File name: | R000_24531.vbe |
Full analysis: | https://app.any.run/tasks/b2eb0152-45d3-42c9-b6d8-2cb8445453f3 |
Verdict: | Malicious activity |
Analysis date: | June 19, 2019, 15:30:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MIME: | text/plain |
File info: | ASCII text, with CRLF line terminators |
MD5: | 762B7643CC3E1B676D9DDBF7AADC10D3 |
SHA1: | 6C1CC7AFBC6DCF01FC4A896D4E609F8481B96990 |
SHA256: | 39EA694ED35A2A1CC6E9CDF37006827A9EAF60199ABF8FE8EE0CFAA19FA9E1F8 |
SSDEEP: | 48:WyMUmw7jawbkAMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMTMToHoHW:WTY7ObZjvVa4AS7KKeHt8Xre |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3948 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\R000_24531.vbe" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
1520 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\stepmoving.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
940 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1520 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7BAB.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1520 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{18D980B0-D195-4D45-BFDB-5A393359AFD9}.tmp | — | |
MD5:— | SHA256:— | |||
1520 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EFEFE9E5-428B-4056-BE86-56BF44E89CA4}.tmp | — | |
MD5:— | SHA256:— | |||
1520 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:01517419910BD256AB3C31C6F7FF9296 | SHA256:BD978BF5CECF2AEE6ED2555CF916AEF55E03CBAED122D42692CA10D9D1C5B002 | |||
1520 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\stepmoving.rtf.LNK | lnk | |
MD5:DB36391065E12F63427995B384F853D1 | SHA256:0B92EBE39A5B49D2A1A444B6ADAF1E63406F966E606A536D4D568AB485C78F41 | |||
1520 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:CB5B106B51FF82107C3A059442617598 | SHA256:6C753DB35AFFF1D1C50CA93ADA65EC8AC3B29735E9CDDCA69257A93AD28877C4 | |||
1520 | WINWORD.EXE | C:\Users\admin\Desktop\~$epmoving.rtf | pgc | |
MD5:0B147BB4CEB983EA42D749BCB1018A58 | SHA256:036E6907973A12B8F7B98BE35AA52BD800FB4B7E153F96F2A432F79EAF601554 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3948 | WScript.exe | 185.101.93.178:443 | lulipcxulci.info | Mike Kaldig | DE | unknown |
Domain | IP | Reputation |
---|---|---|
lulipcxulci.info |
| unknown |