File name: инструкция_ркн.doc
Full analysis: https://app.any.run/tasks/9280b2bb-d295-41a2-8d4f-ba22c389bf17
Verdict: Malicious activity
Analysis date: April 01, 2023, 16:22:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, ole-embedded, macros-on-open, generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: x, Template: Normal.dotm, Last Saved By: atel, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Mar 18 03:43:00 2022, Last Saved Time/Date: Fri Mar 18 15:20:00 2022, Number of Pages: 1, Number of Words: 99, Number of Characters: 570, Security: 0
MD5: 341610A5A0CC430F99F9F9BD694B04A9
SHA1: 9B520D709CEE6C57FBABA38F38A667B0B0691E86
SHA256: C7DD490ADB297B7F529950778B5A426E8068EA2DF58BE5D8FD49FE55B5331E28
SSDEEP: 24576:0Ltxfb5+PfLYk1eMavV4luzEMjor4Ln+oDSMrWRHeNDoH+sN7rUziacva0FmLZe+:0LtRbA7Yk1laewzjfCoDSM6xeNsH+Vc8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Bypass execution policy to execute commands
      • powershell.exe (PID: 3400)
    • Microsoft Office executes commands via PowerShell or Cmd
      • WINWORD.EXE (PID: 2588)
    • Run PowerShell with an invisible window
      • powershell.exe (PID: 3400)
    • Starts POWERSHELL.EXE for command execution
      • WINWORD.EXE (PID: 2588)
    • Unusual execution from MS Office
      • WINWORD.EXE (PID: 2588)
  • SUSPICIOUS
    • The process executes PowerShell scripts
      • WINWORD.EXE (PID: 2588)
    • Reads the Internet Settings
      • powershell.exe (PID: 3400)
    • The process hides PowerShell's copyright startup banner
      • WINWORD.EXE (PID: 2588)
    • The process hides an interactive prompt from the user
      • WINWORD.EXE (PID: 2588)
    • Unusual connection from system programs
      • powershell.exe (PID: 3400)
  • INFO
    • The process uses the downloaded file
      • WINWORD.EXE (PID: 2588)
    • Creates files in a temporary directory
      • powershell.exe (PID: 3400)
    • The process checks LSA protection
      • powershell.exe (PID: 3400)
    • Reads security settings of Internet Explorer
      • powershell.exe (PID: 3400)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Identification: Word 8.0
LanguageCode: Russian
DocFlags: Has picture, 1Table, ExtChar
System: Windows
Word97: No
Title: -
Subject: -
Author: x
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: atel
Software: Microsoft Office Word
CreateDate: 2022:03:18 03:43:00
ModifyDate: 2022:03:18 15:20:00
Security: None
CodePage: Windows Cyrillic
Company: -
CharCountWithSpaces: 668
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
HeadingPairs:
  • Название
  • 1
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Документ Microsoft Word 97-2003
LastPrinted: 0000:00:00 00:00:00
RevisionNumber: 2
TotalEditTime: -
Words: 99
Characters: 570
Pages: 1
Paragraphs: 1
Lines: 4
Total processes: 38
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start → winword.exe → powershell.exe

Process information

PID: 2588
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\инструкция_ркн.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
Modules (images):
  • c:\program files\microsoft office\office14\winword.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 3400
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NoLogo -WindowStyle Hidden -NonInteractive -f c:\users\admin\appdata\roaming\microsoft\templates\HkvWahS6osjcp1g.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
  • c:\windows\system32\windowspowershell\v1.0\powershell.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\atl.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\lpk.dll
Total events: 8 898
Read events: 7 978
Write events: 636
Delete events: 284

Modification events

(PID) Process: (2588) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write (one write per value name)
Name: 1033, 1041, 1046, 1036, 1031, 1040, 1049, 3082, 1042, 1055
Value: On
Executable files: 0
Suspicious files: 10
Text files: 6
Unknown types: 10

Dropped files

PID 2588, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\CVRF83B.tmp.cvr
  Type: -
  MD5: -
  SHA256: -
PID 2588, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C1D89D97.emf
  Type: emf
  MD5: 0FB0C90DCF08AC747BEC44252E5004D9
  SHA256: A85A18205F2B05042921FC19BFC6D4A04A7A1E7A56F74EFBD5A4D13B36F54E69
PID 2588, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\~$струкция_ркн.doc
  Type: pgc
  MD5: 0F768B7958CE69E1EAD8B8FB312E097E
  SHA256: ECD399450383DAEF2B35D6F77447BD3BBE981CE11CD1B16C226C012D7F817574
PID 2588, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\9sIAWssbW73TcYG.W4x9LosInhvOjtI
  Type: text
  MD5: 4D499B6D7B4106C52E650607CD9E25E7
  SHA256: 9D4640BDE3DAF44CC4258EB5F294CA478306AA5268C7D314FC5019CF783041F0
PID 2588, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\HkvWahS6osjcp1g.ps1
  Type: text
  MD5: 4D499B6D7B4106C52E650607CD9E25E7
  SHA256: 9D4640BDE3DAF44CC4258EB5F294CA478306AA5268C7D314FC5019CF783041F0
PID 2588, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\инструкция_ркн.doc
  Type: document
  MD5: 829D043907530BDC628010A97A290EAC
  SHA256: DEC57189534E569A8AB0F8A7D1E7EB0335ABB459A039EAD90C9414A2D92643A8
PID 2588, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\~DFA789B68BA867843F.TMP
  Type: gmc
  MD5: BF619EAC0CDF3F68D496EA9344137E8B
  SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
PID 3400, powershell.exe
  Filename: C:\Users\admin\AppData\Local\Temp\mfmwenh1.5lc.psm1
  Type: binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
PID 3400, powershell.exe
  Filename: C:\Users\admin\AppData\Local\Temp\nmts14s5.bxz.ps1
  Type: binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
PID 2588, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\9sIAWssbW73TcYG.W4x9LosInhvOjtI:Zone.Identifier
  Type: text
  MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
  SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3400
Process: powershell.exe
IP: 99.83.154.118:443
Domain: swordoke.com
ASN: AMAZON-02
CN: US
Reputation: malicious

DNS requests

Domain: swordoke.com
IP: 99.83.154.118
Reputation: malicious

Threats

Class: Domain Observed Used for C2 Detected
Message: ET MALWARE Win32/Backdoor Related Domain in DNS Lookup (swordoke .com)

PID: 3400
Process: powershell.exe
Class: Domain Observed Used for C2 Detected
Message: ET MALWARE Observed Win32/Backdoor Related Domain (swordoke .com in TLS SNI)
No debug info