File name: | Davos 2019 Einladung_86014847_10.12.2018.docx |
Full analysis: | https://app.any.run/tasks/c17440b4-aff7-4eac-873a-fb8f9a6707aa |
Verdict: | Malicious activity |
Analysis date: | December 18, 2018, 11:23:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 0291D710703D712022582BF0BD74637E |
SHA1: | D8E96BB7DEA8BD4722F9A077D0B24E2FC104E5ED |
SHA256: | 4C16B4AF0703379D42B6F89E49C174B5850AAF91B7DB19FC12935B6C72035DFF |
SSDEEP: | 1536:jwv4Vw7CUBs78Uj19tCapEeGezdQyLMuCjZaLQB3IGPhvuwugsn:jwvoQCU2jrQQEe9ZQYmZmQBYGpuwugsn |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2018:12:10 13:11:16 |
ZipCRC: | 0xb8b18cf8 |
ZipCompressedSize: | 1444 |
ZipUncompressedSize: | 6303 |
ZipFileName: | word/document.xml |
Title: | Davos 2019 Einladung N86014847 |
---|---|
Subject: | Davos 2019 Einladung N86014847 |
Creator: | Milos Heinz-Dietz |
Description: | Fugit beatae possimus voluptates impedit. |
Keywords: | mollitia, tenetur, commodi |
---|---|
LastModifiedBy: | Milos Heinz-Dietz |
RevisionNumber: | 661554 |
CreateDate: | 2018:12:03 20:04:07Z |
ModifyDate: | 2018:12:03 20:04:07Z |
Category: | asperiores |
Template: | Normal |
Pages: | 78 |
Words: | 36909 |
Characters: | 73818 |
CharactersWithSpaces: | 73818 |
Application: | Microsoft Office Word |
Lines: | 5874 |
Paragraphs: | 170 |
Manager: | Armin Täsche |
Company: | Trubin AG & Co. OHG |
AppVersion: | 12 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2724 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Davos 2019 Einladung_86014847_10.12.2018.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2488 | cmd /c ""C:\Users\admin\AppData\Local\Temp\Microsoft Word Image viewer.cmd" " | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3256 | C:\Windows\system32\cmd.exe /c powershell -WindowStyle hidden -c "(-join ((48..57)+(65..90)+(97..122) | Get-Random -Count (Get-Random -minimum 5 -maximum 15) | % {[char]$_}))" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3472 | powershell -WindowStyle hidden -c "(-join ((48..57)+(65..90)+(97..122) | Get-Random -Count (Get-Random -minimum 5 -maximum 15) | % {[char]$_}))" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2584 | powershell -WindowStyle hidden -Command "[IO.File]::WriteAllBytes($env:iNyrUYwSFR, [System.Convert]::FromBase64String([IO.File]::ReadAllText($env:iNyrUYwSFR)));" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3628 | wscript C:\Users\admin\AppData\Local\Temp\OQxvqCZ.js | C:\Windows\system32\wscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2724 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8718.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2724 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\mso8A55.tmp | — | |
MD5:— | SHA256:— | |||
2724 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F83B82B0.jpeg | — | |
MD5:— | SHA256:— | |||
3472 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\39D4904OEO4P35ETGQ2M.temp | — | |
MD5:— | SHA256:— | |||
2584 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9L60FRLA0DMO19IAL1T9.temp | — | |
MD5:— | SHA256:— | |||
2724 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$vos 2019 Einladung_86014847_10.12.2018.docx | pgc | |
MD5:980E6BBF93AF6FA505064D7E6F202C46 | SHA256:32AAB3504A3EE76BEEFDB6FA885CD764AE1B3437F16752870AEF89D041F3CD72 | |||
3472 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2724 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Microsoft Word Image viewer.cmd | text | |
MD5:EE18B4A81FDD14C1CAD74FB9EAFE67B6 | SHA256:85B2789CD03EA57163A1DAA67C2D6B48EE078D3568AD13C92A824EEF04F63836 | |||
2724 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:41379A924454D4DBF21EC8153C20C10F | SHA256:0C15CF2B44D7D8698623838B4214E135CD0F5B33F8FE0D860DBE04AB98A65B80 | |||
2488 | cmd.exe | C:\Users\admin\AppData\Local\Temp\OQxvqCZ.js | text | |
MD5:870377FBEB8E245A033F4C24EE80A183 | SHA256:1FFF772785666F57AA6AA5ECE68F9980906BD391568F482D18F556DAE6E0BD3E |