File name: | инструкция_ркн.doc |
Full analysis: | https://app.any.run/tasks/b6e6eff3-385f-49a3-ade6-a1fb14b85a1e |
Verdict: | Malicious activity |
Analysis date: | April 01, 2023, 16:20:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: x, Template: Normal.dotm, Last Saved By: atel, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Mar 18 03:43:00 2022, Last Saved Time/Date: Fri Mar 18 15:20:00 2022, Number of Pages: 1, Number of Words: 99, Number of Characters: 570, Security: 0 |
MD5: | 341610A5A0CC430F99F9F9BD694B04A9 |
SHA1: | 9B520D709CEE6C57FBABA38F38A667B0B0691E86 |
SHA256: | C7DD490ADB297B7F529950778B5A426E8068EA2DF58BE5D8FD49FE55B5331E28 |
SSDEEP: | 24576:0Ltxfb5+PfLYk1eMavV4luzEMjor4Ln+oDSMrWRHeNDoH+sN7rUziacva0FmLZe+:0LtRbA7Yk1laewzjfCoDSM6xeNsH+Vc8 |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Lines: | 4 |
---|---|
Paragraphs: | 1 |
Pages: | 1 |
Characters: | 570 |
Words: | 99 |
TotalEditTime: | - |
RevisionNumber: | 2 |
LastPrinted: | 0000:00:00 00:00:00 |
CompObjUserType: | ???????? Microsoft Word 97-2003 |
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 15 |
CharCountWithSpaces: | 668 |
Company: | - |
CodePage: | Windows Cyrillic |
Security: | None |
ModifyDate: | 2022:03:18 15:20:00 |
CreateDate: | 2022:03:18 03:43:00 |
Software: | Microsoft Office Word |
LastModifiedBy: | atel |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | x |
Subject: | - |
Title: | - |
Word97: | No |
System: | Windows |
DocFlags: | Has picture, 1Table, ExtChar |
LanguageCode: | Russian |
Identification: | Word 8.0 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2368 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\инструкция_ркн.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 Modules
| |||||||||||||||
2992 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NoLogo -WindowStyle Hidden -NonInteractive -f c:\users\admin\appdata\roaming\microsoft\templates\HkvWahS6osjcp1g.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
|
(PID) Process: | (2368) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2368) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: On | |||
(PID) Process: | (2368) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: On | |||
(PID) Process: | (2368) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: On | |||
(PID) Process: | (2368) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: On | |||
(PID) Process: | (2368) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: On | |||
(PID) Process: | (2368) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: On | |||
(PID) Process: | (2368) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: On | |||
(PID) Process: | (2368) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: On | |||
(PID) Process: | (2368) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1055 |
Value: On |
PID | Process | Filename | Type | |
---|---|---|---|---|
2368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF0E8.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$струкция_ркн.doc | pgc | |
MD5:338C4F18A85211ED435C240E7A9F0A5A | SHA256:04C50A033BBA15453C33BFCB98AD61033B492344F8AC229FEACFC6E301201020 | |||
2368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\9sIAWssbW73TcYG.W4x9LosInhvOjtI | text | |
MD5:4D499B6D7B4106C52E650607CD9E25E7 | SHA256:9D4640BDE3DAF44CC4258EB5F294CA478306AA5268C7D314FC5019CF783041F0 | |||
2368 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\HkvWahS6osjcp1g.ps1 | text | |
MD5:4D499B6D7B4106C52E650607CD9E25E7 | SHA256:9D4640BDE3DAF44CC4258EB5F294CA478306AA5268C7D314FC5019CF783041F0 | |||
2368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BCA8ECCC.emf | emf | |
MD5:0FB0C90DCF08AC747BEC44252E5004D9 | SHA256:A85A18205F2B05042921FC19BFC6D4A04A7A1E7A56F74EFBD5A4D13B36F54E69 | |||
2368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\инструкция_ркн.doc | document | |
MD5:627B5B0972CBB7A97A9A1E7EA0674A8C | SHA256:9A5C90CCF1CE03E7C8A95AD51350FDF819F0816DB78B76586FC6D8B5D22CF297 | |||
2368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~WRL0001.tmp | document | |
MD5:341610A5A0CC430F99F9F9BD694B04A9 | SHA256:C7DD490ADB297B7F529950778B5A426E8068EA2DF58BE5D8FD49FE55B5331E28 | |||
2368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF7F42F9E06F56BF96.TMP | gmc | |
MD5:BF619EAC0CDF3F68D496EA9344137E8B | SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 | |||
2368 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D6B9E37780A881ABC68E64DB5E2F6E8F | SHA256:B96DAF2C8DC81081707312C0B41675CCF52A9A383969777B6991E1E51A5C4885 | |||
2368 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\9sIAWssbW73TcYG.W4x9LosInhvOjtI:Zone.Identifier | text | |
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B | SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2992 | powershell.exe | 99.83.154.118:443 | swordoke.com | AMAZON-02 | US | malicious |
Domain | IP | Reputation |
---|---|---|
swordoke.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Backdoor Related Domain in DNS Lookup (swordoke .com) |