| Field | Value |
|---|---|
| File name | 88 |
| Full analysis | https://app.any.run/tasks/f5a66e76-6e0c-45dd-8d9e-18036605fe1d |
| Verdict | Malicious activity |
| Analysis date | August 17, 2019, 15:01:23 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: ffwmamztsi, Subject: gnvfalglmqbllmiezy, Author: qqeugmxltmrh, Comments: czntgetcbisoyhrnsqr, Template: Normal.dotm, Last Saved By: ASUS ROG, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Aug 16 09:09:00 2019, Last Saved Time/Date: Fri Aug 16 09:09:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
| MD5 | 656FC36F599A937CBA0F3E066F1BFEF4 |
| SHA1 | 55C77FBC4F3AD2EF716D43C6D6EB1CBD1AC03A39 |
| SHA256 | 1965058A5F09F362F3CF8AE2EBC1AA77A18D35D3CB87570617D2ABCEB99472CA |
| SSDEEP | 1536:rGpnTb76bd6Rd1yywQmBXF1DX3e6JIeaYNLoqpEAZD1+lCptEKEPC:STb76bd8d1jCX66JIzYxoqpD1qCptE0 |
| Extension | Detected type (confidence) |
|---|---|
| .doc | Microsoft Word document (54.2) |
| .doc | Microsoft Word document (old ver.) (32.2) |
| Property | Value |
|---|---|
| CompObjUserType | Документ Microsoft Word 97-2003 |
| CompObjUserTypeLen | 32 |
| HeadingPairs | |
| TitleOfParts | |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 16 |
| CharCountWithSpaces | 1 |
| Paragraphs | 1 |
| Lines | 1 |
| Company | hffuqeulzrizvefn |
| Manager | tobgifducddtypnimgwutdcjid |
| CodePage | Windows Cyrillic |
| Security | None |
| Characters | 1 |
| Words | - |
| Pages | 1 |
| ModifyDate | 2019:08:16 08:09:00 |
| CreateDate | 2019:08:16 08:09:00 |
| TotalEditTime | - |
| Software | Microsoft Office Word |
| RevisionNumber | 2 |
| LastModifiedBy | ASUS ROG |
| Template | Normal.dotm |
| Comments | czntgetcbisoyhrnsqr |
| Keywords | - |
| Author | qqeugmxltmrh |
| Subject | gnvfalglmqbllmiezy |
| Title | ffwmamztsi |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3420 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\88.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 3000 | "C:\Windows\System32\wbem\wmic.exe" process list /format:"a8Nh5.xsl" | C:\Windows\System32\wbem\wmic.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: WMI Commandline Utility; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9AFC.tmp.cvr | — | — | — |
| 3420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 394497A4DBA75D0E33F5D75E46353612 | 4E2F634EB7FA1C1F4BD8C3476179D3CDB7F22DA1506824A3BF3C26ADF4627B7A |
| 3420 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 87BD855580060A76C9E649C36C3F0C54 | 9481A0A433239C05807E547AE06FC7638556ECF6765F72EC9C99739F9AB3D3F8 |
| 3420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$88.doc | pgc | 7CCF7C164053384900053BA331C9D05E | DBFE297556C5F3C3E8CBF051514AAE03D9229E82F935743F425D6C1899D00140 |
| 3420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\a8Nh5.xsl | xml | 54E9EC7885028A9ADA80859C636D6525 | 33D3E25E593BF21A05C0F1D3337064B18876700847C518225B61A03556D67B41 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3000 | wmic.exe | GET | — | 210.16.100.52:80 | http://rimfaoyahv4115.com/qtra/ttqr.php?l=apqo10.j12 | IN | — | — | malicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3000 | wmic.exe | 210.16.100.52:80 | rimfaoyahv4115.com | Psychz Networks | IN | malicious |
| Domain | IP | Reputation |
|---|---|---|
| rimfaoyahv4115.com | — | malicious |