File name: | Statement Concerning Crisis in Ukraine .docx |
Full analysis: | https://app.any.run/tasks/faf7bc15-9f65-41f2-9132-04a4651e4c41 |
Verdict: | Malicious activity |
Analysis date: | April 15, 2025, 19:11:08 |
OS: | Windows 10 Professional (build: 19044, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 1EF91736A85E4EA333607E058E215891 |
SHA1: | 3F256A2C0C82607FDEF7267B993B9D7F80C73953 |
SHA256: | 82F6A7115B1825F83AD3F24EFAC3E9A9EDD90A9222837457213442A683DB7A10 |
SSDEEP: | 6144:wefdXLRcy3EaWqnt3aSLG839zgpAAZR+NhMoThHp:JRjR/ntzC839zOAAeNhMo1J |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2022:02:25 11:49:48 |
ZipCRC: | 0xb71a911e |
ZipCompressedSize: | 233 |
ZipUncompressedSize: | 590 |
ZipFileName: | _rels/.rels |
Template: | Normal |
---|---|
TotalEditTime: | 11 minutes |
Pages: | 1 |
Words: | - |
Characters: | 1 |
Application: | Microsoft Office Word |
DocSecurity: | None |
Lines: | 1 |
Paragraphs: | 1 |
ScaleCrop: | No |
Company: | - |
LinksUpToDate: | No |
CharactersWithSpaces: | 1 |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 15 |
Keywords: | - |
LastModifiedBy: | Windows User |
RevisionNumber: | 3 |
CreateDate: | 2022:02:25 10:25:00Z |
ModifyDate: | 2022:02:25 10:47:00Z |
Title: | - |
---|---|
Subject: | - |
Creator: | Windows User |
Description: | - |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
960 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
1676 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\Statement Concerning Crisis in Ukraine .docx" /o "" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 16.0.16026.20146 Modules
| |||||||||||||||
2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6728 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | — | SppExtComObj.Exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
7380 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "88CD0CC4-1EAA-4A2B-B904-FF70D5F084E1" "2A4F3C08-C0C9-4D6D-BCED-A8A95EDF97F4" "1676" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64. Version: 0.12.2.0 Modules
|
(PID) Process: | (1676) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common |
Operation: | write | Name: | SessionId |
Value: BA263E1D469A5E4996DDB89DF6122BEB | |||
(PID) Process: | (1676) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\2200 |
Operation: | delete value | Name: | 0 |
Value: ซ鴐㝅娴Ꝇ꿹�䙔�닜樁င$驄摽鶲
ީ湕湫睯쥮Ȇ∢්ł¢ᣂ숁씀褎예됏죃캲ǭ砃㐶ᇅᆘዒ看椀渀眀漀爀搀⸀攀砀攀씀‖ៅ肀줄࠘㈲㈱䐭捥 | |||
(PID) Process: | (1676) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\2200 |
Operation: | delete key | Name: | (default) |
Value: | |||
(PID) Process: | (1676) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\1676 |
Operation: | write | Name: | 0 |
Value: 0B0E104BED102269DB924B9E403D50D5E3D61A230046D6E798C5A2C7EBED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C50E8908C91003783634C5118C0DD2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300 | |||
(PID) Process: | (1676) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | 6|+ |
Value: 367C2B008C06000004000000000000004471DF283AAEDB018C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (1676) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | 6|+ |
Value: 簶+ڌ | |||
(PID) Process: | (1676) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming |
Operation: | write | Name: | RoamingConfigurableSettings |
Value: DC00000000000000803A0900E907040002000F0013000B000F006B02000000000000000000000000201C0000201C00008051010080510100805101008051010080F4030080F4030080F403002C01000084030000805101000000000084030000805101000A0000001E0000001E000000000000000000000080510100010000000100000000000000000000000000000000000000008D2700008D2700008D2700010000000A000000805101000000300000003000000030000000000084030000805101001E0000008403000080510100050000000500000005000000 | |||
(PID) Process: | (1676) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\1676 |
Operation: | write | Name: | 0 |
Value: 0B0E104BED102269DB924B9E403D50D5E3D61A230046D6E798C5A2C7EBED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DA201C2190000C50E8908C91003783634C5118C0DD2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300 | |||
(PID) Process: | (1676) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | 2|+ |
Value: 327C2B008C06000002000000000000008D42F7283AAEDB01A000000001000000740000002000000063003A005C00700072006F006700720061006D002000660069006C00650073005C006D006900630072006F0073006F006600740020006F00660066006900630065005C0072006F006F0074005C006F0066006600690063006500310036005C00670065006E006B006F002E0064006C006C000000670065006E006B006F002E0063006F006E006E00650063007400310032000000 | |||
(PID) Process: | (1676) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Word\AddinsData\Genko.Connect12 |
Operation: | write | Name: | LoadCount |
Value: 5 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1676 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary | |
MD5:607754B25697B306E8714EE2D71CF807 | SHA256:B9D2F84CF7DF0159446714C29DF56CD9F2C0686B5EF7A012519B8D59AE80EE37 | |||
1676 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\9749B986-E375-40AC-9CEA-0A34F67D1B7D | xml | |
MD5:9E3566618E66E08E129DE310A895A5FE | SHA256:906408AFA6953BB57E32033D65AA9765A7B2E271BA66102D40136BF237C9F9AC | |||
1676 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\566D1B3E.emf | text | |
MD5:912FF26AC760112B12167F902F17ECFD | SHA256:1833637D2BB49186E0667AE0896ECC4D5B00B3383529F74EDB75CAD8748CD9B3 | |||
1676 | WINWORD.EXE | C:\Users\admin\Desktop\~$atement Concerning Crisis in Ukraine .docx | binary | |
MD5:4A1FFD3C353921C655084AC2E7C5024C | SHA256:E58C35A6A9440633701E7F78AC0A5D42C2C659850E574CDCB3F92AC11043809D | |||
1676 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin | text | |
MD5:CC90D669144261B198DEAD45AA266572 | SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899 | |||
1676 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | binary | |
MD5:9291253AFE43258664E8A2848D8D0EA5 | SHA256:4463523CA4EA2FEC5598ED16FA085501E266C805E0A2EF4E434CFB62EA17B17A | |||
1676 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CB7AA9FC.emf | text | |
MD5:912FF26AC760112B12167F902F17ECFD | SHA256:1833637D2BB49186E0667AE0896ECC4D5B00B3383529F74EDB75CAD8748CD9B3 | |||
1676 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Statement Concerning Crisis in Ukraine .docx.LNK | binary | |
MD5:CBEF0EDC25EC1A03DEE6821130AB871A | SHA256:92377C2DFC02A1912910D921655556F7952ED1C258EC1A84DDB5EDCE824CF026 | |||
1676 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CE9109CD.emf | text | |
MD5:912FF26AC760112B12167F902F17ECFD | SHA256:1833637D2BB49186E0667AE0896ECC4D5B00B3383529F74EDB75CAD8748CD9B3 | |||
1676 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:202AD59EC0E541C1A0AE9A0CFE781929 | SHA256:EF8E8B9AC7E046BCC8B412BC7271C126E64DDBFAEF89896F6B3C51FA99C01276 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
1676 | WINWORD.EXE | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1676 | WINWORD.EXE | 52.109.28.46:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted |
1676 | WINWORD.EXE | 2.19.11.103:443 | omex.cdn.office.net | Elisa Oyj | NL | whitelisted |
1676 | WINWORD.EXE | 52.123.129.14:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6544 | svchost.exe | 40.126.31.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
omex.cdn.office.net |
| whitelisted |
ecs.office.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
mofa.ksew.org |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
— | — | Targeted Malicious Activity was Detected | ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ksew .org) |
— | — | Targeted Malicious Activity was Detected | ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ksew .org) |