File name: | f0bd42a30f53d762959c867d2aa1d3abca582df7f51831228746340d38bea2c4.doc |
Full analysis: | https://app.any.run/tasks/eb4c70d9-7984-400e-a049-590199be4c6e |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | June 12, 2019, 02:07:34 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: , Author: george.deveney, Template: Normal.dotm, Last Saved By: Buro de Crédito, Revision Number: 569, Name of Creating Application: Microsoft Office Word, Total Editing Time: 2d+14:35:00, Last Printed: Sun May 23 19:23:00 2010, Create Time/Date: Sun May 23 18:50:00 2010, Last Saved Time/Date: Sat Jun 8 23:28:00 2019, Number of Pages: 2, Number of Words: 78, Number of Characters: 435, Security: 0 |
MD5: | DC3110BB19946614B75ADE4D554FFE3D |
SHA1: | EFA569F57C5EB12988E4655126AEE04B0E7EEC58 |
SHA256: | F0BD42A30F53D762959C867D2AA1D3ABCA582DF7F51831228746340D38BEA2C4 |
SSDEEP: | 768:n1n2Pn2G82I0oWsDmxz99j6KaaynSm61xP6QDbrO53E5vFB6+OrBYQp:qsDm3I0ynSm61Z6Sq5MvFB6fVYQ |
Extension | Description |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Documento de Microsoft Word 97-2003 |
CompObjUserTypeLen: | 36 |
HeadingPairs: | |
TitleOfParts: | |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 512 |
Paragraphs: | 1 |
Lines: | 3 |
Company: | OCS LTD |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 435 |
Words: | 78 |
Pages: | 2 |
ModifyDate: | 2019:06:08 22:28:00 |
CreateDate: | 2010:05:23 17:50:00 |
LastPrinted: | 2010:05:23 18:23:00 |
TotalEditTime: | 2.6 days |
Software: | Microsoft Office Word |
RevisionNumber: | 569 |
LastModifiedBy: | Buro de Crédito |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | george.deveney |
Subject: | - |
Title: | |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2716 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\f0bd42a30f53d762959c867d2aa1d3abca582df7f51831228746340d38bea2c4.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2548 | "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | C:\Program Files\Internet Explorer\iexplore.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2500 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2548 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2488 | cmd.exe /c "C:\Users\admin\AppData\Local\Temp\verinstere.xls" | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2080 | C:\Users\admin\AppData\Local\Temp\verinstere.xls | C:\Users\admin\AppData\Local\Temp\verinstere.xls | — | cmd.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3972 | "C:\Windows\system32\nslookup.exe" | C:\Windows\system32\nslookup.exe | — | verinstere.xls |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2716 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3EB2.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2548 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2548 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2500 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@bit[1].txt | text | |
MD5:0016D3694801A107F05764EC2832F5F8 | SHA256:7FD986663B837E7D5DE4C7B94E46F4E723A81C5357FE0E5FDCA135C69FE0A0B1 | |||
2716 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:12517EE854149D972AD71A72749C0F14 | SHA256:49EBC01539F69DF66A6055256DA118414995D8BCADEAC183DBB8FACAADFD711D | |||
2716 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:FC364354350804BC97FCC9AEF07F32AD | SHA256:92F1088DD2889EF5A10207CF69EE4CBB09EE8339CF991F0014322B6A82C5C463 | |||
2500 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4439RZA2\cAbmwJVs[1].txt | text | |
MD5:FCAA7D5A0D31B0EA650E2714FA0D4E9C | SHA256:60FFD63D8F0B904DC581450BEC709304C5E36FDB1BD269929368D17368B92ACB | |||
2500 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:960DBFF0EA0CC4E3EE30C2BAAA81A1AC | SHA256:AC7A8CF469E398BCFCE5F102F79E1A511FB62494E6F28AB625E393670420F562 | |||
2500 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:379365FEE5C2FE3C28B833F7ACA7567E | SHA256:5475CA2594C0230864C9C4E8B2CD134B8041AB943E9A98B4120DC197D8FA0BB2 | |||
2716 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$bd42a30f53d762959c867d2aa1d3abca582df7f51831228746340d38bea2c4.doc | pgc | |
MD5:2476B99AE83719F2C452BCEADC071E32 | SHA256:5B5D78F3E49CB78F97770D845418E35DA09E3C36AADC3B52A02A853B25368E09 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2548 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2548 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3972 | nslookup.exe | 187.155.35.55:2404 | du4alr0ute.sendsmtp.com | Uninet S.A. de C.V. | MX | malicious |
2548 | iexplore.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
2500 | iexplore.exe | 67.199.248.10:443 | bit.ly | Bitly Inc | US | shared |
3972 | nslookup.exe | 187.155.84.184:2404 | wifi.con-ip.com | Uninet S.A. de C.V. | MX | unknown |
2500 | iexplore.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
www.bing.com | — | whitelisted |
bit.ly | — | shared |
pastebin.com | — | shared |
casillas.hicam.net | — | malicious |
casillasmx.chickenkiller.com | — | unknown |
casillas.libfoobar.so | — | malicious |
du4alr0ute.sendsmtp.com | — | malicious |
dns.msftncsi.com | — | shared |
settings.wifizone.org | — | unknown |
wifi.con-ip.com | — | malicious |