File name: | 7d2cc57e27e849fb0617a3a73d68d302c6efc6d849c05fcb0776b82a74d4de9c |
Full analysis: | https://app.any.run/tasks/2f692880-c8a6-4955-9ff6-4741428f23bf |
Verdict: | Malicious activity |
Analysis date: | November 08, 2019, 14:22:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v1.0 to extract |
MD5: | 02DD4A91651B0DDADE7F32D040A27ED0 |
SHA1: | C58351BD3B38EE593DD9A03BFFAD18B2F0D94705 |
SHA256: | 7D2CC57E27E849FB0617A3A73D68D302C6EFC6D849C05FCB0776B82A74D4DE9C |
SSDEEP: | 192:fMY3bfPwBgAyLCM0rzaGefWIgHa1uDv4YLLdm1C7lqKrT/rTRrTNGf:/LfkuirgfWINQv4YfdmQ57rT/rTRrTcf |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
Description: | - |
---|---|
Creator: | Windows User |
Subject: | - |
Title: | - |
ModifyDate: | 2019:08:29 10:59:00Z |
---|---|
CreateDate: | 2019:07:17 10:07:00Z |
RevisionNumber: | 7 |
LastModifiedBy: | Windows User |
Keywords: | - |
AppVersion: | 12 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 31 |
LinksUpToDate: | No |
Company: | - |
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 28 |
Words: | 4 |
Pages: | 1 |
TotalEditTime: | 11 minutes |
Template: | BA481970.tmp |
ZipFileName: | word/ |
---|---|
ZipUncompressedSize: | - |
ZipCompressedSize: | - |
ZipCRC: | 0x00000000 |
ZipModifyDate: | 2019:08:29 12:00:16 |
ZipCompression: | None |
ZipBitFlag: | - |
ZipRequiredVersion: | 10 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2568 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\7d2cc57e27e849fb0617a3a73d68d302c6efc6d849c05fcb0776b82a74d4de9c.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.5123.5000 | ||||
2740 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4F75.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{D4D9940D-3C3C-4098-8F37-0C336C61EFB6} | — | |
MD5:— | SHA256:— | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{173B1E30-46FE-4E0C-ADC9-4081F9DFE23B}.tmp | — | |
MD5:— | SHA256:— | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | |
MD5:2DB66D5BA1607038A4F7E63B2EA35F1D | SHA256:C3135C12755140D5EE6FC59247FAAFE743E145C3E4D69AC02960AE9B2B3186E9 | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | |
MD5:0F09BB032DAE1443D2B4CF31FB8FA698 | SHA256:E5A96B74BECB6BD89F0E006EE6341EDB54255118ABE6E27715CD0059690E635C | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{135D7336-E01D-49D4-8B8E-05C9E26A2A26} | binary | |
MD5:D178B6D860494B1192DC7768F051E139 | SHA256:D30E1B03AEF4CF815389CAAE4301012992631DF48DB50D11A2C0168DCB3B18D2 | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{AEFBC2D1-B597-41C1-A7C8-B1140E4358B3}.FSD | binary | |
MD5:EAAFD053966757DC2C60EAAC9B3420CC | SHA256:9281D954CF14E1164BD726706B6790C070748F7FA8C5EBC2A7F0A18645FBC157 | |||
2568 | WINWORD.EXE | C:\Users\admin\Desktop\~$2cc57e27e849fb0617a3a73d68d302c6efc6d849c05fcb0776b82a74d4de9c.docx | pgc | |
MD5:EC88F4D49578741ECD82349CC9D90C7F | SHA256:33A16B95E14E580BCD2E9C09B4522DACF6C6D9DACA3832C272D57362E60B0A75 | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{541EFFAF-1635-450E-BB8A-96061EEFB99C}.FSD | binary | |
MD5:B528699555AFAFE5A104CA358A2ED764 | SHA256:8E03AFCA02F1EA88FC90A7E9649710B35FD7CA02CF91A7CBB0A3007C49A92BF2 | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF | binary | |
MD5:D572496DB63A1A41CF4DD119F03E0A80 | SHA256:E4BC48A6CEAF193C628824368ACDD39C9C3DE4CAF88A0B71DA33966C80CD158F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2568 | WINWORD.EXE | HEAD | 200 | 203.124.44.32:80 | http://comglobal.com.pk/wp-content/g | PK | — | — | suspicious |
876 | svchost.exe | OPTIONS | 301 | 203.124.44.32:80 | http://comglobal.com.pk/wp-content | PK | — | — | suspicious |
876 | svchost.exe | OPTIONS | — | 203.124.44.32:80 | http://www.comglobal.com.pk/wp-content | PK | — | — | suspicious |
2568 | WINWORD.EXE | OPTIONS | 200 | 203.124.44.32:80 | http://comglobal.com.pk/wp-content/ | PK | — | — | suspicious |
2568 | WINWORD.EXE | HEAD | 200 | 203.124.44.32:80 | http://comglobal.com.pk/wp-content/g | PK | text | 9.13 Kb | suspicious |
2568 | WINWORD.EXE | GET | 200 | 203.124.44.32:80 | http://comglobal.com.pk/wp-content/g | PK | text | 9.13 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
876 | svchost.exe | 203.124.44.32:80 | comglobal.com.pk | Commission on Science and Technology for | PK | suspicious |
2568 | WINWORD.EXE | 203.124.44.32:80 | comglobal.com.pk | Commission on Science and Technology for | PK | suspicious |
Domain | IP | Reputation |
---|---|---|
comglobal.com.pk |
| suspicious |
www.comglobal.com.pk |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2568 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS DRIVEBY GENERIC ShellExecute in Hex No Seps |
2568 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Possible RTF File With Obfuscated Version Header |