File name:

ccc.doc

Full analysis: https://app.any.run/tasks/d959fecc-fa01-4b3d-9068-a136b42c7692
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: November 15, 2018, 02:55:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
opendir
trojan
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

93C3E76659E7893FCEF5F63EF1AFC403

SHA1:

BB162586C1A1FAF0D5544F8223748E5ECA6F623E

SHA256:

C37ED90B11B277ADA5CC16671052962A85E4B2CAD61079E45655A2A680C1C93E

SSDEEP:

384:TQeNh+wS115Wp39FG6F7//o5wMAqNciBph:OwAk9GAycGP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 2004)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2004)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2004)

    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 2004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x344b4b79
ZipCompressedSize: 398
ZipUncompressedSize: 1474
ZipFileName: [Content_Types].xml

XMP

Creator: Olachi

XML

LastModifiedBy: Olachi
RevisionNumber: 2
CreateDate: 2018:11:08 13:02:00Z
ModifyDate: 2018:11:08 13:02:00Z
Template: Normal.dotm
TotalEditTime: -
Pages: 1
Words: 10
Characters: 61
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
HeadingPairs:
  • Title
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 70
SharedDoc: No
HyperlinksChanged: No
AppVersion: 14
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
31
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe

Process information

PID
CMD
Path
Indicators
Parent process
2004"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ccc.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
Total events
429
Read events
368
Write events
53
Delete events
8

Modification events

(PID) Process:(2004) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:1,c
Value:
312C6300D4070000010000000000000000000000
(PID) Process:(2004) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2004) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2004) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1299120143
(PID) Process:(2004) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1299120256
(PID) Process:(2004) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1299120257
(PID) Process:(2004) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
D40700001433AABE8E7CD40100000000
(PID) Process:(2004) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:i-c
Value:
692D6300D407000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2004) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:i-c
Value:
692D6300D407000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2004) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
0
Suspicious files
27
Text files
7
Unknown types
3

Dropped files

PID
Process
Filename
Type
2004WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA091.tmp.cvr
MD5:
SHA256:
2004WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{565ACAAD-EE1F-4D46-845B-F5B0943FBE0E}
MD5:
SHA256:
2004WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{3548CEF4-18A5-4E82-8A02-8E66F98FD3AE}
MD5:
SHA256:
2004WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\512CC70.doc
MD5:
SHA256:
2004WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14EADE92.emfemf
MD5:
SHA256:
2004WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@urlz[1].txttext
MD5:
SHA256:
2004WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:
SHA256:
2004WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$ccc.docpgc
MD5:
SHA256:
2004WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{29FADB15-45DE-44DA-B429-9C4563790098}.FSDbinary
MD5:
SHA256:
2004WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E37A9BFE.doctext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
29
DNS requests
1
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2004
WINWORD.EXE
GET
304
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
suspicious
2004
WINWORD.EXE
HEAD
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
suspicious
2004
WINWORD.EXE
GET
304
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
suspicious
2004
WINWORD.EXE
HEAD
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
suspicious
2004
WINWORD.EXE
GET
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
text
10.3 Kb
suspicious
2004
WINWORD.EXE
HEAD
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
text
10.3 Kb
suspicious
2004
WINWORD.EXE
GET
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.hta
RU
html
2.29 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2004
WINWORD.EXE
104.28.14.54:443
urlz.fr
Cloudflare Inc
US
shared
980
svchost.exe
104.28.14.54:443
urlz.fr
Cloudflare Inc
US
shared
2004
WINWORD.EXE
31.184.198.161:80
Petersburg Internet Network ltd.
RU
suspicious

DNS requests

Domain
IP
Reputation
urlz.fr
  • 104.28.14.54
  • 104.28.15.54
shared

Threats

PID
Process
Class
Message
2004
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS CVE-2017-0199 Common Obfus Stage 2 DL
2004
WINWORD.EXE
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTA application download
2004
WINWORD.EXE
Potentially Bad Traffic
ET POLICY Possible HTA Application Download
2004
WINWORD.EXE
Attempted User Privilege Gain
ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ccc.doc