File name: | invoice.doc |
Full analysis: | https://app.any.run/tasks/acf9b8aa-880f-46a8-b2a6-592b3003a9af |
Verdict: | Malicious activity |
Analysis date: | December 14, 2018, 09:33:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Locale ID: 1033, Author: cwtoi, Subject: aievstrm |
MD5: | 85A3898F88235B2887D73E7C2DEF5FAE |
SHA1: | 17642E30256E968315C82B357101CA649731C221 |
SHA256: | 826C8DA48360599B6E13DF5212EF855B28E814BA46A23068664DD7A1A425326E |
SSDEEP: | 768:K7ACy1kz5f6e3uqdPJrGf4eIq9XeyuZRft/59:kA1UDu+hGf4eISXsF |
CodePage: | Windows Latin 1 (Western European) |
---|---|
LocaleIndicator: | 1033 |
Author: | cwtoi |
Subject: | aievstrm |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2812 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\invoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR987D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFDDEB7AB1908D5087.TMP | — | |
MD5:— | SHA256:— | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFCA0E5098618344D8.TMP | — | |
MD5:— | SHA256:— | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF5FE57FE63F7D1318.TMP | — | |
MD5:— | SHA256:— | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF68EEBB6FA4EC6B49.TMP | — | |
MD5:— | SHA256:— | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\msoAFB0.tmp | — | |
MD5:— | SHA256:— | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFC9FA1E344C02E698.TMP | — | |
MD5:— | SHA256:— | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFCEB1BD31DDF06865.TMP | — | |
MD5:— | SHA256:— | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F6EFD27D.png | — | |
MD5:— | SHA256:— | |||
2812 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A6407E5A.png | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2812 | WINWORD.EXE | GET | 404 | 209.141.61.249:80 | http://209.141.61.249/516.exe | US | html | 205 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2812 | WINWORD.EXE | 209.141.61.249:80 | — | FranTech Solutions | US | malicious |
PID | Process | Class | Message |
---|---|---|---|
2812 | WINWORD.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
2812 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious downloader - 404 Not Found for .exe |