analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

d569e280ab3ad0e8307986371ccb1d56d82549249ef8399dd2691fb75bbe76ea.doc

Full analysis: https://app.any.run/tasks/8b8f9993-95d7-457b-a57c-22e2487118bc
Verdict: Malicious activity
Analysis date: March 21, 2019, 02:43:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Last Saved By: user, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Wed Mar 20 00:13:00 2019, Last Saved Time/Date: Wed Mar 20 00:14:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 2, Security: 0
MD5:

C496C3125A1B37C4C9D0B6A2B08DC628

SHA1:

ED42C422B4B6D414B7917B7A3178F5DBA165EA57

SHA256:

D569E280AB3AD0E8307986371CCB1D56D82549249EF8399DD2691FB75BBE76EA

SSDEEP:

1536:0khD0tEVnJi1XEP0Gft8xr0GwekXCyJe5ecE9T:OQMdz98SyP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • opf.exe (PID: 1472)
      • tquuoei.exe (PID: 180)
      • tquuoei.exe (PID: 3968)
      • opf.exe (PID: 2936)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 928)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 928)
    • Changes the autorun value in the registry

      • opf.exe (PID: 1472)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • tquuoei.exe (PID: 3968)
    • Application launched itself

      • tquuoei.exe (PID: 180)
      • opf.exe (PID: 1472)
    • Connects to unusual port

      • opf.exe (PID: 2936)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 928)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 928)
    • Dropped object may contain Bitcoin addresses

      • WINWORD.EXE (PID: 928)
      • tquuoei.exe (PID: 3968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: -
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: user
RevisionNumber: 2
Software: Microsoft Office Word
TotalEditTime: 1.0 minutes
CreateDate: 2019:03:20 00:13:00
ModifyDate: 2019:03:20 00:14:00
Pages: 1
Words: -
Characters: 2
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Bytes: 11000
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 2
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
5
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start winword.exe tquuoei.exe no specs tquuoei.exe opf.exe opf.exe

Process information

PID
CMD
Path
Indicators
Parent process
928"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\d569e280ab3ad0e8307986371ccb1d56d82549249ef8399dd2691fb75bbe76ea.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
180"C:\Users\admin\AppData\Local\Temp\tquuoei.exe" C:\Users\admin\AppData\Local\Temp\tquuoei.exeWINWORD.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
fiNarEa S.A. SWITZErland
Exit code:
0
Version:
1.06.0002
3968"C:\Users\admin\AppData\Local\Temp\tquuoei.exe" C:\Users\admin\AppData\Local\Temp\tquuoei.exe
tquuoei.exe
User:
admin
Integrity Level:
MEDIUM
Description:
fiNarEa S.A. SWITZErland
Exit code:
0
Version:
1.06.0002
1472"C:\Users\admin\AppData\Local\Temp\opf.exe" C:\Users\admin\AppData\Local\Temp\opf.exe
tquuoei.exe
User:
admin
Integrity Level:
MEDIUM
Description:
fiNarEa S.A. SWITZErland
Exit code:
0
Version:
1.06.0002
2936"C:\Users\admin\AppData\Local\Temp\opf.exe" C:\Users\admin\AppData\Local\Temp\opf.exe
opf.exe
User:
admin
Integrity Level:
MEDIUM
Description:
fiNarEa S.A. SWITZErland
Version:
1.06.0002
Total events
1 012
Read events
944
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
3
Text files
6
Unknown types
2

Dropped files

PID
Process
Filename
Type
928WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR89D8.tmp.cvr
MD5:
SHA256:
928WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF7F3A8AD10DA460D1.TMP
MD5:
SHA256:
928WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{79D0D1AD-D394-4288-8013-58CF77D6D807}.tmp
MD5:
SHA256:
928WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AEDC2C8A-68E0-4450-B6E2-CE5B4F4FDE11}.tmp
MD5:
SHA256:
3968tquuoei.exeC:\Users\admin\AppData\Local\Temp\opf.exeexecutable
MD5:860B2A17B397F798720FFD627B2F7FBE
SHA256:D52C55C67E0ADAA589D3C099E0D2437C3D61939280AD472E498CFB8C1A96B416
928WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\irsnotices[1].exeexecutable
MD5:B41358ED77F49E718EBF5DDC51B0AA2F
SHA256:BEF054C8FBFC0350CC91C2ADA7C5C82946A6FEEA8653A27F8EDEF4A73DF0F314
1472opf.exeC:\Users\admin\AppData\Local\Temp\~DF4F8275BB2F8B6340.TMPbinary
MD5:86DFDE1B74675C77205C2B4EA6891FAA
SHA256:90F889E8724D385B2672854204C5308FE1402DF36B4D15C1E774D333BCE1C7AF
928WINWORD.EXEC:\Users\admin\AppData\Local\Temp\tquuoei.exeexecutable
MD5:B41358ED77F49E718EBF5DDC51B0AA2F
SHA256:BEF054C8FBFC0350CC91C2ADA7C5C82946A6FEEA8653A27F8EDEF4A73DF0F314
180tquuoei.exeC:\Users\admin\AppData\Local\Temp\~DF5991348177A3BE28.TMPbinary
MD5:86DFDE1B74675C77205C2B4EA6891FAA
SHA256:90F889E8724D385B2672854204C5308FE1402DF36B4D15C1E774D333BCE1C7AF
928WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:078AF9604B957CE548ED85D7A40F732C
SHA256:F55335BC6AC76DAAA66A0048400E11F2944A73A6555B7860BBB422EE71940469
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
4
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2936
opf.exe
185.101.94.172:2019
www.relatingclause.com
Mike Kaldig
DE
malicious
928
WINWORD.EXE
199.192.23.117:443
jetlagcanstand.info
US
unknown

DNS requests

Domain
IP
Reputation
jetlagcanstand.info
  • 199.192.23.117
unknown
www.relatingclause.com
  • 185.101.94.172
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info