File name: | Sunny resume.doc |
Full analysis: | https://app.any.run/tasks/282b9605-f334-4182-bed9-74b7be5b22d9 |
Verdict: | Malicious activity |
Analysis date: | May 20, 2019, 13:13:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Locale ID: 1033, Author: toebe, Subject: dbeoiusk |
MD5: | 5FAAAD700199ADB6F13E83513ADEFD3C |
SHA1: | A6974D5ACD119EA04DB398B0F5B561433463E90D |
SHA256: | 6EDF9CC7DE21AD4AD20C366967B849A8F6DCE6AAD95DC774BA9D4930824F2A29 |
SSDEEP: | 768:059Wn+KwdLHzK2jgqQ3wk1vY9ZXAaLvSe96ZLi1YDnEPSdA8jL3lLjTRMG0Gaaz+:7wdKWQjvY31vSJ57H3lb5rnomvl |
CodePage: | Windows Latin 1 (Western European) |
---|---|
LocaleIndicator: | 1033 |
Author: | toebe |
Subject: | dbeoiusk |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
456 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Sunny resume.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2368 | "C:\Users\admin\AppData\Local\Temp\inboxmvprocessingpersianbearinglegitimate.exe" | C:\Users\admin\AppData\Local\Temp\inboxmvprocessingpersianbearinglegitimate.exe | WINWORD.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2032 | "C:\Windows\system32\nslookup.exe" | C:\Windows\system32\nslookup.exe | — | inboxmvprocessingpersianbearinglegitimate.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3512 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe | nslookup.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE12.tmp.cvr | — | |
MD5:— | SHA256:— | |||
456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF0A95110DE1603ECC.TMP | — | |
MD5:— | SHA256:— | |||
456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF34C350CEBE5186AE.TMP | — | |
MD5:— | SHA256:— | |||
456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFA7905749AD57B83B.TMP | — | |
MD5:— | SHA256:— | |||
456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF378179F084BA32EB.TMP | — | |
MD5:— | SHA256:— | |||
456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\mso3215.tmp | — | |
MD5:— | SHA256:— | |||
456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFD79F474ECAC52D76.TMP | — | |
MD5:— | SHA256:— | |||
456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFEE89C5E626379312.TMP | — | |
MD5:— | SHA256:— | |||
456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\39746E31.png | — | |
MD5:— | SHA256:— | |||
2368 | inboxmvprocessingpersianbearinglegitimate.exe | C:\Users\admin\AppData\Local\Temp\nsn480E.tmp | — | |
MD5:— | SHA256:— |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
456 | WINWORD.EXE | 209.141.46.175:80 | — | FranTech Solutions | US | malicious |
PID | Process | Class | Message |
---|---|---|---|
456 | WINWORD.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
456 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
456 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
456 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
456 | WINWORD.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |