| Field | Value |
|---|---|
| URL | http://www.bewcdfz.com/gl_cms/kindeditor/attached/file/20181029/20181029192647774777.docx |
| Full analysis | https://app.any.run/tasks/850f64c2-9977-4e5f-a229-6c239cfb863b |
| Verdict | Malicious activity |
| Analysis date | January 18, 2019, 03:41:37 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | — |
| MD5 | 9F5F8D39F90F8779304507459DB796C6 |
| SHA1 | E8A2222B097A07C16D3828F8E133C63BECA565AE |
| SHA256 | 990D8776D0332A0D2B6BC0C671803CA5D21ADD3C24674801C76AE73A5A7425A4 |
| SSDEEP | 3:N1KJS4g1BDtCJvhXKE3/MONdU+tywf:Cc4g1PCJvhXKYMOTLf |

Note: the hashes of the document actually downloaded during the run (20181029192647774777[1].docx, MD5 FCC1B0EB4CA66A01472B1A9329BAA232) are listed in the files table below; use those when building file-based indicators.
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2816 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 1; Version: 8.00.7600.16385 (win7_rtm.090713-1255) | | | |
| 3092 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2816 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) | | | |
| 3128 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | svchost.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
| 3464 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2816 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | — | — |
| 2816 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
| 3128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR168.tmp.cvr | — | — | — |
| 3128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{A0FB910F-BF7F-4558-86CF-F7F684957DBD} | — | — | — |
| 3128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{242BA8A0-B704-46FA-B7F9-8CBB26C54414} | — | — | — |
| 2816 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF4896CDEEC19A6936.TMP | — | — | — |
| 3128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | 5344A5C5E7DEDB10033D7BFCC277386F | 3755639E89116C93C6906F0A322D677CA131FD2E982EBB69BE969A424C373B17 |
| 3128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | D17956033D22758B2107DBE9A377130B | B2E7886ACBE670C6E9F116C6FCC4D44B03FE46C99171E8601844C8C8D57030F8 |
| 3092 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\20181029192647774777[1].docx | compressed | FCC1B0EB4CA66A01472B1A9329BAA232 | C618680AE2EE35B08D9BE4AE60F7F50730821A562F7EE1973CCDF453EB31F632 |
| 3128 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{28502A4C-109F-4ABE-9D76-5B19075B79EE}.FSD | binary | 2C4E154FCE0796EC60D138F85E768538 | C80FB062E77A4EEAF05CDE1FE37135BF677C05DFB9C6C462A820C1EC9D54C058 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3128 | WINWORD.EXE | HEAD | 200 | 58.82.232.56:80 | http://www.bewcdfz.com/gl_cms/kindeditor/attached/file/20181029/20181029192647774777.docx | HK | — | — | malicious |
3092 | iexplore.exe | GET | 200 | 58.82.232.56:80 | http://www.bewcdfz.com/gl_cms/kindeditor/attached/file/20181029/20181029192647774777.docx | HK | compressed | 13.8 Kb | malicious |
3128 | WINWORD.EXE | OPTIONS | 200 | 58.82.232.56:80 | http://www.bewcdfz.com/gl_cms/kindeditor/attached/file/20181029/ | HK | html | 2.45 Kb | malicious |
976 | svchost.exe | PROPFIND | 200 | 58.82.232.56:80 | http://www.bewcdfz.com/gl_cms/kindeditor/attached | HK | html | 2.45 Kb | malicious |
976 | svchost.exe | PROPFIND | 200 | 58.82.232.56:80 | http://www.bewcdfz.com/gl_cms/kindeditor/attached/file | HK | html | 2.45 Kb | malicious |
976 | svchost.exe | OPTIONS | 200 | 58.82.232.56:80 | http://www.bewcdfz.com/gl_cms/kindeditor/attached/file/20181029 | HK | html | 2.45 Kb | malicious |
976 | svchost.exe | PROPFIND | 200 | 58.82.232.56:80 | http://www.bewcdfz.com/gl_cms/kindeditor/attached/file | HK | html | 2.45 Kb | malicious |
976 | svchost.exe | PROPFIND | 200 | 58.82.232.56:80 | http://www.bewcdfz.com/gl_cms/kindeditor/attached/file/20181029 | HK | html | 2.45 Kb | malicious |
976 | svchost.exe | PROPFIND | 200 | 58.82.232.56:80 | http://www.bewcdfz.com/gl_cms/kindeditor/attached/file | HK | html | 2.45 Kb | malicious |
976 | svchost.exe | PROPFIND | 200 | 58.82.232.56:80 | http://www.bewcdfz.com/gl_cms/kindeditor/attached/file/20181029 | HK | html | 2.45 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3092 | iexplore.exe | 58.82.232.56:80 | www.bewcdfz.com | CommuniLink Internet Limited. | HK | malicious |
976 | svchost.exe | 58.82.232.56:80 | www.bewcdfz.com | CommuniLink Internet Limited. | HK | malicious |
2816 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3128 | WINWORD.EXE | 58.82.232.56:80 | www.bewcdfz.com | CommuniLink Internet Limited. | HK | malicious |
| Domain | IP | Reputation |
|---|---|---|
| www.bing.com | — | whitelisted |
| www.bewcdfz.com | — | malicious |
PID | Process | Class | Message |
---|---|---|---|
3128 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source |
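The alert above names a document that loads an embedded OLE object from an external source, and the HTTP table shows Word (PID 3128) itself issuing HEAD and OPTIONS requests to the document's URL after Internet Explorer (PID 3092) had downloaded it. The following triage script is an added example for this report, not ANY.RUN's code and not a reproduction of the sandboxed file (whose contents are not on this page). It inspects a .docx, which is an OOXML zip, for OLE relationships whose target lies outside the package, the property the signature name describes. The two .docx files it assembles in memory are constructed test data, and http://example.invalid/linked.doc is a placeholder URL.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
OLE_REL_TYPE = OFFICE_REL_NS + "/oleObject"
OFFICE_NS = "urn:schemas-microsoft-com:office:office"


def external_ole_objects(docx_bytes):
    """Return one dict per oleObject relationship whose Target is outside the package.

    Each XML part under word/ (document.xml, header1.xml, ...) is paired with its
    word/_rels/<part>.rels file. A relationship of type .../oleObject with
    TargetMode="External" tells Word to source the object from the Target URL
    instead of from a part inside the zip.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part_name in sorted(names):
            if "/_rels/" in part_name or not part_name.startswith("word/") or not part_name.endswith(".xml"):
                continue
            folder, _, base = part_name.rpartition("/")
            rels_name = f"{folder}/_rels/{base}.rels"
            if rels_name not in names:
                continue
            rels_root = ET.fromstring(z.read(rels_name))
            part_root = ET.fromstring(z.read(part_name))
            # Map r:id -> <o:OLEObject> so a hit can be enriched with Type/ProgID/UpdateMode.
            ole_elems = {el.get(f"{{{OFFICE_REL_NS}}}id"): el
                         for el in part_root.iter(f"{{{OFFICE_NS}}}OLEObject")}
            for rel in rels_root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL_TYPE or rel.get("TargetMode") != "External":
                    continue
                el = ole_elems.get(rel.get("Id"))
                # Fields stay None when no element references the relationship; the
                # external relationship alone is still worth flagging.
                findings.append({
                    "part": part_name,
                    "rId": rel.get("Id"),
                    "target": rel.get("Target"),
                    "type": el.get("Type") if el is not None else None,
                    "progid": el.get("ProgID") if el is not None else None,
                    "update_mode": el.get("UpdateMode") if el is not None else None,
                })
    return findings


# Constructed test data (placeholder content, not the sandboxed sample).
CONTENT_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)
ROOT_RELS = (
    f'<Relationships xmlns="{PKG_REL_NS}">'
    f'<Relationship Id="rId1" Type="{OFFICE_REL_NS}/officeDocument" Target="word/document.xml"/>'
    "</Relationships>"
)
# Main part with one OLE object; the relationship rId5 decides where its data comes from.
DOCUMENT_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    f'xmlns:o="{OFFICE_NS}" xmlns:r="{OFFICE_REL_NS}"><w:body><w:p><w:r><w:object>'
    '<o:OLEObject Type="Link" ProgID="Word.Document.8" r:id="rId5" UpdateMode="Always"/>'
    "</w:object></w:r></w:p></w:body></w:document>"
)
# Suspicious shape: the object is fetched from a URL (TargetMode="External").
EXTERNAL_OLE_RELS = (
    f'<Relationships xmlns="{PKG_REL_NS}">'
    f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="http://example.invalid/linked.doc" TargetMode="External"/>'
    "</Relationships>"
)
# Benign shape: the object lives inside the package (no TargetMode means Internal).
EMBEDDED_OLE_RELS = (
    f'<Relationships xmlns="{PKG_REL_NS}">'
    f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>'
    "</Relationships>"
)


def build_docx(document_rels):
    """Assemble a minimal .docx in memory around DOCUMENT_XML and the given rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a path to scan a real file; with no argument the constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_docx(EXTERNAL_OLE_RELS)
    hits = external_ole_objects(data)
    for h in hits:
        print(f"{h['part']}: {h['rId']} -> {h['target']} "
              f"(Type={h['type']}, ProgID={h['progid']}, UpdateMode={h['update_mode']})")
    print(f"{len(hits)} external OLE object(s)")
```

A hit whose element carries Type="Link" and UpdateMode="Always" is the shape in which a linked object pulls its content from a remote host as the document is opened or refreshed; an external oleObject relationship with no referencing element is reported too, since the relationship is what Word resolves. The script reads only the zip's XML parts, so it is safe to run on a suspect file without opening it in Office.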