File name:

инструкция_ркн.doc (Russian; transliterated: instruction_rkn.doc)

Full analysis: https://app.any.run/tasks/b6e6eff3-385f-49a3-ade6-a1fb14b85a1e
Verdict: Malicious activity
Analysis date: April 01, 2023, 16:20:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
ole-embedded
macros-on-open
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: x, Template: Normal.dotm, Last Saved By: atel, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Mar 18 03:43:00 2022, Last Saved Time/Date: Fri Mar 18 15:20:00 2022, Number of Pages: 1, Number of Words: 99, Number of Characters: 570, Security: 0
MD5:

341610A5A0CC430F99F9F9BD694B04A9

SHA1:

9B520D709CEE6C57FBABA38F38A667B0B0691E86

SHA256:

C7DD490ADB297B7F529950778B5A426E8068EA2DF58BE5D8FD49FE55B5331E28

SSDEEP:

24576:0Ltxfb5+PfLYk1eMavV4luzEMjor4Ln+oDSMrWRHeNDoH+sN7rUziacva0FmLZe+:0LtRbA7Yk1laewzjfCoDSM6xeNsH+Vc8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2992)
    • Starts POWERSHELL.EXE for commands execution

      • WINWORD.EXE (PID: 2368)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2992)
    • Microsoft Office executes commands via PowerShell or Cmd

      • WINWORD.EXE (PID: 2368)
    • Unusual execution from MS Office

      • WINWORD.EXE (PID: 2368)
  • SUSPICIOUS

    • The process executes Powershell scripts

      • WINWORD.EXE (PID: 2368)
    • The process hides an interactive prompt from the user

      • WINWORD.EXE (PID: 2368)
    • The process hides Powershell's copyright startup banner

      • WINWORD.EXE (PID: 2368)
    • Unusual connection from system programs

      • powershell.exe (PID: 2992)
    • Reads the Internet Settings

      • powershell.exe (PID: 2992)
  • INFO

    • The process uses the downloaded file

      • WINWORD.EXE (PID: 2368)
    • The process checks LSA protection

      • powershell.exe (PID: 2992)
    • Create files in a temporary directory

      • powershell.exe (PID: 2992)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 2992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Lines: 4
Paragraphs: 1
Pages: 1
Characters: 570
Words: 99
TotalEditTime: -
RevisionNumber: 2
LastPrinted: 0000:00:00 00:00:00
CompObjUserType: ???????? Microsoft Word 97-2003
CompObjUserTypeLen: 32
HeadingPairs:
  • Название (Russian: "Title")
  • 1
  • Title
  • 1
TitleOfParts:
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
CharCountWithSpaces: 668
Company: -
CodePage: Windows Cyrillic
Security: None
ModifyDate: 2022:03:18 15:20:00
CreateDate: 2022:03:18 03:43:00
Software: Microsoft Office Word
LastModifiedBy: atel
Template: Normal.dotm
Comments: -
Keywords: -
Author: x
Subject: -
Title: -
Word97: No
System: Windows
DocFlags: Has picture, 1Table, ExtChar
LanguageCode: Russian
Identification: Word 8.0
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph

explorer.exe -> WINWORD.EXE (PID 2368, no specs) -> powershell.exe (PID 2992)

Process information

PID: 2368
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\инструкция_ркн.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators: -
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2992
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NoLogo -WindowStyle Hidden -NonInteractive -f c:\users\admin\appdata\roaming\microsoft\templates\HkvWahS6osjcp1g.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators: -
Parent process: WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\atl.dll
c:\windows\system32\rpcrt4.dll
Total events: 8 670
Read events: 7 742
Write events: 636
Delete events: 292

Modification events

(PID) Process: (2368) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033, 1041, 1046, 1036, 1031, 1040, 1049, 3082, 1042, 1055
Value: On (for each name)

These ten writes are Word enabling its language-resource LCIDs on first launch in a fresh profile (1033 en-US, 1041 ja-JP, 1046 pt-BR, 1036 fr-FR, 1031 de-DE, 1040 it-IT, 1049 ru-RU, 3082 es-ES, 1042 ko-KR, 1055 tr-TR). They are application housekeeping, not a change made by the macro, and none of the listed writes come from powershell.exe.
Executable files: 0
Suspicious files: 8
Text files: 6
Unknown types: 10

Dropped files

PID 2368, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\CVRF0E8.tmp.cvr (type: -; MD5: -; SHA256: -)
PID 2368, WINWORD.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Templates\HkvWahS6osjcp1g.ps1 (type: text; MD5: -; SHA256: -)
PID 2368, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\~$струкция_ркн.doc (type: pgc; MD5: -; SHA256: -)
PID 2368, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\9sIAWssbW73TcYG.W4x9LosInhvOjtI:Zone.Identifier (type: text; MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B; SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913)
PID 2368, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\~WRL0001.tmp (type: document; MD5: -; SHA256: -)
PID 2368, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\9sIAWssbW73TcYG.W4x9LosInhvOjtI (type: text; MD5: -; SHA256: -)
PID 2368, WINWORD.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BCA8ECCC.emf (type: emf; MD5: -; SHA256: -)
PID 2368, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\инструкция_ркн.doc (type: document; MD5: -; SHA256: -)
PID 2992, powershell.exe: C:\Users\admin\AppData\Local\Temp\tdhqj0gg.1xu.ps1 (type: binary; MD5: C4CA4238A0B923820DCC509A6F75849B; SHA256: -)
PID 2368, WINWORD.EXE: C:\Users\admin\AppData\Local\Temp\~DF7F42F9E06F56BF96.TMP (type: gmc; MD5: BF619EAC0CDF3F68D496EA9344137E8B; SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560)

Of these, the attacker-controlled artifact is HkvWahS6osjcp1g.ps1: the WINWORD.EXE process (the macro) writes it into the user's Office Templates folder and then passes that exact path to powershell.exe with -f (see the process list). The randomly named 9sIAWssbW73TcYG.W4x9LosInhvOjtI file in %TEMP%, also written by WINWORD.EXE, carries a Zone.Identifier alternate data stream (mark-of-the-web), so it was staged as downloaded content. The tdhqj0gg.1xu.ps1 file written by powershell.exe has MD5 C4CA4238A0B923820DCC509A6F75849B, which is the MD5 of the one-byte string "1"; that matches PowerShell's own start-up probe, which writes a throwaway script containing "1" to test whether script execution is locked down, so it is not payload. The remaining entries (the ~$ owner file, ~WRL and ~DF temporaries, the CVR crash-report file and the Content.MSO EMF) are ordinary Word housekeeping.
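An added detection example (my code, not ANY.RUN's or the sample's) covering the powershell.exe launch in the Process information section and the HkvWahS6osjcp1g.ps1 dropped-file entry above: it tokenises the Windows command line, resolves PowerShell's abbreviated switches (-ex, -f, -w and the like), flags the traits the signatures list (Office parent, execution-policy bypass, hidden window, suppressed prompt and banner, script under the Office Templates folder), and correlates the -f path with the file-create event from WINWORD.EXE. The report's PIDs, paths and command line are reused as constructed records; the comparison launches (PIDs 4100 and 5120, C:\Scripts\nightly-backup.ps1, the cmd.exe launch) and the switch-prefix table are assumptions.

```python
"""Added example, not part of the ANY.RUN report: a detection for the Office ->
PowerShell chain recorded above, run over constructed records shaped like the
fields of Sysmon Event ID 1 (process create) and Event ID 11 (file create)."""
import re
from collections import namedtuple

ProcessEvent = namedtuple("ProcessEvent", "pid image command_line parent_image")
FileEvent = namedtuple("FileEvent", "pid image path")

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Canonical switch -> shortest prefix powershell.exe accepts for it (assumed from the
# console host's prefix-matching rules; "ep" and "ec" are stand-alone aliases there).
SWITCHES = {"executionpolicy": "ex", "ep": "ep", "windowstyle": "w", "noninteractive": "noni",
            "nologo": "nol", "noprofile": "nop", "file": "f", "command": "c",
            "encodedcommand": "e", "ec": "ec"}
ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}
VALUED = {"executionpolicy", "windowstyle", "file", "command", "encodedcommand"}
TEMPLATES_DIR = re.compile(r"\\appdata\\roaming\\microsoft\\templates\\", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokenize_windows_cmdline(cmd):
    """Split a Windows command line, keeping double-quoted spans as one token."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def canonical_switch(token):
    """Map '-ex', '-w', '-NoLogo', '/f' ... to the full switch name, else None."""
    if not token.startswith(("-", "/")):
        return None
    key = token.lstrip("-/").lower()
    for name, shortest in SWITCHES.items():
        if name.startswith(key) and key.startswith(shortest):
            return ALIASES.get(name, name)
    return None


def parse_powershell_args(tokens):
    """Return {switch: value-or-True}; tokens[0] is the image path."""
    opts, i = {}, 1
    while i < len(tokens):
        switch = canonical_switch(tokens[i])
        if switch in VALUED and i + 1 < len(tokens):
            opts[switch] = tokens[i + 1]
            i += 2
        else:
            opts[switch or tokens[i]] = True
            i += 1
    return opts


def evaluate(proc, file_events=()):
    """List the suspicious traits of one PowerShell launch (empty if none)."""
    findings = []
    if basename(proc.image) not in POWERSHELL_IMAGES:
        return findings
    parent = basename(proc.parent_image)
    if parent in OFFICE_IMAGES:
        findings.append(f"office-parent:{parent}")
    opts = parse_powershell_args(tokenize_windows_cmdline(proc.command_line))
    if str(opts.get("executionpolicy", "")).lower() in {"bypass", "unrestricted"}:
        findings.append("executionpolicy-bypass")
    if str(opts.get("windowstyle", "")).lower().startswith("h"):  # 'hidden' or just 'h'
        findings.append("hidden-window")
    if opts.get("noninteractive") or opts.get("nologo"):
        findings.append("prompt-and-banner-suppressed")
    if "encodedcommand" in opts:
        findings.append("encoded-command")
    script = opts.get("file")
    if isinstance(script, str):
        if TEMPLATES_DIR.search(script):
            findings.append("script-in-office-templates-dir")
        # Strongest link: the very file passed to -f was written by an Office process.
        for fe in file_events:
            if fe.path.lower() == script.lower() and basename(fe.image) in OFFICE_IMAGES:
                findings.append(f"script-dropped-by:{basename(fe.image)}:{fe.pid}")
    return findings


def is_office_spawned_powershell(proc, file_events=()):
    """Alert only when an Office parent is combined with at least two other traits."""
    f = evaluate(proc, file_events)
    return any(x.startswith("office-parent:") for x in f) and len(f) >= 3


# Constructed records: the first two reproduce the report's process and dropped-file
# tables; the other two are made-up comparison launches (hypothetical PIDs and paths).
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WINWORD_EXE = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
REPORT_DROP = FileEvent(2368, WINWORD_EXE,
                        r"C:\Users\admin\AppData\Roaming\Microsoft\Templates\HkvWahS6osjcp1g.ps1")
REPORT_LAUNCH = ProcessEvent(2992, PS_EXE, f'"{PS_EXE}" -ex bypass -NoLogo -WindowStyle Hidden '
                             r"-NonInteractive -f c:\users\admin\appdata\roaming\microsoft\templates\HkvWahS6osjcp1g.ps1",
                             WINWORD_EXE)
ADMIN_LAUNCH = ProcessEvent(4100, PS_EXE, f'"{PS_EXE}" -NoProfile -File C:\\Scripts\\nightly-backup.ps1',
                            r"C:\Windows\explorer.exe")
CMD_LAUNCH = ProcessEvent(5120, PS_EXE, "powershell.exe -ep bypass -w hidden -enc SQBFAFgAIAAnAGQAZQBtAG8AJwA=",
                          r"C:\Windows\System32\cmd.exe")

if __name__ == "__main__":
    for ev in (REPORT_LAUNCH, ADMIN_LAUNCH, CMD_LAUNCH):
        flag = "ALERT" if is_office_spawned_powershell(ev, [REPORT_DROP]) else "info "
        print(flag, ev.pid, evaluate(ev, [REPORT_DROP]))
```

Run as a script, the report's launch prints ALERT with six traits (Office parent, bypass, hidden window, suppressed prompt and banner, script under Templates, script dropped by winword.exe PID 2368); the admin script prints no traits; the cmd.exe launch lists bypass, hidden window and encoded command but does not alert, because the parent is not an Office binary. The correlation with the file-create event is what separates this chain from an administrator running PowerShell from a Word add-in: the script executed is the one the document process itself just wrote.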
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 1

HTTP requests

No HTTP requests

Connections

PID 2992, powershell.exe -> 99.83.154.118:443 (swordoke.com), ASN: AMAZON-02, country: US, reputation: malicious

The only network activity in the run is this one DNS resolution and one TCP session to port 443 from the script-running powershell.exe; no plaintext HTTP was observed, so the content of that session is not available in this summary.

DNS requests

swordoke.com -> 99.83.154.118 (reputation: malicious)

Threats

PID: -
Process: -
Class: Domain Observed Used for C2 Detected
Message: ET MALWARE Win32/Backdoor Related Domain in DNS Lookup (swordoke .com)
No debug info