analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

1d7753da26919b5ebe311139ddf5c6f1.doc

Full analysis: https://app.any.run/tasks/8545db43-c747-405c-9321-21ea96a94602
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 11, 2019, 01:47:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-close
opendir
loader
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: admin, Template: Normal.dotm, Last Saved By: venkatesh irkal, Revision Number: 15, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Mon Oct 16 21:38:00 2017, Last Saved Time/Date: Thu Jan 10 06:50:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

1D7753DA26919B5EBE311139DDF5C6F1

SHA1:

F6C6DB613123BB5F48723C828DB012FAB413713C

SHA256:

D35BF32EB9D9C9B5140572AE01CC263B2DCFCC72A4B05A6BFA12A2A322E2626F

SSDEEP:

3072:7Dn7Ut+QUr0G7p9kjqsZoXljGAlnAEO2UwP6+5Zql:HGer0G7LpuoXcA5TpS6U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 2428)
    • Runs app for hidden code execution

      • TRDUZDBHP.exe (PID: 3336)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2840)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2840)
    • Writes to a start menu file

      • TRDUZDBHP.exe (PID: 3336)
    • Application was dropped or rewritten from another process

      • TRDUZDBHP.exe (PID: 3336)
      • TRDUZDBHP.exe (PID: 3020)
    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 2840)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3272)
      • TRDUZDBHP.exe (PID: 3336)
    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 2840)
    • Starts CMD.EXE for commands execution

      • TRDUZDBHP.exe (PID: 3336)
    • Creates files in the user directory

      • cmd.exe (PID: 3272)
      • TRDUZDBHP.exe (PID: 3336)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3272)
    • Application launched itself

      • TRDUZDBHP.exe (PID: 3336)
    • Connects to unusual port

      • TRDUZDBHP.exe (PID: 3020)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2840)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 1
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 1
Words: -
Pages: 1
ModifyDate: 2019:01:10 06:50:00
CreateDate: 2017:10:16 20:38:00
TotalEditTime: 2.0 minutes
Software: Microsoft Office Word
RevisionNumber: 15
LastModifiedBy: venkatesh irkal
Template: Normal.dotm
Keywords: -
Author: admin
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
5
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start winword.exe trduzdbhp.exe cmd.exe reg.exe trduzdbhp.exe

Process information

PID
CMD
Path
Indicators
Parent process
2840"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\1d7753da26919b5ebe311139ddf5c6f1.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3336"C:\Users\admin\AppData\Local\Temp\TRDUZDBHP.exe" C:\Users\admin\AppData\Local\Temp\TRDUZDBHP.exe
WINWORD.EXE
User:
admin
Company:
CHENGDU YIWO Tech Development Co., Ltd
Integrity Level:
MEDIUM
Description:
EaseUS Data Recovery Wizard
Exit code:
0
Version:
12.6.0
3272"cmd.exe"C:\Windows\system32\cmd.exe
TRDUZDBHP.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2428reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\admin\AppData\Roaming\Oracle\Oracle.exe.lnk" /fC:\Windows\system32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3020"C:\Users\admin\AppData\Local\Temp\TRDUZDBHP.exe"C:\Users\admin\AppData\Local\Temp\TRDUZDBHP.exe
TRDUZDBHP.exe
User:
admin
Company:
CHENGDU YIWO Tech Development Co., Ltd
Integrity Level:
MEDIUM
Description:
EaseUS Data Recovery Wizard
Version:
12.6.0
Total events
1 374
Read events
1 024
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
0
Text files
1
Unknown types
4

Dropped files

PID
Process
Filename
Type
2840WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6B3E.tmp.cvr
MD5:
SHA256:
2840WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF3E7CC5EDE1640EED.TMP
MD5:
SHA256:
2840WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8044F728-7271-4F6C-9029-E8E80D900DE5}.tmp
MD5:
SHA256:
2840WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{91D620CD-C158-426E-A2A6-8120E5C76FAA}.tmp
MD5:
SHA256:
2840WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:937C7F34EF666E30C118260C7F331AC8
SHA256:5C0F5D032F0C9B6883A60E30E456753168AE38564338DDD40739707B0FFE3C77
3336TRDUZDBHP.exeC:\Users\admin\AppData\Roaming\Oracle\Oracle.exe.lnklnk
MD5:D7E3E303C6BB44F5AC51BE7450F1DFAC
SHA256:E09021F19F693A4C7A62C1822C8BC020FF6E42FD5BA1678D14BF83C942CB3E18
2840WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$7753da26919b5ebe311139ddf5c6f1.docpgc
MD5:2C22CD1C54A22E33BD45B4970D8BFB96
SHA256:A3EBF19D7CC36B6625A8648CF93D225956B1E67D25C969061123C2F779D3A50D
2840WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\rl[1].comexecutable
MD5:88B3F63DA22159453B4EB5582887AA84
SHA256:5F49A772276BF7AEA9D9E0BA1CC0F6205B4F21C26A5DF69E0266D3166D488715
3272cmd.exeC:\Users\admin\AppData\Roaming\Oracle\Oracle.exeexecutable
MD5:88B3F63DA22159453B4EB5582887AA84
SHA256:5F49A772276BF7AEA9D9E0BA1CC0F6205B4F21C26A5DF69E0266D3166D488715
3336TRDUZDBHP.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Oracle.exe.lnklnk
MD5:842A928B3D221E960DAAA14D4E264725
SHA256:C6719CA1F819F8788B7F212BB4291B09FD9FEE6927A65EAAF958ECB33910FD32
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
40
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2840
WINWORD.EXE
GET
200
145.14.144.124:80
http://oebuplo.000webhostapp.com/uploads/rl.com
US
executable
529 Kb
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2840
WINWORD.EXE
145.14.144.124:80
oebuplo.000webhostapp.com
Hostinger International Limited
US
shared
3020
TRDUZDBHP.exe
192.152.0.84:9949
pdpaso.omnirat.cf
Choopa, LLC
US
unknown

DNS requests

Domain
IP
Reputation
oebuplo.000webhostapp.com
  • 145.14.144.124
shared
pdpaso.omnirat.cf
  • 192.152.0.84
suspicious

Threats

PID
Process
Class
Message
Not Suspicious Traffic
ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
2840
WINWORD.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2840
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .cf Domain
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .cf Domain
No debug info