Field | Value
---|---
File name: | dff2e1a0b80c26d413e9d4f96031019ce4567607e0231a80d0ee0eb1fcf429fe
Full analysis: | https://app.any.run/tasks/7419f27a-346d-47d7-b47f-7b19997ff044
Verdict: | Malicious activity
Analysis date: | March 31, 2020, 00:25:32
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators: | —
MIME: | application/msword
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Locale ID: 1033, Author: khsvh, Subject: rowaedlk
MD5: | E8FCF85C39C4B99B903148CBA3E2D913
SHA1: | 420DD443312E70319C65CCBC2E43EEF3E0D843C0
SHA256: | DFF2E1A0B80C26D413E9D4F96031019CE4567607E0231A80D0EE0EB1FCF429FE
SSDEEP: | 3072:tyPAtVqKuBZfVih8YzpWZxoXoYUoAndsrG:tyEVqKKfVihrqQ9mIG
Subject: | rowaedlk
Author: | khsvh
LocaleIndicator: | 1033
CodePage: | Windows Latin 1 (Western European)
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3100 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\dff2e1a0b80c26d413e9d4f96031019ce4567607e0231a80d0ee0eb1fcf429fe | C:\Windows\system32\rundll32.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
940 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\dff2e1a0b80c26d413e9d4f96031019ce4567607e0231a80d0ee0eb1fcf429fe" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | rundll32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
272 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\0.8870355.jse" | C:\Windows\System32\WScript.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8833.tmp.cvr | — | — | —
940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFB3326B598F3A0ED1.TMP | — | — | —
940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFC5FA50F2731FA35A.TMP | — | — | —
940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFE7E4F1A1D0BF9D0C.TMP | — | — | —
940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF0594262216E03C47.TMP | — | — | —
940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFEC14561A65BF6A89.TMP | — | — | —
940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFAF27C0748F49DCB6.TMP | — | — | —
940 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\0.8870355.jse | text | BB73A321FE0B2D2DCDB9147A4CB5B081 | 9E8B64864A9DE71CF2B455CF9263374F5964573102F6AAD3E7DF3B808AFBD47C
940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$f2e1a0b80c26d413e9d4f96031019ce4567607e0231a80d0ee0eb1fcf429fe | pgc | 53A33B6AA991B50CD834B06438C29F8E | BD09689DA268C9794F05991B8C833D9A1F0A1A8E6685AD487E686CD52087AE20
940 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | DE670F4591A39FC85F4FA7C7B3240FD1 | 5E120EF55FB48531EE1ED36DEB77921752E30C7270DEBA98BFC70384E6E2C40D
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
272 | WScript.exe | GET | — | 209.141.54.161:80 | http://209.141.54.161/crypt18.dll | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
272 | WScript.exe | 209.141.54.161:80 | — | FranTech Solutions | US | malicious |