File name: | 2561c7b2e10623156767700719da73abba19ac92.doc |
Full analysis: | https://app.any.run/tasks/05fa3926-ea21-4f58-b2d5-312df9f30661 |
Verdict: | Malicious activity |
Analysis date: | January 24, 2022, 21:37:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 9 11:51:00 2019, Last Saved Time/Date: Fri Sep 25 15:02:00 2020, Number of Pages: 1, Number of Words: 200, Number of Characters: 1142, Security: 0 |
MD5: | D4396A2BAE94A3D5A62109A158C72C99 |
SHA1: | 2561C7B2E10623156767700719DA73ABBA19AC92 |
SHA256: | 79A6583FBA3F84876395111C31FFF080A7DAA31DB7B8CFCEB6F44232AFBB0D25 |
SSDEEP: | 24576:0VwtXuNv4huGaZD9TkP6BRN8XFpFOv3M32PL:0VSXRWxSqb8XFE3M32P |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Lupl_user_email: | - |
Sign-offStatus: | - |
Hyperlinks: | |
CodePage: | Windows Latin 1 (Western European) |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 1340 |
Paragraphs: | 2 |
Lines: | 9 |
Security: | None |
Characters: | 1142 |
Words: | 200 |
Pages: | 1 |
ModifyDate: | 2020:09:25 14:02:00 |
CreateDate: | 2019:12:09 11:51:00 |
LastPrinted: | - |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3660 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\2561c7b2e10623156767700719da73abba19ac92.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 Modules
| |||||||||||||||
2232 | "C:\Users\admin\AppData\Local\Temp\NetworkWizardLoader.exe" | C:\Users\admin\AppData\Local\Temp\NetworkWizardLoader.exe | WINWORD.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
3256 | "C:\Users\admin\AppData\Local\temp\Cloudpath\Cloudpath.exe" -temp -name "University of Glasgow" -url "https://wifisetup.gla.ac.uk/" | C:\Users\admin\AppData\Local\temp\Cloudpath\Cloudpath.exe | NetworkWizardLoader.exe | ||||||||||||
User: admin Company: Ruckus Networks Integrity Level: MEDIUM Version: 1000.0.0.0 Modules
| |||||||||||||||
2524 | "C:\Users\admin\AppData\Local\temp\Cloudpath\WinHelper.exe" | C:\Users\admin\AppData\Local\temp\Cloudpath\WinHelper.exe | Cloudpath.exe | ||||||||||||
User: admin Company: Ruckus Networks Integrity Level: HIGH Version: 1000.0.0.0 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRC9FF.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3660 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\2561c7b2e10623156767700719da73abba19ac92.doc.LNK | lnk | |
MD5:EEC54300AE5C6A8ADD5579ECEB749686 | SHA256:95D077DDDC19FE4FF4DC8D998F27D7DD08B8873B11D2A26D05D85AAF4D04AE10 | |||
3660 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:943799681AB783C0069DF58210FD98CA | SHA256:9879A43C41C51874B8C2F56A906E142ECF49656FD2D4043AF5B6DCF85CCC43BD | |||
3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\82019B97.emf | emf | |
MD5:2BFC2FE0EEC1DA08A68FB5B13BD25A98 | SHA256:F6382ADA45E3FC41D7308163FE6F7AECE853B6E072890D88691B5A8C79EACA12 | |||
3660 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E5E437032B2CF84550CECEA00B9F549D | binary | |
MD5:DC930E10EACACB1C441C54D826A46AD5 | SHA256:3C61B6D718C93D9A97B1FCB07A25B6C3620194100CBBB304EE80FF9132B3F334 | |||
3660 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:BB377DAABFFDE4949BC40F50AB510358 | SHA256:3681D4F8E3BAF59D7DB24D2A7E358A562807450186B28597DC82ED5917AAFBA7 | |||
3660 | WINWORD.EXE | C:\Users\admin\Desktop\~$61c7b2e10623156767700719da73abba19ac92.doc | pgc | |
MD5:80355D2D5A9146B75F6BE94D505F5713 | SHA256:5F2CA04C1ACD14268AA7E7B3994E510D33E21E1C2B3EB54B70788D784BEF94CC | |||
3660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\NetworkWizardLoader.exe | executable | |
MD5:DC86B2B06C25EF931B8AE02A158321E9 | SHA256:FA87707D7E14588E77E43A30E271BD9E5F9844095B243062DB12D6556DC724E5 | |||
3256 | Cloudpath.exe | C:\Users\admin\AppData\Local\Temp\network_config.xml | text | |
MD5:0DD64E19A87C72D6B6D9C32B19E9BDD7 | SHA256:B1ABCDE1D5D11B060E9F58072DFCF0E07FA462232BAA321AC3C8D3344B704079 | |||
3256 | Cloudpath.exe | C:\Users\admin\AppData\Local\Temp\testfile.txt | text | |
MD5:28327A617227E34787368FB09D4E9BFD | SHA256:E46D58088886664D779858D8B3967F63811787A61E5400BF8085890FDE6F9FE6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3660 | WINWORD.EXE | GET | 200 | 93.184.220.29:80 | http://tl.symcb.com/tl.crt | US | der | 1.15 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2232 | NetworkWizardLoader.exe | 130.209.8.121:443 | wifisetup.gla.ac.uk | Jisc Services Limited | GB | unknown |
3660 | WINWORD.EXE | 93.184.220.29:80 | tl.symcb.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3256 | Cloudpath.exe | 130.209.8.121:443 | wifisetup.gla.ac.uk | Jisc Services Limited | GB | unknown |
Domain | IP | Reputation |
---|---|---|
tl.symcb.com |
| whitelisted |
wifisetup.gla.ac.uk |
| unknown |