File name: | 3836110e0db89062a3b5a1200606e8d3d20485aa9f95ea46fda3c29433ae159a.doc |
Full analysis: | https://app.any.run/tasks/a1e220a4-8c6c-4b15-881d-afa1ebc319e1 |
Verdict: | Malicious activity |
Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
Analysis date: | September 19, 2019, 01:41:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 12C0F92CA2BE142A1364705F6AA5CC78 |
SHA1: | CEA51953E3DA71C3CB2922036139BAFA1A3A2498 |
SHA256: | 3836110E0DB89062A3B5A1200606E8D3D20485AA9F95EA46FDA3C29433AE159A |
SSDEEP: | 1536:toeSqQBxLRZMOZ5H4mV9P0yQKFTVk25uO5c:SeS1Bx3Mev9P5Qw95K |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
Creator: | whiteDevil |
---|
ModifyDate: | 2019:09:18 11:06:00Z |
---|---|
CreateDate: | 2019:09:18 11:05:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | whiteDevil |
AppVersion: | 12 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | - |
LinksUpToDate: | No |
Company: | - |
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | - |
Words: | - |
Pages: | 1 |
TotalEditTime: | 1 minute |
Template: | Normal.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 2448 |
ZipCompressedSize: | 452 |
ZipCRC: | 0xa6b173a8 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3484 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\3836110e0db89062a3b5a1200606e8d3d20485aa9f95ea46fda3c29433ae159a.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3236 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3048 | "C:\Users\admin\AppData\Roaming\vbc.exe" | C:\Users\admin\AppData\Roaming\vbc.exe | — | EQNEDT32.EXE |
User: admin Company: malchijah8biraud6 Integrity Level: MEDIUM Exit code: 0 Version: 7.09.0003 | ||||
2120 | "C:\Users\admin\AppData\Roaming\vbc.exe" | C:\Users\admin\AppData\Roaming\vbc.exe | vbc.exe | |
User: admin Company: malchijah8biraud6 Integrity Level: MEDIUM Version: 7.09.0003 | ||||
1688 | REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f | C:\Windows\system32\REG.exe | — | vbc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3484 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9ADD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3484 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{8D807323-AF2E-4813-8BA2-31CAEAD8115B} | — | |
MD5:— | SHA256:— | |||
3484 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{22C6C4E5-06D4-4B30-9692-5883A7BD1E2C} | — | |
MD5:— | SHA256:— | |||
3484 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E45F1D99.doc | — | |
MD5:— | SHA256:— | |||
3484 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\29FEEC0F.doc | — | |
MD5:— | SHA256:— | |||
3484 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98877F13.emf | emf | |
MD5:9D464E2DA3AB06B556E18301CA439E97 | SHA256:39A523A82AA08B70EE70FCA1AB22101FBA3FE917E427797B580223D3F73E5897 | |||
3484 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:C9535ABA1891B1364509491F8AAF1240 | SHA256:7B50603F2E47D74137FCF19D260D963F56304288394BF44FB6DFFCA9EE49B3D7 | |||
3484 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$36110e0db89062a3b5a1200606e8d3d20485aa9f95ea46fda3c29433ae159a.doc | pgc | |
MD5:7E907988CFAB7169C0DF8FC7CA25FCD0 | SHA256:0CC9652CE89A1B99D904442997FF0575CFE857BEDFCC38D26FB1BA9C3B05E166 | |||
3484 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | |
MD5:87B35A9C6EED2C9B1BDDBA46417E5423 | SHA256:C4A4254F183CD7DB5B77B7D22C7130B0FAA0F0B96DD90E2803B6CDFC6DA347B8 | |||
3484 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{895C5AD2-F5C9-436F-B684-06663004165B}.FSD | binary | |
MD5:8E6ECB1CA28A2C8B6C688C250D6E6921 | SHA256:0C89EDA6DBAD702384BD6391664AFD57B729F63225380A27DA6D72A0727A69D3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3484 | WINWORD.EXE | OPTIONS | 200 | 23.249.165.218:80 | http://workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com/0................................................................0/ | US | — | — | malicious |
3484 | WINWORD.EXE | HEAD | 200 | 23.249.165.218:80 | http://workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com/0................................................................0/......................................................doc | US | — | — | malicious |
3484 | WINWORD.EXE | HEAD | 200 | 23.249.165.218:80 | http://workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com/0................................................................0/......................................................doc | US | — | — | malicious |
3484 | WINWORD.EXE | GET | 304 | 23.249.165.218:80 | http://workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com/0................................................................0/......................................................doc | US | — | — | malicious |
984 | svchost.exe | PROPFIND | 405 | 23.249.165.218:80 | http://workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com/0................................................................0/ | US | xml | 1.01 Kb | malicious |
3484 | WINWORD.EXE | HEAD | 200 | 23.249.165.218:80 | http://workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com/0................................................................0/......................................................doc | US | text | 3.90 Kb | malicious |
984 | svchost.exe | PROPFIND | 405 | 23.249.165.218:80 | http://workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com/0................................................................0/ | US | xml | 1.01 Kb | malicious |
984 | svchost.exe | OPTIONS | 200 | 23.249.165.218:80 | http://workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com/0................................................................0/ | US | html | 506 b | malicious |
984 | svchost.exe | OPTIONS | 301 | 23.249.165.218:80 | http://workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com/0................................................................0 | US | html | 506 b | malicious |
3484 | WINWORD.EXE | HEAD | 200 | 23.249.165.218:80 | http://workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com/0................................................................0/......................................................doc | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3484 | WINWORD.EXE | 23.249.165.218:80 | workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com | ColoCrossing | US | malicious |
984 | svchost.exe | 23.249.165.218:80 | workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com | ColoCrossing | US | malicious |
2120 | vbc.exe | 52.55.255.113:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
3236 | EQNEDT32.EXE | 88.150.175.104:80 | — | iomart Cloud Services Limited. | GB | suspicious |
2120 | vbc.exe | 192.185.41.47:587 | mail.dormakeba.com | CyrusOne LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com |
| malicious |
dns.msftncsi.com |
| shared |
checkip.amazonaws.com |
| shared |
mail.dormakeba.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3236 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3236 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
3236 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3236 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
3236 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
2120 | vbc.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
2120 | vbc.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |