File name: | 20lyhvk2.docx |
Full analysis: | https://app.any.run/tasks/f8daacb9-d9fa-4d8f-bff7-5f4f4aae9138 |
Verdict: | Malicious activity |
Analysis date: | July 13, 2020, 03:00:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 25C2D3489105F9DE292822E0F7351F55 |
SHA1: | CAD3EECE0F63D196DF7EEEE2FA13025D89AFAB8E |
SHA256: | 27AA9D080C31365ACEDF43D603B3997D15730C13EDA323ED3EF4152E54579E38 |
SSDEEP: | 12288:3I2fETt7e/a4fj8ltgOfF+ew9GMWnyVLJ9gf1yN8D1tskoS2Q:4METt6C4bwtgc+Z9QOd9m4C7oS2Q |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
Creator: | Irene |
---|
ModifyDate: | 2020:07:07 03:39:00Z |
---|---|
CreateDate: | 2020:07:04 23:51:00Z |
RevisionNumber: | 55 |
LastModifiedBy: | Anxin Lin |
AppVersion: | 16 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 60307 |
LinksUpToDate: | No |
Company: | - |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 120 |
Lines: | 428 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 51409 |
Words: | 9018 |
Pages: | 65 |
TotalEditTime: | 1.8 hours |
Template: | Normal |
ZipFileName: | docProps/app.xml |
---|---|
ZipUncompressedSize: | 979 |
ZipCompressedSize: | 475 |
ZipCRC: | 0x24cd2445 |
ZipModifyDate: | 2020:07:12 19:42:11 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2268 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\20lyhvk2.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2212 | "C:\Program Files\Internet Explorer\iexplore.exe" https://raw.githubusercontent.com/wujieliulan/download/master/u.zip? | C:\Program Files\Internet Explorer\iexplore.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1508 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2212 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
4072 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\u.zip" | C:\Program Files\WinRAR\WinRAR.exe | iexplore.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1700 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa4072.8160\u1902.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa4072.8160\u1902.exe | WinRAR.exe | |
User: admin Integrity Level: MEDIUM | ||||
3772 | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2376 | C:\Users\admin\AppData\Local\Temp\Rar$EXa4072.8160\utmp\u.exe -L="127.0.0.1:9666" -CID="40e0c2f6", -ProgPath="C:\Users\admin\AppData\Local\Temp\Rar$EXa4072.8160\\" -TmpPath="C:\Users\admin\AppData\Local\Temp\Rar$EXa4072.8160\utmp\\" -ConnMode=0 -version="1902100" | C:\Users\admin\AppData\Local\Temp\Rar$EXa4072.8160\utmp\u.exe | u1902.exe | |
User: admin Integrity Level: MEDIUM | ||||
3760 | "C:\Program Files\Google\Chrome\Application\chrome.exe" http://ultrasurf.us/search.htm | C:\Program Files\Google\Chrome\Application\chrome.exe | u1902.exe | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
3624 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6005a9d0,0x6005a9e0,0x6005a9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 | ||||
3932 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3764 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2268 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7541.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2268 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CabC314.tmp | — | |
MD5:— | SHA256:— | |||
2268 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\TarC315.tmp | — | |
MD5:— | SHA256:— | |||
2268 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\u[1].zip | — | |
MD5:— | SHA256:— | |||
1508 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabCD35.tmp | — | |
MD5:— | SHA256:— | |||
1508 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabCD36.tmp | — | |
MD5:— | SHA256:— | |||
1508 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarCD38.tmp | — | |
MD5:— | SHA256:— | |||
1508 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarCD37.tmp | — | |
MD5:— | SHA256:— | |||
2212 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF42990D098C0FB127.TMP | — | |
MD5:— | SHA256:— | |||
2212 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\u.zip.hh7zvw8.partial:Zone.Identifier | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2268 | WINWORD.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEA7DhnK6vbZVWuDNUnGhjDo%3D | US | der | 471 b | whitelisted |
2268 | WINWORD.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2376 | u.exe | 152.199.19.161:443 | do.skype.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2268 | WINWORD.EXE | 3.230.235.205:443 | git.io | — | US | suspicious |
2268 | WINWORD.EXE | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2376 | u.exe | 72.52.87.179:443 | — | Hurricane Electric, Inc. | US | suspicious |
2268 | WINWORD.EXE | 151.101.0.133:443 | raw.githubusercontent.com | Fastly | US | malicious |
1508 | iexplore.exe | 151.101.0.133:443 | raw.githubusercontent.com | Fastly | US | malicious |
2376 | u.exe | 45.95.98.179:443 | — | — | — | unknown |
Domain | IP | Reputation |
---|---|---|
git.io |
| shared |
ocsp.digicert.com |
| whitelisted |
raw.githubusercontent.com |
| shared |
do.skype.com |
| whitelisted |
github.com |
| shared |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
github.githubassets.com |
| whitelisted |
avatars0.githubusercontent.com |
| whitelisted |
avatars1.githubusercontent.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2376 | u.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Possible JA3 UltraSurf Proxy Anonymizer |
2376 | u.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Possible JA3 UltraSurf Proxy Anonymizer |
2376 | u.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Possible JA3 UltraSurf Proxy Anonymizer |