File name: | technical prooft.docx |
Full analysis: | https://app.any.run/tasks/794ccb1f-1400-464b-91db-10eadd83e29d |
Verdict: | Malicious activity |
Analysis date: | December 05, 2022, 18:53:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 38E96590FDD9BA00EB4B4FB1575E05D4 |
SHA1: | 0B3E77357004B05502DD5497C251F6085947A110 |
SHA256: | 7167DF2D3896ADB65EC4E49E8F3868011254ADBBAAB81DDF59ADA59413EB5AC0 |
SSDEEP: | 1536:YKGcgSbucgSbOcgSb1HYz6rRrKs4cv132DVQ0q:YhcxScxqcxpHYz6rRrWcv13Yrq |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2884 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\technical prooft.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 Modules
| |||||||||||||||
3384 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\MS Word Document Open.vbs" | C:\Windows\System32\WScript.exe | WINWORD.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
2560 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\MS Word Document Open (2).vbs" | C:\Windows\System32\WScript.exe | WINWORD.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 Modules
| |||||||||||||||
1752 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\MS Word Document Open (3).vbs" | C:\Windows\System32\WScript.exe | WINWORD.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF727.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CB3385EA.emf | emf | |
MD5:A76496F7BC33D93669A00465ABAB57E3 | SHA256:803F3F9D4235391B9E5AA071587407A90B2DDE40C3142AF57824FB4593D1410C | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$chnical prooft.docx | pgc | |
MD5:4611E876AF66B18FEC55D128ECAB1B40 | SHA256:D4FFC9C0E15AA847BC45B9DF11C10BF53BD5E233F76D567CC8D2E69337E63FED | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FA6CE588.emf | emf | |
MD5:BAB02FCD546707A00B5930F1CC8C39BA | SHA256:C261185859453A13A9C3AA1DE6AD5AF71C2A3B801211473A0B6E4B2737E5A6D7 | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:BD0F7CA04713B9C5CA4127B2FD8E7037 | SHA256:719457D4BD0617FF6E230B9B49AF6D68E63A69C02352E849B0D51F30F3DF8CD0 | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\MS Word Document Open.vbs | text | |
MD5:CB8C8356D0A96E63529B332C50B0EC43 | SHA256:2569127F96913D9A76F44AB0076BC6DA9CC88F261D9C8B610F10D7104E263218 | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E239CCD6.emf | emf | |
MD5:4DF7D032A7B97140365D8FF3687949FF | SHA256:D93721B2F489C2357E94BD5977105D5120DFCFE1C7732AF53AA95E2E46122797 | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\MS Word Document Open (2).vbs | text | |
MD5:CB8C8356D0A96E63529B332C50B0EC43 | SHA256:2569127F96913D9A76F44AB0076BC6DA9CC88F261D9C8B610F10D7104E263218 | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\MS Word Document Open.vbs:Zone.Identifier | text | |
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B | SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2560 | WScript.exe | GET | — | 185.195.25.79:80 | http://185.195.25.79/5324.csv | RU | — | — | unknown |
3384 | WScript.exe | GET | — | 185.195.25.79:80 | http://185.195.25.79/5324.csv | RU | — | — | unknown |
1752 | WScript.exe | GET | — | 185.195.25.79:80 | http://185.195.25.79/5324.csv | RU | — | — | unknown |
3384 | WScript.exe | GET | 302 | 213.186.33.5:80 | http://coloctionneur.fr/license.csv | FR | html | 138 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2560 | WScript.exe | 185.195.25.79:80 | — | Network Management Ltd | RU | unknown |
— | — | 185.195.25.79:80 | — | Network Management Ltd | RU | unknown |
3384 | WScript.exe | 185.195.25.79:80 | — | Network Management Ltd | RU | unknown |
3384 | WScript.exe | 213.186.33.5:80 | coloctionneur.fr | OVH SAS | FR | malicious |
Domain | IP | Reputation |
---|---|---|
coloctionneur.fr |
| malicious |
www.coloctionneur.fr |
| malicious |