Field | Value |
---|---|
File name: | 1cd85bfe37769fc4320dafb7bd073e528975e75554a4ab5a48a50126707ae9fa |
Full analysis: | https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3 |
Verdict: | Malicious activity |
Analysis date: | April 15, 2019, 13:07:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | — |
Indicators: | — |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 195CDEC884145A7FE9085F68F1BC795A |
SHA1: | 732FE409D5B2DA307C90BD68FE72F2347696C53D |
SHA256: | 1CD85BFE37769FC4320DAFB7BD073E528975E75554A4AB5A48A50126707AE9FA |
SSDEEP: | 1536:0FF3JKdJQG3XsKv133Y7JWmVegXIhENEKJ6rLwQsF1wT/VmgB2Cv:0FGHb3cKv13mWKeyNErLw/wT/VmgB2Cv |

Extension | Description (score) |
---|---|
.docx | Word Microsoft Office Open XML Format document (52.2) |
.zip | Open Packaging Conventions container (38.8) |
.zip | ZIP compressed archive (8.8) |

Property | Value |
---|---|
Description: | - |
Creator: | - |
Subject: | - |
Title: | - |
ModifyDate: | 2019:04:08 07:24:00Z |
CreateDate: | 2019:04:08 07:23:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Keywords: | - |
AppVersion: | 15 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 105 |
LinksUpToDate: | No |
Company: | - |
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 91 |
Words: | 15 |
Pages: | 1 |
TotalEditTime: | - |
Template: | README.txt |
ZipFileName: | [Content_Types].xml |
ZipUncompressedSize: | 2445 |
ZipCompressedSize: | 423 |
ZipCRC: | 0xf6f406a9 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3888 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\1cd85bfe37769fc4320dafb7bd073e528975e75554a4ab5a48a50126707ae9fa.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
2476 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
588 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
2104 | explorer.exe shell:::{8dac4e38-b146-4617-96a3-a3f839e568} | C:\Windows\explorer.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1656 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1372 | explorer.exe shell:::{8dac4e38-b146-4617-96a3-a3f839e568} | C:\Windows\explorer.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1440 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2752 | explorer.exe shell:::{8dac4e38-b146-4617-96a3-a3f839e5c68} | C:\Windows\explorer.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3876 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1008 | explorer.exe shell:::{8dac4e38-b146-4617-96a3-a3f839e5c568} | C:\Windows\explorer.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3888 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2E12.tmp.cvr | — | — | — |
3888 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{6A5BEDE7-8AA3-4EF1-9253-3723C9EAB1C3} | — | — | — |
3888 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{4E99328A-639E-48CD-A669-C916579835D5} | — | — | — |
588 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRCDEC.tmp.cvr | — | — | — |
1640 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LAOKOHELAZ3PQZFHVT82.temp | — | — | — |
3888 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 02A4071A6E9855C90E72EA774D0A8E37 | 8EF64BD5CBA3B5CCA667F65192FFE518D170E00D5E64CF9A2A1889A75C82B994 |
3888 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0633DAD7-460F-4449-991C-599E9D2B0A99}.FSD | binary | 23C82138A97BED39B0276B2A8E48E2F0 | 3E33EB1779B7DE88B2A6E2E60172090F2BAA69495629872B69AE54751D9858CB |
3888 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | 0152C47E2559238701B25E5E6BAB777A | 35BF0382282EEC31D2BAB747A6A6C8B9DEEED333436E314F56798BAE4C59537F |
3888 | WINWORD.EXE | C:\Users\admin\Desktop\~$d85bfe37769fc4320dafb7bd073e528975e75554a4ab5a48a50126707ae9fa.docx | pgc | 425BD38AE7BFA764431E59C5179A830B | 64FB35B9301F8E65F67870B86AB348646CFFCD908AD801548EFD4400A9405871 |
3888 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | 99EB27B55AD2BEACEA68AFEE7BA765A4 | AB3A606A0E6D4A1E4B36A42B2150B79E3FF5F5D9AADD58A883687AA13F73B7F4 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
984 | svchost.exe | OPTIONS | 301 | 23.111.134.163:80 | http://www.tfu.ae/ | US | — | — | suspicious |
3888 | WINWORD.EXE | OPTIONS | — | 23.111.134.163:80 | http://www.tfu.ae/ | US | — | — | suspicious |
3888 | WINWORD.EXE | GET | 200 | 23.111.134.163:80 | http://www.tfu.ae/README.txt | US | document | 188 Kb | suspicious |
1640 | powershell.exe | POST | — | 185.162.235.182:80 | http://185.162.235.182/None | RU | — | — | unknown |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
984 | svchost.exe | 23.111.134.163:80 | www.tfu.ae | HIVELOCITY VENTURES CORP | US | suspicious |
1640 | powershell.exe | 176.58.123.25:443 | v4.ident.me | Linode, LLC | GB | suspicious |
1640 | powershell.exe | 185.162.235.182:80 | — | Serverius Holding B.V. | RU | unknown |
3888 | WINWORD.EXE | 23.111.134.163:80 | www.tfu.ae | HIVELOCITY VENTURES CORP | US | suspicious |
984 | svchost.exe | 23.111.134.163:443 | www.tfu.ae | HIVELOCITY VENTURES CORP | US | suspicious |

Domain | IP | Reputation |
---|---|---|
www.tfu.ae | — | suspicious |
dns.msftncsi.com | — | shared |
tfu.ae | — | suspicious |
v4.ident.me | — | suspicious |

PID | Process | Class | Message |
---|---|---|---|
3888 | WINWORD.EXE | Misc activity | SUSPICIOUS [PTsecurity] Download DOC file with VBAScript |
1640 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY Observed Suspicious SSL Cert (External IP Lookup - ident .me) |