File name: | Invoice&Contract.doc |
Full analysis: | https://app.any.run/tasks/655df80d-3ec6-4e39-b7b0-59136e334003 |
Verdict: | Malicious activity |
Analysis date: | May 24, 2019, 05:24:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Author: 11000, Keywords: 1, Comments: 1, Thumbnail: 1, 0x17: 1048576CDFV2 Microsoft Word |
MD5: | 6D55FE98FD27DB2F2B97FEACBA738794 |
SHA1: | 41D32102C091574C59D12068E95B8CC803201631 |
SHA256: | F22F6182A20851B33FB25A2BF4D2D994782982B46D4DA5888694A77B1DEA51CA |
SSDEEP: | 1536:c0PBeWVjjsw/APPPPPPPPP8ZaLdScXjjHXV+a9dbseEA+Wa6DsGdX:zeWVjjswlZaLdScXjjHXdoeuWaw |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserTypeLen: | 32 |
---|---|
CompObjUserType: | Microsoft Word 97-2003 Document |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Bytes: | 11000 |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 1 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3148 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Invoice&Contract.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1136 | "C:\Users\admin\AppData\Local\Temp\iorbo.exe" | C:\Users\admin\AppData\Local\Temp\iorbo.exe | WINWORD.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1936 | "C:\Users\admin\AppData\Roaming\winupd\svchosts.exe" | C:\Users\admin\AppData\Roaming\winupd\svchosts.exe | iorbo.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3856 | "C:\Users\admin\AppData\Roaming\winupd\svchosts.exe" | C:\Users\admin\AppData\Roaming\winupd\svchosts.exe | svchosts.exe | |
User: admin Integrity Level: MEDIUM | ||||
2924 | "C:\Users\admin\AppData\Roaming\winupd\svchosts.exe" 2 3856 1216859 | C:\Users\admin\AppData\Roaming\winupd\svchosts.exe | — | svchosts.exe |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
3148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFA4B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1136 | iorbo.exe | C:\Users\admin\AppData\Roaming\winupd\svchosts.exe:ZoneIdentifier | — | |
MD5:— | SHA256:— | |||
3856 | svchosts.exe | C:\Users\admin\AppData\Local\Temp\CabAD5F.tmp | — | |
MD5:— | SHA256:— | |||
3856 | svchosts.exe | C:\Users\admin\AppData\Local\Temp\TarAD60.tmp | — | |
MD5:— | SHA256:— | |||
3856 | svchosts.exe | C:\Users\admin\AppData\Local\Temp\CabAD90.tmp | — | |
MD5:— | SHA256:— | |||
3856 | svchosts.exe | C:\Users\admin\AppData\Local\Temp\TarAD91.tmp | — | |
MD5:— | SHA256:— | |||
3856 | svchosts.exe | C:\Users\admin\AppData\Local\Temp\CabAE4D.tmp | — | |
MD5:— | SHA256:— | |||
3856 | svchosts.exe | C:\Users\admin\AppData\Local\Temp\TarAE4E.tmp | — | |
MD5:— | SHA256:— | |||
3856 | svchosts.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | compressed | |
MD5:7EB117D4F238090940DBE43EFBCDF1F4 | SHA256:A45A77D256628943190F8AA0F4673496D11DBA6BC3569796B6F733465FD005E4 | |||
3148 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:C111F99CD469831004E4547E39009B06 | SHA256:3479C3CB813B5D1C331B8400A690378D71DF89F98184E62788F05713D903F6AF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3856 | svchosts.exe | GET | 200 | 8.248.127.254:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 56.1 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3148 | WINWORD.EXE | 93.123.73.193:443 | www.turbominebtcminer.com | Histate Global Corp. | BG | malicious |
3856 | svchosts.exe | 109.236.80.32:8808 | egonbute.mefound.com | WorldStream B.V. | NL | unknown |
— | — | 8.248.127.254:80 | www.download.windowsupdate.com | Level 3 Communications, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
www.turbominebtcminer.com |
| malicious |
egonbute.mefound.com |
| unknown |
www.download.windowsupdate.com |
| whitelisted |