File name: Booking - 1511195841.doc
Full analysis: https://app.any.run/tasks/fa135a99-9a57-4b9a-9187-bc2ab5829187
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 19, 2019, 15:52:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: macros, macros-on-open, loader, ransomware, opendir
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal, Last Saved By: Administrator, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Wed Jun 19 19:26:00 2019, Last Saved Time/Date: Wed Jun 19 10:29:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5: 61D493D1DBE1947A337E664BBFF9E21B
SHA1: 0F5B473AE4E46401E13505188F24009C8F18A34A
SHA256: E9736F2494AAB6CD9514D9596E1AD9A2B85E6B6457F5D06934F8E5E402A59176
SSDEEP: 3072:sKEcYSUEVu228iY7+V+nwbJ26iJqjJoiTqciJqAkmkj9JxXIRn0:S5SUx9j2lkF7d

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by the analyst's own actions in the VM and is provided as is, for the reader's own assessment. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS
    • Executable content was dropped or overwritten: WINWORD.EXE (PID 1684)
    • Unusual execution from Microsoft Office: WINWORD.EXE (PID 1684)
    • Requests a remote executable file from MS Office: WINWORD.EXE (PID 1684)
    • Application was dropped or rewritten from another process: Compatibility-mode.exe (PID 2596), Compatibility-mode.exe (PID 2692)
    • Deletes shadow copies: cmd.exe (PID 1136)
    • Dropped file may contain instructions of ransomware: Compatibility-mode.exe (PID 2692)
    • Renames files like Ransomware: Compatibility-mode.exe (PID 2692)
    • Changes settings of System certificates: Compatibility-mode.exe (PID 2692)
  • SUSPICIOUS
    • Reads Internet Cache Settings: WINWORD.EXE (PID 1684)
    • Application launched itself: Compatibility-mode.exe (PID 2596)
    • Starts CMD.EXE for commands execution: Compatibility-mode.exe (PID 2692)
    • Executed as Windows Service: vssvc.exe (PID 2444)
    • Creates files like Ransomware instruction: Compatibility-mode.exe (PID 2692)
    • Creates files in the program directory: Compatibility-mode.exe (PID 2692)
    • Adds / modifies Windows certificates: Compatibility-mode.exe (PID 2692)
  • INFO
    • Reads Microsoft Office registry keys: WINWORD.EXE (PID 1684)
    • Reads the machine GUID from the registry: WINWORD.EXE (PID 1684)
    • Dropped object may contain TOR URL's: Compatibility-mode.exe (PID 2692)
    • Manual execution by user: NOTEPAD.EXE (PID 1180)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: -
Keywords: -
Comments: -
Template: Normal
LastModifiedBy: Administrator
RevisionNumber: 2
Software: Microsoft Office Word
TotalEditTime: 1.0 minutes
CreateDate: 2019:06:19 18:26:00
ModifyDate: 2019:06:19 09:29:00
Pages: 1
Words: -
Characters: 1
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Bytes: 11000
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Reconstructed as a process tree from the parent-process column of the process list; "no specs" marks processes the graph shows without signatures of their own:

explorer.exe
  └ WINWORD.EXE (PID 1684)  [drop and start]
      └ Compatibility-mode.exe (PID 2596)  [no specs]
          └ Compatibility-mode.exe (PID 2692)
              └ cmd.exe (PID 1136)  [no specs]
                  └ vssadmin.exe (PID 2580)  [no specs]
services.exe
  └ vssvc.exe (PID 2444)  [no specs]
explorer.exe
  └ NOTEPAD.EXE (PID 1180)  [no specs]

Process information

PID 1684  WINWORD.EXE  (parent: explorer.exe)
  CMD:  "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Booking - 1511195841.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin | Integrity level: MEDIUM | Exit code: 0
  Company: Microsoft Corporation | Description: Microsoft Word | Version: 14.0.5123.5000

PID 2596  Compatibility-mode.exe  (parent: WINWORD.EXE)
  CMD:  "C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe
  User: admin | Integrity level: MEDIUM | Exit code: 0
  Company / Description / Version: not recorded

PID 2692  Compatibility-mode.exe  (parent: Compatibility-mode.exe, PID 2596)
  CMD:  "C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe
  User: admin | Integrity level: HIGH | Exit code: not recorded
  Company / Description / Version: not recorded

PID 1136  cmd.exe  (parent: Compatibility-mode.exe)
  CMD:  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
  Path: C:\Windows\SysWOW64\cmd.exe
  User: admin | Integrity level: HIGH | Exit code: 1
  Company: Microsoft Corporation | Description: Windows Command Processor | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2580  vssadmin.exe  (parent: cmd.exe)
  CMD:  vssadmin.exe Delete Shadows /All /Quiet
  Path: C:\Windows\SysWOW64\vssadmin.exe
  User: admin | Integrity level: HIGH | Exit code: 2
  Company: Microsoft Corporation | Description: Command Line Interface for Microsoft® Volume Shadow Copy Service | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2444  vssvc.exe  (parent: services.exe)
  CMD:  C:\Windows\system32\vssvc.exe
  Path: C:\Windows\system32\vssvc.exe
  User: SYSTEM | Integrity level: SYSTEM | Exit code: not recorded
  Company: Microsoft Corporation | Description: Microsoft® Volume Shadow Copy Service | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1180  NOTEPAD.EXE  (parent: explorer.exe)
  CMD:  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\cyhf672-readme.txt
  Path: C:\Windows\system32\NOTEPAD.EXE
  User: admin | Integrity level: MEDIUM | Exit code: not recorded
  Company: Microsoft Corporation | Description: Notepad | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Three things in this table deserve attention when reading the signatures. First, the dropped executable launched itself a second time and the child (PID 2692) runs at HIGH integrity while the parent (PID 2596) ran at MEDIUM, with no consent prompt recorded, so the elevation step is the one to look for in endpoint telemetry. Second, the command line names C:\Windows\System32\cmd.exe but the recorded image is C:\Windows\SysWOW64\cmd.exe, so cmd.exe and vssadmin.exe ran under WOW64 file-system redirection, which means the dropper is a 32-bit process. Third, cmd.exe exited with code 1, vssadmin.exe with code 2, and no bcdedit.exe process appears in the tree, so in this run the shadow-copy deletion and recovery tampering were attempted rather than confirmed successful.
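The process tree above (an Office process starting an executable from a user-writable path, that executable relaunching itself at a higher integrity level, and a cmd.exe one-liner deleting shadow copies and disabling recovery) is the part of this report worth turning into detection logic. The following Python is an added example, not code from the ANY.RUN report or its tooling: it runs those three checks over process-creation events. The event records are constructed from the table above; the parent PIDs for explorer.exe, the field names, the rule names and the path patterns are assumptions of this example.

```python
"""Added example (not from the ANY.RUN report): three process-tree checks
for the behaviour seen in this analysis, run over constructed events."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: int      # assumption: the report records parent image names, not PIDs
    image: str           # full image path as recorded by the sandbox
    cmdline: str
    integrity: str       # LOW / MEDIUM / HIGH / SYSTEM


OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}

# Locations a standard user can write to; an executable started from here by
# an Office process is the "drop and start" edge in the behaviour graph.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\", re.I)

# Shadow-copy deletion and boot/recovery tampering as they appear on the
# cmd.exe and vssadmin.exe command lines in this report (wmic form added).
SHADOW_DELETE = re.compile(
    r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)
RECOVERY_TAMPER = re.compile(
    r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
    r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule) pairs for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.parent_pid)
        if parent is not None:
            pname, name = image_name(parent.image), image_name(e.image)
            # 1. Office process starting an executable from a user-writable path
            if pname in OFFICE_IMAGES and USER_WRITABLE.search(e.image):
                findings.append((e.pid, "office_spawned_exe_from_user_path"))
            # 2. an image relaunching itself at a higher integrity level
            #    (PID 2596 MEDIUM -> PID 2692 HIGH in the report)
            if pname == name and INTEGRITY_RANK[e.integrity] > INTEGRITY_RANK[parent.integrity]:
                findings.append((e.pid, "self_relaunch_with_elevation"))
        # 3. recovery inhibition on the command line; the cmd.exe wrapper and
        #    the vssadmin.exe child both match, which is intended
        if SHADOW_DELETE.search(e.cmdline):
            findings.append((e.pid, "shadow_copy_deletion"))
        if RECOVERY_TAMPER.search(e.cmdline):
            findings.append((e.pid, "boot_recovery_tampering"))
    return findings


# Constructed from the report's process table. explorer.exe's PID (1000) and
# its parent PID (600) are assumptions; the rest is copied from the report.
SAMPLE_EVENTS = [
    ProcEvent(1000, 600, r"C:\Windows\explorer.exe", "explorer.exe", "MEDIUM"),
    ProcEvent(1684, 1000, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Booking - 1511195841.doc"',
              "MEDIUM"),
    ProcEvent(2596, 1684, r"C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe",
              r'"C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe"', "MEDIUM"),
    ProcEvent(2692, 2596, r"C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe",
              r'"C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe"', "HIGH"),
    ProcEvent(1136, 2692, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures',
              "HIGH"),
    ProcEvent(2580, 1136, r"C:\Windows\SysWOW64\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet", "HIGH"),
    ProcEvent(1180, 1000, r"C:\Windows\system32\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\cyhf672-readme.txt', "MEDIUM"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

Run stand-alone it lists five hits (PIDs 2596, 2692, 1136 twice and 2580) and nothing for WINWORD.EXE, explorer.exe or NOTEPAD.EXE. The elevation check deliberately keys on the parent/child integrity pair rather than on the image name, so it also catches a relaunch that goes through a renamed copy only if the names still match; a more general version would compare file hashes instead.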
Total events: 1 416
Read events: 1 035
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 2
Suspicious files: 143
Text files: 1
Unknown types: 6

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1684 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDE6B.tmp.cvr | - | - | -
2692 | Compatibility-mode.exe | C:\Recovery\de82876a-02a9-11e8-aa76-af8e13208fdf\Winre.wim | - | - | -
2692 | Compatibility-mode.exe | C:\Recovery\de82876a-02a9-11e8-aa76-af8e13208fdf\boot.sdi | - | - | -
2692 | Compatibility-mode.exe | c:\recovery\de82876a-02a9-11e8-aa76-af8e13208fdf\Winre.wim.cyhf672 | - | - | -
1684 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$oking - 1511195841.doc | pgc | E5A551CBFD97F61D8DE42E739360A4AD | 453912D00AD9084ADD88B97A3762E40D475BF077CA6A31857972060319B8CDD3
2692 | Compatibility-mode.exe | C:\program files\cyhf672-readme.txt | binary | DD909E537A980D9ECC710E7DCC0CC273 | 5705E1E904120DD94F1333EBBC7663E3177BCE33DBA1627477ECA2199C133431
2692 | Compatibility-mode.exe | C:\recovery\de82876a-02a9-11e8-aa76-af8e13208fdf\cyhf672-readme.txt | binary | DD909E537A980D9ECC710E7DCC0CC273 | 5705E1E904120DD94F1333EBBC7663E3177BCE33DBA1627477ECA2199C133431
2692 | Compatibility-mode.exe | C:\Users\admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf | - | - | -
1684 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\prola[1].exe | executable | B669889844ECDB2DBF0B6FE93306E31A | 9576F4DAC40B46CAC84F6F81D8CFA78C7AFA54F26368CD8EEFF5F216AF5BD248
2692 | Compatibility-mode.exe | C:\program files (x86)\cyhf672-readme.txt | binary | DD909E537A980D9ECC710E7DCC0CC273 | 5705E1E904120DD94F1333EBBC7663E3177BCE33DBA1627477ECA2199C133431

Two patterns in this list are the file-system side of the ransomware verdict: Winre.wim.cyhf672 is Winre.wim after the dropper renamed it with the appended .cyhf672 extension, and the same cyhf672-readme.txt (identical MD5 and SHA256) is written into each directory it touches; the copy NOTEPAD.EXE later opened from C:\Users\Public\Desktop is another instance of that note. prola[1].exe in the Temporary Internet Files cache is the payload WINWORD.EXE fetched from http://btta.xyz/prola.exe before it was written to %TEMP% as Compatibility-mode.exe.
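The rename-with-appended-extension and note-in-every-directory pattern above is what a file-activity detector should key on, independent of the extension string, which changes per victim. The following Python is an added example, not code from the ANY.RUN report: it infers the appended extension from a stream of file events, counts renames per process, and flags an identical file written to many directories by the same process, then correlates the two. The events are constructed from the dropped-files list; the renames of boot.sdi and of a document under the user profile, the CVRDE6B.tmp rename, the thresholds and the field names are assumptions of this example.

```python
"""Added example (not from the ANY.RUN report): infer ransomware file activity
from file events, run over events constructed from the dropped-files list."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    pid: int
    op: str              # "create" or "rename"
    path: str            # for rename: the original path
    new_path: str = ""   # for rename: the destination path
    md5: str = ""        # for create: hash of the written content


RENAME_THRESHOLD = 3    # assumption: one process appending the same suffix to >= 3 files
NOTE_DIR_THRESHOLD = 3  # assumption: the same file (name + hash) in >= 3 directories


def split_path(path):
    """Return (directory, file name), both lower-cased."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def appended_suffix(old, new):
    """Return the suffix when new == old + '.' + suffix (same directory), else None."""
    o, n = old.lower(), new.lower()
    if n.startswith(o + ".") and len(n) > len(o) + 1 and "\\" not in n[len(o):]:
        return n[len(o) + 1:]
    return None


def detect_ransomware_file_activity(events):
    """Return a list of finding dicts keyed by pid and rule."""
    suffix_hits = defaultdict(set)   # (pid, suffix) -> set of renamed source paths
    note_dirs = defaultdict(set)     # (pid, name, md5) -> set of directories written
    for e in events:
        if e.op == "rename":
            suffix = appended_suffix(e.path, e.new_path)
            if suffix:
                suffix_hits[(e.pid, suffix)].add(e.path.lower())
        elif e.op == "create" and e.md5:
            directory, name = split_path(e.path)
            note_dirs[(e.pid, name, e.md5.lower())].add(directory)

    findings = []
    for (pid, suffix), paths in suffix_hits.items():
        if len(paths) >= RENAME_THRESHOLD:
            findings.append({"pid": pid, "rule": "mass_rename_appended_extension",
                             "extension": suffix, "count": len(paths)})
    for (pid, name, md5), dirs in note_dirs.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:
            finding = {"pid": pid, "rule": "identical_file_dropped_in_many_dirs",
                       "name": name, "dirs": len(dirs)}
            # The note's file name embeds the extension the same process used
            # for renames (cyhf672-readme.txt vs .cyhf672 in the report).
            finding["matches_extension"] = any(
                p == pid and s in name for (p, s) in suffix_hits)
            findings.append(finding)
    return findings


RECOVERY = r"C:\Recovery\de82876a-02a9-11e8-aa76-af8e13208fdf"
NOTE_MD5 = "DD909E537A980D9ECC710E7DCC0CC273"
SAMPLE_EVENTS = [
    # PID 2692: Winre.wim rename is in the report; the other two renames are constructed
    FileEvent(2692, "rename", RECOVERY + r"\Winre.wim", new_path=RECOVERY + r"\Winre.wim.cyhf672"),
    FileEvent(2692, "rename", RECOVERY + r"\boot.sdi", new_path=RECOVERY + r"\boot.sdi.cyhf672"),
    FileEvent(2692, "rename", r"C:\Users\admin\Documents\report.docx",
              new_path=r"C:\Users\admin\Documents\report.docx.cyhf672"),
    # PID 2692: the three note copies listed in the report, identical hash
    FileEvent(2692, "create", r"C:\program files\cyhf672-readme.txt", md5=NOTE_MD5),
    FileEvent(2692, "create", r"C:\program files (x86)\cyhf672-readme.txt", md5=NOTE_MD5),
    FileEvent(2692, "create", RECOVERY + r"\cyhf672-readme.txt", md5=NOTE_MD5),
    # PID 1684 (WINWORD.EXE): benign Office temp-file noise, must not fire
    FileEvent(1684, "create", r"C:\Users\admin\AppData\Local\Temp\~$oking - 1511195841.doc",
              md5="E5A551CBFD97F61D8DE42E739360A4AD"),
    FileEvent(1684, "rename", r"C:\Users\admin\AppData\Local\Temp\CVRDE6B.tmp",
              new_path=r"C:\Users\admin\AppData\Local\Temp\CVRDE6B.tmp.cvr"),
]

if __name__ == "__main__":
    for finding in detect_ransomware_file_activity(SAMPLE_EVENTS):
        print(finding)
```

The thresholds are the important knob: a single rename to .bak or .cvr by a legitimate program is normal, so the rule counts distinct source paths per (process, suffix) pair rather than firing on the first rename, and the note rule requires the same hash in several directories so that an installer writing different files with the same name does not match.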
HTTP(S) requests: 5
TCP/UDP connections: 128
DNS requests: 96
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP:port | URL | CN | Type | Size | Reputation
1684 | WINWORD.EXE | GET | 200 | 2.185.239.164:80 | http://btta.xyz/prola.exe | IR | executable | 378 Kb | malicious
2692 | Compatibility-mode.exe | GET | 200 | 192.35.177.64:80 | http://apps.identrust.com/roots/dstrootcax3.p7c | US | cat | 893 b | shared
2692 | Compatibility-mode.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D1CC8D4F82A4.crt?9ab7c1c1fc7648da | US | der | 914 b | whitelisted
2692 | Compatibility-mode.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt?e57873237d26d5cc | US | der | 993 b | whitelisted
2692 | Compatibility-mode.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2b0e034bfaff30a9 | US | compressed | 56.2 Kb | whitelisted

Only the first request is attacker infrastructure: WINWORD.EXE fetching the payload over plain HTTP from a .xyz domain. The four requests from Compatibility-mode.exe are Windows CryptoAPI at work, not the malware's own protocol: dstrootcax3.p7c is the issuer certificate published for the DST Root CA X3 chain, and the ctldl.windowsupdate.com downloads are root certificates and the automatic root update list (authrootstl.cab) that Windows fetches when it builds a chain for a TLS connection. They are consistent with the HTTPS connections listed below and with the "Changes settings of System certificates" signature, so treat that signature as a side effect of certificate validation rather than as evidence of tampering.

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
1684 | WINWORD.EXE | 2.185.239.164:80 | btta.xyz | Iran Telecommunication Company PJS | IR | suspicious
2692 | Compatibility-mode.exe | 192.35.177.64:80 | apps.identrust.com | IdenTrust | US | malicious
2692 | Compatibility-mode.exe | 166.62.108.43:443 | luvbec.com | GoDaddy.com, LLC | US | malicious
2692 | Compatibility-mode.exe | 149.210.195.135:443 | salonlamar.nl | Transip B.V. | NL | malicious
2692 | Compatibility-mode.exe | 157.230.253.64:443 | babysitting-hk.helpergo.co | Joao Carlos de Almeida Silveira trading as Bitcanal | US | suspicious
2692 | Compatibility-mode.exe | 103.23.22.248:443 | alharsunindo.com | PT Infinys System Indonesia | ID | suspicious
2692 | Compatibility-mode.exe | 37.221.193.90:443 | tages-geldvergleich.de | netcup GmbH | DE | unknown
2692 | Compatibility-mode.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2692 | Compatibility-mode.exe | 104.25.143.36:443 | amco.net.au | Cloudflare Inc | US | shared
2692 | Compatibility-mode.exe | 45.76.45.105:443 | triplettagaite.fr | Choopa, LLC | FR | unknown

The reputation labels are ANY.RUN's own and are not consistent between sections (apps.identrust.com is "malicious" here and "shared" in the HTTP and DNS tables); they are not a substitute for checking each domain. The HTTPS connections from the dropper go to a spread of unrelated small-business domains in different countries and hosting providers, which is the pattern to carry into network hunting, rather than any single IP.

DNS requests

Domain | IP(s) | Reputation
btta.xyz | 2.185.239.164, 193.107.99.167, 62.73.70.146, 190.140.53.138, 197.255.246.6, 95.43.57.155, 41.110.200.194, 188.254.186.158, 2.185.146.116, 37.152.176.90 | malicious
luvbec.com | 166.62.108.43 | suspicious
salonlamar.nl | 149.210.195.135 | suspicious
alharsunindo.com | 103.23.22.248 | suspicious
babysitting-hk.helpergo.co | 157.230.253.64 | suspicious
apps.identrust.com | 192.35.177.64 | shared
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
amco.net.au | 104.25.143.36, 104.25.144.36 | suspicious
nuohous.com | 185.55.85.6 | suspicious
grancanariaregional.com | 77.104.183.21 | suspicious

Threats

PID | Process | Class | Message
1684 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
1684 | WINWORD.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
1684 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
- | - | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
2692 | Compatibility-mode.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
No debug info