URL: | http://icimp.org/instruct8.5x11x2.doc |
Full analysis: | https://app.any.run/tasks/c7148892-a7ca-4862-9de4-06a9511bdf8a |
Verdict: | Malicious activity |
Analysis date: | January 11, 2019, 06:22:18 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 29EEED084F9AA52E35B7C72DA17F5CD0 |
SHA1: | AEF1662398106EE1A6DB6F254A504CD40D5B9C01 |
SHA256: | AA504F62D843FC4DAC8A65E73CF95593F4F1C41623CE5DE434CFD23900A21311 |
SSDEEP: | 3:N1KXZSKMiJIrn:Cp5nM |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2916 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3184 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2916 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2940 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3952 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Word Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2916 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2916 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5EBB.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{AFDB0237-9866-4711-B6CC-76500D91725C} | — | |
MD5:— | SHA256:— | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{FB088509-85EE-4C86-B55B-7A9D1D493C2D} | — | |
MD5:— | SHA256:— | |||
3952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_FAF921BD-966E-419E-8C3D-325BB0E506EB.0\~DFD36EF5EF01166381.TMP | — | |
MD5:— | SHA256:— | |||
3952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_FAF921BD-966E-419E-8C3D-325BB0E506EB.0\~DFE385ECF02C0A6FE6.TMP | — | |
MD5:— | SHA256:— | |||
2916 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF589F2C88E6BD87AE.TMP | — | |
MD5:— | SHA256:— | |||
3184 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\instruct8.5x11x2[1].doc | document | |
MD5:C482341F675DD934E74A633A3C74A6D2 | SHA256:83BE01D14B002F579CD84AB32128BF5BE64E94210035D28875A198E3CE0E4A41 | |||
2940 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:BFB5103A1673571EAEEC6E3B28090150 | SHA256:BF10BC6CD4EFD21FAB9187CCAE95E76283FD095E2AF3B6D543B1A17C8CB9EBFA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2940 | WINWORD.EXE | HEAD | 200 | 45.79.111.88:80 | http://icimp.org/instruct8.5x11x2.doc | US | — | — | malicious |
2940 | WINWORD.EXE | OPTIONS | 405 | 45.79.111.88:80 | http://icimp.org/ | US | html | 173 b | malicious |
3184 | iexplore.exe | GET | 200 | 45.79.111.88:80 | http://icimp.org/instruct8.5x11x2.doc | US | document | 258 Kb | malicious |
976 | svchost.exe | OPTIONS | 405 | 45.79.111.88:80 | http://icimp.org/ | US | html | 173 b | malicious |
2940 | WINWORD.EXE | OPTIONS | 405 | 45.79.111.88:80 | http://icimp.org/ | US | html | 173 b | malicious |
2940 | WINWORD.EXE | OPTIONS | 405 | 45.79.111.88:80 | http://icimp.org/ | US | html | 173 b | malicious |
2916 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
2940 | WINWORD.EXE | HEAD | 200 | 45.79.111.88:80 | http://icimp.org/instruct8.5x11x2.doc | US | html | 173 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3184 | iexplore.exe | 45.79.111.88:80 | icimp.org | Linode, LLC | US | malicious |
2916 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
976 | svchost.exe | 45.79.111.88:80 | icimp.org | Linode, LLC | US | malicious |
2940 | WINWORD.EXE | 45.79.111.88:80 | icimp.org | Linode, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
icimp.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2940 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source |
2940 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source |
2940 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source |