Field | Value |
---|---|
File name | 5cb24cffc5654ca2186379b2ffaf31a7cfa63dd944dd56bf533e3a205e47c5b7.doc |
Full analysis | https://app.any.run/tasks/c6365f7f-56c5-4fb8-8b01-baeb5a86dc2d |
Verdict | Malicious activity |
Analysis date | April 25, 2019, 07:19:14 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/msword |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal, Last Saved By: Windows User, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 24 21:25:00 2019, Last Saved Time/Date: Wed Apr 24 14:29:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5 | 18B0FFF29C3E1F48225EC6FC16283F12 |
SHA1 | FD7518CE4061A90C273D80DAF14A406C17A00071 |
SHA256 | 5CB24CFFC5654CA2186379B2FFAF31A7CFA63DD944DD56BF533E3A205E47C5B7 |
SSDEEP | 3072:HHoUNnZFeHru5Y6+C4lvrKKUfC7q7Q7X9+BOWmh:Hpn7YTdCmofC7q7Q7XFh |
Extension | File type |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
Title | - |
Subject | - |
Author | - |
Keywords | - |
Comments | - |
Template | Normal |
LastModifiedBy | Windows User |
RevisionNumber | 2 |
Software | Microsoft Office Word |
TotalEditTime | - |
CreateDate | 2019:04:24 20:25:00 |
ModifyDate | 2019:04:24 13:29:00 |
Pages | 1 |
Words | - |
Characters | 1 |
Security | None |
CodePage | Windows Latin 1 (Western European) |
Company | - |
Bytes | 11000 |
Lines | 1 |
Paragraphs | 1 |
CharCountWithSpaces | 1 |
AppVersion | 15 |
ScaleCrop | No |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
TitleOfParts | - |
HeadingPairs | |
CompObjUserTypeLen | 32 |
CompObjUserType | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2188 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\5cb24cffc5654ca2186379b2ffaf31a7cfa63dd944dd56bf533e3a205e47c5b7.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
1704 | "C:\Users\admin\AppData\Local\Temp\ddawq2xdaw.exe" | C:\Users\admin\AppData\Local\Temp\ddawq2xdaw.exe | — | WINWORD.EXE | User: admin; Company: ujehetoyatefolofehasar; Integrity Level: MEDIUM; Description: oxkakska; Exit code: 0; Version: 5.25.20.0 |
2288 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\Temp\ddawq2xdaw.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | ddawq2xdaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3092 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\Temp\ddawq2xdaw.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | ddawq2xdaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3812 | "C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\AppData\Local\Temp\ddawq2xdaw.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\xpdpaks.exe" | C:\Windows\System32\cmd.exe | — | ddawq2xdaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1380 | "C:\Windows\System32\cmd.exe" /c, "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\xpdpaks.exe" | C:\Windows\System32\cmd.exe | — | ddawq2xdaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2732 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\xpdpaks.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\xpdpaks.exe | — | cmd.exe | User: admin; Company: ujehetoyatefolofehasar; Integrity Level: MEDIUM; Description: oxkakska; Version: 5.25.20.0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2188 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5DAC.tmp.cvr | — | — | — |
2188 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\app[1].exe | executable | 89BF14AFC13D29D284F26ED8996EA804 | F345A415E5F15C923E8D8C9D2DD20B2165B72F90725AD59DB06144354EBE2211 |
2188 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\ddawq2xdaw.exe | executable | 89BF14AFC13D29D284F26ED8996EA804 | F345A415E5F15C923E8D8C9D2DD20B2165B72F90725AD59DB06144354EBE2211 |
2188 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D8E88B0BCDB9D97C5E7FFEC8B2E22FA7 | 60A3891D0F0DA98FEC7B1BCBF84BB79449E5E69F2321A457B6E317ED617BDF56 |
2188 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$b24cffc5654ca2186379b2ffaf31a7cfa63dd944dd56bf533e3a205e47c5b7.doc | pgc | 042321D5076AE400134C47C04CC8AE35 | AF4F0DC1B65015F80EB834CD7E17D3D1EBB4528B90E6EA42F6EC8B3AF802D94D |
3812 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\xpdpaks.exe | executable | 89BF14AFC13D29D284F26ED8996EA804 | F345A415E5F15C923E8D8C9D2DD20B2165B72F90725AD59DB06144354EBE2211 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2188 | WINWORD.EXE | 31.220.17.62:443 | megabytemantom.com | Hostinger International Limited | US | malicious |
Domain | IP | Reputation |
---|---|---|
megabytemantom.com | — | malicious |
Process | Message |
---|---|
ddawq2xdaw.exe | *** Status originated: -1072365543; *** Source File: d:\iso_whid\x86fre\base\isolation\id_parser.cpp, line 590 |
ddawq2xdaw.exe | *** Status propagated: -1072365543; *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 147 |