File name: | 9a91835532524533c1f7afb878f1a2dbcd31c0b1f25a49563f71974d26ed29f4.doc |
Full analysis: | https://app.any.run/tasks/ca94ac3e-38f5-448e-b881-3f605179f8f2 |
Verdict: | Malicious activity |
Analysis date: | May 20, 2019, 06:09:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Title: d84ef, Subject: g8cb9, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May 8 04:34:00 2019, Last Saved Time/Date: Wed May 8 04:34:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | 4611B335B88A0B5ABC58CF52B6D9A77D |
SHA1: | 6C822E32D5792AF43C33F49D53237B0A57C0A546 |
SHA256: | 9A91835532524533C1F7AFB878F1A2DBCD31C0B1F25A49563F71974D26ED29F4 |
SSDEEP: | 24576:w/aQOlrQv882gcMp+Nc1bN/L/JQOl6Qvk82gcdp+:w7OeeJCbtSO3W |
Extension | Description |
---|---|
.doc | Microsoft Word document (38.3) |
.xls | Microsoft Excel sheet (alternate) (29.3) |
.doc | Microsoft Word document (old ver.) (22.7) |
Property | Value |
---|---|
Title: | d84ef |
Subject: | g8cb9 |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:05:08 03:34:00 |
ModifyDate: | 2019:05:08 03:34:00 |
Pages: | 1 |
Words: | - |
Characters: | 1 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Bytes: | 11000 |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 1 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | d84ef |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2980 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\9a91835532524533c1f7afb878f1a2dbcd31c0b1f25a49563f71974d26ed29f4.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
2440 | "C:\Windows\System32\cmd.exe" /c ren "C:\Users\admin\AppData\Local\Temp\bcd9f.png" "bcd9f.exe" &start "" "C:\Users\admin\AppData\Local\Temp\bcd9f.exe" | C:\Windows\System32\cmd.exe | | WINWORD.EXE |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2896 | "C:\Users\admin\AppData\Local\Temp\bcd9f.exe" | C:\Users\admin\AppData\Local\Temp\bcd9f.exe | — | cmd.exe |
| User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | |
3204 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | bcd9f.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Event Viewer Snapin Launcher; Exit code: 3221226540; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
4008 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | | bcd9f.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Event Viewer Snapin Launcher; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2932 | "C:\Users\admin\AppData\Local\Temp\bcd9f.exe" | C:\Users\admin\AppData\Local\Temp\bcd9f.exe | — | eventvwr.exe |
| User: admin; Integrity Level: HIGH | | | |
3688 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | | bcd9f.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5420 (Win7SP1.050727-5400) | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREAFB.tmp.cvr | — | — | — |
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\bcd9f.png | — | — | — |
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FE6E1746.emf | — | — | — |
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\mso39DD.tmp | — | — | — |
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB3128F.jpeg | — | — | — |
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRO0000.doc | document | 8916A1D8A1F64932A829EFA029CBFC60 | 8707B7E17194A42244D1560E88642E9F90E08304CE1BA4DE2E71B016AD9BA840 |
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7517A019.emf | emf | 85EF11A0858FC3AC328644E889085B01 | BCA32069D03039583810E756FA98990D5AFD69783BB4290890925B38E7CC30C4 |
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$91835532524533c1f7afb878f1a2dbcd31c0b1f25a49563f71974d26ed29f4.doc | pgc | EB0F3049BEAFA232B07AD63E99D1C241 | 330B7F9D650B05EA8979249DC8D6CD7970522FBC131687F29650AABD2E90C675 |
2980 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 816BEA007272E3D591722A84B2EBD2E8 | 0BD48B965DD591F21A77D8C83E4C24FE5627C543192A698F7B1E1842A0EEDB5A |
2440 | cmd.exe | C:\Users\admin\AppData\Local\Temp\bcd9f.exe | executable | 046BC9D1BA7D4991AF3959731F84B36C | A2999BE4490911DAFC2ED0631BE87DA0E4F5348EC8B1A67494982F65F764D2ED |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2980 | WINWORD.EXE | 185.55.227.147:443 | pourshojaei.com | Fanavari Serverpars Argham Gostar Company Ltd. | IR | malicious |
3688 | RegAsm.exe | 185.55.225.185:26 | mail.autelite.com | Fanavari Serverpars Argham Gostar Company Ltd. | IR | suspicious |
Domain | IP | Reputation |
---|---|---|
pourshojaei.com | | malicious |
mail.autelite.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3688 | RegAsm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |