File name: инструкция_ркн.doc
Full analysis: https://app.any.run/tasks/b6e6eff3-385f-49a3-ade6-a1fb14b85a1e
Verdict: Malicious activity
Analysis date: April 01, 2023, 16:20:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, ole-embedded, macros-on-open, generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: x, Template: Normal.dotm, Last Saved By: atel, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Mar 18 03:43:00 2022, Last Saved Time/Date: Fri Mar 18 15:20:00 2022, Number of Pages: 1, Number of Words: 99, Number of Characters: 570, Security: 0
MD5: 341610A5A0CC430F99F9F9BD694B04A9
SHA1: 9B520D709CEE6C57FBABA38F38A667B0B0691E86
SHA256: C7DD490ADB297B7F529950778B5A426E8068EA2DF58BE5D8FD49FE55B5331E28
SSDEEP: 24576:0Ltxfb5+PfLYk1eMavV4luzEMjor4Ln+oDSMrWRHeNDoH+sN7rUziacva0FmLZe+:0LtRbA7Yk1laewzjfCoDSM6xeNsH+Vc8
ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Run PowerShell with an invisible window
      • powershell.exe (PID: 2992)
    • Bypass execution policy to execute commands
      • powershell.exe (PID: 2992)
    • Starts POWERSHELL.EXE for command execution
      • WINWORD.EXE (PID: 2368)
    • Microsoft Office executes commands via PowerShell or Cmd
      • WINWORD.EXE (PID: 2368)
    • Unusual execution from MS Office
      • WINWORD.EXE (PID: 2368)
  • SUSPICIOUS
    • The process hides an interactive prompt from the user
      • WINWORD.EXE (PID: 2368)
    • The process executes PowerShell scripts
      • WINWORD.EXE (PID: 2368)
    • The process hides PowerShell's copyright startup banner
      • WINWORD.EXE (PID: 2368)
    • Reads the Internet Settings
      • powershell.exe (PID: 2992)
    • Unusual connection from system programs
      • powershell.exe (PID: 2992)
  • INFO
    • The process uses the downloaded file
      • WINWORD.EXE (PID: 2368)
    • The process checks LSA protection
      • powershell.exe (PID: 2992)
    • Creates files in a temporary directory
      • powershell.exe (PID: 2992)
    • Reads security settings of Internet Explorer
      • powershell.exe (PID: 2992)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Lines: 4
Paragraphs: 1
Pages: 1
Characters: 570
Words: 99
TotalEditTime: -
RevisionNumber: 2
LastPrinted: 0000:00:00 00:00:00
CompObjUserType: ???????? Microsoft Word 97-2003
CompObjUserTypeLen: 32
HeadingPairs:
  • Название
  • 1
  • Title
  • 1
TitleOfParts:
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
CharCountWithSpaces: 668
Company: -
CodePage: Windows Cyrillic
Security: None
ModifyDate: 2022:03:18 15:20:00
CreateDate: 2022:03:18 03:43:00
Software: Microsoft Office Word
LastModifiedBy: atel
Template: Normal.dotm
Comments: -
Keywords: -
Author: x
Subject: -
Title: -
Word97: No
System: Windows
DocFlags: Has picture, 1Table, ExtChar
LanguageCode: Russian
Identification: Word 8.0
All screenshots are available in the full report
Total processes: 39
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start -> winword.exe -> powershell.exe

Process information

PID: 2368
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\инструкция_ркн.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
Modules (images):
  • c:\program files\microsoft office\office14\winword.exe
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID: 2992
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NoLogo -WindowStyle Hidden -NonInteractive -f c:\users\admin\appdata\roaming\microsoft\templates\HkvWahS6osjcp1g.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
  • c:\windows\system32\windowspowershell\v1.0\powershell.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\atl.dll
  • c:\windows\system32\rpcrt4.dll
Total events: 8 670
Read events: 7 742
Write events: 636
Delete events: 292

Modification events

(PID) Process: (2368) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: Value
  • 1033: On
  • 1041: On
  • 1046: On
  • 1036: On
  • 1031: On
  • 1040: On
  • 1049: On
  • 3082: On
  • 1042: On
  • 1055: On
Executable files: 0
Suspicious files: 8
Text files: 6
Unknown types: 10

Dropped files

All entries below were dropped by PID 2368 (WINWORD.EXE).

  • Filename: C:\Users\admin\AppData\Local\Temp\CVRF0E8.tmp.cvr
    Type: -
    MD5: -
    SHA256: -
  • Filename: C:\Users\admin\AppData\Local\Temp\~$струкция_ркн.doc
    Type: pgc
    MD5: 338C4F18A85211ED435C240E7A9F0A5A
    SHA256: 04C50A033BBA15453C33BFCB98AD61033B492344F8AC229FEACFC6E301201020
  • Filename: C:\Users\admin\AppData\Local\Temp\9sIAWssbW73TcYG.W4x9LosInhvOjtI
    Type: text
    MD5: 4D499B6D7B4106C52E650607CD9E25E7
    SHA256: 9D4640BDE3DAF44CC4258EB5F294CA478306AA5268C7D314FC5019CF783041F0
  • Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\HkvWahS6osjcp1g.ps1
    Type: text
    MD5: 4D499B6D7B4106C52E650607CD9E25E7
    SHA256: 9D4640BDE3DAF44CC4258EB5F294CA478306AA5268C7D314FC5019CF783041F0
  • Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BCA8ECCC.emf
    Type: emf
    MD5: 0FB0C90DCF08AC747BEC44252E5004D9
    SHA256: A85A18205F2B05042921FC19BFC6D4A04A7A1E7A56F74EFBD5A4D13B36F54E69
  • Filename: C:\Users\admin\AppData\Local\Temp\инструкция_ркн.doc
    Type: document
    MD5: 627B5B0972CBB7A97A9A1E7EA0674A8C
    SHA256: 9A5C90CCF1CE03E7C8A95AD51350FDF819F0816DB78B76586FC6D8B5D22CF297
  • Filename: C:\Users\admin\AppData\Local\Temp\~WRL0001.tmp
    Type: document
    MD5: 341610A5A0CC430F99F9F9BD694B04A9
    SHA256: C7DD490ADB297B7F529950778B5A426E8068EA2DF58BE5D8FD49FE55B5331E28
  • Filename: C:\Users\admin\AppData\Local\Temp\~DF7F42F9E06F56BF96.TMP
    Type: gmc
    MD5: BF619EAC0CDF3F68D496EA9344137E8B
    SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
  • Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    Type: pgc
    MD5: D6B9E37780A881ABC68E64DB5E2F6E8F
    SHA256: B96DAF2C8DC81081707312C0B41675CCF52A9A383969777B6991E1E51A5C4885
  • Filename: C:\Users\admin\AppData\Local\Temp\9sIAWssbW73TcYG.W4x9LosInhvOjtI:Zone.Identifier
    Type: text
    MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
    SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
Download the PCAP and analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 2992
Process: powershell.exe
IP: 99.83.154.118:443
Domain: swordoke.com
ASN: AMAZON-02
CN: US
Reputation: malicious

DNS requests

Domain: swordoke.com
IP: 99.83.154.118
Reputation: malicious

Threats

Class: Domain Observed Used for C2 Detected
Message: ET MALWARE Win32/Backdoor Related Domain in DNS Lookup (swordoke .com)
No debug info