File name: | Booking - 1511195841.doc |
Full analysis: | https://app.any.run/tasks/fa135a99-9a57-4b9a-9187-bc2ab5829187 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | June 19, 2019, 15:52:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal, Last Saved By: Administrator, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Wed Jun 19 19:26:00 2019, Last Saved Time/Date: Wed Jun 19 10:29:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | 61D493D1DBE1947A337E664BBFF9E21B |
SHA1: | 0F5B473AE4E46401E13505188F24009C8F18A34A |
SHA256: | E9736F2494AAB6CD9514D9596E1AD9A2B85E6B6457F5D06934F8E5E402A59176 |
SSDEEP: | 3072:sKEcYSUEVu228iY7+V+nwbJ26iJqjJoiTqciJqAkmkj9JxXIRn0:S5SUx9j2lkF7d |
.doc | | | Microsoft Word document (54.2) |
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal |
LastModifiedBy: | Administrator |
RevisionNumber: | 2 |
Software: | Microsoft Office Word |
TotalEditTime: | 1.0 minutes |
CreateDate: | 2019:06:19 18:26:00 |
ModifyDate: | 2019:06:19 09:29:00 |
Pages: | 1 |
Words: | - |
Characters: | 1 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Bytes: | 11000 |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 1 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1684 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Booking - 1511195841.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.5123.5000 | ||||
2596 | "C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe" | C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe | — | WINWORD.EXE |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2692 | "C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe" | C:\Users\admin\AppData\Local\Temp\Compatibility-mode.exe | — | Compatibility-mode.exe |
User: admin Integrity Level: HIGH | ||||
1136 | "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures | C:\Windows\SysWOW64\cmd.exe | — | Compatibility-mode.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2580 | vssadmin.exe Delete Shadows /All /Quiet | C:\Windows\SysWOW64\vssadmin.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2444 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1180 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\cyhf672-readme.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1684 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDE6B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2692 | Compatibility-mode.exe | C:\Recovery\de82876a-02a9-11e8-aa76-af8e13208fdf\Winre.wim | — | |
MD5:— | SHA256:— | |||
2692 | Compatibility-mode.exe | C:\Recovery\de82876a-02a9-11e8-aa76-af8e13208fdf\boot.sdi | — | |
MD5:— | SHA256:— | |||
2692 | Compatibility-mode.exe | c:\recovery\de82876a-02a9-11e8-aa76-af8e13208fdf\Winre.wim.cyhf672 | — | |
MD5:— | SHA256:— | |||
1684 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$oking - 1511195841.doc | pgc | |
MD5:E5A551CBFD97F61D8DE42E739360A4AD | SHA256:453912D00AD9084ADD88B97A3762E40D475BF077CA6A31857972060319B8CDD3 | |||
2692 | Compatibility-mode.exe | C:\program files\cyhf672-readme.txt | binary | |
MD5:DD909E537A980D9ECC710E7DCC0CC273 | SHA256:5705E1E904120DD94F1333EBBC7663E3177BCE33DBA1627477ECA2199C133431 | |||
2692 | Compatibility-mode.exe | C:\recovery\de82876a-02a9-11e8-aa76-af8e13208fdf\cyhf672-readme.txt | binary | |
MD5:DD909E537A980D9ECC710E7DCC0CC273 | SHA256:5705E1E904120DD94F1333EBBC7663E3177BCE33DBA1627477ECA2199C133431 | |||
2692 | Compatibility-mode.exe | C:\Users\admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf | — | |
MD5:— | SHA256:— | |||
1684 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\prola[1].exe | executable | |
MD5:B669889844ECDB2DBF0B6FE93306E31A | SHA256:9576F4DAC40B46CAC84F6F81D8CFA78C7AFA54F26368CD8EEFF5F216AF5BD248 | |||
2692 | Compatibility-mode.exe | C:\program files (x86)\cyhf672-readme.txt | binary | |
MD5:DD909E537A980D9ECC710E7DCC0CC273 | SHA256:5705E1E904120DD94F1333EBBC7663E3177BCE33DBA1627477ECA2199C133431 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1684 | WINWORD.EXE | GET | 200 | 2.185.239.164:80 | http://btta.xyz/prola.exe | IR | executable | 378 Kb | malicious |
2692 | Compatibility-mode.exe | GET | 200 | 192.35.177.64:80 | http://apps.identrust.com/roots/dstrootcax3.p7c | US | cat | 893 b | shared |
2692 | Compatibility-mode.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D1CC8D4F82A4.crt?9ab7c1c1fc7648da | US | der | 914 b | whitelisted |
2692 | Compatibility-mode.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt?e57873237d26d5cc | US | der | 993 b | whitelisted |
2692 | Compatibility-mode.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2b0e034bfaff30a9 | US | compressed | 56.2 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1684 | WINWORD.EXE | 2.185.239.164:80 | btta.xyz | Iran Telecommunication Company PJS | IR | suspicious |
2692 | Compatibility-mode.exe | 192.35.177.64:80 | apps.identrust.com | IdenTrust | US | malicious |
2692 | Compatibility-mode.exe | 166.62.108.43:443 | luvbec.com | GoDaddy.com, LLC | US | malicious |
2692 | Compatibility-mode.exe | 149.210.195.135:443 | salonlamar.nl | Transip B.V. | NL | malicious |
2692 | Compatibility-mode.exe | 157.230.253.64:443 | babysitting-hk.helpergo.co | Joao Carlos de Almeida Silveira trading as Bitcanal | US | suspicious |
2692 | Compatibility-mode.exe | 103.23.22.248:443 | alharsunindo.com | PT Infinys System Indonesia | ID | suspicious |
2692 | Compatibility-mode.exe | 37.221.193.90:443 | tages-geldvergleich.de | netcup GmbH | DE | unknown |
2692 | Compatibility-mode.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2692 | Compatibility-mode.exe | 104.25.143.36:443 | amco.net.au | Cloudflare Inc | US | shared |
2692 | Compatibility-mode.exe | 45.76.45.105:443 | triplettagaite.fr | Choopa, LLC | FR | unknown |
Domain | IP | Reputation |
---|---|---|
btta.xyz | | malicious |
luvbec.com | | suspicious |
salonlamar.nl | | suspicious |
alharsunindo.com | | suspicious |
babysitting-hk.helpergo.co | | suspicious |
apps.identrust.com | | shared |
ctldl.windowsupdate.com | | whitelisted |
amco.net.au | | suspicious |
nuohous.com | | suspicious |
grancanariaregional.com | | suspicious |
PID | Process | Class | Message |
---|---|---|---|
1684 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
1684 | WINWORD.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
1684 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |
2692 | Compatibility-mode.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com) |