File name: | ups_ilwod.doc |
Full analysis: | https://app.any.run/tasks/8536731c-fbce-49be-9a09-689778b8e47b |
Verdict: | Malicious activity |
Threats: | Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. This malware is available as a service which makes it accessible tools to criminals and contributes to the popularity of this virus. |
Analysis date: | August 12, 2022, 23:21:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: , Author: Isabel, Template: Normal.dot, Last Saved By: Windows, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jan 12 13:32:00 2017, Last Saved Time/Date: Thu Jan 12 13:32:00 2017, Number of Pages: 1, Number of Words: 0, Number of Characters: 2, Security: 0 |
MD5: | 38DB1BCF8EC66CA66B2936A48725144A |
SHA1: | 5F8BCAE7410A194182ACB429605439DEA5BFDE61 |
SHA256: | 1079376DD36788D51AB3385811484A7B0DB50F5926FFB4E2590DDD0DDA31E71B |
SSDEEP: | 3072:3wjEWJXAOFkR2emjr27braMglbBDvjIrM:3wjZZHrKv69AM |
.doc | | | Microsoft Word document (80) |
---|
CompObjUserType: | ???????? Microsoft Office Word |
---|---|
CompObjUserTypeLen: | 31 |
HeadingPairs: |
|
TitleOfParts: | |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 11.5606 |
CharCountWithSpaces: | 2 |
Paragraphs: | 1 |
Lines: | 1 |
Bytes: | 11000 |
Company: | |
CodePage: | Windows Cyrillic |
Security: | None |
Characters: | 2 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2017:01:12 13:32:00 |
CreateDate: | 2017:01:12 13:32:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Windows |
Template: | Normal.dot |
Comments: | - |
Keywords: | - |
Author: | Isabel |
Subject: | - |
Title: |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3160 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ups_ilwod.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3596 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 3221225477 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR98B6.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$s_ilwod.doc | pgc | |
MD5:C9A60C5E3FA17E7223D4D8B73C9ACB3C | SHA256:C384A85DB8115CD506C6D73C41B2A39B10CB187FDED4744D178C0C4A23505C94 | |||
3160 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D2232D7D7255D896578588604E19A8B0 | SHA256:8CFA012DDD8EC220855639B9F805DFF8774ABB4B3C2C0D321A2CD0D8B946691D | |||
3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:DDC35F22E3BB8C9004F3A51CE823E42A | SHA256:2C1CB1B054AAE3441822415B18743042B6834542BA5C22E78DD9A8DCFC070A45 |