analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

e3be500493034ab2cd50e6433e425b4a_诱饵文档_paec_security

Full analysis: https://app.any.run/tasks/2db42ed2-4352-4f1a-9b4e-96d71dd994e5
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: April 25, 2019, 08:18:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
macros-on-close
trojan
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: DELL, Template: Normal.dotm, Last Saved By: HomeComputer, Revision Number: 13, Name of Creating Application: Microsoft Office Word, Total Editing Time: 06:00, Create Time/Date: Thu Jun 21 14:14:00 2018, Last Saved Time/Date: Tue Mar 12 10:45:00 2019, Number of Pages: 2, Number of Words: 346, Number of Characters: 1976, Security: 0
MD5:

E3BE500493034AB2CD50E6433E425B4A

SHA1:

399E7BDA8C28E7991F68A506A9C4AE148E703AC8

SHA256:

E94659941847DAC6E5483DF31D6429C9BFB339A013079F41EA52E7FE86D7F061

SSDEEP:

3072:aFrR7B2ElQvR2O2Cieosk9BXUDAnCvZyHoAgk0kStCVhH5xvTOGxHBJNGfqDt2mR:alDKEvCbosyk0+EwkStAH5xrOGr1xR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2596)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2596)

    • Changes the autorun value in the registry

      • down.exe (PID: 2540)

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2596)

    • Application was dropped or rewritten from another process

      • down.exe (PID: 2540)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2596)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2596)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: DELL
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: HomeComputer
RevisionNumber: 13
Software: Microsoft Office Word
TotalEditTime: 6.0 minutes
CreateDate: 2018:06:21 13:14:00
ModifyDate: 2019:03:12 10:45:00
Pages: 2
Words: 346
Characters: 1976
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Lines: 16
Paragraphs: 4
CharCountWithSpaces: 2318
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe cmd.exe no specs down.exe

Process information

PID
CMD
Path
Indicators
Parent process
2596"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\e3be500493034ab2cd50e6433e425b4a_诱饵文档_paec_security.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2316cmd.exe /S /Kstart C:\Users\admin\AppData\Roaming\MicrosoftServices\down.exeC:\Windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2540C:\Users\admin\AppData\Roaming\MicrosoftServices\down.exe C:\Users\admin\AppData\Roaming\MicrosoftServices\down.exe
cmd.exe
User:
admin
Company:
LocHost
Integrity Level:
MEDIUM
Description:
LocHost
Exit code:
0
Version:
4.0.0.4
Total events
1 372
Read events
743
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
2596WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR65C1.tmp.cvr
MD5:
SHA256:
2596WINWORD.EXEC:\Users\admin\AppData\Roaming\MicrosoftServices\down.bmp
MD5:
SHA256:
2596WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:65A14A601AF6597AC6E48922957494B4
SHA256:0E8EE7C820D5510C7AAE1F3C795EAB1CEB347B99887978BB86C8F4DE742165CB
2596WINWORD.EXEC:\Users\admin\AppData\Roaming\MicrosoftServices\down.exeexecutable
MD5:EB29DF9A840A55B487D7D9363AFD6FD3
SHA256:7410FF00E622F4D601051CD6B0B09FAE8C041D36B18EED696851ADC29D521FEE
2540down.exeC:\Users\admin\AppData\Local\Temp4text
MD5:B154418F90402076C33FEEBBB1C53820
SHA256:ACF949AC14D51A792D96688BA6764971810609AE6E42731C994EF8ABC35B0C20
2596WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$be500493034ab2cd50e6433e425b4a_诱饵文档_paec_security.docpgc
MD5:B3AFE363811006DCEC9FBAC7EA9B3508
SHA256:723853F9EF936CC0EEDF4D60A4DDBB09ADC2ACE7C316345097D214C6A9D7D619
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2540
down.exe
GET
404
188.241.58.61:80
http://global-news.center/img/24/User-PC/wcsr
RO
html
336 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2540
down.exe
188.241.58.60:37730
THC Projects SRL
RO
suspicious
2540
down.exe
188.241.58.60:21
THC Projects SRL
RO
suspicious
2540
down.exe
188.241.58.61:80
global-news.center
THC Projects SRL
RO
suspicious

DNS requests

Domain
IP
Reputation
global-news.center
  • 188.241.58.61
malicious

Threats

PID
Process
Class
Message
2540
down.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
2540
down.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
e3be500493034ab2cd50e6433e425b4a_诱饵文档_paec_security