File name: | инструкция_ркн.doc |
Full analysis: | https://app.any.run/tasks/9280b2bb-d295-41a2-8d4f-ba22c389bf17 |
Verdict: | Malicious activity |
Analysis date: | April 01, 2023, 16:22:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: x, Template: Normal.dotm, Last Saved By: atel, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Mar 18 03:43:00 2022, Last Saved Time/Date: Fri Mar 18 15:20:00 2022, Number of Pages: 1, Number of Words: 99, Number of Characters: 570, Security: 0 |
MD5: | 341610A5A0CC430F99F9F9BD694B04A9 |
SHA1: | 9B520D709CEE6C57FBABA38F38A667B0B0691E86 |
SHA256: | C7DD490ADB297B7F529950778B5A426E8068EA2DF58BE5D8FD49FE55B5331E28 |
SSDEEP: | 24576:0Ltxfb5+PfLYk1eMavV4luzEMjor4Ln+oDSMrWRHeNDoH+sN7rUziacva0FmLZe+:0LtRbA7Yk1laewzjfCoDSM6xeNsH+Vc8 |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Identification: | Word 8.0 |
---|---|
LanguageCode: | Russian |
DocFlags: | Has picture, 1Table, ExtChar |
System: | Windows |
Word97: | No |
Title: | - |
Subject: | - |
Author: | x |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | atel |
Software: | Microsoft Office Word |
CreateDate: | 2022:03:18 03:43:00 |
ModifyDate: | 2022:03:18 15:20:00 |
Security: | None |
CodePage: | Windows Cyrillic |
Company: | - |
CharCountWithSpaces: | 668 |
AppVersion: | 15 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | ???????? Microsoft Word 97-2003 |
LastPrinted: | 0000:00:00 00:00:00 |
RevisionNumber: | 2 |
TotalEditTime: | - |
Words: | 99 |
Characters: | 570 |
Pages: | 1 |
Paragraphs: | 1 |
Lines: | 4 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2588 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\инструкция_ркн.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 Modules
| |||||||||||||||
3400 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NoLogo -WindowStyle Hidden -NonInteractive -f c:\users\admin\appdata\roaming\microsoft\templates\HkvWahS6osjcp1g.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
|
(PID) Process: | (2588) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2588) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: On | |||
(PID) Process: | (2588) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: On | |||
(PID) Process: | (2588) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: On | |||
(PID) Process: | (2588) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: On | |||
(PID) Process: | (2588) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: On | |||
(PID) Process: | (2588) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: On | |||
(PID) Process: | (2588) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: On | |||
(PID) Process: | (2588) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: On | |||
(PID) Process: | (2588) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1055 |
Value: On |
PID | Process | Filename | Type | |
---|---|---|---|---|
2588 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF83B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2588 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C1D89D97.emf | emf | |
MD5:0FB0C90DCF08AC747BEC44252E5004D9 | SHA256:A85A18205F2B05042921FC19BFC6D4A04A7A1E7A56F74EFBD5A4D13B36F54E69 | |||
2588 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$струкция_ркн.doc | pgc | |
MD5:0F768B7958CE69E1EAD8B8FB312E097E | SHA256:ECD399450383DAEF2B35D6F77447BD3BBE981CE11CD1B16C226C012D7F817574 | |||
2588 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\9sIAWssbW73TcYG.W4x9LosInhvOjtI | text | |
MD5:4D499B6D7B4106C52E650607CD9E25E7 | SHA256:9D4640BDE3DAF44CC4258EB5F294CA478306AA5268C7D314FC5019CF783041F0 | |||
2588 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\HkvWahS6osjcp1g.ps1 | text | |
MD5:4D499B6D7B4106C52E650607CD9E25E7 | SHA256:9D4640BDE3DAF44CC4258EB5F294CA478306AA5268C7D314FC5019CF783041F0 | |||
2588 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\инструкция_ркн.doc | document | |
MD5:829D043907530BDC628010A97A290EAC | SHA256:DEC57189534E569A8AB0F8A7D1E7EB0335ABB459A039EAD90C9414A2D92643A8 | |||
2588 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFA789B68BA867843F.TMP | gmc | |
MD5:BF619EAC0CDF3F68D496EA9344137E8B | SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 | |||
3400 | powershell.exe | C:\Users\admin\AppData\Local\Temp\mfmwenh1.5lc.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
3400 | powershell.exe | C:\Users\admin\AppData\Local\Temp\nmts14s5.bxz.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
2588 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\9sIAWssbW73TcYG.W4x9LosInhvOjtI:Zone.Identifier | text | |
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B | SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3400 | powershell.exe | 99.83.154.118:443 | swordoke.com | AMAZON-02 | US | malicious |
Domain | IP | Reputation |
---|---|---|
swordoke.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Backdoor Related Domain in DNS Lookup (swordoke .com) |
3400 | powershell.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Backdoor Related Domain (swordoke .com in TLS SNI) |