| Field | Value |
|---|---|
| File name | follina.doc |
| Full analysis | https://app.any.run/tasks/19087068-9f1a-41ae-8ab4-d68bf980e5aa |
| Verdict | Malicious activity |
| Analysis date | June 27, 2022, 10:50:19 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Tags | - |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 00E566273DE0493C840AD147AC305D1E |
| SHA1 | 72BEDD1B41810038C42C244292319EF901D89ED4 |
| SHA256 | 8AB78F3C681C9FA10D2F6C5A3537B831255D40697FBB5853E40BA846A6259E59 |
| SSDEEP | 192:YEhMs7Z/c+8poF1d3jvvtl/b8cIGhed9264wpE+VihxrGxjPtLfAUUQO:YqBcfa7pr1l/bMGAd92hwG3yxjPtLfAF |
File type identification. The `.doc` name is misleading: the content is an Office Open XML package (a zip container), and the sandbox opened it under the name follina.doc.docx (see the process list below).

| Extension | Type | Score |
|---|---|---|
| .docx | Word Microsoft Office Open XML Format document | 52.2 |
| .zip | Open Packaging Conventions container | 38.8 |
| .zip | ZIP compressed archive | 8.8 |
Document metadata:

| Field | Value |
|---|---|
| Description | - |
| Creator | KIS2 |
| Subject | - |
| Title | - |
| ModifyDate | 2022:05:25 13:14:00Z |
| CreateDate | 2022:05:25 13:14:00Z |
| RevisionNumber | 3 |
| LastModifiedBy | KIS2 |
| Keywords | - |
| AppVersion | 16 |
| HyperlinksChanged | No |
| SharedDoc | No |
| CharactersWithSpaces | - |
| LinksUpToDate | No |
| Company | - |
| ScaleCrop | No |
| Paragraphs | - |
| Lines | - |
| DocSecurity | None |
| Application | Microsoft Office Word |
| Characters | - |
| Words | - |
| Pages | 1 |
| TotalEditTime | - |
| Template | Normal |
Zip entry metadata (entry `_rels/`):

| Field | Value |
|---|---|
| ZipFileName | _rels/ |
| ZipUncompressedSize | - |
| ZipCompressedSize | - |
| ZipCRC | 0x00000000 |
| ZipModifyDate | 2022:06:27 06:20:03 |
| ZipCompression | None |
| ZipBitFlag | - |
| ZipRequiredVersion | 20 |
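The report only shows the container metadata (MIME application/zip, a `_rels/` entry). The static check a practitioner wants on such a file is a list of every package relationship that points outside the archive: in an OOXML package a relationship with `TargetMode="External"` on an `oleObject` type is what tells Word to fetch the object from the given URL when the document is opened. The Python below is an added example for this page; it is not part of the ANY.RUN report and it does not reproduce the contents of the analysed sample. The archive it builds is constructed here for the demonstration, and the URL inside it is a placeholder. Run it against a real file by passing the path as the first argument.

```python
"""Static triage of an OOXML (OPC) container: list every relationship that
points outside the package and flag remote OLE object links.

Added example for this report page; not ANY.RUN code.  build_sample_docx()
produces a CONSTRUCTED archive for demonstration, not the follina.doc sample
analysed in the report; the URL in it is a placeholder.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
           "relationships/oleObject")


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: a normal internal relationship (styles)
    next to one external OLE object link with a placeholder URL."""
    parts = {
        "[Content_Types].xml": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '</Types>'),
        "_rels/.rels": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '</Relationships>'),
        "word/document.xml": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>'),
        "word/_rels/document.xml.rels": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            '<Relationship Id="rId2" Type="' + OLE_REL + '" Target="http://example.invalid/object.html" TargetMode="External"/>'
            '</Relationships>'),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> list:
    """Walk every *.rels part in the package and return
    (rels_part, Id, Type, Target) for relationships marked
    TargetMode="External".  Internal relationships resolve to parts inside
    the zip and are skipped."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    found.append((name, rel.get("Id"), rel.get("Type"),
                                  rel.get("Target")))
    return found


def suspicious_ole_links(docx_bytes: bytes) -> list:
    """Subset of external relationships that are OLE object links whose
    target has a real URL scheme (not a bare path, file: or drive letter),
    i.e. an object Word would fetch from a remote host on open."""
    hits = []
    for part, rid, rtype, target in external_relationships(docx_bytes):
        scheme = urlsplit(target).scheme.lower()
        # a one-letter "scheme" is a Windows drive letter such as C:\...
        if rtype == OLE_REL and len(scheme) > 1 and scheme != "file":
            hits.append((part, rid, target))
    return hits


if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_docx())
    for part, rid, rtype, target in external_relationships(data):
        print(f"{part}: {rid} {rtype.rsplit('/', 1)[-1]} -> {target}")
    for part, rid, target in suspicious_ole_links(data):
        print(f"SUSPICIOUS remote OLE link in {part} ({rid}): {target}")
```

The scan is purely static and works on the archive regardless of its extension, which matters here because the sample carries a `.doc` name over OOXML content. A document with no external relationships is not thereby clean (macros, DDE fields and embedded objects live elsewhere in the package), but any external `oleObject` target that is a URL is worth treating as the first indicator to pivot on.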
Processes:

| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1416 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\follina.doc.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE |

User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000

Only this one process is recorded, and no child process of WINWORD.EXE appears in the report. Note the analysis environment: Word 14.0 (Office 2010) on 32-bit Windows 7 SP1, whereas the document metadata above reports AppVersion 16, so the behaviour captured here need not match what the file does on the Office build it was authored with.
Registry writes by WINWORD.EXE (PID 1416). All of them are under HKEY_CURRENT_USER\Software\Microsoft\Office\14.0, Word's own per-user settings; no Run key, service or HKLM value is written. The names under EnabledLanguages are Windows LCIDs (language shown for reference).

| Key (under HKEY_CURRENT_USER\Software\Microsoft\Office\14.0) | Name | Value |
|---|---|---|
| Word\Resiliency\StartupItems | /-7 | 2F2D370088050000010000000000000000000000 |
| Common\LanguageResources\EnabledLanguages | 1033 (en-US) | Off |
| Common\LanguageResources\EnabledLanguages | 1041 (ja-JP) | Off |
| Common\LanguageResources\EnabledLanguages | 1046 (pt-BR) | Off |
| Common\LanguageResources\EnabledLanguages | 1036 (fr-FR) | Off |
| Common\LanguageResources\EnabledLanguages | 1031 (de-DE) | Off |
| Common\LanguageResources\EnabledLanguages | 1040 (it-IT) | Off |
| Common\LanguageResources\EnabledLanguages | 1049 (ru-RU) | Off |
| Common\LanguageResources\EnabledLanguages | 3082 (es-ES) | Off |
| Common\LanguageResources\EnabledLanguages | 1042 (ko-KR) | Off |
Files written by WINWORD.EXE (PID 1416):

| Filename | Type | MD5 | SHA256 |
|---|---|---|---|
| C:\Users\admin\AppData\Local\Temp\CVR95AF.tmp.cvr | — | — | — |
| C:\Users\admin\AppData\Local\Temp\{2B0019D2-AD17-4696-90FC-B1FF8B7076FC} | binary | 02AEF2EAC3B5A519C3AC814D95A3B871 | 9A15E5164062F11E84BD4645DA365AA0D9DF72A2156070FD94BC786092C392B4 |
| C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{96D7ECAB-5AF9-4943-9E0E-50B4504C99C2}.FSD | binary | 0C247FE275654D9E63E636F51B14F2AA | EDD84F6A8E996CDEDB63C1E1663D56B7B2AB9255C36463A9FECAFFC17EB6EB53 |
| C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{49318950-15A6-41ED-BD0F-5EB9C873101D}.FSD | binary | 9F1DC4010EDB4AF7F863C0E451B68842 | 4D13E3CCF23D88A545C454A6FB3370ECCD6B52E0318713D8AC2E26BC9CE49DC4 |
| C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | B441B146E56E2764ACFA116FEB4866A1 | 1188F9CD73576F14D8F7FB06ED609FE6FF35E870BE52D5DBF85CE39D42CD1F02 |
| C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | D471A0BB5F0B8A9AC834E0172491B7F9 | 418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F |
| C:\Users\admin\AppData\Local\Temp\{BA17E97F-92DC-4CAD-9C96-FF35057B1CA1} | binary | 79EF2C96071EE67126B68D4C1A4A7025 | F6220CA39623FD9E20FFC4F1A42D2403B824E99AEAEC36A9E6B15A018F1BFC18 |
| C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | 02AEF2EAC3B5A519C3AC814D95A3B871 | 9A15E5164062F11E84BD4645DA365AA0D9DF72A2156070FD94BC786092C392B4 |
| C:\Users\admin\AppData\Local\Temp\~$llina.doc.docx | pgc | 9F36CBF2BD5778B84B096D3CDBAA20A7 | BDFD0A6D71BB0A93F146F31D752B508BE543AB6A896C32B5679DC4007A6ECFD6 |
| C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | 79EF2C96071EE67126B68D4C1A4A7025 | F6220CA39623FD9E20FFC4F1A42D2403B824E99AEAEC36A9E6B15A018F1BFC18 |

Every path is a standard Word working file: the `~$` owner files for the document and Normal.dotm, a `.cvr` crash-recovery temp file, and Office Document Cache (`OfficeFileCache`) parts. Two of the Temp GUID files have the same hashes as the two FSD-CNRY.FSD cache entries, so they are copies of the same data rather than additional payloads.
Network:

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 192.168.100.72:55446 | — | — | — | malicious |
| — | — | 192.168.100.72:54992 | — | — | — | malicious |
| — | — | 192.168.100.72:55836 | — | — | — | malicious |

All three entries are the same RFC 1918 private address (192.168.0.0/16) on ephemeral ports, with no owning process, domain or ASN recorded. A private address cannot be an internet command-and-control endpoint, so the "malicious" reputation label here carries no attribution value; the report contains no external host, domain or URL to pivot on.