Field | Value
---|---
File name | Liste11.docx
Full analysis | https://app.any.run/tasks/ad64152b-c0c9-4e12-8709-20f00c0257dd
Verdict | Malicious activity
Analysis date | January 22, 2019, 12:18:03
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info | Microsoft Word 2007+
MD5 | 30EDFE50B1A01B766EFFD72EF1B55F14
SHA1 | E0668FB21C78D023C76D2DDA7445FCD8ABD81EE4
SHA256 | A9D354DE91721947D6D3DC15A26C92CC70542606210651F23E34CFC948EFAA80
SSDEEP | 3072:EVD/6yA/3F23myBF2S+BL/WPSLBq70lAkaa97:UA/WP/RWUSAolpac7
Extension | Identified type
---|---
.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)
Field | Value
---|---
ZipRequiredVersion | 20
ZipBitFlag | 0x0006
ZipCompression | Deflated
ZipModifyDate | 1980:01:01 00:00:00
ZipCRC | 0x1a34d400
ZipCompressedSize | 398
ZipUncompressedSize | 1510
ZipFileName | [Content_Types].xml
Field | Value
---|---
Template | Normal.dotm
TotalEditTime | 1 minute
Pages | 1
Words | 3
Characters | 22
Application | Microsoft Office Word
DocSecurity | None
Lines | 1
Paragraphs | 1
ScaleCrop | No
Company | TESTER
LinksUpToDate | No
CharactersWithSpaces | 24
SharedDoc | No
HyperlinksChanged | No
AppVersion | 12
Keywords | -
LastModifiedBy | TESTER
RevisionNumber | 2
CreateDate | 2019:01:22 10:21:00Z
ModifyDate | 2019:01:22 10:22:00Z
Title | -
Subject | -
Creator | TESTER
Description | -
PID | CMD | Path | Indicators | Parent process | Process details
---|---|---|---|---|---
2972 | `"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Liste11.docx"` | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
2776 | `"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\List4.jar"` | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | WINWORD.EXE | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14
2532 | `reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Oracle_Simulator_7105_82608 /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe\" -jar \"C:\Users\admin\AppData\Roaming\Quantity\Techniques.ErZ\"" /f` | C:\Windows\system32\reg.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2688 | `attrib +s +h +r "C:\Users\admin\AppData\Roaming\Quantity\*.*"` | C:\Windows\system32\attrib.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Attribute Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2800 | `attrib +s +h +r "C:\Users\admin\AppData\Roaming\Quantity"` | C:\Windows\system32\attrib.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Attribute Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2896 | `"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\Quantity\Techniques.ErZ"` | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | javaw.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14
1904 | `reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Oracle_Simulator_7105_82608 /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe\" -jar \"C:\Users\admin\AppData\Roaming\Quantity\Techniques.ErZ\"" /f` | C:\Windows\system32\reg.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2972 | WINWORD.EXE | `C:\Users\admin\AppData\Local\Temp\CVR6B4D.tmp.cvr` | — | — | —
2972 | WINWORD.EXE | `C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27C47729.png` | — | — | —
2896 | javaw.exe | `C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp` | text | F198E4C5DAE3349FE32CCCC5B1D60E38 | CAE7B7A727816D566BE1544FD8C6BAA3D754E89D1F1BC10A7EAFE3A6DEA64A5C
2776 | javaw.exe | `C:\Users\admin\AppData\Roaming\Quantity\Techniques.ErZ` | compressed | F5289C63FF8F6D6F65FAC7B0FC5F0B6F | 5D241FEEBC124D05CD7E3B4D1B3D2D1F01930828542BB3A0768EE0DE24BE8E05
2972 | WINWORD.EXE | `C:\Users\admin\AppData\Local\Temp\List4.jar` | compressed | F5289C63FF8F6D6F65FAC7B0FC5F0B6F | 5D241FEEBC124D05CD7E3B4D1B3D2D1F01930828542BB3A0768EE0DE24BE8E05
2972 | WINWORD.EXE | `C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\162571C8.emf` | emf | A4BFF2537692FA2D3BA45AF0B6CE8D9E | 45654C6F1C57CE9076D73E6E94287AFF079537196EDEA1279C6E50CD05EF7CE4
2972 | WINWORD.EXE | `C:\Users\admin\AppData\Local\Temp\~$iste11.docx` | pgc | 6A5B589FC2FA32AF9182A795F43F38AA | B4AEF9B3BC237C05B4D4A9D35F04F4E2DCB8A583A515BB65E9CF05CBF9A7AF26
2972 | WINWORD.EXE | `C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm` | pgc | B8F86FF28835EFB3D330069228B92D90 | 1CB8760651B82A65480CC246F78DA1DF926B21DDBE3CBD2765C62A48CB2E5E2F
2776 | javaw.exe | `C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp` | text | 2CD82BC05F7FB474D03CE20912BC7C1D | ABA5C7772503444C2E12366749B444E811AF6D12C6AEAA62BC6C9B900383C06D
2776 | javaw.exe | `C:\Users\admin\AppData\Roaming\Quantity\Desktop.ini` | ini | E783BDD20A976EAEAAE1FF4624487420 | 2F65FA9C7ED712F493782ABF91467F869419A2F8B5ADF23B44019C08190FA3F3
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2896 | javaw.exe | 94.23.78.199:1505 | burcutekstil.online | OVH SAS | PT | malicious |
Domain | IP | Reputation
---|---|---
burcutekstil.online | | malicious
dns.msftncsi.com | | shared