File name:	_._
Full analysis:	https://app.any.run/tasks/e407688e-4a54-47dd-aa6b-ff35769a2135
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Predator, the Thief, is an information stealer, meaning that malware steals data from infected systems. This virus can access the camera and spy on victims, steal passwords and login information, and retrieve payment data from cryptocurrency wallets. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world. Malware Trends Tracker >>>
Analysis date:	October 09, 2019, 14:04:15
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	macros macros-on-open gozi ursnif trojan stealer predator loader
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: Spooler 72A6E0BB-B4DB-4EE7-97B7-783CF2E7CF1C, Subject: 525c81c0-4021-4cf1-869e-619743cb6502, Author: SPOOL-Comp\\35_BOB, Comments: ys lpinsaxfv, Template: Normal, Last Saved By: Windows, Revision Number: 7, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Tue Aug 6 10:17:00 2019, Last Saved Time/Date: Wed Oct 9 09:52:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:	D362E30C3DA407B6A48982F1F9B6C1F0
SHA1:	F4C0E91F7D3D51B0B001B5D1F35B61E1820EEAE1
SHA256:	FAD51C74CBFC908697729B386F17FC1586C08C5847557FCDB6095A6436FB8FD5
SSDEEP:	768:ZepcK96Rlna4mcRjAtoXke3sqp5/Rx3yQVlmD3xz99m5NrEWpz:Zep996LZm2623h/RRyQV8D33BWh

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

Title:	Spooler 72A6E0BB-B4DB-4EE7-97B7-783CF2E7CF1C
Subject:	525c81c0-4021-4cf1-869e-619743cb6502
Author:	SPOOL-Comp\\35_BOB
Keywords:	-
Comments:	ys lpinsaxfv
Template:	Normal
LastModifiedBy:	Пользователь Windows
RevisionNumber:	7
Software:	Microsoft Office Word
TotalEditTime:	1.0 minutes
CreateDate:	2019:08:06 09:17:00
ModifyDate:	2019:10:09 08:52:00
Pages:	1
Words:	-
Characters:	1
Security:	None
CodePage:	Windows Cyrillic
Manager:	Manager acbfc7dd-1092-48ff-b8df-00d8527a54ae
Company:	-
Bytes:	27648
Lines:	1
Paragraphs:	1
CharCountWithSpaces:	1
AppVersion:	16
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	ffwmamztsi ffwmamztsi
HeadingPairs:	Title 1 Название 1
CompObjUserTypeLen:	32
CompObjUserType:	Microsoft Word 97-2003 Document


(PID) Process:	(2208) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	$=!
Value: 243D2100A0080000010000000000000000000000
(PID) Process:	(2208) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(2208) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(2208) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	WORDFiles
Value: 1330184235
(PID) Process:	(2208) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1330184318
(PID) Process:	(2208) WINWORD.EXE	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:	write	Name:	ProductFiles
Value: 1330184319
(PID) Process:	(2208) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:	write	Name:	MTTT
Value: A0080000BCAA9B83AA7ED50100000000
(PID) Process:	(2208) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	m!!
Value: 6D212100A008000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(2208) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	delete value	Name:	m!!
Value: 6D212100A008000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:	(2208) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

PID	Process	Filename		Type
2208	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVRC1A4.tmp.cvr		—
		MD5:—	SHA256:—
2208	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\doc.doc.LNK		lnk
		MD5:—	SHA256:—
2208	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:—	SHA256:—
2208	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd		tlb
		MD5:—	SHA256:—
2208	WINWORD.EXE	C:\Windows\Temp\nayptiyiyx.js		text
		MD5:—	SHA256:—
2932	WScript.exe	C:\ProgramData\20411.exe		executable
		MD5:—	SHA256:—
676	20411.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\F6PZ6F2P.txt		text
		MD5:—	SHA256:—
2932	WScript.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\Toqis[1].php		executable
		MD5:—	SHA256:—
2208	WINWORD.EXE	C:\Users\admin\Desktop\~$doc.doc		pgc
		MD5:3FA0980A953F409A3E3DA8EDE068BCFA	SHA256:AEE29B639948DB90FB03D6914CFA9A82CD502AC65B0FDB2FFAE251EFD41F32F5

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2932	WScript.exe	GET	404	104.109.84.249:443	https://docs.microsoft.com/en-us/aspnet/index/404	NL	html	16.6 Kb	whitelisted
2932	WScript.exe	GET	404	184.30.217.76:443	https://www.trendmicro.com/de_de/404.html	NL	html	72.4 Kb	whitelisted
676	20411.exe	POST	200	47.88.101.83:80	http://gacraze0710.com/api/check.get	US	text	136 b	malicious
676	20411.exe	POST	200	47.88.101.83:80	http://gacraze0710.com/api/gate.get?p1=2&p2=15&p3=0&p4=0&p5=0&p6=0&p7=0&p8=0&p9=0&p10=YGFhKf21IbygzqkzseBNx2QBMxUJbMVilqO8	US	binary	1 b	malicious
2932	WScript.exe	GET	404	85.143.222.152:80	http://zelinopats.com/angosz/cecolf.php?l=icath3.tar	RU	—	—	malicious
2932	WScript.exe	GET	200	162.244.32.162:80	http://seetelcury.com/Toqis.php	US	executable	538 Kb	suspicious
2932	WScript.exe	GET	404	104.109.84.249:443	https://docs.microsoft.com/en-us/office/index/404	NL	html	16.6 Kb	whitelisted

Domain	IP	Reputation
docs.microsoft.com	104.109.84.249	whitelisted
www.trendmicro.com	184.30.217.76	whitelisted
zelinopats.com	85.143.222.152	malicious
seetelcury.com	162.244.32.162	suspicious
gacraze0710.com	47.88.101.83	malicious

PID	Process	Class	Message
2932	WScript.exe	A Network Trojan was detected	MALWARE [PTsecurity] MalDoc Requesting Ursnif Payload
2932	WScript.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
676	20411.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin

PID	Process	IP	Domain	ASN	CN	Reputation
2932	WScript.exe	104.109.84.249:443	docs.microsoft.com	Akamai International B.V.	NL	whitelisted
2932	WScript.exe	184.30.217.76:443	www.trendmicro.com	Akamai International B.V.	NL	unknown
—	—	85.143.222.152:80	zelinopats.com	Trader soft LLC	RU	malicious
2932	WScript.exe	162.244.32.162:80	seetelcury.com	Hosting Solution Ltd.	US	suspicious
676	20411.exe	47.88.101.83:80	gacraze0710.com	Alibaba (China) Technology Co., Ltd.	US	malicious

General Info

_._

D362E30C3DA407B6A48982F1F9B6C1F0

F4C0E91F7D3D51B0B001B5D1F35B61E1820EEAE1

FAD51C74CBFC908697729B386F17FC1586C08C5847557FCDB6095A6436FB8FD5

768:ZepcK96Rlna4mcRjAtoXke3sqp5/Rx3yQVlmD3xz99m5NrEWpz:Zep996LZm2623h/RRyQV8D33BWh

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

URSNIF was detected

Unusual execution from Microsoft Office

Downloads executable files from the Internet

Executes scripts

Connects to CnC server

PREDATOR was detected

SUSPICIOUS

Reads the cookies of Google Chrome

Reads the machine GUID from the registry

Creates files in the program directory

Executable content was dropped or overwritten

Creates files in the Windows directory

Creates files in the user directory

Searches for installed software

Reads Internet Cache Settings

Starts CMD.EXE for self-deleting

Starts CMD.EXE for commands execution

INFO

Manual execution by user

Reads settings of System Certificates

Reads the machine GUID from the registry

Creates files in the user directory

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings