analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

102.doc

Full analysis: https://app.any.run/tasks/7ebc1aba-e688-4f49-aff2-83abf427134b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 13, 2019, 19:07:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Locale ID: 1033, Author: mehux, Subject: bkkyxxwr
MD5:

92AFFE4D8C48FAE64216A423A5E0EEF3

SHA1:

2BD485B767E310C7C7DF606E94128CB02501A566

SHA256:

CAE0AAB85465F6EC9376D3CA21C468F8DE98396DC73212D83E25338038EA68A1

SSDEEP:

768:1tcTCiJpsJuaPJwCskJH7knU5/jSZccZ73lDNTO9y:nsNpsJNPZF4q/jSSUVD9O9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • felldistanceyearshipmentminorityplastics.exe (PID: 868)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2620)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2620)

    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 2620)

  • SUSPICIOUS

    • Application launched itself

      • TOPTOP~2.EXE (PID: 2980)
      • TOPTOP~2.EXE (PID: 1432)
      • TOPTOP~2.EXE (PID: 2532)
      • TOPTOP~2.EXE (PID: 1840)
      • TOPTOP~2.EXE (PID: 2164)
      • TOPTOP~2.EXE (PID: 2064)
      • TOPTOP~2.EXE (PID: 4028)
      • TOPTOP~2.EXE (PID: 3988)
      • TOPTOP~2.EXE (PID: 2116)
      • TOPTOP~2.EXE (PID: 1780)
      • TOPTOP~2.EXE (PID: 1732)
      • TOPTOP~2.EXE (PID: 3564)
      • TOPTOP~2.EXE (PID: 2128)
      • TOPTOP~2.EXE (PID: 3292)
      • TOPTOP~2.EXE (PID: 4000)
      • TOPTOP~2.EXE (PID: 1876)
      • TOPTOP~2.EXE (PID: 2852)
      • TOPTOP~2.EXE (PID: 3336)
      • TOPTOP~2.EXE (PID: 3604)
      • TOPTOP~2.EXE (PID: 2084)
      • TOPTOP~2.EXE (PID: 3396)
      • TOPTOP~2.EXE (PID: 1028)
      • TOPTOP~2.EXE (PID: 1048)
      • TOPTOP~2.EXE (PID: 2392)
      • TOPTOP~2.EXE (PID: 1200)
      • TOPTOP~2.EXE (PID: 2224)
      • TOPTOP~2.EXE (PID: 2232)
      • TOPTOP~2.EXE (PID: 2976)
      • TOPTOP~2.EXE (PID: 2332)
      • TOPTOP~2.EXE (PID: 3512)
      • TOPTOP~2.EXE (PID: 1784)
      • TOPTOP~2.EXE (PID: 1928)
      • TOPTOP~2.EXE (PID: 2104)
      • TOPTOP~2.EXE (PID: 2568)
      • TOPTOP~2.EXE (PID: 3356)
      • TOPTOP~2.EXE (PID: 1088)
      • TOPTOP~2.EXE (PID: 2968)
      • TOPTOP~2.EXE (PID: 3276)
      • TOPTOP~2.EXE (PID: 3376)
      • TOPTOP~2.EXE (PID: 2380)
      • TOPTOP~2.EXE (PID: 2328)
      • TOPTOP~2.EXE (PID: 3016)
      • TOPTOP~2.EXE (PID: 1444)
      • TOPTOP~2.EXE (PID: 2812)
      • TOPTOP~2.EXE (PID: 3076)
      • TOPTOP~2.EXE (PID: 3548)
      • TOPTOP~2.EXE (PID: 592)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2620)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

EXIF

FlashPix

Subject: bkkyxxwr
Author: mehux
LocaleIndicator: 1033
CodePage: Windows Latin 1 (Western European)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
84
Monitored processes
50
Malicious processes
1
Suspicious processes
38

Behavior graph

Click at the process to see the details
drop and start start winword.exe felldistanceyearshipmentminorityplastics.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs toptop~2.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2620"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\102.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
868"C:\Users\admin\AppData\Local\Temp\felldistanceyearshipmentminorityplastics.exe" C:\Users\admin\AppData\Local\Temp\felldistanceyearshipmentminorityplastics.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
11.00.17763.1 (WinBuild.160101.0800)
2532C:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXEC:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXEfelldistanceyearshipmentminorityplastics.exe
User:
admin
Company:
caPCOM
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.02.0005
2980C:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXEC:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXETOPTOP~2.EXE
User:
admin
Company:
caPCOM
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.02.0005
2164C:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXEC:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXETOPTOP~2.EXE
User:
admin
Company:
caPCOM
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.02.0005
1432C:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXEC:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXETOPTOP~2.EXE
User:
admin
Company:
caPCOM
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.02.0005
1840C:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXEC:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXETOPTOP~2.EXE
User:
admin
Company:
caPCOM
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.02.0005
2064C:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXEC:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXETOPTOP~2.EXE
User:
admin
Company:
caPCOM
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.02.0005
4028C:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXEC:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXETOPTOP~2.EXE
User:
admin
Company:
caPCOM
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.02.0005
1780C:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXEC:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXETOPTOP~2.EXE
User:
admin
Company:
caPCOM
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.02.0005
Total events
981
Read events
821
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
47
Text files
49
Unknown types
3

Dropped files

PID
Process
Filename
Type
2620WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRD1D0.tmp.cvr
MD5:
SHA256:
2620WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF900C07CC8FFF92B4.TMP
MD5:
SHA256:
2620WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFBD5A88E66C10CDE6.TMP
MD5:
SHA256:
2620WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF92D70AFDC8F4176F.TMP
MD5:
SHA256:
2620WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF2D11B3FD541E08EF.TMP
MD5:
SHA256:
2620WINWORD.EXEC:\Users\admin\AppData\Local\Temp\msoE8D3.tmp
MD5:
SHA256:
2620WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF6A71B51967910B89.TMP
MD5:
SHA256:
2620WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFD3598920F5FFBC9D.TMP
MD5:
SHA256:
2620WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3D0C8983.png
MD5:
SHA256:
868felldistanceyearshipmentminorityplastics.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\TOPTOP~2.EXE
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2620
WINWORD.EXE
GET
200
104.244.76.73:80
http://1xv4.com/due.jpg
US
executable
1.17 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2620
WINWORD.EXE
104.244.76.73:80
1xv4.com
FranTech Solutions
US
malicious

DNS requests

Domain
IP
Reputation
1xv4.com
  • 104.244.76.73
malicious

Threats

PID
Process
Class
Message
2620
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2620
WINWORD.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2620
WINWORD.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
102.doc