File name: d8f8825195f6b8a93ec606957931edcd2597f826a2979facc5a0c0879bba95c2.doc

Full analysis: https://app.any.run/tasks/535525d9-2017-4778-b6be-35ff4bbf00b3
Verdict: Malicious activity
Analysis date: May 20, 2019, 09:40:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open
Indicators:
MIME: application/octet-stream
File info: Microsoft OOXML
MD5: 745FBF3B9B82947BC8601D3BAA16E329
SHA1: 7BBFD8391D2E4CA7B0F1425850FA20FBA3F696FC
SHA256: D8F8825195F6B8A93EC606957931EDCD2597F826A2979FACC5A0C0879BBA95C2
SSDEEP: 98304:D7LCl9sJU3lTx9pgEtKy4Dpu34zQHy46BaCQ:Dquwlt9pgsn34zQSZBaj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 3452)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 3452)
    • Application was dropped or rewritten from another process
      • ms.exe (PID: 3056)
      • 8569a.exe (PID: 1780)
      • 8569a.exe (PID: 316)
    • Loads the Task Scheduler COM API
      • sdclt.exe (PID: 2204)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • ms.exe (PID: 3056)
    • Creates files in the program directory
      • WINWORD.EXE (PID: 3452)
    • Executes application which crashes
      • ms.exe (PID: 3056)
    • Executed via Task Scheduler
      • rundll32.exe (PID: 292)
      • rundll32.exe (PID: 3216)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3452)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3452)
    • Application was crashed
      • sdclt.exe (PID: 2340)
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0xa1fe8fa1
ZipCompressedSize: 430
ZipUncompressedSize: 1768
ZipFileName: [Content_Types].xml
No data.
Total processes: 52
Monitored processes: 12
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Interactive graph rendered in the full report.) Nodes in graph order: winword.exe, ms.exe, sdclt.exe (no specs), ntvdm.exe (no specs), sdclt.exe, rundll32.exe (no specs), 8569a.exe, rundll32.exe (no specs), 8569a.exe, utilman.exe (no specs), esentutl.exe (no specs), windowsanytimeupgradeui.exe. Edge labels: "drop and start", "start".

Process information

PID 3452
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\d8f8825195f6b8a93ec606957931edcd2597f826a2979facc5a0c0879bba95c2.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 3056
  CMD: C:\ProgramData\Memsys\ms.exe
  Path: C:\ProgramData\Memsys\ms.exe
  Parent process: WINWORD.EXE
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2204
  CMD: /create /tn 90059c37-1320-41a4-b58d-2b75a9850d2f0 /tr "rundll32.exe url.dll,OpenURLA "C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe"" /st 00:00 /sc daily /du 9999:59 /ri 1 /f
  Path: C:\Windows\System32\sdclt.exe
  Parent process: ms.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft® Windows Backup
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1276
  CMD: "C:\Windows\system32\ntvdm.exe" -i1
  Path: C:\Windows\system32\ntvdm.exe
  Parent process: ms.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: NTVDM.EXE
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2340
  CMD: "C:\Windows\System32\sdclt.exe"
  Path: C:\Windows\System32\sdclt.exe
  Parent process: ms.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft® Windows Backup
  Exit code: 3221225477
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 292
  CMD: rundll32.exe url.dll,OpenURLA C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe
  Path: C:\Windows\system32\rundll32.exe
  Parent process: taskeng.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1780
  CMD: "C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe"
  Path: C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe
  Parent process: rundll32.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3216
  CMD: rundll32.exe url.dll,OpenURLA C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe
  Path: C:\Windows\system32\rundll32.exe
  Parent process: taskeng.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 316
  CMD: "C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe"
  Path: C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe
  Parent process: rundll32.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2160
  CMD: "C:\Windows\System32\Utilman.exe"
  Path: C:\Windows\System32\Utilman.exe
  Parent process: 8569a.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Utility Manager
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 213
Read events: 836
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 0
Text files: 0
Unknown types: 2

Dropped files

PID 3452, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\CVR147A.tmp.cvr
  MD5:
  SHA256:

PID 3452, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\mso17BD.tmp
  MD5:
  SHA256:

PID 1276, ntvdm.exe
  Filename: C:\Users\admin\AppData\Local\Temp\scs18CB.tmp
  MD5:
  SHA256:

PID 1276, ntvdm.exe
  Filename: C:\Users\admin\AppData\Local\Temp\scs18DB.tmp
  MD5:
  SHA256:

PID 3452, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc
  MD5: 1C3731FA96EBDD2B59DD9077E7304E50
  SHA256: 90231EF6597C66760A15F548BBB57E7F36AE0729947BF09439BF18DB568920C7

PID 3452, WINWORD.EXE
  Filename: C:\Users\admin\AppData\Local\Temp\~$f8825195f6b8a93ec606957931edcd2597f826a2979facc5a0c0879bba95c2.doc
  Type: pgc
  MD5: D403D070C1B3313E1FADB63346ACA762
  SHA256: C8129ED01176AA0FC3821553FF1354CA3CB7FB8B225FCF063115CE27CB7E8BDF

PID 3452, WINWORD.EXE
  Filename: C:\ProgramData\Memsys\ms.exe
  Type: executable
  MD5: 2397D13C8CC78829AD0FBBF046C31B32
  SHA256: B23991F31319DCAECF034CEE98A71150A9C20BB39787F37F505A29244C6C65DF

PID 3056, ms.exe
  Filename: C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe
  Type: executable
  MD5: 2397D13C8CC78829AD0FBBF046C31B32
  SHA256: B23991F31319DCAECF034CEE98A71150A9C20BB39787F37F505A29244C6C65DF
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 0
Threats: 0

HTTP requests

PID 2340, sdclt.exe
  Method: GET
  IP: 109.234.34.48:80
  URL: http://109.234.34.48/bin/cpu.exe
  CN: RU
  Reputation: suspicious

PID 1968, WindowsAnytimeUpgradeui.exe
  Method: GET
  IP: 109.234.34.48:80
  URL: http://109.234.34.48/bin/cpu.exe
  CN: RU
  Reputation: suspicious

Connections

PID 2340, sdclt.exe
  IP: 109.234.34.48:80
  ASN: Webzilla B.V.
  CN: RU
  Reputation: suspicious

PID 1968, WindowsAnytimeUpgradeui.exe
  IP: 109.234.34.48:80
  ASN: Webzilla B.V.
  CN: RU
  Reputation: suspicious

DNS requests

No data

Threats

PID 2340, sdclt.exe
  Class: A Network Trojan was detected
  Message: ET INFO Executable Download from dotted-quad Host

PID 2340, sdclt.exe
  Class: Potentially Bad Traffic
  Message: ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
Process / Message

The same string is reported by ms.exe, sdclt.exe, 8569a.exe, 8569a.exe and WindowsAnytimeUpgradeui.exe:

%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------