analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

C37ED90B11B277ADA5CC16671052962A85E4B2CAD61079E45655A2A680C1C93E.docx

Full analysis: https://app.any.run/tasks/95b98794-7813-44d5-bccd-6bc3913b48df
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: November 14, 2018, 23:10:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
opendir
trojan
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

93C3E76659E7893FCEF5F63EF1AFC403

SHA1:

BB162586C1A1FAF0D5544F8223748E5ECA6F623E

SHA256:

C37ED90B11B277ADA5CC16671052962A85E4B2CAD61079E45655A2A680C1C93E

SSDEEP:

384:TQeNh+wS115Wp39FG6F7//o5wMAqNciBph:OwAk9GAycGP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 3172)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3172)

    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 3172)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x344b4b79
ZipCompressedSize: 398
ZipUncompressedSize: 1474
ZipFileName: [Content_Types].xml

XMP

Creator: Olachi

XML

LastModifiedBy: Olachi
RevisionNumber: 2
CreateDate: 2018:11:08 13:02:00Z
ModifyDate: 2018:11:08 13:02:00Z
Template: Normal.dotm
TotalEditTime: -
Pages: 1
Words: 10
Characters: 61
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
HeadingPairs:
  • Title
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 70
SharedDoc: No
HyperlinksChanged: No
AppVersion: 14
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe

Process information

PID
CMD
Path
Indicators
Parent process
3172"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\C37ED90B11B277ADA5CC16671052962A85E4B2CAD61079E45655A2A680C1C93E.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Total events
1 252
Read events
886
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
26
Text files
9
Unknown types
3

Dropped files

PID
Process
Filename
Type
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9ABE.tmp.cvr
MD5:
SHA256:
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{8DD2CC4B-8A83-498C-97D9-3938F8C14A57}
MD5:
SHA256:
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{A19B7908-1469-4026-A653-50C08944629E}
MD5:
SHA256:
3172WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B2D7B6C4.doc
MD5:
SHA256:
3172WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D0F7D72.doc
MD5:
SHA256:
3172WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{A521AAF3-6F33-401D-A5B7-7757B26F8028}.FSDbinary
MD5:9CBA964E20E7D7892004AA83D1D12DAE
SHA256:6BD6E0855B49F469DF2ACFA0B5CCDDB4FCFAFE465F5D94D266D993AE7A7930B2
3172WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDbinary
MD5:D267082A8161DE534FC011E849555D96
SHA256:B5EF3F50A196596F78735F9D39BF3B0ED382A375E2F11A24C737D143DB62CFBB
3172WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:24529289AA3960403449DC3AC33DE94A
SHA256:5F5DF6B9D2D4C6783F245B129BC63C6B1162E7A17A9F826A7C7A17F42C9D99F5
3172WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:EC564778416A9044826F739AD10375CF
SHA256:CC3266B071933269ACC13E96D4F790189AC068B788BBA7F86EF90B7FBF4EB723
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$7ED90B11B277ADA5CC16671052962A85E4B2CAD61079E45655A2A680C1C93E.docxpgc
MD5:7F6339747766F02B157547DD2C66902F
SHA256:D077CB873919FA96B85A9BDA26B14986A405E798C1F3CCA40811707D84A5377B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
33
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3172
WINWORD.EXE
GET
304
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
suspicious
3172
WINWORD.EXE
GET
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
text
10.3 Kb
suspicious
3172
WINWORD.EXE
HEAD
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
suspicious
3172
WINWORD.EXE
HEAD
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
suspicious
3172
WINWORD.EXE
GET
304
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
suspicious
3172
WINWORD.EXE
HEAD
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
text
10.3 Kb
suspicious
3172
WINWORD.EXE
GET
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.hta
RU
html
2.29 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3172
WINWORD.EXE
104.28.14.54:443
urlz.fr
Cloudflare Inc
US
shared
968
svchost.exe
104.28.14.54:443
urlz.fr
Cloudflare Inc
US
shared
3172
WINWORD.EXE
31.184.198.161:80
Petersburg Internet Network ltd.
RU
suspicious

DNS requests

Domain
IP
Reputation
urlz.fr
  • 104.28.14.54
  • 104.28.15.54
shared

Threats

PID
Process
Class
Message
3172
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS CVE-2017-0199 Common Obfus Stage 2 DL
3172
WINWORD.EXE
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTA application download
3172
WINWORD.EXE
Potentially Bad Traffic
ET POLICY Possible HTA Application Download
3172
WINWORD.EXE
Attempted User Privilege Gain
ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
3172
WINWORD.EXE
Attempted User Privilege Gain
ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
C37ED90B11B277ADA5CC16671052962A85E4B2CAD61079E45655A2A680C1C93E.docx