analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

_._

Full analysis: https://app.any.run/tasks/e407688e-4a54-47dd-aa6b-ff35769a2135
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 09, 2019, 14:04:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
macros
macros-on-open
gozi
ursnif
trojan
stealer
predator
loader
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: Spooler 72A6E0BB-B4DB-4EE7-97B7-783CF2E7CF1C, Subject: 525c81c0-4021-4cf1-869e-619743cb6502, Author: SPOOL-Comp\\35_BOB, Comments: ys lpinsaxfv, Template: Normal, Last Saved By: Windows, Revision Number: 7, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Tue Aug 6 10:17:00 2019, Last Saved Time/Date: Wed Oct 9 09:52:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

D362E30C3DA407B6A48982F1F9B6C1F0

SHA1:

F4C0E91F7D3D51B0B001B5D1F35B61E1820EEAE1

SHA256:

FAD51C74CBFC908697729B386F17FC1586C08C5847557FCDB6095A6436FB8FD5

SSDEEP:

768:ZepcK96Rlna4mcRjAtoXke3sqp5/Rx3yQVlmD3xz99m5NrEWpz:Zep996LZm2623h/RRyQV8D33BWh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes scripts

      • WINWORD.EXE (PID: 2208)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2208)

    • Application was dropped or rewritten from another process

      • 20411.exe (PID: 676)

    • URSNIF was detected

      • WScript.exe (PID: 2932)

    • PREDATOR was detected

      • 20411.exe (PID: 676)

    • Connects to CnC server

      • 20411.exe (PID: 676)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 2932)

  • SUSPICIOUS

    • Creates files in the Windows directory

      • WINWORD.EXE (PID: 2208)

    • Reads the machine GUID from the registry

      • WScript.exe (PID: 2932)

    • Reads Internet Cache Settings

      • WScript.exe (PID: 2932)

    • Creates files in the user directory

      • 20411.exe (PID: 676)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2932)

    • Creates files in the program directory

      • WScript.exe (PID: 2932)

    • Reads the cookies of Google Chrome

      • 20411.exe (PID: 676)

    • Starts CMD.EXE for commands execution

      • 20411.exe (PID: 676)

    • Searches for installed software

      • 20411.exe (PID: 676)

    • Starts CMD.EXE for self-deleting

      • 20411.exe (PID: 676)

  • INFO

    • Manual execution by user

      • WINWORD.EXE (PID: 2208)

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 2208)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2208)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2208)

    • Reads settings of System Certificates

      • WScript.exe (PID: 2932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
TitleOfParts:
  • ffwmamztsi
  • ffwmamztsi
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
CharCountWithSpaces: 1
Paragraphs: 1
Lines: 1
Bytes: 27648
Company: -
Manager: Manager acbfc7dd-1092-48ff-b8df-00d8527a54ae
CodePage: Windows Cyrillic
Security: None
Characters: 1
Words: -
Pages: 1
ModifyDate: 2019:10:09 08:52:00
CreateDate: 2019:08:06 09:17:00
TotalEditTime: 1.0 minutes
Software: Microsoft Office Word
RevisionNumber: 7
LastModifiedBy: Пользователь Windows
Template: Normal
Comments: ys lpinsaxfv
Keywords: -
Author: SPOOL-Comp\\35_BOB
Subject: 525c81c0-4021-4cf1-869e-619743cb6502
Title: Spooler 72A6E0BB-B4DB-4EE7-97B7-783CF2E7CF1C
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start rundll32.exe no specs winword.exe no specs #URSNIF wscript.exe #PREDATOR 20411.exe cmd.exe no specs ping.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
324"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\_._C:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2208"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\doc.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.5123.5000
2932"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\nayptiyiyx.js" C:\Windows\System32\WScript.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
676"C:\ProgramData\20411.exe" C:\ProgramData\20411.exe
WScript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2480"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\ProgramData\20411.exe"C:\Windows\SysWOW64\cmd.exe20411.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2104ping 127.0.0.1 C:\Windows\SysWOW64\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 346
Read events
813
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
4
Unknown types
4

Dropped files

PID
Process
Filename
Type
2208WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRC1A4.tmp.cvr
MD5:
SHA256:
2208WINWORD.EXEC:\Windows\Temp\nayptiyiyx.jstext
MD5:E5D00A730D777920B9F868FC4CF3273F
SHA256:C1C8BF3AD2274C696FDF618FB6E6D53B75ED6A9911CCACE078A336E653EDBF32
2932WScript.exeC:\ProgramData\20411.exeexecutable
MD5:D54DFBF928D1364872E93A4E48F87271
SHA256:3EA62E2C2337F27784B7726FB704914A9DD0E5E6D6F4254B7971C058CC2C01E6
2932WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\Toqis[1].phpexecutable
MD5:D54DFBF928D1364872E93A4E48F87271
SHA256:3EA62E2C2337F27784B7726FB704914A9DD0E5E6D6F4254B7971C058CC2C01E6
2208WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:F57C4E9ED3B29A11DEF3DFEA2071FA53
SHA256:711DDFB9C7512A241E617A6215B6F991220F69479B45474980594928BDC938B6
2208WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\doc.doc.LNKlnk
MD5:AE86901874022C17058CBC35DB1AC319
SHA256:82A36F89E62FA9ADA7237278F80D2145992466D0720C750EFCA6C606A061C57F
2208WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:42B965C8A27152746A46E182E90C720F
SHA256:A84CAF2D004E6FD7AB30D495127F25F1EB07B8DF02A2C317D3759EEE0B0DD562
67620411.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\F6PZ6F2P.txttext
MD5:5AA62F3C640092055B23F68E90AC3E81
SHA256:45B9911967AEF039E61135B0AC7E8C074AB75D0E51816360BC39416CF50316CA
2208WINWORD.EXEC:\Users\admin\Desktop\~$doc.docpgc
MD5:3FA0980A953F409A3E3DA8EDE068BCFA
SHA256:AEE29B639948DB90FB03D6914CFA9A82CD502AC65B0FDB2FFAE251EFD41F32F5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
6
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2932
WScript.exe
GET
404
85.143.222.152:80
http://zelinopats.com/angosz/cecolf.php?l=icath3.tar
RU
malicious
676
20411.exe
POST
200
47.88.101.83:80
http://gacraze0710.com/api/check.get
US
text
136 b
malicious
2932
WScript.exe
GET
404
184.30.217.76:443
https://www.trendmicro.com/de_de/404.html
NL
html
72.4 Kb
whitelisted
2932
WScript.exe
GET
404
104.109.84.249:443
https://docs.microsoft.com/en-us/aspnet/index/404
NL
html
16.6 Kb
whitelisted
2932
WScript.exe
GET
404
104.109.84.249:443
https://docs.microsoft.com/en-us/office/index/404
NL
html
16.6 Kb
whitelisted
2932
WScript.exe
GET
200
162.244.32.162:80
http://seetelcury.com/Toqis.php
US
executable
538 Kb
suspicious
676
20411.exe
POST
200
47.88.101.83:80
http://gacraze0710.com/api/gate.get?p1=2&p2=15&p3=0&p4=0&p5=0&p6=0&p7=0&p8=0&p9=0&p10=YGFhKf21IbygzqkzseBNx2QBMxUJbMVilqO8
US
binary
1 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2932
WScript.exe
184.30.217.76:443
www.trendmicro.com
Akamai International B.V.
NL
unknown
85.143.222.152:80
zelinopats.com
Trader soft LLC
RU
malicious
2932
WScript.exe
104.109.84.249:443
docs.microsoft.com
Akamai International B.V.
NL
whitelisted
676
20411.exe
47.88.101.83:80
gacraze0710.com
Alibaba (China) Technology Co., Ltd.
US
malicious
2932
WScript.exe
162.244.32.162:80
seetelcury.com
Hosting Solution Ltd.
US
suspicious

DNS requests

Domain
IP
Reputation
docs.microsoft.com
  • 104.109.84.249
whitelisted
www.trendmicro.com
  • 184.30.217.76
whitelisted
zelinopats.com
  • 85.143.222.152
malicious
seetelcury.com
  • 162.244.32.162
suspicious
gacraze0710.com
  • 47.88.101.83
malicious

Threats

PID
Process
Class
Message
2932
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] MalDoc Requesting Ursnif Payload
2932
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
676
20411.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
_._