analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

info_10_08.doc

Full analysis: https://app.any.run/tasks/afbf6c50-935b-4351-abc1-096ec0ec1f95
Verdict: Malicious activity
Analysis date: October 14, 2019, 09:19:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
maldoc-3
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Spooler 57E6E608-E20C-4D9C-BBBB-02C926DDB06E, Subject: 5571236c-bbbf-4c58-ac78-13abbd2f85ec, Comments: xl oggtclfnd, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 25 19:51:00 2018, Last Saved Time/Date: Mon Oct 14 10:18:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

D9B39F0D77F27FCA0AFDA8A429787335

SHA1:

7406721896698120B29076B527751FA955A7382D

SHA256:

C600C544FAEB7F2B4285A7D688D9C59A84630A0E19F871F96AA6E7584DC5D1A0

SSDEEP:

768:oRLlh5XGHEE7Z4VA8RzdUyL+Fhg2A6v3jYRmYN2a5scftDmlyxHp:uLFkFO+D1pjYN2A4yZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes scripts

      • WINWORD.EXE (PID: 2200)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2200)
    • Changes settings of System certificates

      • WScript.exe (PID: 2580)
      • WScript.exe (PID: 1048)
  • SUSPICIOUS

    • Creates files in the Windows directory

      • WINWORD.EXE (PID: 2200)
    • Adds / modifies Windows certificates

      • WScript.exe (PID: 1048)
      • WScript.exe (PID: 2580)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2200)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
TitleOfParts:
  • Spooler 57E6E608-E20C-4D9C-BBBB-02C926DDB06E
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 14
CharCountWithSpaces: 1
Paragraphs: 1
Lines: 1
Bytes: 27648
Company: -
Manager: -
CodePage: Unicode (UTF-8)
Security: None
Characters: 1
Words: -
Pages: 1
ModifyDate: 2019:10:14 09:18:00
CreateDate: 2018:04:25 18:51:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: xl oggtclfnd
Keywords: -
Author: -
Subject: 5571236c-bbbf-4c58-ac78-13abbd2f85ec
Title: Spooler 57E6E608-E20C-4D9C-BBBB-02C926DDB06E
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs wscript.exe wscript.exe wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
2200"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\info_10_08.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1048"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\rzhgbzpdmk.js" C:\Windows\System32\WScript.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
2580"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\rzhgbzpdmk.js" C:\Windows\System32\WScript.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3328"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\rzhgbzpdmk.js" C:\Windows\System32\WScript.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Total events
2 030
Read events
1 134
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
2200WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA459.tmp.cvr
MD5:
SHA256:
3328WScript.exeC:\Users\admin\AppData\Local\Temp\Cab5039.tmp
MD5:
SHA256:
3328WScript.exeC:\Users\admin\AppData\Local\Temp\Tar503A.tmp
MD5:
SHA256:
3328WScript.exeC:\Users\admin\AppData\Local\Temp\Cab504A.tmp
MD5:
SHA256:
3328WScript.exeC:\Users\admin\AppData\Local\Temp\Tar504B.tmp
MD5:
SHA256:
3328WScript.exeC:\Users\admin\AppData\Local\Temp\Cab5211.tmp
MD5:
SHA256:
3328WScript.exeC:\Users\admin\AppData\Local\Temp\Tar5212.tmp
MD5:
SHA256:
3328WScript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015compressed
MD5:93871E1433144C58CAB0DEDDD1D46925
SHA256:3193F3035A4F457D66BAB3048880AAC2EB8557027F6373E606D4621609AF1068
2200WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:339D8CCD7F0F323DB8CC4FAE45364B3D
SHA256:62844C7FDB29483B850A832956640C2DC3334A1812DEDF41B3684FCA3D98F879
3328WScript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015binary
MD5:A98D54F3FBE4821C814EA0AFBC1F5BA8
SHA256:27217A1061BE40DFA18FD5650050C625AC2AABE9CCBE6400F704034A73FAC091
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
32
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1048
WScript.exe
GET
45.132.19.133:80
http://thachastew.com/Lwos.php
unknown
suspicious
3328
WScript.exe
GET
45.132.19.133:80
http://thachastew.com/Lwos.php
unknown
suspicious
3328
WScript.exe
GET
200
13.107.4.50:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
57.0 Kb
whitelisted
3328
WScript.exe
GET
200
13.107.4.50:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/F9B5B632455F9CBEEC575F80DCE96E2CC7B278B7.crt
US
der
848 b
whitelisted
2580
WScript.exe
GET
45.132.19.133:80
http://thachastew.com/Lwos.php
unknown
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2580
WScript.exe
104.109.84.249:443
docs.microsoft.com
Akamai International B.V.
NL
whitelisted
1048
WScript.exe
104.109.84.249:443
docs.microsoft.com
Akamai International B.V.
NL
whitelisted
3328
WScript.exe
104.109.84.249:443
docs.microsoft.com
Akamai International B.V.
NL
whitelisted
3328
WScript.exe
184.30.217.76:443
www.trendmicro.com
Akamai International B.V.
NL
unknown
3328
WScript.exe
13.107.4.50:80
www.download.windowsupdate.com
Microsoft Corporation
US
whitelisted
1048
WScript.exe
184.30.217.76:443
www.trendmicro.com
Akamai International B.V.
NL
unknown
2580
WScript.exe
184.30.217.76:443
www.trendmicro.com
Akamai International B.V.
NL
unknown
2580
WScript.exe
45.132.19.133:80
thachastew.com
suspicious
3328
WScript.exe
45.132.19.133:80
thachastew.com
suspicious
1048
WScript.exe
45.132.19.133:80
thachastew.com
suspicious

DNS requests

Domain
IP
Reputation
docs.microsoft.com
  • 104.109.84.249
whitelisted
www.trendmicro.com
  • 184.30.217.76
whitelisted
www.download.windowsupdate.com
  • 13.107.4.50
whitelisted
prehedrolo.com
unknown
thachastew.com
  • 45.132.19.133
suspicious

Threats

No threats detected
No debug info