File name: | docus_39386.doc |
Full analysis: | https://app.any.run/tasks/1846edad-f6eb-4a29-b83a-8393dbf65075 |
Verdict: | Malicious activity |
Threats: | Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks. |
Analysis date: | October 09, 2019, 18:27:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 34D0636684F0577CB9C2C3F701C0E8F8 |
SHA1: | B584590C206CD4F67C5CA054C1B3EC02E6699867 |
SHA256: | 36448DE9A48210F85E5FD61329BBCE4D86173BA705FCA75D0DFECDF2002D1684 |
SSDEEP: | 3072:5vvvvvvvvvvvvvvvvvvvvvv/ZRynrChbtCY8QOjnX3Npkv4wTh6ivbiFuzRmDPrE:5vvvvvvvvvvvvvvvvvvvvvv/KnrChbs8 |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
AppVersion: | 16 |
---|---|
HyperlinksChanged: | No |
HyperlinkBase: | - |
SharedDoc: | No |
CharactersWithSpaces: | 1 |
LinksUpToDate: | No |
Company: | - |
Manager: | - |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 1 |
Words: | - |
Pages: | 1 |
TotalEditTime: | - |
Template: | Normal.dotm |
Category: | - |
ModifyDate: | 2019:10:09 14:41:00Z |
CreateDate: | 2019:10:09 14:41:00Z |
RevisionNumber: | 2 |
LastModifiedBy: | onx |
Keywords: | - |
Description: | generated by python-docx |
---|---|
Creator: | python-docx |
Subject: | - |
Title: | - |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1769 |
ZipCompressedSize: | 440 |
ZipCRC: | 0x0eab7932 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2428 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\docus_39386.doc.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.5123.5000 | ||||
1260 | "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | C:\Program Files\Internet Explorer\iexplore.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1952 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:267521 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
2224 | regsvr32.exe -s C:\Users\admin\AppData\Roaming\Microsoft\Word\Startup\55F.wll | C:\Windows\system32\regsvr32.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 4 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1172 | -s C:\Users\admin\AppData\Roaming\Microsoft\Word\Startup\55F.wll | C:\Windows\SysWOW64\regsvr32.exe | — | regsvr32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 4 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2072 | C:\Windows\System32\svchost.exe | C:\Windows\SysWOW64\svchost.exe | regsvr32.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1956 | cmd /K | C:\Windows\SysWOW64\cmd.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2564 | C:\Windows\System32\svchost.exe | C:\Windows\SysWOW64\svchost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1980 | C:\Users\admin\AppData\Local\Temp\BNF883.tmp | C:\Users\admin\AppData\Local\Temp\BNF883.tmp | svchost.exe | |
User: admin Company: THQ Canada Inc. Integrity Level: MEDIUM Version: 1, 4, 0, 0 | ||||
280 | C:\Users\admin\AppData\Local\Temp\BNFA78.tmp | C:\Users\admin\AppData\Local\Temp\BNFA78.tmp | svchost.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8130.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\mso8670.tmp | — | |
MD5:— | SHA256:— | |||
1260 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[2].ico | — | |
MD5:— | SHA256:— | |||
1260 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF9723338A48D58E12.TMP | — | |
MD5:— | SHA256:— | |||
2428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF91F09CE257B2ACD2.TMP | — | |
MD5:— | SHA256:— | |||
2428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFE5D56EFC56402A75.TMP | — | |
MD5:— | SHA256:— | |||
1260 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF4E324E3FAFB9DDBC.TMP | — | |
MD5:— | SHA256:— | |||
2428 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$cus_39386.doc.docm | pgc | |
MD5:7BC77D5371AB55D66BBA809344850BE8 | SHA256:6842FDB58A971279DFFF5DDDF86CF828B7A39E0362396854698446D2139DF741 | |||
1260 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml | xml | |
MD5:7C0E98813A48D3D9D55C1037A6D2FA68 | SHA256:5B8274093F4B5529F6F7B0977167FD202C1D6FC1A7A9D3931A1B04C3EE8B8CAD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2072 | svchost.exe | GET | 200 | 173.201.96.128:80 | http://kylemarketing.com/wp-includes/widgets/1 | US | binary | 45.2 Kb | malicious |
2072 | svchost.exe | POST | — | 95.169.181.133:80 | http://avantusthea.com/mlu/forum.php | DE | — | — | malicious |
2072 | svchost.exe | GET | 200 | 192.254.233.200:80 | http://domainnamesexpert.info/wp-content/plugins/iSEO/a | US | binary | 33.7 Kb | malicious |
1952 | IEXPLORE.EXE | GET | 200 | 47.74.181.177:80 | http://elitefireandsafety.com/download.html | US | html | 45.0 Kb | whitelisted |
1980 | BNF883.tmp | GET | — | 31.44.184.123:80 | http://31.44.184.123/CjnA | RU | — | — | malicious |
2072 | svchost.exe | GET | 200 | 173.201.96.128:80 | http://kylemarketing.com/wp-includes/widgets/2 | US | binary | 46.2 Kb | malicious |
1980 | BNF883.tmp | GET | 200 | 31.44.184.123:80 | http://31.44.184.123/pixel.gif | RU | — | — | malicious |
1980 | BNF883.tmp | GET | 200 | 31.44.184.123:80 | http://31.44.184.123/pixel.gif | RU | — | — | malicious |
1980 | BNF883.tmp | GET | 200 | 31.44.184.123:80 | http://31.44.184.123/pixel.gif | RU | — | — | malicious |
1980 | BNF883.tmp | GET | 200 | 31.44.184.123:80 | http://31.44.184.123/pixel.gif | RU | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1260 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2072 | svchost.exe | 95.169.181.133:80 | avantusthea.com | Keyweb AG | DE | malicious |
2564 | svchost.exe | 95.169.181.133:80 | avantusthea.com | Keyweb AG | DE | malicious |
1952 | IEXPLORE.EXE | 47.74.181.177:80 | elitefireandsafety.com | Alibaba (China) Technology Co., Ltd. | US | malicious |
2072 | svchost.exe | 23.23.229.94:80 | api.ipify.org | Amazon.com, Inc. | US | malicious |
2072 | svchost.exe | 192.254.233.200:80 | domainnamesexpert.info | Unified Layer | US | malicious |
1260 | iexplore.exe | 47.74.181.177:80 | elitefireandsafety.com | Alibaba (China) Technology Co., Ltd. | US | malicious |
2072 | svchost.exe | 173.201.96.128:80 | kylemarketing.com | GoDaddy.com, LLC | US | malicious |
280 | BNFA78.tmp | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
1980 | BNF883.tmp | 31.44.184.123:80 | — | Petersburg Internet Network ltd. | RU | malicious |
Domain | IP | Reputation |
---|---|---|
elitefireandsafety.com |
| whitelisted |
www.bing.com |
| whitelisted |
api.bing.com |
| whitelisted |
api.ipify.org |
| shared |
avantusthea.com |
| malicious |
kylemarketing.com |
| malicious |
domainnamesexpert.info |
| malicious |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
has.votaritar.at |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
1952 | IEXPLORE.EXE | A Network Trojan was detected | MALWARE [PTsecurity] Hex Encoded PE EXE or DLL Windows file download |
2072 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org |
2072 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |
2072 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony/Hancitor Payload (Zeus) |
2072 | svchost.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |
2072 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony/Hancitor Payload (Zeus) |
2072 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony/Hancitor Payload (Zeus) |
1980 | BNF883.tmp | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Cobalt |
1980 | BNF883.tmp | A Network Trojan was detected | MALWARE [PTsecurity] Cobalt Strike Beacon Observed |
2072 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony/Hancitor Payload (Zeus) |
Process | Message |
---|---|
BNF883.tmp | yfpT4m |