload
2968
payload.exe
Misc activity
SUSPICIOUS [PTsecurity] Encoded PKZip to Base64 Data
3708
payload.exe
Misc activity
SUSPICIOUS [PTsecurity] Encoded PKZip to Base64 Data
No debug info