File name: | inv-7381.doc |
Full analysis: | https://app.any.run/tasks/4dbd78a8-0ca6-4ea9-a4a0-fcd1cdb483d9 |
Verdict: | Malicious activity |
Threats: | Dridex is a very evasive and technically complex banking trojan. Despite being based on a relatively old malware code, it was substantially updated over the years and became capable of using very effective infiltration techniques that make this malware especially dangerous. |
Analysis date: | July 18, 2019, 13:17:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | 4C0908BCBC60802B07FB62217312FE4E |
SHA1: | E62E4CA507724A28F563DF8C027053D2ED2621FE |
SHA256: | 2D1BFF7952F2C570CC768674D38DD271654FF6816EB1F7511170D96D553E336F |
SSDEEP: | 1536:l0CyY2/xgTYYSEVC5mlagcO1LhC3ODy1lVOoeRA5wY:2CUxsZvC5mlagcyC3v1lVOo7GY |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3748 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\inv-7381.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1252 | wmic os get /format:"C:\\Windows\\Temp\\aXwZvnt48.xsl" | C:\Windows\System32\Wbem\wmic.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147614729 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2812 | "C:\Windows\Temp\awMiOFl.exe" | C:\Windows\Temp\awMiOFl.exe | wmic.exe | |
User: admin Company: Generated for JEDI. www.delphi-jedi.org Integrity Level: MEDIUM Description: DirectX 8.1 D3DX8 DLL for JEDI projects Version: 8.1.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF666.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF42CF141A5B778722.TMP | — | |
MD5:— | SHA256:— | |||
3748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF2493B9197E45A484.TMP | — | |
MD5:— | SHA256:— | |||
3748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF467B8D4BCF6B41AA.TMP | — | |
MD5:— | SHA256:— | |||
3748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF49B6A93E6D668D9F.TMP | — | |
MD5:— | SHA256:— | |||
3748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF492594CDE9B19A91.TMP | — | |
MD5:— | SHA256:— | |||
3748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF23D0D86D22D378F9.TMP | — | |
MD5:— | SHA256:— | |||
3748 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1AE91485.png | — | |
MD5:— | SHA256:— | |||
3748 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\inv-7381.doc.LNK | lnk | |
MD5:87073DDC2048A568CC0200BC840AFB2A | SHA256:777AF765C80BA49765C3A33F04669AC5AA98AA262F824B9F662CD3FE02A3A309 | |||
1252 | wmic.exe | C:\windows\temp\awMiOFl.exe | executable | |
MD5:BBDC437A8908E32B7F1243F819DC26B0 | SHA256:08A00C9BE7DD2E64E9B0F6EA85F159275C913FAF0AAD51884A1EEAB3822AF246 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1252 | wmic.exe | GET | 200 | 23.229.224.0:80 | http://stingersrestaurant.com/wp-admin/js/firefox.bin | US | executable | 138 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1252 | wmic.exe | 23.229.224.0:80 | stingersrestaurant.com | GoDaddy.com, LLC | US | suspicious |
Domain | IP | Reputation |
---|---|---|
stingersrestaurant.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
1252 | wmic.exe | A Network Trojan was detected | ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin |
1252 | wmic.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1252 | wmic.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
Process | Message |
---|---|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|
awMiOFl.exe | Installing...
|