File name: | Жопа.docx |
Full analysis: | https://app.any.run/tasks/5288e6ca-487c-45a1-9547-521f48da56d1 |
Verdict: | Malicious activity |
Analysis date: | March 21, 2019, 19:53:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Artem Korchak, Template: Normal.dotm, Last Saved By: , Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 05:00, Create Time/Date: Thu Mar 21 19:35:00 2019, Last Saved Time/Date: Thu Mar 21 19:40:00 2019, Number of Pages: 1, Number of Words: 2, Number of Characters: 18, Security: 0 |
MD5: | C5E3E8219D723414AEF27276669909E7 |
SHA1: | B5A54CC01F4DE4D28093315BA7577F48C11C2EC6 |
SHA256: | 2ED68B2F6532274E99E9015257E5D04A2586B53ABE6FE16A9852D57851548A74 |
SSDEEP: | 1536:ftGVQmWShgdodgCG0sQAeGCCGQCCgCG0sQAiIQy91lbpG717h2Thh9px0E2s:fyzgdPsLe6 |
Sensitivity: | Confidential Finance |
---|---|
MSIP_Label_fec81c06-2398-460b-8d96-29808e0c7ac6_Extended_MSFT_Method: | Manual |
MSIP_Label_fec81c06-2398-460b-8d96-29808e0c7ac6_Parent: | 3c690079-49de-422d-a19e-fa9ac2582ab2 |
MSIP_Label_fec81c06-2398-460b-8d96-29808e0c7ac6_Application: | Microsoft Azure Information Protection |
MSIP_Label_fec81c06-2398-460b-8d96-29808e0c7ac6_Name: | Finance |
MSIP_Label_fec81c06-2398-460b-8d96-29808e0c7ac6_SetDate: | 2019-03-21T19:40:11.1525388Z |
MSIP_Label_fec81c06-2398-460b-8d96-29808e0c7ac6_Owner: | [email protected] |
MSIP_Label_fec81c06-2398-460b-8d96-29808e0c7ac6_SiteId: | 0ac3a7f5-21b0-4a18-82aa-888744bec5b8 |
MSIP_Label_fec81c06-2398-460b-8d96-29808e0c7ac6_Enabled: | |
MSIP_Label_3c690079-49de-422d-a19e-fa9ac2582ab2_Extended_MSFT_Method: | Manual |
MSIP_Label_3c690079-49de-422d-a19e-fa9ac2582ab2_Application: | Microsoft Azure Information Protection |
MSIP_Label_3c690079-49de-422d-a19e-fa9ac2582ab2_Name: | Confidential |
MSIP_Label_3c690079-49de-422d-a19e-fa9ac2582ab2_SetDate: | 2019-03-21T19:40:11.1525388Z |
MSIP_Label_3c690079-49de-422d-a19e-fa9ac2582ab2_Owner: | [email protected] |
MSIP_Label_3c690079-49de-422d-a19e-fa9ac2582ab2_SiteId: | 0ac3a7f5-21b0-4a18-82aa-888744bec5b8 |
MSIP_Label_3c690079-49de-422d-a19e-fa9ac2582ab2_Enabled: | |
CodePage: | Windows Cyrillic |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 19 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
Security: | None |
Characters: | 18 |
Words: | 2 |
Pages: | 1 |
ModifyDate: | 2019:03:21 19:40:00 |
CreateDate: | 2019:03:21 19:35:00 |
TotalEditTime: | 5.0 minutes |
Software: | Microsoft Office Word |
RevisionNumber: | 2 |
LastModifiedBy: | Корчак Артём Сергеевич |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Artem Korchak |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
688 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Жопа.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
1924 | "C:\Windows\system32\rmactivate.exe" | C:\Windows\system32\rmactivate.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Rights Management Services Activation for Desktop Security Processor Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1252 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
688 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR86F9.tmp.cvr | — | |
MD5:— | SHA256:— | |||
688 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\ServiceLocator[1].asmx | — | |
MD5:— | SHA256:— | |||
1924 | rmactivate.exe | C:\Users\admin\AppData\Local\Temp\CabBBB5.tmp | — | |
MD5:— | SHA256:— | |||
1924 | rmactivate.exe | C:\Users\admin\AppData\Local\Temp\TarBBB6.tmp | — | |
MD5:— | SHA256:— | |||
688 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ErrorPageTemplate[1] | — | |
MD5:— | SHA256:— | |||
688 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\errorPageStrings[1] | — | |
MD5:— | SHA256:— | |||
688 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF16C80CD71449465B.TMP | — | |
MD5:— | SHA256:— | |||
688 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{79D0D1AD-D394-4288-8013-58CF77D6D807}.tmp | — | |
MD5:— | SHA256:— | |||
1924 | rmactivate.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F90F18257CBB4D84216AC1E1F3BB2C76 | binary | |
MD5:3159DF40CF2440813A331B980DDB0598 | SHA256:D633C811D0C89197084C2F9A46845FD7C6F35305A9B052F864B3C0B2A82EBDFB | |||
1924 | rmactivate.exe | C:\Users\admin\AppData\Local\Microsoft\DRM\CERT-Machine.drm | binary | |
MD5:3B69AD3B33D36C9B9893540081B8A110 | SHA256:6B527ADD5EAA19C336015245D7C6AB1858BB1E1217E37BC72C98B900E2BADB72 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
688 | WINWORD.EXE | GET | 302 | 104.109.80.115:80 | http://go.microsoft.com/fwlink/?LinkId=5998&LANGID=1033 | NL | — | — | whitelisted |
1924 | rmactivate.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | unknown | der | 550 b | whitelisted |
1924 | rmactivate.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/WinPCA.crl | unknown | der | 530 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
688 | WINWORD.EXE | 52.232.117.200:443 | b17ef168-cf24-4408-9c71-42d88d26961f.rms.eu.aadrm.com | Microsoft Corporation | NL | unknown |
688 | WINWORD.EXE | 104.109.80.115:80 | go.microsoft.com | Akamai International B.V. | NL | whitelisted |
1924 | rmactivate.exe | 2.16.186.120:80 | crl.microsoft.com | Akamai International B.V. | — | whitelisted |
688 | WINWORD.EXE | 65.55.61.29:443 | certification.drm.microsoft.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
b17ef168-cf24-4408-9c71-42d88d26961f.rms.eu.aadrm.com |
| unknown |
crl.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
certification.drm.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
688 | WINWORD.EXE | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |