URL:

http://www.palmerschools.org/ourpages/auto/2017/1/25/50852475/Letter%20To%20Self%20Assignment%20Sheet.doc

Full analysis: https://app.any.run/tasks/75d3276f-dc18-4ed6-8d68-8d60b3c5c46e
Verdict: Malicious activity
Analysis date: January 18, 2019, 03:48:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

84E8381C264FB0E1339DBDD2EF43F196

SHA1:

7D59CC2AFAFFA42D8D4742649AC39A7E17E7427C

SHA256:

E2E50FC1677A0F606993870807B988DAD042326B0B084C4689B2D80612145669

SSDEEP:

3:N1KJS4fcRJdVEKfEx0vAYdFXuyEXOieG2NAAR1KG:Cc4G6KcaoeMyKdqlR1d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 2204)

    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 2204)

    • Application launched itself

      • WINWORD.EXE (PID: 2204)

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 2204)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2924)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2204)
      • WINWORD.EXE (PID: 3244)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3212)
      • iexplore.exe (PID: 2924)

    • Application launched itself

      • iexplore.exe (PID: 2924)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2204)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3212)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe winword.exe winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2204"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
2924"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3212"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2924 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3244"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
Total events
2 078
Read events
1 385
Write events
676
Delete events
17

Modification events

(PID) Process:(2924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(2924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{F18E79C1-1AD3-11E9-BAD8-5254004A04AF}
Value:
0
(PID) Process:(2924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(2924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
3
(PID) Process:(2924) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E307010005001200030030002A005200
Executable files
0
Suspicious files
30
Text files
9
Unknown types
3

Dropped files

PID
Process
Filename
Type
2924iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2924iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2204WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR2F10.tmp.cvr
MD5:
SHA256:
2204WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{AFDB0237-9866-4711-B6CC-02500D91725C}
MD5:
SHA256:
2204WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{FB088509-85EE-4C86-B55B-0E9D1D493C2D}
MD5:
SHA256:
2924iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF3DC94C05DD4AA541.TMP
MD5:
SHA256:
2924iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{F18E79C2-1AD3-11E9-BAD8-5254004A04AF}.dat
MD5:
SHA256:
2204WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:
SHA256:
2924iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF62F76288322531C4.TMP
MD5:
SHA256:
2924iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F18E79C1-1AD3-11E9-BAD8-5254004A04AF}.dat
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
9
DNS requests
2
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2204
WINWORD.EXE
OPTIONS
503
64.147.114.118:80
http://www.palmerschools.org/ourpages/auto/2017/1/25/50852475/
US
malicious
2204
WINWORD.EXE
HEAD
200
64.147.114.118:80
http://www.palmerschools.org/ourpages/auto/2017/1/25/50852475/Letter%20To%20Self%20Assignment%20Sheet.doc
US
malicious
2204
WINWORD.EXE
OPTIONS
503
64.147.114.118:80
http://www.palmerschools.org/ourpages/auto/2017/1/25/50852475/
US
malicious
2204
WINWORD.EXE
OPTIONS
503
64.147.114.118:80
http://www.palmerschools.org/ourpages/auto/2017/1/25/50852475/
US
malicious
2204
WINWORD.EXE
GET
200
64.147.114.118:80
http://www.palmerschools.org/ourpages/auto/2017/1/25/50852475/Letter%20To%20Self%20Assignment%20Sheet.doc
US
document
9.28 Kb
malicious
2924
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
976
svchost.exe
OPTIONS
301
64.147.114.118:80
http://www.palmerschools.org/ourpages/auto/2017/1/25/50852475
US
html
270 b
malicious
2204
WINWORD.EXE
HEAD
200
64.147.114.118:80
http://www.palmerschools.org/ourpages/auto/2017/1/25/50852475/Letter%20To%20Self%20Assignment%20Sheet.doc
US
compressed
9.28 Kb
malicious
2204
WINWORD.EXE
HEAD
200
64.147.114.118:80
http://www.palmerschools.org/ourpages/auto/2017/1/25/50852475/Letter%20To%20Self%20Assignment%20Sheet.doc
US
malicious
976
svchost.exe
OPTIONS
503
64.147.114.118:80
http://www.palmerschools.org/ourpages/auto/2017/1/25/50852475/
US
html
270 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3212
iexplore.exe
64.147.114.118:80
www.palmerschools.org
The New York Internet Company
US
malicious
2204
WINWORD.EXE
64.147.114.118:80
www.palmerschools.org
The New York Internet Company
US
malicious
2924
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
976
svchost.exe
64.147.114.118:80
www.palmerschools.org
The New York Internet Company
US
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.palmerschools.org
  • 64.147.114.118
malicious

Threats

PID
Process
Class
Message
2204
WINWORD.EXE
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source
2204
WINWORD.EXE
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source
2204
WINWORD.EXE
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.palmerschools.org/ourpages/auto/2017/1/25/50852475/Letter%20To%20Self%20Assignment%20Sheet.doc