File name: | d8f8825195f6b8a93ec606957931edcd2597f826a2979facc5a0c0879bba95c2.doc |
Full analysis: | https://app.any.run/tasks/535525d9-2017-4778-b6be-35ff4bbf00b3 |
Verdict: | Malicious activity |
Analysis date: | May 20, 2019, 09:40:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/octet-stream |
File info: | Microsoft OOXML |
MD5: | 745FBF3B9B82947BC8601D3BAA16E329 |
SHA1: | 7BBFD8391D2E4CA7B0F1425850FA20FBA3F696FC |
SHA256: | D8F8825195F6B8A93EC606957931EDCD2597F826A2979FACC5A0C0879BBA95C2 |
SSDEEP: | 98304:D7LCl9sJU3lTx9pgEtKy4Dpu34zQHy46BaCQ:Dquwlt9pgsn34zQSZBaj |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCRC: | 0xa1fe8fa1 |
ZipCompressedSize: | 430 |
ZipUncompressedSize: | 1768 |
ZipFileName: | [Content_Types].xml |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3452 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\d8f8825195f6b8a93ec606957931edcd2597f826a2979facc5a0c0879bba95c2.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3056 | C:\ProgramData\Memsys\ms.exe | C:\ProgramData\Memsys\ms.exe | WINWORD.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2204 | /create /tn 90059c37-1320-41a4-b58d-2b75a9850d2f0 /tr "rundll32.exe url.dll,OpenURLA "C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe"" /st 00:00 /sc daily /du 9999:59 /ri 1 /f | C:\Windows\System32\sdclt.exe | — | ms.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Windows Backup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1276 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | ms.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2340 | "C:\Windows\System32\sdclt.exe" | C:\Windows\System32\sdclt.exe | ms.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Windows Backup Exit code: 3221225477 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
292 | rundll32.exe url.dll,OpenURLA C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe | C:\Windows\system32\rundll32.exe | — | taskeng.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1780 | "C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe" | C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe | rundll32.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3216 | rundll32.exe url.dll,OpenURLA C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe | C:\Windows\system32\rundll32.exe | — | taskeng.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
316 | "C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe" | C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe | rundll32.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2160 | "C:\Windows\System32\Utilman.exe" | C:\Windows\System32\Utilman.exe | — | 8569a.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Utility Manager Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3452 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR147A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3452 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\mso17BD.tmp | — | |
MD5:— | SHA256:— | |||
1276 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs18CB.tmp | — | |
MD5:— | SHA256:— | |||
1276 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs18DB.tmp | — | |
MD5:— | SHA256:— | |||
3452 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:1C3731FA96EBDD2B59DD9077E7304E50 | SHA256:90231EF6597C66760A15F548BBB57E7F36AE0729947BF09439BF18DB568920C7 | |||
3452 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$f8825195f6b8a93ec606957931edcd2597f826a2979facc5a0c0879bba95c2.doc | pgc | |
MD5:D403D070C1B3313E1FADB63346ACA762 | SHA256:C8129ED01176AA0FC3821553FF1354CA3CB7FB8B225FCF063115CE27CB7E8BDF | |||
3452 | WINWORD.EXE | C:\ProgramData\Memsys\ms.exe | executable | |
MD5:2397D13C8CC78829AD0FBBF046C31B32 | SHA256:B23991F31319DCAECF034CEE98A71150A9C20BB39787F37F505A29244C6C65DF | |||
3056 | ms.exe | C:\ProgramData\90059c37-1320-41a4-b58d-2b75a9850d2f\8569a.exe | executable | |
MD5:2397D13C8CC78829AD0FBBF046C31B32 | SHA256:B23991F31319DCAECF034CEE98A71150A9C20BB39787F37F505A29244C6C65DF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2340 | sdclt.exe | GET | — | 109.234.34.48:80 | http://109.234.34.48/bin/cpu.exe | RU | — | — | suspicious |
1968 | WindowsAnytimeUpgradeui.exe | GET | — | 109.234.34.48:80 | http://109.234.34.48/bin/cpu.exe | RU | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2340 | sdclt.exe | 109.234.34.48:80 | — | Webzilla B.V. | RU | suspicious |
1968 | WindowsAnytimeUpgradeui.exe | 109.234.34.48:80 | — | Webzilla B.V. | RU | suspicious |
PID | Process | Class | Message |
---|---|---|---|
2340 | sdclt.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
2340 | sdclt.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
Process | Message |
---|---|
ms.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
sdclt.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
8569a.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
8569a.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
WindowsAnytimeUpgradeui.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|