analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://www.mineco-gov.es/Anuncio%20importante.doc

Full analysis: https://app.any.run/tasks/3b588dfe-2538-48d3-9488-cf0cef3f0948
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: November 08, 2019, 12:40:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
Indicators:
MD5:

F125EEC82E7FD887C0B93873A256D978

SHA1:

8F7690DAFFFE697C856B268A0E72499DCF207649

SHA256:

F286B50F2A25EEC69AFD092482DE36AF7C3C1403B27F52F8954E648F0E84C761

SSDEEP:

3:N8DSLACGHubISoQKGn:2OLA1HeILQd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 624)

    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 624)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 624)

    • Application was dropped or rewritten from another process

      • zczjgiqco.exe (PID: 2772)

    • Downloads executable files from IP

      • WINWORD.EXE (PID: 624)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • chrome.exe (PID: 532)
      • WINWORD.EXE (PID: 624)

    • Application launched itself

      • WINWORD.EXE (PID: 624)

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 624)

    • Executable content was dropped or overwritten

      • zczjgiqco.exe (PID: 2772)

  • INFO

    • Creates files in the user directory

      • chrome.exe (PID: 532)
      • WINWORD.EXE (PID: 624)

    • Manual execution by user

      • explorer.exe (PID: 2776)

    • Reads the hosts file

      • chrome.exe (PID: 532)
      • chrome.exe (PID: 324)

    • Application launched itself

      • chrome.exe (PID: 532)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 532)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1016)
      • WINWORD.EXE (PID: 624)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
17
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs explorer.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winword.exe winword.exe no specs zczjgiqco.exe

Process information

PID
CMD
Path
Indicators
Parent process
532"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.mineco-gov.es/Anuncio%20importante.doc"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3980"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6ed2a9d0,0x6ed2a9e0,0x6ed2a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2400"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=992 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2876"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,7239063143642065153,6610828807945548416,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=14125136795696872257 --mojo-platform-channel-handle=1052 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
324"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,7239063143642065153,6610828807945548416,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=7515424782394322208 --mojo-platform-channel-handle=1592 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
1976"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,7239063143642065153,6610828807945548416,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10743431468518659566 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1868 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2872"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,7239063143642065153,6610828807945548416,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10803335101885322689 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
492"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,7239063143642065153,6610828807945548416,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9526323525552035771 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2768"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,7239063143642065153,6610828807945548416,131072 --enable-features=PasswordImport --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=16840922429451803285 --mojo-platform-channel-handle=3516 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2776"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 734
Read events
2 521
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
17
Text files
81
Unknown types
5

Dropped files

PID
Process
Filename
Type
532chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old
MD5:
SHA256:
532chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\c8f79c63-a700-4067-a759-27923b262107.tmp
MD5:
SHA256:
532chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp
MD5:
SHA256:
532chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:C4D6CBB269C626168A5D6D0D8CCE6C30
SHA256:B62CDBB758278A0C2E50593357390119441D8DE09428EB29027F3DFD1332E348
532chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old~RF39aa06.TMPtext
MD5:3D551B6E929CF62F7AA66091E718704B
SHA256:1698A1B1BC3E86676392FB8BD4C712438302A5A2220503C08F290ED4B1790404
532chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:213AE3DA120D7862D60B5763B6C9D466
SHA256:5736534D6EE654C1BF1A8E79E73330AF58F622E8657285330D2C7189A55604F4
532chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF39a9e6.TMPtext
MD5:A519780ED0A2F4336DB4F5651D79C369
SHA256:DA5B71BD0075B55757BF757BF5F4D4A1DCBCF0762CDA5B31B28680963E068C75
532chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF39a969.TMPtext
MD5:213AE3DA120D7862D60B5763B6C9D466
SHA256:5736534D6EE654C1BF1A8E79E73330AF58F622E8657285330D2C7189A55604F4
532chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF39a8dd.TMPtext
MD5:C4D6CBB269C626168A5D6D0D8CCE6C30
SHA256:B62CDBB758278A0C2E50593357390119441D8DE09428EB29027F3DFD1332E348
532chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:DC32343F45B01764B6267AD36548102A
SHA256:A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
17
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
624
WINWORD.EXE
GET
200
181.143.146.58:80
http://181.143.146.58/System32.exe
CO
executable
465 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
172.217.22.67:443
ssl.gstatic.com
Google Inc.
US
whitelisted
324
chrome.exe
172.217.18.3:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
324
chrome.exe
172.217.22.67:443
ssl.gstatic.com
Google Inc.
US
whitelisted
324
chrome.exe
104.24.99.58:443
www.mineco-gov.es
Cloudflare Inc
US
suspicious
324
chrome.exe
172.217.23.110:443
sb-ssl.google.com
Google Inc.
US
whitelisted
324
chrome.exe
216.58.208.45:443
accounts.google.com
Google Inc.
US
whitelisted
324
chrome.exe
216.58.207.36:443
www.google.com
Google Inc.
US
whitelisted
324
chrome.exe
172.217.18.10:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
324
chrome.exe
216.58.210.3:443
www.gstatic.com
Google Inc.
US
whitelisted
324
chrome.exe
172.217.22.78:443
clients4.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.mineco-gov.es
  • 104.24.99.58
  • 104.24.98.58
malicious
clientservices.googleapis.com
  • 172.217.18.3
whitelisted
accounts.google.com
  • 216.58.208.45
shared
sb-ssl.google.com
  • 172.217.23.110
whitelisted
www.google.com
  • 216.58.207.36
whitelisted
ssl.gstatic.com
  • 172.217.22.67
whitelisted
www.gstatic.com
  • 216.58.210.3
whitelisted
safebrowsing.google.com
  • 216.58.205.238
whitelisted
clients4.google.com
  • 172.217.22.78
whitelisted
clients1.google.com
  • 172.217.22.78
whitelisted

Threats

PID
Process
Class
Message
624
WINWORD.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
624
WINWORD.EXE
A Network Trojan was detected
ET TROJAN Possible Malicious Macro DL EXE Feb 2016
624
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
624
WINWORD.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
624
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
624
WINWORD.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.mineco-gov.es/Anuncio%20importante.doc