File name:

ice2.doc

Full analysis: https://app.any.run/tasks/c760c094-9b59-4052-b25e-207390e60f58
Verdict: Malicious activity
Analysis date: September 02, 2021, 08:41:03
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags:
macros
macros-on-open
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: admin, Template: Normal, Last Saved By: Windows, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Aug 30 10:37:00 2021, Last Saved Time/Date: Mon Aug 30 10:37:00 2021, Number of Pages: 1, Number of Words: 97, Number of Characters: 12785, Security: 0
MD5:

6480699E92A13679EA6BDE827624C178

SHA1:

18101B3C16234F86B0C43071173C7E11559111D0

SHA256:

DFC093ABF3EBC7AFC2E3E4341DD069694B8FAF7F8B04F15CB674C6B74C7055B8

SSDEEP:

768:uWLniP0nXmMv4QGVp+BW87CuwJIfXAvFpjoPm/PGDQwM8OAHwrmRwua+maY:uWLniP+srVIEfJTjGQPoQwMRAHBa+ma

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2660)

    • Scans artifacts that could help determine the target

      • OfficeC2RClient.exe (PID: 564)

  • SUSPICIOUS

    • Reads the computer name

      • OfficeC2RClient.exe (PID: 564)
      • TiWorker.exe (PID: 1060)

    • Checks supported languages

      • OfficeC2RClient.exe (PID: 564)

    • Reads the date of Windows installation

      • taskmgr.exe (PID: 3408)

    • Executed via COM

      • TiWorker.exe (PID: 1060)

    • Reads Environment values

      • OfficeC2RClient.exe (PID: 564)

  • INFO

    • Checks supported languages

      • WINWORD.EXE (PID: 2660)
      • taskmgr.exe (PID: 3408)

    • Reads the computer name

      • WINWORD.EXE (PID: 2660)
      • taskmgr.exe (PID: 3408)

    • Manual execution by user

      • taskmgr.exe (PID: 3408)
      • taskmgr.exe (PID: 3304)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2660)
      • OfficeC2RClient.exe (PID: 564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: ???????? Microsoft Word 97-2003
CompObjUserTypeLen: 32
HeadingPairs:
  • Название
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 12875
Paragraphs: 7
Lines: 34
Bytes: 26624
Company: -
Manager: -
Category: -
CodePage: Windows Cyrillic
Security: None
Characters: 12785
Words: 97
Pages: 1
ModifyDate: 2021:08:30 09:37:00
CreateDate: 2021:08:30 09:37:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 2
LastModifiedBy: Пользователь Windows
Template: Normal
Comments: -
Keywords: -
Author: admin
Subject: -
Title: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
105
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs officec2rclient.exe taskmgr.exe no specs taskmgr.exe tiworker.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
564OfficeC2RClient.exe /error PID=2660 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x800706ba ShowUI=1C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office Click-to-Run Client
Exit code:
1
Version:
16.0.12026.20264
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
1060C:\WINDOWS\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.16299.428_none_bae6269479a24372\TiWorker.exe -EmbeddingC:\WINDOWS\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.16299.428_none_bae6269479a24372\TiWorker.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.16299.428_none_bae6269479a24372\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
2660"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\ice2.doc" /o ""C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
1073807364
Version:
16.0.12026.20264
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
3304"C:\WINDOWS\system32\taskmgr.exe" /4C:\WINDOWS\system32\taskmgr.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Manager
Exit code:
3221226540
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
3408"C:\WINDOWS\system32\taskmgr.exe" /4C:\WINDOWS\system32\taskmgr.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Manager
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\win32u.dll
c:\windows\system32\user32.dll
Total events
2 458
Read events
2 431
Write events
23
Delete events
4

Modification events

(PID) Process:(564) OfficeC2RClient.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(564) OfficeC2RClient.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(564) OfficeC2RClient.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(564) OfficeC2RClient.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(564) OfficeC2RClient.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(564) OfficeC2RClient.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
(PID) Process:(564) OfficeC2RClient.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ko-kr
Value:
2
(PID) Process:(564) OfficeC2RClient.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:pt-br
Value:
2
(PID) Process:(564) OfficeC2RClient.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ru-ru
Value:
2
(PID) Process:(564) OfficeC2RClient.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:tr-tr
Value:
2
Executable files
0
Suspicious files
2
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
1060TiWorker.exeC:\WINDOWS\Logs\CBS\CBS.logtext
MD5:
SHA256:
564OfficeC2RClient.exeC:\Users\admin\AppData\Local\Temp\.sestext
MD5:
SHA256:
564OfficeC2RClient.exeC:\Users\admin\AppData\Local\Temp\DESKTOP-JGLLJLD-20210902-0841.logtext
MD5:
SHA256:
564OfficeC2RClient.exeC:\Users\admin\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-walbinary
MD5:
SHA256:
564OfficeC2RClient.exeC:\Users\admin\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shmbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
9
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
185.53.46.11:80
http://francopublicg.com/bmdff/81345/4OeQWty831KK2b98WaBhoHsCtZxaMLdmpfjaX8b5uFG/63910/yt2nxB/77015/59pAA/8yLnkGbUicYeCPtQnMwHaMsg638wKiUWdJB/6zBuB/YYb0Ep2I7EwTtT/galax10?sid=j2GNOqeoka2THdHZh2iUVCrnXpd&sid=ck60wJogKzsBY&1OS=Xkhcn8ZMMkcm7uEg&user=lYDCXVh4VHhDBJJxQ&tY2=FQJaQNAkeGyTxP7XY&sid=hPpvER
DE
html
206 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
Microsoft Corporation
GB
whitelisted
3988
WaaSMedic.exe
51.124.78.146:443
Microsoft Corporation
GB
whitelisted
185.53.46.11:80
francopublicg.com
DE
suspicious
52.168.117.170:443
self.events.data.microsoft.com
Microsoft Corporation
US
suspicious
52.109.60.0:443
ogma.osi.office.net
Microsoft Corporation
IN
unknown
13.107.42.23:443
config.edge.skype.com
Microsoft Corporation
US
suspicious

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.42.23
malicious
self.events.data.microsoft.com
  • 51.132.193.105
  • 13.89.179.8
  • 52.168.117.170
whitelisted
time.windows.com
  • 20.101.57.9
whitelisted
francopublicg.com
  • 185.53.46.11
suspicious
ogma.osi.office.net
  • 52.109.60.0
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ice2.doc