Field | Value
---|---
File name: | AramexND-84927837484.doc
Full analysis: | https://app.any.run/tasks/911ecd3e-8ce0-43bd-be73-9e1b17239790
Verdict: | Malicious activity
Analysis date: | June 18, 2019, 17:17:35
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: | —
Indicators: | —
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: | Microsoft Word 2007+
MD5: | 0729BB3DC7ABC15AF14D287671F03BB6
SHA1: | 6751DA7C68247D50C8D7558D932EACEE715B1A21
SHA256: | 2CA1717E9907FC9655D24BF1A364847D0B90CF1F562FB53BA1854D22E3AD28DC
SSDEEP: | 6144:4PiGG8DYf2dzxoLsofhzA0f0NhI4M0vpLRQdS:4Pi+q2dxofhzRfwSAvws
Extension | Detected type (confidence)
---|---
.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)
ZIP entry field | Value
---|---
ZipRequiredVersion: | 20
ZipBitFlag: | 0x0006
ZipCompression: | Deflated
ZipModifyDate: | 1980:01:01 00:00:00
ZipCRC: | 0x7fcf3406
ZipCompressedSize: | 386
ZipUncompressedSize: | 1460
ZipFileName: | [Content_Types].xml
Document metadata | Value
---|---
Title: | -
Subject: | -
Creator: | HONGKONG
Description: | -
Keywords: | -
LastModifiedBy: | HONGKONG
RevisionNumber: | 3
CreateDate: | 2019:06:17 17:46:00Z
ModifyDate: | 2019:06:17 17:46:00Z
Template: | Normal
TotalEditTime: | -
Pages: | 1
Words: | 2
Characters: | 18
Application: | Microsoft Office Word
DocSecurity: | None
Lines: | 1
Paragraphs: | 1
ScaleCrop: | No
Company: | -
LinksUpToDate: | No
CharactersWithSpaces: | 19
SharedDoc: | No
HyperlinksChanged: | No
AppVersion: | 12
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2996 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\AramexND-84927837484.doc.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
3864 | "C:\Users\admin\AppData\Local\Temp\Aramiex-HH.exe" | C:\Users\admin\AppData\Local\Temp\Aramiex-HH.exe | — | WINWORD.EXE
User: admin; Integrity Level: MEDIUM; Description: Elvira; Exit code: 0; Version: 0.0.0.0 | | | |
3088 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\Temp\Aramiex-HH.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | Aramiex-HH.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
3820 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\Temp\Aramiex-HH.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | Aramiex-HH.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2224 | "C:\Users\admin\AppData\Local\Temp\Aramiex-HH.exe" | C:\Users\admin\AppData\Local\Temp\Aramiex-HH.exe | — | Aramiex-HH.exe
User: admin; Integrity Level: MEDIUM; Description: Elvira; Version: 0.0.0.0 | | | |
252 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | ctfmon.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
3128 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Task Manager; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2996 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREADB.tmp.cvr | — | — | —
2996 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | AA7E65066D67A6687DBA1E4EA63A6899 | 2DEB72921063B9360B1485ACED406CE3B59A82CB5AD9C6B1CDD7B2B8132130C4
252 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AramexND-84927837484.doc.docx.lnk | lnk | 4501D36DC9A7713EA482119202FBB02A | A15912E030C5C4E2696BAEF95AAB49D26CD4EF1D7AE14389C2D2D974C053EFC5
252 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\a7bd71699cd38d1c.automaticDestinations-ms | automaticdestinations-ms | BAE650142A610BA6AF7E478BB052C64E | C89FAA82306EE511595EF556019DB3D4B54EF2A36BA93F008FB20B9F16A46C90
2996 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 5B13D3110B3C53080001F07EAF41EB1F | E1C5D288EFD6B34E273A132FEDA873D49D97EC0BEE29771D439AAA9B3A705F76
2996 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\33735551.emf | emf | F412B87F5F187D76B3619554326B3E9A | 1F0C77BA720E5231E30E57DFD0E76D0986C5FA082F5CE5908C076617614A9A00
2996 | WINWORD.EXE | C:\Users\admin\Desktop\~$amexND-84927837484.doc.docx | pgc | 61CA994B975EC482F4E118CB9A2C7C86 | F5AC10B9B1539817DE4EEFF5C564AF4CD214F5A04415D5A32F34C67F0CE1FD35
252 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019061820190619\index.dat | dat | AF61F8DAFC82CE0A9205C6D8B3C4D47A | BC5616DFF7000D8FA708D4A1782498E275B9775AC85892C8F0D895BD0491765C
2996 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\AramexND-84927837484.doc.docx.LNK | lnk | 50A60AD060EF339A57AC39426E05CC81 | F008EE63788940E833705B41C87E47B8B07D72D6CF21777A0A515E8A5D97ADE5
2996 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Aramiex-HH.exe | executable | 37EE2808D028ABA3CEFB1BF93747349B | 55C797CD66E851BE9A4CEC4DA825109F9C27864EBFC7FC2C24AFED32BBBDEB45
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2224 | Aramiex-HH.exe | 178.239.21.24:4040 | — | Telekomunikacije Republike Srpske akcionarsko drustvo Banja Luka | BA | malicious |
Process | Message
---|---
Aramiex-HH.exe | `*** HR originated: -2147024774` `*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391`
Aramiex-HH.exe | `*** HR propagated: -2147024774` `*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278`
Aramiex-HH.exe | `*** HR originated: -2147024774` `*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391`
Aramiex-HH.exe | `*** HR propagated: -2147024774` `*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278`