File name: | bill4759.doc |
Full analysis: | https://app.any.run/tasks/72ddf59e-9256-4a8f-900d-c226a20f123e |
Verdict: | Malicious activity |
Analysis date: | May 20, 2019, 12:38:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Bob Brown, Template: Normal.dotm, Last Saved By: Bob Brown, Revision Number: 8, Name of Creating Application: Microsoft Office Word, Total Editing Time: 05:00, Create Time/Date: Thu May 16 10:32:00 2019, Last Saved Time/Date: Thu May 16 10:58:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | C459B5D54552D99A4658C680DBF61DCC |
SHA1: | CC29DB93DC649F7AF9E9D2E4BB6F35382278B943 |
SHA256: | 62AE80DC45B409A7A609EEAB1228C661B9303FCB1D8B8090907C9241B1FE1F57 |
SSDEEP: | 3072:IQSzo2azvHOWAFum2UIUiN1r+F1+nls1v/kvy:IBzo2AvPA92UIUeznls1v9 |
.doc | | | Microsoft Word document (80) |
---|
Title: | - |
---|---|
Subject: | - |
Author: | Bob Brown |
Keywords: | - |
Template: | Normal.dotm |
LastModifiedBy: | Bob Brown |
RevisionNumber: | 8 |
Software: | Microsoft Office Word |
TotalEditTime: | 5.0 minutes |
CreateDate: | 2019:05:16 09:32:00 |
ModifyDate: | 2019:05:16 09:58:00 |
Pages: | 1 |
Words: | - |
Characters: | 1 |
Security: | None |
CodePage: | Unicode (UTF-8) |
Company: | Microsoft |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 1 |
AppVersion: | 14 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | - |
CompObjUserType: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3336 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\bill4759.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2684 | C:\Users\Public\wprgxyeqd79.exe | C:\Users\Public\wprgxyeqd79.exe | WINWORD.EXE | |
User: admin Company: Miranda IM Integrity Level: MEDIUM Description: Tile Textheight Clipbook Mostly Wading Exit code: 0 Version: 8.7.56.236 | ||||
2724 | C:\Users\Public\rher.exe | C:\Users\Public\rher.exe | WINWORD.EXE | |
User: admin Company: x264 project Integrity Level: MEDIUM Description: Nkcreatestaticmapping Aboriginal Year Exit code: 3221225477 Version: 5.7.3.790 | ||||
4056 | C:\Windows\System32\svchost.exe -k WerSvcGroup | C:\Windows\System32\svchost.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2644 | C:\Windows\system32\WerFault.exe -u -p 2724 -s 712 | C:\Windows\system32\WerFault.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRED6A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3336 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:17222E7BED955763CB75EBDA153E0074 | SHA256:EAEB163582F92B56C14963150DA7DBEA34565552F3D187A793BE19BEB0978882 | |||
2644 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\rher.exe.2724.dmp | dmp | |
MD5:301ECFC1A5AADC3A50A8E40165EF9252 | SHA256:9DB79DECB3B004333A04D0D0EE15D6D55AE9666C9119B2880AF26B94EA0CD97B | |||
3336 | WINWORD.EXE | C:\Users\Public\wprgxyeqd79.exe | executable | |
MD5:6DF420B5D8BDDB0F5FFE3EDCC9A4464B | SHA256:1EE1BA514212F11A69D002005DFC623B1871CC808F18DDFA2191102BBB9F623B | |||
3336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ananas[1].exe | executable | |
MD5:7E77BB853D227E06B635E6EB3E0B31F0 | SHA256:385F0A0CCAEC6272C8270F0D5228F2641CCA916E84825EBB35DBEBB036FA2165 | |||
2684 | wprgxyeqd79.exe | C:\Users\admin\AppData\Local\Temp\1D86.tmp | executable | |
MD5:ED60C95C805DBAEE92C90C3AB930085A | SHA256:D35574D2CC42B4EDBF217A86639864422FBE02443250A36EB2CD11B22F165C39 | |||
3336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\pasmmm[1].exe | executable | |
MD5:6DF420B5D8BDDB0F5FFE3EDCC9A4464B | SHA256:1EE1BA514212F11A69D002005DFC623B1871CC808F18DDFA2191102BBB9F623B | |||
3336 | WINWORD.EXE | C:\Users\Public\rher.exe | executable | |
MD5:7E77BB853D227E06B635E6EB3E0B31F0 | SHA256:385F0A0CCAEC6272C8270F0D5228F2641CCA916E84825EBB35DBEBB036FA2165 | |||
2644 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_rher.exe_379ab0e06c94173b5e3bfd67e28d4ef6f46c3531_0a40bdff\Report.wer | binary | |
MD5:648B30A783D098ABCBFE4CC44835FCB5 | SHA256:AAF56B4A6535E703F9E8545DD0E0F1CB08FC92CEC4259F7EC9513D15D4B14E16 | |||
3336 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ll4759.doc | pgc | |
MD5:A705DCE972DFA99998900DF4F48FD84B | SHA256:1F0A3926EB6A5EADB3EF4FF815152E4A651F65ED906B66FA220FC995814AAB31 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2724 | rher.exe | GET | — | 104.218.63.76:80 | http://104.218.63.76/tor/server/fp/484f666c491bcde22b45e0e19d1cea5acc5a9611 | CA | — | — | suspicious |
2724 | rher.exe | GET | — | 162.247.74.216:80 | http://162.247.74.216/tor/server/fp/7f849e3b86dd0df2c4d0e31108228ec7c714191b | US | — | — | suspicious |
2724 | rher.exe | GET | — | 199.249.230.108:80 | http://199.249.230.108/tor/server/fp/592031cfdba17dd46e1e365e6c60ad1f81655033 | US | — | — | malicious |
2724 | rher.exe | GET | — | 66.111.2.131:9030 | http://66.111.2.131:9030/tor/status-vote/current/consensus | US | — | — | suspicious |
2724 | rher.exe | GET | — | 185.96.180.164:80 | http://185.96.180.164/tor/server/fp/4109314e35c8e4084ae2bc1711562d380077b1f0 | DK | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2724 | rher.exe | 54.243.147.226:443 | api.ipify.org | Amazon.com, Inc. | US | malicious |
2724 | rher.exe | 66.111.2.131:9030 | — | The New York Internet Company | US | suspicious |
2724 | rher.exe | 37.123.132.154:443 | — | Bahnhof Internet AB | NO | suspicious |
3336 | WINWORD.EXE | 47.245.58.124:443 | kentona.su | — | US | suspicious |
2724 | rher.exe | 129.6.15.28:13 | time-a.nist.gov | National Bureau of Standards | US | unknown |
2724 | rher.exe | 199.249.230.108:80 | — | Quintex Alliance Consulting | US | malicious |
2724 | rher.exe | 162.247.74.216:80 | — | The Calyx Institute | US | suspicious |
2724 | rher.exe | 185.96.180.164:80 | — | BornFiber Service Provider ApS | DK | suspicious |
2724 | rher.exe | 104.218.63.76:80 | — | Tech Futures Interactive Inc. | CA | suspicious |
Domain | IP | Reputation |
---|---|---|
kentona.su |
| malicious |
api.ipify.org |
| shared |
time-a.nist.gov |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
2724 | rher.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 550 |
2724 | rher.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
2724 | rher.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
2724 | rher.exe | Misc Attack | ET TOR Known Tor Exit Node Traffic group 12 |
2724 | rher.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 13 |
2724 | rher.exe | Potential Corporate Privacy Violation | ET P2P Tor Get Server Request |
2724 | rher.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 452 |
2724 | rher.exe | Misc Attack | ET TOR Known Tor Exit Node Traffic group 2 |
2724 | rher.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 2 |