Field | Value |
---|---|
File name: | e20fd64714e941e8c784e6d7f8868596149270c6 |
Full analysis: | https://app.any.run/tasks/eb47c0ff-9112-43b8-99f0-8c1e2c00503b |
Verdict: | Malicious activity |
Threats: | Dridex is a very evasive and technically complex banking trojan. Despite being based on a relatively old malware code, it was substantially updated over the years and became capable of using very effective infiltration techniques that make this malware especially dangerous. |
Analysis date: | October 20, 2020, 03:07:16 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | — |
Indicators: | — |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jul 9 07:12:00 2015, Last Saved Time/Date: Thu Jul 9 07:12:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0 |
MD5: | 24B70E0791116A2E799AFE865A347A6E |
SHA1: | E20FD64714E941E8C784E6D7F8868596149270C6 |
SHA256: | A368A897F2619A19CDD268C579ABD0A95B87A61A49539C54BD6B266AC945CF50 |
SSDEEP: | 768:hyYWCZ5UdvFlGMHJDqMfFcVl9voEIM0zlCY8HxCpC/5F:hyYfZ5slGMHJDqMqVl9voEIM0l4C0P |

Extension | Detected type (score) |
---|---|
.doc | Microsoft Word document (49.6) |
.xls | Microsoft Excel sheet (alternate) (37.9) |

Property | Value |
---|---|
Title: | - |
Subject: | - |
Author: | 1 |
Keywords: | - |
Comments: | - |
Template: | Normal |
LastModifiedBy: | 1 |
RevisionNumber: | 2 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2015:07:09 06:12:00 |
ModifyDate: | 2015:07:09 06:12:00 |
Pages: | 1 |
Words: | - |
Characters: | - |
Security: | None |
CodePage: | Windows Cyrillic |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | - |
AppVersion: | 11.9999 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | - |
CompObjUserTypeLen: | 31 |
CompObjUserType: | Microsoft Office Word |

PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1968 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\e20fd64714e941e8c784e6d7f8868596149270c6.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
3212 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | WINWORD.EXE |
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: NTVDM.EXE; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4182.tmp.cvr | — | — | — |
3212 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs4D69.tmp | — | — | — |
3212 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs4D6A.tmp | — | — | — |
1968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$0fd64714e941e8c784e6d7f8868596149270c6.doc | pgc | 59F2AC895B6917DAC2285A007165CE34 | 2CD1D7E32A7091E4F241C71321EF6896DF2F45E43C7B339323C59F2905D11CF3 |
1968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\rebuil3.exe | html | 6E723BF5180E0DE815C3351BF76BCB83 | 47D445CCF2224DFE57E1BA7F8E8C7CAB8A05417F31FB673EDF9EBCAD9127B0A9 |
1968 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | B6DB66BE61668C9F5C516A55E4D6936A | BDD4A8687133A64CB7B6AD000D68427AD47518750BA8116B858E2AD6977CD1DC |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1968 | WINWORD.EXE | GET | 404 | 81.88.48.113:80 | http://jjsmith.it/43/82.exe | IT | html | 4.74 Kb | suspicious |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1968 | WINWORD.EXE | 81.88.48.113:80 | jjsmith.it | Register.it SpA | IT | malicious |

Domain | IP | Reputation |
---|---|---|
jjsmith.it | — | suspicious |

PID | Process | Class | Message |
---|---|---|---|
1968 | WINWORD.EXE | A Network Trojan was detected | ET TROJAN JS/Nemucod requesting EXE payload 2016-02-01 |
1968 | WINWORD.EXE | A Network Trojan was detected | ET TROJAN Possible Dridex Download URI Struct with no referer |
1968 | WINWORD.EXE | A Network Trojan was detected | ET TROJAN Possible Malicious Macro DL EXE Feb 2016 |