File name: | contract.doc.zip |
Full analysis: | https://app.any.run/tasks/4c450ea5-12ee-48ad-b28d-1f755bdf0b43 |
Verdict: | Malicious activity |
Analysis date: | November 08, 2019, 14:47:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 45866B1F7B671618CD1ADBE02EB4327D |
SHA1: | D9AD19154F9A94E76D77E27634C6C0C9426758F2 |
SHA256: | 969B6102A7F6C971336D6FE1F9492A63DDB6BF21FD59F43A0A7ECB46D70E2883 |
SSDEEP: | 12288:t4WR+MU+6K6/+dzRMkgPi+F9aMZiBIE5AmWaDzrUyEcT:tTU+jbLMkI10TUyR |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | contract.doc |
---|---|
ZipUncompressedSize: | 776192 |
ZipCompressedSize: | 526546 |
ZipCRC: | 0x1b0487f7 |
ZipModifyDate: | 2019:11:08 12:52:27 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 788 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2300 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\contract.doc.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2512 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2488 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\contract.doc\contract.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
352 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2028 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\scheduler_a.dll" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.51 | ||||
3228 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | notepad++.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: GUP : a free (LGPL) Generic Updater Exit code: 0 Version: 4.1 | ||||
3440 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR17F2.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRD0000.tmp | — | |
MD5:— | SHA256:— | |||
2488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRD0001.tmp | — | |
MD5:— | SHA256:— | |||
352 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\contract.doc.lnk | lnk | |
MD5:0B811F39E6DEF785561F387F15852256 | SHA256:9989A2F49CAC44843A676946B35DAECD0B57E686F231B28A0EF725E45A46EA54 | |||
2488 | WINWORD.EXE | C:\Users\admin\Downloads\contract.doc\~$ntract.doc | pgc | |
MD5:27E2C35A6C40FC4458127E629015E1AA | SHA256:F957376E702CEDE4811DB6FD7637D1FBDC727CBA810BB4C2478373CDD9F53942 | |||
2488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5F72627B.emf | emf | |
MD5:FB3981532125928BB4E7E59661FB0744 | SHA256:7B2D4BC5CE523C483E756AC65AAD9678CC1FCB6D183EBA4A9977EEE320ADD207 | |||
2300 | WinRAR.exe | C:\Users\admin\Downloads\contract.doc\contract.doc | document | |
MD5:8E0429B1A5174D8DACB732681B4E8480 | SHA256:578C90D677DBCB14B514440A7A328936DF6A2627408C9D651B184E073A5B1920 | |||
352 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | |
MD5:0FA9C57DB71A07405699B3B74E0711C6 | SHA256:0D517D1ACAC3402885ED81CE5E51864306FA947D378DEE9664939027C3A57049 | |||
2488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$demem.docx.zip | pgc | |
MD5:6AB3DFC77ABF4B27E92104B01415A48A | SHA256:209F9CD16D3B8BA13DFC8B029263F6AA2853E9AA3EBBA2B8E370CEBDAA1F3DF2 | |||
2488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:30742B1A262D655F6D7B031B3B06398E | SHA256:3EB1DD8D97A78A4C787ECFCD4850C8735347E0397D022094FDF5AE30AA551C9E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3228 | gup.exe | 104.31.88.28:443 | notepad-plus-plus.org | Cloudflare Inc | US | shared |
2488 | WINWORD.EXE | 195.123.246.12:443 | microsoft-hub-us.com | — | UA | unknown |
Domain | IP | Reputation |
---|---|---|
microsoft-hub-us.com |
| unknown |
notepad-plus-plus.org |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
|