File name: | gd.docx |
Full analysis: | https://app.any.run/tasks/1426d4a0-3b3b-43f1-8182-e6a9a7cdcb04 |
Verdict: | Malicious activity |
Analysis date: | January 23, 2019, 11:04:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 8FC06AE874C24934487CF0145DE38879 |
SHA1: | 4CFFD573CF8FE074B2A88121EEA87882703B1310 |
SHA256: | E02D74EAB1D170F441DD55AFFD19BE0DC1EE2F785AA5E21805523DA1498CB10D |
SSDEEP: | 192:rDGt2GoTEX8uyMtWNYc0mqQTnhr5OyQT1QpP55QVbFTB8GoA6aGkWlms:rDGt/vsuyMtiYeLOyQT1QpDQvdq3ms |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
Creator: | Microsoft |
---|
ModifyDate: | 2017:09:24 17:27:00Z |
---|---|
CreateDate: | 2017:09:24 17:26:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | Microsoft |
AppVersion: | 14 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 7 |
LinksUpToDate: | No |
Company: | SPecialiST RePack |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 7 |
Words: | 1 |
Pages: | 1 |
TotalEditTime: | 1 minute |
Template: | dotm.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1422 |
ZipCompressedSize: | 358 |
ZipCRC: | 0x82872409 |
ZipModifyDate: | 2019:01:22 09:33:08 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0002 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3012 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\gd.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 |
(PID) Process: | (3012) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | 52, |
Value: 35322C00C40B0000010000000000000000000000 | |||
(PID) Process: | (3012) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (3012) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (3012) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1312227351 | |||
(PID) Process: | (3012) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1312227472 | |||
(PID) Process: | (3012) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1312227473 | |||
(PID) Process: | (3012) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: C40B0000DC1CC57A0BB3D40100000000 | |||
(PID) Process: | (3012) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | w4, |
Value: 77342C00C40B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (3012) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | w4, |
Value: 77342C00C40B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (3012) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREA25.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{4DE96153-8D1D-43A1-8CA1-0250456188D0} | — | |
MD5:— | SHA256:— | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{B03A125E-8298-4F04-B580-4E592FBA81D1} | — | |
MD5:— | SHA256:— | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C204AACB-E338-47C0-A877-4646010FEB06}.FSD | binary | |
MD5:62D0E6BF6176C1FD1222BE9969E9C5A7 | SHA256:B81261CCA8A184F4C94962AC90573FBBEF1E13E0B9CF81BCC2CF93856B25043F | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | |
MD5:379B7A780787F681EC0B34A62569B4A0 | SHA256:8B409C69A8F2E1E8F52F6CE2040F9BE15B38A3DC0CB7D49B909FC25F9F276AAC | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E0DA57D5-0196-4351-9168-35B6F27FFFE5}.FSD | binary | |
MD5:F7A92831F03764AC95AECED71FD780CA | SHA256:C0934833C0DC2AD6B486DF72D1DC8998FB89BCBF9DB2E67208DA1716E5F41E3A | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | |
MD5:F8898957A71622D7DC1DC692A25BB41F | SHA256:B3834F41BAB99224637530FB756998C51A0095D999A59B693EA35B03168D61D9 | |||
3012 | WINWORD.EXE | C:\Users\admin\Desktop\~$gd.docx | pgc | |
MD5:14B4E97FE1E5751BB649F9E1B35A5311 | SHA256:3013CCFC5B4E55203843112A4AA1655C2E7AE4AB683F8F6A11C61BA3F3EA240A | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | |
MD5:497E1AD127A8ABBFE00D98C31D379CD7 | SHA256:7BD9A49D66C5DD1EFF70D156F00D4FF99DC350442B7BB0865B9683AC9BBE07ED | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\good[1].rtf | text | |
MD5:A29F2FE230C0CDA79A58E5E17F99DEB6 | SHA256:0FC922E74C4FEF1E429497DA9A8B9CB88B69DBC3F2DF8B0B15CE26ED1F7B44C8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3012 | WINWORD.EXE | HEAD | 200 | 194.36.173.46:80 | http://194.36.173.46/good.rtf | unknown | — | — | malicious |
3012 | WINWORD.EXE | OPTIONS | 200 | 194.36.173.46:80 | http://194.36.173.46/ | unknown | — | — | malicious |
976 | svchost.exe | OPTIONS | 200 | 194.36.173.46:80 | http://194.36.173.46/ | unknown | — | — | malicious |
3012 | WINWORD.EXE | HEAD | 200 | 194.36.173.46:80 | http://194.36.173.46/good.rtf | unknown | text | 69.3 Kb | malicious |
3012 | WINWORD.EXE | HEAD | 200 | 194.36.173.46:80 | http://194.36.173.46/good.rtf | unknown | — | — | malicious |
976 | svchost.exe | PROPFIND | — | 194.36.173.46:80 | http://194.36.173.46/ | unknown | — | — | malicious |
976 | svchost.exe | PROPFIND | 405 | 194.36.173.46:80 | http://194.36.173.46/ | unknown | html | 226 b | malicious |
3012 | WINWORD.EXE | GET | 200 | 194.36.173.46:80 | http://194.36.173.46/good.rtf | unknown | text | 69.3 Kb | malicious |
976 | svchost.exe | PROPFIND | 405 | 194.36.173.46:80 | http://194.36.173.46/ | unknown | html | 226 b | malicious |
976 | svchost.exe | PROPFIND | 405 | 194.36.173.46:80 | http://194.36.173.46/ | unknown | html | 226 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3012 | WINWORD.EXE | 194.36.173.46:80 | — | — | — | malicious |
976 | svchost.exe | 194.36.173.46:80 | — | — | — | malicious |
PID | Process | Class | Message |
---|---|---|---|
3012 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source |