File name: | Request_12_04.doc |
Full analysis: | https://app.any.run/tasks/79e2ca3a-63f5-482e-93c3-18e691ff8503 |
Verdict: | Malicious activity |
Analysis date: | December 06, 2019, 16:21:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | B3F3BFFD8EA42F9D1ECB7AD6851B4CD0 |
SHA1: | FE564577D5C8BB748E8F70A3B232E6976C6C6EE7 |
SHA256: | C3853565FF629438373C87717C0A160F852ABED5DCD8B17E7D503AA15FC17B70 |
SSDEEP: | 1536:/VdE1Bnp4UReoqQd5YFWAfV9AN7svtzTk7Bt+DeHbqX:/Vinp4U59YAAbs7svJQ7Bt8eM |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
Description: | - |
---|---|
Creator: | asueo |
Subject: | - |
Title: | - |
Category: | - |
---|---|
ModifyDate: | 2019:12:04 09:28:00Z |
CreateDate: | 2019:12:04 09:28:00Z |
RevisionNumber: | 2 |
LastModifiedBy: | admin |
Keywords: | - |
AppVersion: | 16 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | - |
LinksUpToDate: | No |
Company: | home |
Manager: | - |
TitlesOfParts: | |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | - |
Lines: | 2 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | - |
Words: | - |
Pages: | 1 |
TotalEditTime: | - |
Template: | Normal.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1635 |
ZipCompressedSize: | 426 |
ZipCRC: | 0xc8e48bf2 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1752 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Request_12_04.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3408 | wmic process list /format:"c:\windows\temp\anhIY.xsl" | C:\Windows\System32\Wbem\wmic.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147614729 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2480 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1888 | C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2820 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Windows\Temp\anhIY.xsl" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Version: 7.51 | ||||
3744 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | notepad++.exe | |
User: admin Company: Don HO [email protected] Integrity Level: MEDIUM Description: GUP : a free (LGPL) Generic Updater Exit code: 0 Version: 4.1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA8CD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1752 | WINWORD.EXE | C:\windows\temp\anhIY.xsl | xml | |
MD5:5FEC00CCF424D8CBBB5B193F9EB6AF35 | SHA256:68E2F49CE6C922D422A24C728F0D3EF8768CE70050FFA8FE5D3418F2FB4561A9 | |||
1752 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D3E45E9E34C71A48C10FD945E9620BAF | SHA256:6CC7603DD408465CD9F4E0ED479443E49C34BDBCC43DE9FD1A9A1A1B8185537F | |||
1752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$quest_12_04.doc | pgc | |
MD5:524A7989A09477B4FF56B27F472151A1 | SHA256:142564C8243AB86866DEFCD9402A2C44BA0DA052D15E413921FA229E8833B775 | |||
1752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:CFF63ED6F2F3ADCFA1EEFFA3607CC643 | SHA256:549603E658158BD345ED06C9F013885991FCBD8A2F25DD494390B6824C219E97 | |||
2820 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml | text | |
MD5:AD21A64014891793DD9B21D835278F36 | SHA256:C24699C9D00ABDD510140FE1B2ACE97BFC70D8B21BF3462DED85AFC4F73FE52F | |||
2820 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\langs.xml | xml | |
MD5:E792264BEC29005B9044A435FBA185AB | SHA256:5298FD2F119C43D04F6CF831F379EC25B4156192278E40E458EC356F9B49D624 | |||
2820 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini | text | |
MD5:F70F579156C93B097E656CABA577A5C9 | SHA256:B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4 | |||
2820 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml | xml | |
MD5:44982E1D48434C0AB3E8277E322DD1E4 | SHA256:3E661D3F1FF3977B022A0ACC26B840B5E57D600BC03DCFC6BEFDB408C665904C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 72.21.91.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3744 | gup.exe | 104.31.88.28:443 | notepad-plus-plus.org | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
stoilamser.com |
| malicious |
notepad-plus-plus.org |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
|