File name: bf126c2c8f7d4263c78f4b97857912a3c1e87c73fee3f18095d58ef5053f2959.doc

Full analysis: https://app.any.run/tasks/7349c0a2-4c1e-44fb-abec-5085dfa023c2
Verdict: Malicious activity
Analysis date: October 14, 2019, 08:15:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: macros, macros-on-open
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: DB51F2715C81C4357D11D69AC96BF582
SHA1: 7C53694B3478D4342BA593FB4CD70D3841B40D6A
SHA256: BF126C2C8F7D4263C78F4B97857912A3C1E87C73FEE3F18095D58EF5053F2959
SSDEEP: 384:JrCYRPkd4HzqD4rLG0a2j57la6PWqtA5P5P5P5P57XSvfB7f3REcwmtWuOW3myik:MYRMd4zE4XGF2jhBtzntmcFtWuO1k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executes scripts
      • WINWORD.EXE (PID: 2568)
    • Loads the Task Scheduler COM API
      • schtasks.exe (PID: 1760)
      • mmc.exe (PID: 2352)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 2568)
    • Uses Task Scheduler to run other applications
      • WScript.exe (PID: 2628)
  • SUSPICIOUS
    • Creates files in the program directory
      • WINWORD.EXE (PID: 2568)
      • WScript.exe (PID: 2628)
    • Reads the machine GUID from the registry
      • WScript.exe (PID: 2628)
      • WScript.exe (PID: 3024)
      • WScript.exe (PID: 1928)
      • mmc.exe (PID: 2352)
      • WScript.exe (PID: 476)
    • Executed via Task Scheduler
      • WScript.exe (PID: 3024)
      • WScript.exe (PID: 1928)
      • WScript.exe (PID: 476)
  • INFO
    • Manual execution by user
      • mmc.exe (PID: 2996)
      • mmc.exe (PID: 2352)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2568)
    • Reads settings of System Certificates
      • WScript.exe (PID: 2628)
      • WScript.exe (PID: 3024)
      • WScript.exe (PID: 1928)
      • WScript.exe (PID: 476)
    • Reads the machine GUID from the registry
      • WINWORD.EXE (PID: 2568)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2568)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x33c89c7f
ZipCompressedSize: 446
ZipUncompressedSize: 1615
ZipFileName: [Content_Types].xml

XML

Template: Normal.dotm
TotalEditTime: 5.2 hours
Pages: 3
Words: 11
Characters: 66
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
HeadingPairs:
  • Title
  • 1
  • العنوان
  • 1
TitlesOfParts:
Company: -
LinksUpToDate: No
CharactersWithSpaces: 76
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
Keywords: -
LastModifiedBy: Windows User
RevisionNumber: 69
CreateDate: 2017:04:18 09:38:00Z
ModifyDate: 2019:09:10 08:23:00Z

XMP

Title: -
Subject: -
Creator: TOOL
Description: -
No data.
All screenshots are available in the full report
Total processes: 63
Monitored processes: 8
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph (image not included in this report): winword.exe, wscript.exe, schtasks.exe, mmc.exe, mmc.exe, wscript.exe, wscript.exe, wscript.exe

Process information

PID: 2568
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\bf126c2c8f7d4263c78f4b97857912a3c1e87c73fee3f18095d58ef5053f2959.doc.docm"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.5123.5000

PID: 2628
CMD: "C:\Windows\System32\WScript.exe" "C:\programdata\Micorsoft\Microsoft.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 1760
CMD: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn Chorme /F /tr C:\ProgramData\GoogleChrome.vbs
Path: C:\Windows\System32\schtasks.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2996
CMD: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
Path: C:\Windows\system32\mmc.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Management Console
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2352
CMD: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
Path: C:\Windows\system32\mmc.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Management Console
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3024
CMD: C:\Windows\System32\WScript.exe "C:\ProgramData\GoogleChrome.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 476
CMD: C:\Windows\System32\WScript.exe "C:\ProgramData\GoogleChrome.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 1928
CMD: C:\Windows\System32\WScript.exe "C:\ProgramData\GoogleChrome.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

Total events: 2 105
Read events: 1 354
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 0
Text files: 5
Unknown types: 3

Dropped files

PID: 2568 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Local\Temp\CVR3A95.tmp.cvr | Type: -
MD5: -
SHA256: -

PID: 2568 | Process: WINWORD.EXE | Filename: C:\programdata\Micorsoft\Microsoft.vbs | Type: text
MD5: 520DA22971D3494DC3BE609EF74F22E3
SHA256: FF28CB1E1C299F39B7B72AEE3B0817A22B1718B2C4014A2A4E9C9028EA8FAA5D

PID: 2568 | Process: WINWORD.EXE | Filename: C:\Users\admin\Desktop\~$126c2c8f7d4263c78f4b97857912a3c1e87c73fee3f18095d58ef5053f2959.doc.docm | Type: pgc
MD5: 9F03406723CE9F3111A2CFAC673CB036
SHA256: 65B5400D20516D6007B9DACD0DE3DDDC9034C0CC578158318891BDEF75EBE919

PID: 2568 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\bf126c2c8f7d4263c78f4b97857912a3c1e87c73fee3f18095d58ef5053f2959.doc.docm.LNK | Type: lnk
MD5: 47722FE043EA2FC8431417E82061D57E
SHA256: C589A96AA31594ACC9F784B5EA9907667E757E61BCB2568C643A8EC6CA1B645C

PID: 2568 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | Type: text
MD5: 2DA121643D5E90A16EAAE3F123784CF4
SHA256: 60D2A3DBFBBA130BE2A5206D902FDB8F92F514079EFC42775032D7EF2B462373

PID: 2628 | Process: WScript.exe | Filename: C:\ProgramData\GoogleChrome.vbs | Type: text
MD5: B76F5F87364FA71559FFC14573420DA4
SHA256: 9451A110F75CBC3B66AF5ACB11A07A8D5E20E15E5487292722E695678272BCA7

PID: 2568 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryAR0401.lex | Type: text
MD5: F3B25701FE362EC84616A93A45CE9998
SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2628 | WScript.exe | GET | 200 | 45.15.168.118:443 | https://dapoerwedding.com/GoogleChrome.vbs | unknown | text | 1.06 Kb | malicious
1928 | WScript.exe | GET | 404 | 45.15.168.118:443 | https://dapoerwedding.com/GoogleChrome.msi | unknown | html | 280 b | malicious
476 | WScript.exe | GET | 404 | 45.15.168.118:443 | https://dapoerwedding.com/GoogleChrome.msi | unknown | html | 280 b | malicious
3024 | WScript.exe | GET | 404 | 45.15.168.118:443 | https://dapoerwedding.com/GoogleChrome.msi | unknown | html | 280 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2628 | WScript.exe | 45.15.168.118:443 | dapoerwedding.com | - | - | malicious
476 | WScript.exe | 45.15.168.118:443 | dapoerwedding.com | - | - | malicious
1928 | WScript.exe | 45.15.168.118:443 | dapoerwedding.com | - | - | malicious
3024 | WScript.exe | 45.15.168.118:443 | dapoerwedding.com | - | - | malicious

(ASN and CN were not recorded for these connections.)

DNS requests

Domain | IP | Reputation
dapoerwedding.com | 45.15.168.118 | malicious

Threats

No threats detected

Process | Message
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn