File name: | 3_PO16212018.doc |
Full analysis: | https://app.any.run/tasks/0da70207-e0ab-48d3-992b-494fe0d61c52 |
Verdict: | Malicious activity |
Analysis date: | December 18, 2018, 07:57:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/octet-stream |
File info: | data |
MD5: | 2522A030B219F3B7C1EFFFFF95A749CF |
SHA1: | F2EC4434D7D7C643D50419B41F21121E07AA6368 |
SHA256: | 73991E85534F7AE04E0109ED945556B16578727DFCF51F41D3742C1F95B62825 |
SSDEEP: | 1536:zPvVgPvOPvOPvlPvOPvlPvlPvlPvlPvlPvlPviPviPvxPvePvZPvNPvd:x2 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2952 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\3_PO16212018.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR690B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2952 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txt | text | |
MD5:6012508D448C57BC129314D82278638E | SHA256:2F1025025DED88815114EED8FB07C7DD84610359091901EC28922B792CEA6EF4 | |||
2952 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:6474936BCF9E0E40D986D76CB8B97569 | SHA256:A429E08BF13A763B1E1B56C70E9C488FD3A3D63556417F9C15A5F53B8F3D1253 | |||
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$PO16212018.doc | pgc | |
MD5:E3EB07C99005719DC8AF675A92E57C29 | SHA256:43BABC862CA33D98F9A201B3FB59951D4D7C5DF98FEBF8EA98B08075F1BA0B42 | |||
2952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\suspendedpage[1].htm | html | |
MD5:0357AA49EA850B11B99D09A2479C321B | SHA256:0FF0B7FCB090C65D0BDCB2AF4BBD2C30F33356B3CE9B117186FA20391EF840A3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2952 | WINWORD.EXE | GET | 302 | 192.254.251.206:80 | http://questingpanda.com/eport.hta | US | html | 301 b | malicious |
2952 | WINWORD.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2ElFFRH | US | html | 121 b | shared |
2952 | WINWORD.EXE | GET | 301 | 67.199.248.10:80 | http://bit.ly/2ElFFRH | US | html | 121 b | shared |
2952 | WINWORD.EXE | GET | 302 | 192.254.251.206:80 | http://questingpanda.com/eport.hta | US | html | 301 b | malicious |
2952 | WINWORD.EXE | GET | 200 | 192.254.251.206:80 | http://questingpanda.com/cgi-sys/suspendedpage.cgi | US | html | 328 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2952 | WINWORD.EXE | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared |
2952 | WINWORD.EXE | 192.254.251.206:80 | questingpanda.com | Unified Layer | US | malicious |
Domain | IP | Reputation |
---|---|---|
bit.ly |
| shared |
questingpanda.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2952 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTA application download |
2952 | WINWORD.EXE | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
2952 | WINWORD.EXE | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |
2952 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious redirect to 'suspendedpage.cgi' |
2952 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious downloader - bit.ly redirect to .hta object |
2952 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious downloader - redirect to .hta object |
2952 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTA application download |
2952 | WINWORD.EXE | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
2952 | WINWORD.EXE | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |
2952 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious downloader - redirect to .hta object |