File name: | 4eac458987dfc61d562ba2b6f346c7e7 |
Full analysis: | https://app.any.run/tasks/118e9ffa-45f9-4fd3-a2a3-5bfb34f21dd5 |
Verdict: | Malicious activity |
Analysis date: | March 14, 2019, 18:54:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 4EAC458987DFC61D562BA2B6F346C7E7 |
SHA1: | 4B12563148657FCFDD3E7DA2A0304790460CD7CE |
SHA256: | 7E6C2C3EC1D392BCDF957C37E370E8D09540DB08ABBE578D3687938FCA9B721E |
SSDEEP: | 1536:9jXWg4Bk5foL3zskvXeZT3FL5kztGiaLrVuzMSxWLyaugLCXWC+P6HGO:xXz48gPe5FdieJSyuWAWC+P6n |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
Creator: | Tomas |
---|
ModifyDate: | 2019:02:28 12:43:00Z |
---|---|
CreateDate: | 2019:02:28 10:30:00Z |
RevisionNumber: | 5 |
LastModifiedBy: | Tomas |
AppVersion: | 12 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 1 |
LinksUpToDate: | No |
Company: | - |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 1 |
Words: | - |
Pages: | 1 |
TotalEditTime: | 41 minutes |
Template: | Normal.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1637 |
ZipCompressedSize: | 455 |
ZipCRC: | 0x2efed514 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3508 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\4eac458987dfc61d562ba2b6f346c7e7.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3040 | "C:\Windows\System32\cmd.exe" cmd /r cmd /c copy /Y /V c:\windows\system32\bitsadmin.exe %temp%\J0gS0M`.exe && %temp%\script11.bat && %temp%\script2.bat && %temp%\script3.bat | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 2147954430 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3188 | "C:\Windows\System32\cmd.exe" cmd /r cmd /c timeout /t 13 /nobreak && %temp%\J0gS0M` /SetNoProgressTimeout "RVbOIc" 120 && %temp%\J0gS0M` /SetMinRetryDelay "RVbOIc" 3 | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2240 | cmd /c copy /Y /V c:\windows\system32\bitsadmin.exe C:\Users\admin\AppData\Local\Temp\J0gS0M`.exe | C:\Windows\system32\cmd.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2416 | cmd /c timeout /t 13 /nobreak | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1832 | timeout /t 13 /nobreak | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2952 | cmd /r cmd /c ping -n 2 64.44.51.89 | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3608 | cmd /c ping -n 2 64.44.51.89 | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3964 | ping -n 2 64.44.51.89 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2636 | cmd /r cmd /c timeout /t 4 /nobreak | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDD61.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9A09E889.jpeg | — | |
MD5:— | SHA256:— | |||
3508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF71FC673C52058158.TMP | — | |
MD5:— | SHA256:— | |||
3508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF010BEEDE59AA06C0.TMP | — | |
MD5:— | SHA256:— | |||
3508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{06F1F9AD-0A09-4E71-9C30-EB84F1096A63}.tmp | — | |
MD5:— | SHA256:— | |||
3508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8625B2AC-93DF-4D7D-8765-031DCAC0C3BB}.tmp | — | |
MD5:— | SHA256:— | |||
3508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF43BF3326E44A4E71.TMP | — | |
MD5:— | SHA256:— | |||
3508 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B6ED0AD8-2E31-47CB-A6EB-FD73FC06994D}.tmp | — | |
MD5:— | SHA256:— | |||
3508 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:2A891164FE91BA6AC05B0BF649A261EA | SHA256:DBE2D12E45090C02E4A69E55CEC720728F1BD7706358E7ED5CE8E9FC4F94AD32 | |||
3508 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\4eac458987dfc61d562ba2b6f346c7e7.docm.LNK | lnk | |
MD5:43B45336A35B0AE86D9C963E7D87BC38 | SHA256:1C27BAA89FD82AE043BE81E773B536FD7F756D825648C980388D822A4A7CC00A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | HEAD | — | 64.44.51.90:80 | http://64.44.51.90/crabs.png | US | — | — | suspicious |
— | — | HEAD | — | 64.44.51.90:80 | http://64.44.51.90/crabs.png | US | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 64.44.51.90:80 | — | Nexeon Technologies, Inc. | US | suspicious |