| File name: | economic relations.doc |
| Full analysis: | https://app.any.run/tasks/1be25f29-b658-4f49-993f-ba8dd2f31a5f |
| Verdict: | Malicious activity |
| Analysis date: | August 25, 2021, 13:40:29 |
| OS: | Windows 10 Professional (build: 16299, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 949, Author: User, Template: Normal.dotm, Last Saved By: User, Revision Number: 6, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Wed Jul 28 01:32:00 2021, Last Saved Time/Date: Wed Jul 28 01:33:00 2021, Number of Pages: 12, Number of Words: 3742, Number of Characters: 21335, Security: 0 |
| MD5: | 9B1CA0408E33C43970B87C4C380B134F |
| SHA1: | 2FADFAEF5179FE69BFECBD9ADEBD8F6A50615FA4 |
| SHA256: | D283A0D5CFED4D212CD76497920CF820472C5F138FD061F25E3CDDF65190283F |
| SSDEEP: | 768:lhfdrQHFZPSu14mEJc1icjEocMBf0Nxi/qNafupsP0ZzB5:45Aoc2uxwq/v5 |
MALICIOUS
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 1864)
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 1864)
Drops executable file immediately after starts
- csc.exe (PID: 1480)
Scans artifacts that could help determine the target
- powershell.exe (PID: 724)
SUSPICIOUS
Checks supported languages
- conhost.exe (PID: 4376)
- cmd.exe (PID: 1324)
- wscript.exe (PID: 1400)
- cmd.exe (PID: 1828)
- conhost.exe (PID: 4416)
- cmd.exe (PID: 3536)
- conhost.exe (PID: 1328)
- cmd.exe (PID: 3484)
- powershell.exe (PID: 724)
- wscript.exe (PID: 4584)
- cvtres.exe (PID: 2792)
- conhost.exe (PID: 3636)
- cmd.exe (PID: 4736)
- expand.exe (PID: 4284)
- csc.exe (PID: 1480)
- cmd.exe (PID: 4748)
Executes scripts
- cmd.exe (PID: 3536)
- wscript.exe (PID: 1400)
Reads the computer name
- wscript.exe (PID: 1400)
- wscript.exe (PID: 4584)
- powershell.exe (PID: 724)
Reads the date of Windows installation
- WINWORD.EXE (PID: 1864)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 3536)
- wscript.exe (PID: 1400)
- powershell.exe (PID: 724)
Reads default file associations for system extensions
- WINWORD.EXE (PID: 1864)
Application launched itself
- cmd.exe (PID: 3536)
- wscript.exe (PID: 1400)
Executes PowerShell scripts
- wscript.exe (PID: 1400)
Executable content was dropped or overwritten
- csc.exe (PID: 1480)
Drops a file with a compile date too recent
- csc.exe (PID: 1480)
INFO
Reads CPU info
- WINWORD.EXE (PID: 1864)
Checks supported languages
- WINWORD.EXE (PID: 1864)
- findstr.exe (PID: 4384)
- findstr.exe (PID: 1036)
- findstr.exe (PID: 4964)
Reads the computer name
- WINWORD.EXE (PID: 1864)
Reads settings of System Certificates
- WINWORD.EXE (PID: 1864)
- powershell.exe (PID: 724)
Checks Windows Trust Settings
- wscript.exe (PID: 1400)
- wscript.exe (PID: 4584)
- powershell.exe (PID: 724)
- WINWORD.EXE (PID: 1864)
Creates files in the user directory
- WINWORD.EXE (PID: 1864)
Reads Environment values
- WINWORD.EXE (PID: 1864)
Reads the software policy settings
- powershell.exe (PID: 724)
- WINWORD.EXE (PID: 1864)
Scans artifacts that could help determine the target
- WINWORD.EXE (PID: 1864)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 1864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| Title: | - |
|---|---|
| Subject: | - |
| Author: | User |
| Keywords: | - |
| Comments: | - |
| Template: | Normal.dotm |
| LastModifiedBy: | User |
| RevisionNumber: | 6 |
| Software: | Microsoft Office Word |
| TotalEditTime: | 1.0 minutes |
| CreateDate: | 2021:07:28 00:32:00 |
| ModifyDate: | 2021:07:28 00:33:00 |
| Pages: | 12 |
| Words: | 3742 |
| Characters: | 21335 |
| Security: | None |
| Company: | - |
| Lines: | 177 |
| Paragraphs: | 50 |
| CharCountWithSpaces: | 25027 |
| AppVersion: | 15 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | - |
| HeadingPairs: |
|
| CodePage: | Windows Korean (Unified Hangul Code) |
| Hyperlinks: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
107
Monitored processes
20
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1864 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\economic relations.doc" /o "" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 16.0.12026.20264 Modules
| |||||||||||||||
| 3536 | cmd /c cd /d %USERPROFILE% && type "C:\Users\admin\Desktop\economic relations.doc" | findstr /r "^var" > y.js && wscript y.js "C:\Users\admin\Desktop\economic relations.doc" | C:\WINDOWS\SYSTEM32\cmd.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4376 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | \??\C:\WINDOWS\system32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1324 | C:\WINDOWS\system32\cmd.exe /S /D /c" type "C:\Users\admin\Desktop\economic relations.doc" " | C:\WINDOWS\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4384 | findstr /r "^var" | C:\WINDOWS\system32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1400 | wscript y.js "C:\Users\admin\Desktop\economic relations.doc" | C:\WINDOWS\system32\wscript.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft � Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 1828 | "C:\Windows\System32\cmd.exe" /c findstr /r "^dHJ5I" "C:\Users\admin\Desktop\economic relations.doc" > temp.txt | C:\Windows\System32\cmd.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4416 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | \??\C:\WINDOWS\system32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 4964 | findstr /r "^dHJ5I" "C:\Users\admin\Desktop\economic relations.doc" | C:\WINDOWS\system32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3484 | "C:\Windows\System32\cmd.exe" /c findstr /r "^QWRkL" "C:\Users\admin\Desktop\economic relations.doc" > temp.txt | C:\Windows\System32\cmd.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
10 064
Read events
9 807
Write events
222
Delete events
35
Modification events
| (PID) Process: | (1864) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling |
| Operation: | write | Name: | 0 |
Value: 017012000000001000284FFA2E04000000000000000500000000000000 | |||
| (PID) Process: | (1864) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\Common\CrashPersistence\WINWORD\1864 |
| Operation: | write | Name: | 0 |
Value: 0B0E1059B7952B449CCE4EA79ADB720BE26AF623004696998CEBECB6E6EB016A0410240044FA5D64A89E01008500A907556E6B6E6F776E00 | |||
| (PID) Process: | (1864) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | en-US |
Value: 2 | |||
| (PID) Process: | (1864) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | de-de |
Value: 2 | |||
| (PID) Process: | (1864) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | fr-fr |
Value: 2 | |||
| (PID) Process: | (1864) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | es-es |
Value: 2 | |||
| (PID) Process: | (1864) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | it-it |
Value: 2 | |||
| (PID) Process: | (1864) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ja-jp |
Value: 2 | |||
| (PID) Process: | (1864) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ko-kr |
Value: 2 | |||
| (PID) Process: | (1864) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | pt-br |
Value: 2 | |||
Executable files
1
Suspicious files
8
Text files
14
Unknown types
8
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1864 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:278DD1EE1FC22EAC53B3CE3898082F65 | SHA256:0A1DA3627C03999BA7440BF737F519F846B2817EA3826A224F43F2426FC30996 | |||
| 1864 | WINWORD.EXE | C:\Users\admin\Desktop\~$onomic relations.doc | pgc | |
MD5:440AC1677D6BD3FC9118EF177515C1F9 | SHA256:24554A2A29BF123D786DEE310BADB28A7257D58449E1A6ECF277DB05DFE91DDB | |||
| 4384 | findstr.exe | C:\Users\admin\y.js | text | |
MD5:3E93E0E991ADC9641910E3EC1F44A5DC | SHA256:7F82540A6B3FC81D581450DBDF7DEC7AD45D2984D3799084B29150BA91C004FD | |||
| 1864 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:E3B55C39FFDF8DDB88A4AAAA1B4D04F8 | SHA256:AEF6910F074BF7E4CE9809D58F1F10D92DA74C1B224FA51023B33D0348EBBB0F | |||
| 724 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1hy3cq2p.pqn.psm1 | text | |
MD5:98950EEB5A59839D9F8B186849B71C50 | SHA256:8F32FB5E538F01D5EA994B4E7285DAA8D7A1E106BC50357744DC5CD9708BD7BA | |||
| 1864 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\economic relations.doc.LNK | lnk | |
MD5:C0EE54F7817872A4BF2A152394000578 | SHA256:DEFB70D106F1812FD66C62F74E61E358ADABD23F3EB99539ECB5B009EF2362EF | |||
| 1828 | cmd.exe | C:\Users\admin\temp.txt | text | |
MD5:1F322F1BFD9DFE0AC531AC2DA9AED3AD | SHA256:BE6D81013E3A3E2B1855EA973ED0B08D77F8FFE96111EC4CA411175566D67C82 | |||
| 1400 | wscript.exe | C:\Users\admin\y.ps1 | text | |
MD5:DB7ED25A92793ABA319C08D67CA8BB17 | SHA256:617F733C05B42048C0399CEEA50D6E342A4935344BAD85BBA2F8215937BC0B83 | |||
| 724 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_abpj4ako.gfb.ps1 | text | |
MD5:98950EEB5A59839D9F8B186849B71C50 | SHA256:8F32FB5E538F01D5EA994B4E7285DAA8D7A1E106BC50357744DC5CD9708BD7BA | |||
| 724 | powershell.exe | C:\Users\admin\AppData\Local\Temp\0aj5fjcr.0.cs | text | |
MD5:60C4D5DD1D227A40FB4BA01716ABA6E2 | SHA256:248CF0409636FE61A22C8EBF50D2A0E01DB609568DED2D5047B0841B09712B99 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
6
DNS requests
7
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1864 | WINWORD.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | US | der | 471 b | whitelisted |
724 | powershell.exe | GET | 403 | 185.176.43.106:80 | http://takemetoyouheart.c1.biz/index.php?user_id=319 | BG | html | 110 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1864 | WINWORD.EXE | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1864 | WINWORD.EXE | 13.107.42.23:443 | config.edge.skype.com | Microsoft Corporation | US | suspicious |
1864 | WINWORD.EXE | 13.69.109.130:443 | self.events.data.microsoft.com | Microsoft Corporation | NL | suspicious |
724 | powershell.exe | 185.176.43.106:80 | takemetoyouheart.c1.biz | Zetta Hosting Solutions LLC. | BG | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
config.edge.skype.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
takemetoyouheart.c1.biz |
| malicious |
ocsp.digicert.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |